Skip to content

glibc: allow to build position-independent static executable#123989

Merged
Mic92 merged 3 commits intoNixOS:stagingfrom
Mic92:static-pie
May 25, 2021
Merged

glibc: allow to build position-independent static executable#123989
Mic92 merged 3 commits intoNixOS:stagingfrom
Mic92:static-pie

Conversation

@Mic92
Copy link
Copy Markdown
Member

@Mic92 Mic92 commented May 22, 2021
edited
Loading

This enables ALSR on static executables, which makes them harder to
exploit by providing a crt suitable for static PIEs.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Added a release notes entry if the change is major or breaking
  • Fits CONTRIBUTING.md.

@Mic92 Mic92 requested a review from matthewbauer May 22, 2021 08:14
@Mic92 Mic92 marked this pull request as draft May 22, 2021 08:27
@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 22, 2021

Also @Ericson2314 claims static-pie support, it is not quite true yet: https://news.ycombinator.com/item?id=23657020
Not sure if glibc support is incomplete but I still cannot create a simple static application with it:

#include <stdio.h>

int main() {
    printf("main: %p\n", main);
    return 0;
}
with import <nixpkgs> {};
stdenv.mkDerivation {
  name = "env";
  nativeBuildInputs = [
    bashInteractive
  ];
  buildInputs = [
    glibc.static
  ];
}
$ gcc -static-pie -o main main.c
$ gdb ./main
Reading symbols from ./main...
(gdb) r
Starting program: /tmp/tmp.kSRlP5T372/solo5/main

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f5115c in __dcigettext ()
(gdb) bt
#0  0x00007ffff7f5115c in __dcigettext ()
#1  0x00007ffff7f502ce in __assert_fail ()
#2  0x00007ffff7f90415 in _dl_relocate_static_pie ()
#3  0x00007ffff7f4f3b8 in __libc_start_main ()
#4  0x00007ffff7f4ee1a in _start () at ../sysdeps/x86_64/start.S:120

@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 22, 2021

My blind guess is, that it somehow breaks TLS:

gef➤  context
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0xffffffffffffffc0
$rbx   : 0x0
$rcx   : 0x0
$rdx   : 0x0
$rsp   : 0x00007fffffff9060  →  0x0000000000000000
$rbp   : 0x00007fffffff9150  →  0x00007ffff7fd1495  →  "get-dynamic-info.h"
$rsi   : 0x00007ffff7fcd350  →  "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n"
$rdi   : 0x00007ffff7fe10c0  →  0x000000006362696c ("libc"?)
$rip   : 0x00007ffff7f5115c  →  <__dcigettext+108> mov eax, DWORD PTR fs:[rax]
$r8    : 0x0
$r9    : 0x5
$r10   : 0x6ffffdff
$r11   : 0x6ffffe32
$r12   : 0x92
$r13   : 0x00007ffff7fe10c0  →  0x000000006362696c ("libc"?)
$r14   : 0x00007ffff7f45000  →  0x03010102464c457f
$r15   : 0x00007ffff7ffc160  →  0x00007ffff7f45000  →  0x03010102464c457f
$eflags: [zero CARRY PARITY ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffff9060│+0x0000: 0x0000000000000000   ← $rsp
0x00007fffffff9068│+0x0008: 0x0000000000000000
0x00007fffffff9070│+0x0010: 0x0000000000000000
0x00007fffffff9078│+0x0018: 0x0000000000000000
0x00007fffffff9080│+0x0020: 0x0000000000000000
0x00007fffffff9088│+0x0028: 0x0000000000000000
0x00007fffffff9090│+0x0030: 0x0000000000000000
0x00007fffffff9098│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff7f5114b <__dcigettext+91> mov    rax, 0xffffffffffffffc0
   0x7ffff7f51152 <__dcigettext+98> mov    rbx, 0x0
   0x7ffff7f51159 <__dcigettext+105> mov    r13, rdi
 → 0x7ffff7f5115c <__dcigettext+108> mov    eax, DWORD PTR fs:[rax]
   0x7ffff7f5115f <__dcigettext+111> mov    DWORD PTR [rbp-0xc4], eax
   0x7ffff7f51165 <__dcigettext+117> test   rbx, rbx
   0x7ffff7f51168 <__dcigettext+120> je     0x7ffff7f51182 <__dcigettext+146>
   0x7ffff7f5116a <__dcigettext+122> lea    rdi, [rip+0xaccef]        # 0x7ffff7ffde60 <__libc_setlocale_lock>
   0x7ffff7f51171 <__dcigettext+129> call   0x7ffff7f4e090
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "main", stopped 0x7ffff7f5115c in __dcigettext (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7f5115c → __dcigettext()
[#1] 0x7ffff7f502ce → __assert_fail()
[#2] 0x7ffff7f90415 → _dl_relocate_static_pie()
[#3] 0x7ffff7f4f3b8 → __libc_start_main()
[#4] 0x7ffff7f4ee1a → _start()
───────────────────────────────────

@ofborg ofborg bot added the 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. label May 22, 2021
@ofborg ofborg bot requested review from Ma27 and edolstra May 22, 2021 09:57
@ofborg ofborg bot added 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels May 22, 2021
@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 22, 2021

This works in an archlinux container. So it is something that breaks in our setup.

@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 22, 2021

This is what archlinux produces:

[root@213013bf7066 ~]# gcc -v -static-pie -o main main.c
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --with-isl --with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit --enable-cet=auto --enable-checking=release --enable-clocale=gnu --enable-default-pie --enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object --enable-install-libiberty --enable-linker-build-id --enable-lto --enable-multilib --enable-plugin --enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch --disable-libunwind-exceptions --disable-werror gdc_include_dir=/usr/include/dlang/gdc
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.1.0 (GCC)
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/cc1 -quiet -v main.c -quiet -dumpbase main.c -dumpbase-ext .c -mtune=generic -march=x86-64 -version -o /tmp/cc30fNCE.s
GNU C17 (GCC) version 11.1.0 (x86_64-pc-linux-gnu)
        compiled by GNU C version 11.1.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/include
 /usr/local/include
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/include-fixed
 /usr/include
End of search list.
GNU C17 (GCC) version 11.1.0 (x86_64-pc-linux-gnu)
        compiled by GNU C version 11.1.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 3d0ac5c030c008e73f10e8b66957dbfa
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64'
 as -v --64 -o /tmp/ccnTcBWQ.o /tmp/cc30fNCE.s
GNU assembler version 2.36.1 (x86_64-pc-linux-gnu) using BFD version (GNU Binutils) 2.36.1
COMPILER_PATH=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/
LIBRARY_PATH=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/:/lib/../lib/:/usr/lib/../lib/:/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64' '-dumpdir' 'main.'
 /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/collect2 -plugin /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/liblto_plugin.so -plugin-opt=/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/lto-wrapper -plugin-opt=-fresolution=/tmp/ccZ96sde.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lc --build-id --eh-frame-hdr --hash-style=gnu -m elf_x86_64 -static -pie --no-dynamic-linker -z text -pie -o main /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/rcrt1.o /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/crti.o /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/crtbeginS.o -L/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0 -L/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib -L/lib/../lib -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../.. /tmp/ccnTcBWQ.o --start-group -lgcc -lgcc_eh -lc --end-group /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/crtendS.o /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../lib/crtn.o
COLLECT_GCC_OPTIONS='-v' '-static-pie' '-o' 'main' '-mtune=generic' '-march=x86-64' '-dumpdir' 'main.'

This is Nixpkgs:

╰─ % gcc -v -static-pie -o ./main main.c
Using built-in specs.
COLLECT_GCC=/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/bin/gcc
COLLECT_LTO_WRAPPER=/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 10.2.0 (GCC)
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/cc1 -quiet -v -D _FORTIFY_SOURCE=2 -idirafter /nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include -idirafter /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed -isystem /nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include -isystem /nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include -isystem /nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include -isystem /nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include main.c -quiet -dumpbase main.c -mtune=generic -march=x86-64 -auxbase main -O2 -Wformat=1 -Wformat-security -Werror=format-security -version -fstack-protector-strong -fno-strict-overflow -fPIC -frandom-seed=hq9nk61nxq -fcommon --param=ssp-buffer-size=4 -o /run/user/1000/cc6Ggpn2.s
GNU C17 (GCC) version 10.2.0 (x86_64-unknown-linux-gnu)
        compiled by GNU C version 10.2.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.20-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring duplicate directory "/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include"
ignoring duplicate directory "/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include"
ignoring nonexistent directory "/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../../x86_64-unknown-linux-gnu/include"
ignoring duplicate directory "/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include"
ignoring duplicate directory "/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed"
#include "..." search starts here:
#include <...> search starts here:
 /nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include
 /nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/include
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed
 /nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include
End of search list.
GNU C17 (GCC) version 10.2.0 (x86_64-unknown-linux-gnu)
        compiled by GNU C version 10.2.0, GMP version 6.2.1, MPFR version 4.1.0, MPC version 1.2.1, isl version isl-0.20-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 51e193d705b8aa8fb3d71b10edfdea16
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'
 /nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/as -v --64 -o /run/user/1000/ccRh84Q2.o /run/user/1000/cc6Ggpn2.s
GNU assembler version 2.35.1 (x86_64-unknown-linux-gnu) using BFD version (GNU Binutils) 2.35.1
COMPILER_PATH=/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib/:/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/:/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/
LIBRARY_PATH=/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib/:/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/:/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../../lib64/:/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'
 /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/collect2 -plugin /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/liblto_plugin.so -plugin-opt=/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/libexec/gcc/x86_64-unknown-linux-gnu/10.2.0/lto-wrapper -plugin-opt=-fresolution=/run/user/1000/cc9Zbok4.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lc --eh-frame-hdr -m elf_x86_64 -static -pie --no-dynamic-linker -z text -o ./main /nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/rcrt1.o /nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/crti.o /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/crtbeginS.o -L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib -L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib -L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib -L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib -L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib -L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib -L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib -L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib -L/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin -L/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0 -L/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../../../lib64 -L/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/../../.. /run/user/1000/ccRh84Q2.o -rpath /nix/store/hq9nk61nxqym59dknykxqqnsmynwziln-env/lib64 -rpath /nix/store/hq9nk61nxqym59dknykxqqnsmynwziln-env/lib --start-group -lgcc -lgcc_eh -lc --end-group /nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/crtendS.o /nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/crtn.o
COLLECT_GCC_OPTIONS='-O2' '-D' '_FORTIFY_SOURCE=2' '-fstack-protector-strong' '--param=ssp-buffer-size=4' '-fno-strict-overflow' '-Wformat=1' '-Wformat-security' '-Werror=format-security' '-fPIC' '-v' '-static-pie' '-o' './main' '-B' '/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-B' '/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib/' '-idirafter' '/nix/store/9kj4zgykka9ypm1wzvhngs7lcx951lm7-glibc-2.32-40-dev/include' '-idirafter' '/nix/store/8dbr91p4rmf902dd0bjwgzjxz7wslda3-gcc-10.2.0/lib/gcc/x86_64-unknown-linux-gnu/10.2.0/include-fixed' '-B' '/nix/store/rgybqkxfkajlmblix7sfcr0jlsj41r8y-gcc-wrapper-10.2.0/bin/' '-frandom-seed=hq9nk61nxq' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-isystem' '/nix/store/xcdw6br5h78yxydr4wgig6x106232b35-bash-interactive-4.4-p23-dev/include' '-isystem' '/nix/store/k8n8g1x19f1vaffcn5bnyryyfn372c0y-libseccomp-2.5.1-dev/include' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/vax4qgfx7ddi5f08dc05yrvpgld2g3kz-glibc-2.32-40-static/lib' '-L/nix/store/wa789v2wim0p4xrfgpd99lcla651rhvl-libseccomp-2.5.1-lib/lib' '-L/nix/store/pkg5q9irs9z2aviq8p0f99i05rm5wbyn-glibc-2.32-40/lib' '-L/nix/store/i4pd9p1l8yhz63vff66rfa4bd353lqq7-gcc-10.2.0-lib/lib' '-mtune=generic' '-march=x86-64' '-fcommon'

@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 22, 2021

Interesting enough even without the change glibc already builds rcrt1.o which is doing the relocation in static binaries.

@Mic92 Mic92 mentioned this pull request May 22, 2021
Closed
8 tasks
@Mic92
glibc: allow to build position-independent static executable
61c74e1 
This enables ALSR on static executables, which makes them harder to
exploit by providing a crt suitable for static PIEs.

Does this break existing binaries? Likely not. Static-pie is only
used if explicitly enabled.
@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 22, 2021

Ha! It works now. After compiling glibc from source I could pin-point the assertion that broke the execution.

Mic92
Mic92 commented May 22, 2021
View reviewed changes
Mic92
Mic92 commented May 22, 2021
View reviewed changes
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. and removed 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. labels May 22, 2021
@Mic92 Mic92 force-pushed the static-pie branch 7 times, most recently from e8fd80d to 831abe9 Compare May 23, 2021 11:27
@Mic92 Mic92 force-pushed the static-pie branch 2 times, most recently from 2676fc1 to 8a4dcb6 Compare May 23, 2021 13:23
@Mic92 Mic92 force-pushed the static-pie branch 2 times, most recently from 1a3860b to 166948d Compare May 23, 2021 18:57
@Mic92 Mic92 marked this pull request as ready for review May 23, 2021 18:58
@Mic92 Mic92 requested a review from Ericson2314 as a code owner May 23, 2021 18:58
@Mic92 Mic92 mentioned this pull request May 24, 2021
Draft
5 tasks
Ericson2314
Ericson2314 reviewed May 24, 2021
View reviewed changes
Ericson2314
Ericson2314 approved these changes May 24, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@Ericson2314 Ericson2314 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think something like my comment would make it easier to understand, but that aside LGTM.

@Mic92 @Ericson2314
Update pkgs/build-support/bintools-wrapper/ld-wrapper.sh
602b5f8 
Co-authored-by: John Ericson <git@JohnEricson.me>
@Mic92
Copy link
Copy Markdown
Member Author

Mic92 commented May 25, 2021

Someone tested also macOS/clang for me. Good to go.

@Mic92 Mic92 merged commit 5551a78 into NixOS:staging May 25, 2021
@Mic92 Mic92 deleted the static-pie branch May 25, 2021 14:32
@misuzu
Copy link
Copy Markdown
Contributor

misuzu commented Jul 1, 2021

I think this change broke glibc on armv7l:

/build/build/elf/sln /build/build/elf/symlink.list
make[1]: *** [Makefile:115: install-symbolic-link] Segmentation fault (core dumped)
make[1]: Leaving directory '/build/glibc-2.32'
make: *** [Makefile:12: install] Error 2
builder for '/nix/store/hrrfkbfywf8awmj84gkasj3zck5p4s3l-glibc-2.32-48.drv' failed with exit code 2

According to https://sourceware.org/glibc/wiki/PortStatus --enable-static-pie is not supported on armv7l:

This feature is currently supported on i386, x86_64 and x32 with binutils 2.29 or later, and on aarch64 with binutils 2.30 or later.

On Debian and Gentoo --enable-static-pie is enabled only on supported platforms.

Reverting 61c74e1 (on top of 59ef808) allowed me to successfully build glibc on armv7l.

Mic92
Mic92 commented Jul 1, 2021
View reviewed changes
pkgs/development/libraries/glibc/common.nix
"--enable-add-ons"
"--sysconfdir=/etc"
"--enable-stackguard-randomization"
"--enable-static-pie"
Copy link
Copy Markdown
Member Author

@Mic92 Mic92 Jul 1, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well I guess this line should be disabled on arm-legacy again than.

@misuzu misuzu mentioned this pull request Jul 2, 2021
Merged
11 tasks
@nh2 nh2 mentioned this pull request Jul 8, 2021
Open
@piegamesde piegamesde mentioned this pull request Jul 14, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Ericson2314 approved these changes

@matthewbauer matthewbauer Awaiting requested review from matthewbauer

@Ma27 Ma27 Awaiting requested review from Ma27

@edolstra edolstra Awaiting requested review from edolstra

Assignees

No one assigned

Labels

10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Mic92 @misuzu @Ericson2314