Re: PIE and static libraries

To: Christian Seiler <christian@iwakd.de>
Cc: Andreas Metzler <ametzler@bebt.de>, debian-devel@lists.debian.org, Theodore Ts'o <tytso@mit.edu>
Subject: Re: PIE and static libraries
From: Guillem Jover <guillem@debian.org>
Date: Sun, 22 May 2016 19:31:11 +0200
Message-id: <[🔎] 20160522173111.GA12704@gaara.hadrons.org>
Mail-followup-to: Christian Seiler <christian@iwakd.de>, Andreas Metzler <ametzler@bebt.de>, debian-devel@lists.debian.org, Theodore Ts'o <tytso@mit.edu>
In-reply-to: <[🔎] 574170D4.7050103@iwakd.de>
References: <[🔎] ha181d-r9b.ln1@argenau.bebt.de> <[🔎] 574170D4.7050103@iwakd.de>

Hi!

On Sun, 2016-05-22 at 10:41:56 +0200, Christian Seiler wrote:
[… useful overview …]

I've tried to condense this and the other message on the other thread
to extend the dpkg-buildflags(1) man page. Attached the patch I'm
intending to apply. Let me know if you have other suggestions,
improvements, wording tweaks, etc.

Thanks,
Guillem

From d3a6f97736bade62a8945f91c22593f22f3e2ae4 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@debian.org>
Date: Sun, 22 May 2016 19:20:04 +0200
Subject: [PATCH] man: Document interaction between PIE and libraries

Prompted-by: Christian Seiler <christian@iwakd.de>
---
 man/dpkg-buildflags.1 | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1
index ac2489e..47b77d8 100644
--- a/man/dpkg-buildflags.1
+++ b/man/dpkg-buildflags.1
@@ -362,6 +362,36 @@ locations to bounce off of during a memory corruption attack.
 This is not compatible with \fB\-fPIC\fP so care must be taken when
 building shared objects.
 
+Static libraries can be used by programs or other shared libraries.
+Depending on the flags used to compile all the objects within a static
+library, these libraries will be usable by different sets of objects:
+
+.RS
+.TP
+none
+Cannot be linked into a PIE program, nor a shared library.
+.TP
+.B \-fPIE
+Can be linked into any program, but not a shared library.
+.TP
+.B \-fPIC
+Can be linked into any program and shared library.
+The resulting program might be slightly slower and bigger in case
+\fBbindnow\fP is not in use.
+.RE
+
+.IP
+Unconditionally passing \fB\-fPIE\fP, \fB\-fpie\fP or \fB\-pie\fP to a
+build-system using libtool is safe as these flags will get stripped when
+building shared libraries.
+Otherwise on projects that build both programs and shared libraries you
+might need to make sure that when building the shared libraries \fB\-fPIC\fP
+is always passed last (so that it overrides any previous \fB\-PIE\fP) to
+compilation flags such as \fBCFLAGS\fP, and \fB\-shared\fP is passed last
+(so that it overrides any previous \fB\-pie\fP) to linking flags such as
+\fBLDFLAGS\fP.
+
+.IP
 Additionally, since PIE is implemented via a general register, some
 register starved architectures (but not including i386 anymore since
 optimizations implemented in gcc >= 5) can see performance losses of up to
-- 
2.8.1

Reply to:

Follow-Ups:
- Re: PIE and static libraries
  - From: Christian Seiler <christian@iwakd.de>

References:
- PIE and static libraries
  - From: Andreas Metzler <ametzler@bebt.de>
- Re: PIE and static libraries
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: Debian Installer Stretch Alpha 6 release
Next by Date: Re: PIE and static libraries
Previous by thread: Re: PIE and static libraries
Next by thread: Re: PIE and static libraries
Index(es):
- Date
- Thread