
Re: Bug#478057: [hardening-discuss] Linker fails on i386 and amd64 with hardening options



On Mon, Apr 28, 2008 at 12:35:51PM -0700, Kees Cook wrote:
> Hi Jörg,
> 
> On Mon, Apr 28, 2008 at 06:43:36PM +0200, Jörg Sommer wrote:
> > gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -fstack-protector -Wformat=2 -Wextra \
> >   -D_FORTIFY_SOURCE=2   -Wl,-zrelro,-pie conftest.c
> > 
> > but this fails on i386 and amd64.
> > 
> > /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
> > /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: could not read symbols: Bad value
> > 
> > Can someone of you help me? The build also fails on Sparc, but I don't
> > have the config.log to tell why. I expect it's the same reason.
> 
> hardening-wrapper isn't setting "-Wl,-zrelro,-pie" ... that command-line
> is wrong.
> 
> First, for relro, it should be "-Wl,-z,relro".  "-pie" needs to be
> specified on the gcc command-line, not the linker command-line, since gcc
> is responsible for choosing the crt, etc.  Do you know what the origin
> of the -Wl addition is?

He has LD_FLAGS set to -Wl,-zrelro,-pie

> This, for example, works:
> gcc -g -O2 -Wall -g -O2 -fPIC -fPIE -pie -fstack-protector -Wformat=2 \
> 	-Wextra  -D_FORTIFY_SOURCE=2   -Wl,-z,relro  -o hello hello.c

That seems to work for me.

> Note, AFAIK, -fPIC and -fPIE is redundant: -fPIE is a subset of -fPIC.

They're similar, but I don't think one is the subset of the other.
Anyway, -fPIC isn't something you need, it's to make a shared library.


Kurt
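
An added example, not part of the original message: a shell check that applies the two corrections discussed in the thread to a flag string, reporting `-pie` passed through `-Wl,` and rewriting `-zrelro` in the `-Wl,-z,relro` form. The function name `lint_hardening_flags` and the sample flag string at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from hardening-wrapper.
# lint_hardening_flags (hypothetical name) takes one flag string, prints the
# corrected flags on stdout and diagnostics on stderr.
# Returns 0 if nothing had to change, 1 if the flags were rewritten.
lint_hardening_flags() {
    out="" changed=0 need_pie=0 have_pie=0
    for flag in $1; do
        case "$flag" in
        -pie)
            have_pie=1; out="$out $flag" ;;
        -Wl,*)
            kept=""
            # Walk the comma-separated linker options that follow -Wl,
            old_ifs=$IFS; IFS=,
            for opt in ${flag#-Wl,}; do
                case "$opt" in
                -pie)
                    # Per the thread: gcc picks the crt, so -pie belongs to gcc.
                    echo "warning: -pie passed via -Wl,; give -pie to gcc instead" >&2
                    need_pie=1; changed=1 ;;
                -zrelro)
                    # Rewrite to the form recommended in the thread.
                    kept="$kept,-z,relro"; changed=1 ;;
                *)
                    kept="$kept,$opt" ;;
                esac
            done
            IFS=$old_ifs
            if [ -n "$kept" ]; then out="$out -Wl$kept"; fi ;;
        *)
            out="$out $flag" ;;
        esac
    done
    # Move -pie to the compiler driver if it was only given to the linker.
    if [ "$need_pie" -eq 1 ] && [ "$have_pie" -eq 0 ]; then out="$out -pie"; fi
    echo "${out# }"
    return "$changed"
}

# Constructed sample input: the flags from the failing command in the thread.
lint_hardening_flags "-fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wl,-zrelro,-pie" \
    || echo "note: flags were rewritten" >&2
```
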

