[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#835148: gcc-6: please enable PIE hardening flags by default on amd64 ppc64el and s390x

Package: gcc-6
Followup-For: Bug #835148

FYI: Enabling PIE by default has a drastic impact on the Linux kernel,                                        
which needs to be compiled with PIE disabled.

After upgrading to the new gcc-6 package today dkms failed to build the 
nvidia kernel module with the following error message:
> error: code model kernel does not support PIC mode

The very evil thing is that compiling the linux kernel fails because
most those "cc-option" checks fail (silently, because the error message
is redirected to /dev/null), and thus a lot of options are missing:

$ grep cc-option Makefile
KBUILD_CFLAGS   += $(call cc-option,-fno-delete-null-pointer-checks,)
KBUILD_CFLAGS   += $(call cc-option,--param=allow-store-data-races=0)
KBUILD_CFLAGS += $(call cc-option,-fno-reorder-blocks,) \
                 $(call cc-option,-fno-ipa-cp-clone,) \
                 $(call cc-option,-fno-partial-inlining)
KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
  ifeq ($(call cc-option, $(stackp-flag)),)
  ifeq ($(call cc-option, $(stackp-flag)),)
  stackp-flag := $(call cc-option, -fno-stack-protector)
  ifeq ($(call cc-option, $(CFLAGS_KCOV)),)
KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
KBUILD_CPPFLAGS += $(call cc-option,-Wno-unknown-warning-option,)
KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
KBUILD_CFLAGS   += $(call cc-option, -fno-var-tracking-assignments)
KBUILD_CFLAGS   += $(call cc-option, -gsplit-dwarf, -g) 
KBUILD_CFLAGS   += $(call cc-option, -gdwarf-4,)
KBUILD_CFLAGS   += $(call cc-option, -femit-struct-debug-baseonly) \
                   $(call cc-option,-fno-var-tracking)
CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY)
KBUILD_CFLAGS += $(call cc-option, -fno-inline-functions-called-once)
KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
KBUILD_CFLAGS   += $(call cc-option,-fno-strict-overflow)
KBUILD_CFLAGS   += $(call cc-option,-fconserve-stack)
KBUILD_CFLAGS   += $(call cc-option,-Werror=implicit-int)
KBUILD_CFLAGS   += $(call cc-option,-Werror=strict-prototypes)
KBUILD_CFLAGS   += $(call cc-option,-Werror=date-time)
KBUILD_CFLAGS   += $(call cc-option,-Werror=incompatible-pointer-types)

The mentioned patch below at least fixed the kernel.

- <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1574982?comments/17>
- <http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.8-rc2/0002-UBUNTU-SAUCE-no-up-disable-pie-when-gcc-has-it-enabl.patch>

Debugging this issue cost me ~2h, so just consider this FYI to save others from
having to do the same bug hunt again.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.9 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gcc-6 depends on:
ii  binutils      2.27-9
ii  cpp-6         6.2.0-9
ii  gcc-6-base    6.2.0-9
ii  libc6         2.24-5
ii  libcc1-0      6.2.0-9
ii  libgcc-6-dev  6.2.0-9
ii  libgcc1       1:6.2.0-9
ii  libgmp10      2:6.1.1+dfsg-1
ii  libisl15      0.17.1-1
ii  libmpc3       1.0.3-1
ii  libmpfr4      3.1.5-1
ii  libstdc++6    6.2.0-9
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages gcc-6 recommends:
ii  libc6-dev  2.24-5

Versions of packages gcc-6 suggests:
pn  gcc-6-doc         <none>
pn  gcc-6-locales     <none>
ii  gcc-6-multilib    6.2.0-9
pn  libasan3-dbg      <none>
pn  libatomic1-dbg    <none>
pn  libcilkrts5-dbg   <none>
pn  libgcc1-dbg       <none>
pn  libgomp1-dbg      <none>
pn  libitm1-dbg       <none>
pn  liblsan0-dbg      <none>
pn  libmpx2-dbg       <none>
pn  libquadmath0-dbg  <none>
pn  libtsan0-dbg      <none>
pn  libubsan0-dbg     <none>

-- no debconf information

Reply to: