Bug#835148: gcc-6: please enable PIE hardening flags by default on amd64 ppc64el and s390x
Package: gcc-6
Followup-For: Bug #835148
FYI: Enabling PIE by default has a drastic impact on the Linux kernel,
which needs to be compiled with PIE disabled.
After upgrading to the new gcc-6 package today dkms failed to build the
nvidia kernel module with the following error message:
> error: code model kernel does not support PIC mode
The very evil thing is that compiling the linux kernel fails because
most those "cc-option" checks fail (silently, because the error message
is redirected to /dev/null), and thus a lot of options are missing:
$ grep cc-option Makefile
KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
KBUILD_CFLAGS += $(call cc-option,-fno-reorder-blocks,) \
$(call cc-option,-fno-ipa-cp-clone,) \
$(call cc-option,-fno-partial-inlining)
KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
ifeq ($(call cc-option, $(stackp-flag)),)
ifeq ($(call cc-option, $(stackp-flag)),)
stackp-flag := $(call cc-option, -fno-stack-protector)
ifeq ($(call cc-option, $(CFLAGS_KCOV)),)
KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
KBUILD_CPPFLAGS += $(call cc-option,-Wno-unknown-warning-option,)
KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
KBUILD_CFLAGS += $(call cc-option, -fno-var-tracking-assignments)
KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
KBUILD_CFLAGS += $(call cc-option, -femit-struct-debug-baseonly) \
$(call cc-option,-fno-var-tracking)
CC_USING_FENTRY := $(call cc-option, -mfentry -DCC_USING_FENTRY)
KBUILD_CFLAGS += $(call cc-option, -fno-inline-functions-called-once)
KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
KBUILD_CFLAGS += $(call cc-option,-fconserve-stack)
KBUILD_CFLAGS += $(call cc-option,-Werror=implicit-int)
KBUILD_CFLAGS += $(call cc-option,-Werror=strict-prototypes)
KBUILD_CFLAGS += $(call cc-option,-Werror=date-time)
KBUILD_CFLAGS += $(call cc-option,-Werror=incompatible-pointer-types)
The mentioned patch below at least fixed the kernel.
Links:
- <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1574982?comments/17>
- <http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.8-rc2/0002-UBUNTU-SAUCE-no-up-disable-pie-when-gcc-has-it-enabl.patch>
Debugging this issue cost me ~2h, so just consider this FYI to save others from
having to do the same bug hunt again.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.9 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gcc-6 depends on:
ii binutils 2.27-9
ii cpp-6 6.2.0-9
ii gcc-6-base 6.2.0-9
ii libc6 2.24-5
ii libcc1-0 6.2.0-9
ii libgcc-6-dev 6.2.0-9
ii libgcc1 1:6.2.0-9
ii libgmp10 2:6.1.1+dfsg-1
ii libisl15 0.17.1-1
ii libmpc3 1.0.3-1
ii libmpfr4 3.1.5-1
ii libstdc++6 6.2.0-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages gcc-6 recommends:
ii libc6-dev 2.24-5
Versions of packages gcc-6 suggests:
pn gcc-6-doc <none>
pn gcc-6-locales <none>
ii gcc-6-multilib 6.2.0-9
pn libasan3-dbg <none>
pn libatomic1-dbg <none>
pn libcilkrts5-dbg <none>
pn libgcc1-dbg <none>
pn libgomp1-dbg <none>
pn libitm1-dbg <none>
pn liblsan0-dbg <none>
pn libmpx2-dbg <none>
pn libquadmath0-dbg <none>
pn libtsan0-dbg <none>
pn libubsan0-dbg <none>
-- no debconf information
Reply to: