Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID:
 <AM7PR83MB04183F89D57C602B2A42B2DDE54D9@AM7PR83MB0418.EURPRD83.prod.outlook.com>
Date: Thu, 15 Apr 2021 20:14:09 +0000
From: Andy Caldwell <andy.caldwell@...rosoft.com>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: [PATCH] Add static-pie support to musl-gcc

Hello all,

I've been using musl as the libc backend for rustc for various and  I also wanted
to build some C executables against musl (using the `musl-gcc` wrapper since I'm
compiling on Ubuntu/Centos).  For various (security and other) reasons we want
to build `-static-pie` executables but the existing `musl-gcc.specs` file doesn't
handle that flag.  I found https://www.openwall.com/lists/musl/2019/05/28/1
which seemed like a good start, but also seems to have stalled.

Starting from that patch, I've applied the various suggestions in the following
emails in the thread (adding `-z text` and handling `-eh-frame-hdr`).  I've also
make a few other changes:

 * Pass `-pie` to the linker when `-static-pie` is requested (this might be
   passed automatically if gcc was built `-default-pie` but it doesn't hurt to
   pass it in and it's certainly needed in some cases)
 * Don't pass `-dynamic-linker ...` when `-static` is requested (which mirror's
   gcc's standard behaviour)

Using this specfile, I was able to build and run the OpenSSL command line tools
(which seem to be a decent stress-test of a compiler/linker) both as `-static` and
as `-static-pie`, as well as building the compiling the following example
executable to check that PIE is being applied appropriately (compare the
outputs with `-static` vs. `-static-pie` across multiple runs).

```
#include <stdio.h>

static int static_int = 42;
static int *static_ptr = &static_int;

int main(int argc, char** argv) {
  printf("main: %p, stack: %p, statics: %p\n", main, &argc, static_ptr);
  return 0;
}
```

Thanks,

Andy Caldwell

--- PATCH BELOW ---

>From 2953e1dc837cd81cac059ea0fa7b4f7bb11c568a Mon Sep 17 00:00:00 2001
From: Andy Caldwell <andy.caldwell@...rosoft.com>
Date: Thu, 15 Apr 2021 21:05:38 +0100
Subject: [PATCH] Add static-pie support to musl-gcc
 
---
 tools/musl-gcc.specs.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 
diff --git a/tools/musl-gcc.specs.sh b/tools/musl-gcc.specs.sh
index 30492574..0e5a9035 100644
--- a/tools/musl-gcc.specs.sh
+++ b/tools/musl-gcc.specs.sh
@@ -17,13 +17,13 @@ cat <<EOF
 libgcc.a%s %:if-exists(libgcc_eh.a%s)
 
 *startfile:
-%{!shared: $libdir/Scrt1.o} $libdir/crti.o crtbeginS.o%s
+%{static-pie: $libdir/rcrt1.o; !shared: $libdir/Scrt1.o} $libdir/crti.o crtbeginS.o%s
 
 *endfile:
 crtendS.o%s $libdir/crtn.o
 
 *link:
--dynamic-linker $ldso -nostdlib %{shared:-shared} %{static:-static} %{rdynamic:-export-dynamic}
+%{static-pie: -no-dynamic-linker -pie; !static: -dynamic-linker $ldso} -nostdlib -z text %{shared} %{static-pie|static:-static} %{rdynamic:-export-dynamic} %{!static: -eh-frame-hdr}
 
 *esp_link:
 
-- 
2.31.1

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.