GCC hardening for 16.10

In Ubuntu 16.10, as an additional compiler hardening measure, we've enabled PIE and immediate binding by default on amd64 and ppc64le. This greatly increases the effectiveness of ASLR on those platforms.

Dealing with build failures

As always, enabling these compiler options by default will cause problems for some packages. What follows are the typical kinds of problems seen in test rebuilds, and suggestions on how to deal with them.

Note that some of these packages have already taken patches upstream from distros that were using patched versions of GCC that enabled PIE by default and added a GCC option -nopie to disable it. However, upstream GCC has settled on the -no-pie option as the means for disabling PIE when GCC is configured to use it by default. See:

as added in upstream GCC commit:

The ideal fix is to correct the upstream's detection and disabling of PIE. Example debdiffs:

Relocation Linking Failure

This happens when a dynamically linked program pulls in a static library (or object) that was not built with -fPIC. The link fails with an error like:

    relocation R_X86_64_32 against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC

To address these types of issues, the package providing the static object needs to be rebuilt (usually just a no-change rebuild against the pie-by-default compiler) before rebuilding the failed package.

In the general case of a package that uses the compiler driver to produce a relocatable object (a partial link with ld -r), either -no-pie needs to be passed or cc needs to be invoked with -r rather than -Wl,-r, since the driver only suppresses its implicit -pie when it sees -r itself.
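The following shell script is an added example, not part of the wiki page or of any Ubuntu package. It reproduces the "recompile with -fPIC" link failure against a static archive built without -fPIC, shows the no-change rebuild with -fPIC fixing it, checks the resulting binary for PIE and immediate binding with readelf, and performs a partial link by passing -r to the driver as described above. All file names (greet.c, main.c, libgreet.a) are constructed for the demonstration; -pie and -Wl,-z,now are passed explicitly so that the script behaves like the 16.10 defaults on any GCC toolchain.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): reproduce the non-PIC static
# library link failure, fix it, and verify PIE + immediate binding on the result.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sources. On x86-64, non-PIC code materialises the address of the
# string literal with a 32-bit absolute relocation (R_X86_64_32), which a PIE
# executable cannot contain.
cat > "$WORK/greet.c" <<'EOF'
const char *greeting(void) { return "hello from the static library"; }
EOF
cat > "$WORK/main.c" <<'EOF'
#include <stdio.h>
const char *greeting(void);
int main(void) { puts(greeting()); return 0; }
EOF

# build_static_lib MODE: MODE is "nopic" or "pic"; archives greet.o into libgreet.a.
build_static_lib() {
    case "$1" in
        pic)   gcc -O0 -fPIC -c "$WORK/greet.c" -o "$WORK/greet.o" ;;
        nopic) gcc -O0 -fno-pic -c "$WORK/greet.c" -o "$WORK/greet.o" ;;
        *)     return 2 ;;
    esac
    rm -f "$WORK/libgreet.a"
    ar rcs "$WORK/libgreet.a" "$WORK/greet.o"
}

# link_pie OUT: link main.c against libgreet.a as a PIE with -z now (the 16.10
# defaults, spelled out). The linker's stderr is kept in link.err.
link_pie() {
    gcc -fPIE -pie -Wl,-z,now "$WORK/main.c" -L"$WORK" -lgreet -o "$1" 2>"$WORK/link.err"
}

# is_pie FILE: succeeds if the ELF header type is DYN, which is how a PIE
# executable appears to readelf.
is_pie() {
    readelf -h "$1" | grep -q 'Type:.*DYN'
}

# has_bind_now FILE: succeeds if the dynamic section asks for immediate binding
# (a BIND_NOW entry, or the NOW bit in FLAGS_1).
has_bind_now() {
    readelf -d "$1" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'
}

# demo: prints "fail-then-ok" when the non-PIC archive breaks the PIE link and the
# -fPIC rebuild fixes it; "ok" if the non-PIC archive linked anyway (architectures
# whose non-PIC code is already position independent); "broken" otherwise.
demo() {
    build_static_lib nopic || return 1
    if link_pie "$WORK/prog"; then
        echo ok; return 0
    fi
    grep -q 'recompile with -fPI' "$WORK/link.err" || { cat "$WORK/link.err" >&2; echo broken; return 1; }
    build_static_lib pic || return 1                     # the no-change rebuild
    link_pie "$WORK/prog" || { cat "$WORK/link.err" >&2; echo broken; return 1; }
    is_pie "$WORK/prog" && has_bind_now "$WORK/prog" || { echo broken; return 1; }
    echo fail-then-ok
}

# partial_link: produce a relocatable object by giving -r to the compiler driver
# (which then omits its implicit -pie) instead of -Wl,-r. -nostdlib keeps crt
# files out of the partial link on older GCC versions.
partial_link() {
    gcc -fPIC -c "$WORK/greet.c" -o "$WORK/greet.o" &&
    gcc -r -nostdlib "$WORK/greet.o" -o "$WORK/greet_rel.o" 2>/dev/null &&
    readelf -h "$WORK/greet_rel.o" | grep -q 'Type:.*REL'
}

demo
partial_link && echo "partial link ok"
```

Run it on an amd64 box and the first link attempt fails with the R_X86_64_32 message quoted above; after the archive is rebuilt with -fPIC the program links and readelf reports both DYN and BIND_NOW. The same two readelf checks are a quick way to confirm that a rebuilt package really picked up the new defaults.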

Failures using ThreadSanitizer

Another source of build failures occurs when building with ThreadSanitizer (aka TSAN), which doesn't work with PIE binaries. These packages need to disable PIE via -no-pie.

Assembler code that is not position independent

Packages containing hand-written assembler code that is not position independent will need to disable PIE via -no-pie.

Other random errors

These will need investigation on a case-by-case basis.

SecurityTeam/PIE (last edited 2016-04-30 00:22:03 by sbeattie)