| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Oct 2016 09:48:17 -0600
From: Shuah Khan <shuahkhan@...il.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>, mmarek@...e.com,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: Ubuntu 16.10 - Linux Kernel build fails - GCC related
On Tue, Oct 18, 2016 at 9:37 AM, Greg KH <gregkh@...uxfoundation.org> wrote:
> On Tue, Oct 18, 2016 at 09:24:20AM -0600, Shuah Khan wrote:
>> After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
>> the following patch is applied to the kernel Makefile. A word of
>> caution for anybody that is planning to update their development
>> systems.
>>
>> https://patchwork.ozlabs.org/patch/616621/
>>
>> Please refer to the Ubuntu 16.10 release notes for more details.
>>
>> https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC
>>
>> Ubuntu is recommended applying this patch for building Linux kernels.
>> I am not sure this is the right way to go. I am hoping this is
>> work-around and patching the kernel Makefile will not be the solution
>> going forward.
>>
>> I haven't seen any patch sent upstream to make this change, so I still
>> hope this is a temporary work-around. Maybe be there is patch that
>> came through and you are aware of this problem?
>
> Does commit 6d92bc9d483a solve this issue for you? That should have
> resolved a -pie issue, back in 4.6, or is this something else?
>
This is a new problem because of a change Ubuntu made in their gcc
version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) it appears.
The Ubuntu 16.10 release notes says:
"We have modified GCC to by-default compile programs with position
independent executable support to improve the security benefits
provided by
Address Space Layout Randomization.
This may cause difficulty when trying to compile Linux kernels that
still need this patch applied.
Other programs may experience other problems; some debugging
guidelines are at https://wiki.ubuntu.com/SecurityTeam/PIE"
The above clearly states a patch needs to applied to the Linux Kernel
makefile. This patch forces no-pie for distro compilers that enable
pie by default
The error I am seeing on 4.9-rc1 is:
CHK include/config/kernel.release
Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong
not supported by compiler
Makefile:1058: recipe for target 'prepare-compiler-check' failed
make: *** [prepare-compiler-check] Error 1
I think CONFIG_CC_STACKPROTECTOR_STRONG is enabled in most distro
configs. So I am not why this should fail now.
Here is the Ubuntu recommended patch for easy reference: (note cut and
paste - probably won't apply) -
https://patchwork.ozlabs.org/patch/616621/
diff --git a/Makefile b/Makefile
index e27da43..e4e8331 100644
--- a/Makefile
+++ b/Makefile
@@ -640,6 +640,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
endif
+# force no-pie for distro compilers that enable pie by default
+KBUILD_CFLAGS += $(call cc-option, -fno-pie)
+KBUILD_CFLAGS += $(call cc-option, -no-pie)
+KBUILD_AFLAGS += $(call cc-option, -fno-pie)
+
# Handle stack protector mode.
#
# Since kbuild can potentially perform two passes (first with the old
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 4086abc..84d1cc8 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -27,6 +27,7 @@ REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -D__KERNEL__ \
-mno-mmx -mno-sse \
$(call cc-option, -ffreestanding) \
$(call cc-option, -fno-stack-protector) \
+ $(call cc-option, -fno-pie) \
$(call cc-option, -mpreferred-stack-boundary=2)
export REALMODE_CFLAGS
@@ -129,7 +130,7 @@ endif
# Make sure compiler does not have buggy stack-protector support.
ifdef CONFIG_CC_STACKPROTECTOR
cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
- ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC)
$(KBUILD_CPPFLAGS) $(biarch)),y)
+ ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) -fno-pie
$(KBUILD_CPPFLAGS) $(biarch)),y)
$(warning stack-protector enabled but compiler support broken)
endif
endif
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 265c0ed..9677975 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -44,6 +44,7 @@ export CPPFLAGS_vdso.lds += -P -C
VDSO_LDFLAGS_vdso.lds = -m64 -Wl,-soname=linux-vdso.so.1 \
-Wl,--no-undefined \
-Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096 \
+ $(call ld-option, -no-pie) \
$(DISABLE_LTO)
$(obj)/vdso64.so.dbg: $(src)/vdso.lds $(vobjs) FORCE
@@ -67,6 +68,7 @@ $(obj)/vdso-image-%.c: $(obj)/vdso%.so.dbg
$(obj)/vdso%.so $(obj)/vdso2c FORCE
CFL := $(PROFILING) -mcmodel=small -fPIC -O2
-fasynchronous-unwind-tables -m64 \
$(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \
-fno-omit-frame-pointer -foptimize-sibling-calls \
+ $(call cc-option, -fno-pie) \
-DDISABLE_BRANCH_PROFILING -DBUILD_VDSO
$(vobjs): KBUILD_CFLAGS += $(CFL)
@@ -140,6 +142,7 @@ KBUILD_CFLAGS_32 := $(filter-out
-mcmodel=kernel,$(KBUILD_CFLAGS_32))
KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32))
KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32))
KBUILD_CFLAGS_32 += -m32 -msoft-float -mregparm=0 -fpic
+KBUILD_CFLAGS_32 += $(call cc-option, -no-pie)
KBUILD_CFLAGS_32 += $(call cc-option, -fno-stack-protector)
KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls)
KBUILD_CFLAGS_32 += -fno-omit-frame-pointer
thanks,
-- Shuah
Powered by blists - more mailing lists