Message-ID: <CAKocOOPbo24Nt_JuNDc7eRmbz3f0soUqbQzHSohWUgxGBAy1sg@mail.gmail.com>
Date:   Tue, 18 Oct 2016 09:48:17 -0600
From:   Shuah Khan <shuahkhan@...il.com>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>, mmarek@...e.com,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: Ubuntu 16.10 - Linux Kernel build fails - GCC related

On Tue, Oct 18, 2016 at 9:37 AM, Greg KH <gregkh@...uxfoundation.org> wrote:
> On Tue, Oct 18, 2016 at 09:24:20AM -0600, Shuah Khan wrote:
>> After upgrading to Ubuntu 16.10, I can't build kernels anymore unless
>> the following patch is applied to the kernel Makefile. A word of
>> caution for anybody that is planning to update their development
>> systems.
>>
>> https://patchwork.ozlabs.org/patch/616621/
>>
>> Please refer to the Ubuntu 16.10 release notes for more details.
>>
>> https://wiki.ubuntu.com/YakketyYak/ReleaseNotes#GCC
>>
>> Ubuntu is recommending applying this patch for building Linux kernels.
>> I am not sure this is the right way to go. I am hoping this is a
>> work-around and patching the kernel Makefile will not be the solution
>> going forward.
>>
>> I haven't seen any patch sent upstream to make this change, so I still
>> hope this is a temporary work-around. Maybe there is a patch that
>> came through and you are aware of this problem?
>
> Does commit 6d92bc9d483a solve this issue for you?  That should have
> resolved a -pie issue, back in 4.6, or is this something else?
>

This is a new problem because of a change Ubuntu made in their gcc
version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) it appears.

The Ubuntu 16.10 release notes say:

"We have modified GCC to by-default compile programs with position
independent executable support to improve the security benefits
provided by Address Space Layout Randomization.

This may cause difficulty when trying to compile Linux kernels that
still need this patch applied.
Other programs may experience other problems; some debugging
guidelines are at https://wiki.ubuntu.com/SecurityTeam/PIE"

The above clearly states a patch needs to be applied to the Linux Kernel
makefile. This patch forces no-pie for distro compilers that enable
pie by default.

The error I am seeing on 4.9-rc1 is:

 CHK     include/config/kernel.release
Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
Makefile:1058: recipe for target 'prepare-compiler-check' failed
make: *** [prepare-compiler-check] Error 1

I think CONFIG_CC_STACKPROTECTOR_STRONG is enabled in most distro
configs. So I am not sure why this should fail now.

Here is the Ubuntu recommended patch for easy reference: (note cut and
paste - probably won't apply) -
https://patchwork.ozlabs.org/patch/616621/

diff --git a/Makefile b/Makefile
index e27da43..e4e8331 100644
--- a/Makefile
+++ b/Makefile
@@ -640,6 +640,11 @@  ifneq ($(CONFIG_FRAME_WARN),0)
 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif

+# force no-pie for distro compilers that enable pie by default
+KBUILD_CFLAGS += $(call cc-option, -fno-pie)
+KBUILD_CFLAGS += $(call cc-option, -no-pie)
+KBUILD_AFLAGS += $(call cc-option, -fno-pie)
+
 # Handle stack protector mode.
 #
 # Since kbuild can potentially perform two passes (first with the old
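
Review bot: In the new top-level block, `KBUILD_CFLAGS += $(call cc-option, -no-pie)`
adds the link-mode driver spelling to the flags used for compiling objects,
directly after `-fno-pie` has already been appended to the same variable. The
code-generation flag is the one that matters for compile steps, so consider
dropping the `-no-pie` line here or moving it to where link flags are set. The
comment should also state what fails without the override, so that it is not
later removed as an apparent hardening regression.
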
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 4086abc..84d1cc8 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -27,6 +27,7 @@  REALMODE_CFLAGS := $(M16_CFLAGS) -g -Os -D__KERNEL__ \
    -mno-mmx -mno-sse \
    $(call cc-option, -ffreestanding) \
    $(call cc-option, -fno-stack-protector) \
+   $(call cc-option, -fno-pie) \
    $(call cc-option, -mpreferred-stack-boundary=2)
 export REALMODE_CFLAGS

@@ -129,7 +130,7 @@  endif
 # Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
  cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC)
$(KBUILD_CPPFLAGS) $(biarch)),y)
+        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) -fno-pie
$(KBUILD_CPPFLAGS) $(biarch)),y)
                 $(warning stack-protector enabled but compiler support broken)
         endif
 endif
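
Review bot: On the changed `ifneq` line, `-fno-pie` is passed to the
has-stack-protector script unconditionally, while every other addition in this
patch wraps the flag in `$(call cc-option, ...)`. A compiler that does not
recognise `-fno-pie` would then fail the probe and produce the "stack-protector
enabled but compiler support broken" warning for an unrelated reason. Suggest
`$(CC) $(call cc-option, -fno-pie) $(KBUILD_CPPFLAGS) $(biarch)` so the probe
only gains the flag where the compiler accepts it.
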
diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index 265c0ed..9677975 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -44,6 +44,7 @@  export CPPFLAGS_vdso.lds += -P -C
 VDSO_LDFLAGS_vdso.lds = -m64 -Wl,-soname=linux-vdso.so.1 \
  -Wl,--no-undefined \
  -Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096 \
+ $(call ld-option, -no-pie) \
  $(DISABLE_LTO)

 $(obj)/vdso64.so.dbg: $(src)/vdso.lds $(vobjs) FORCE
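
Review bot: In `VDSO_LDFLAGS_vdso.lds`, the added `$(call ld-option, -no-pie)`
sits among flags written in compiler-driver form (`-m64`, `-Wl,...`), so the
value is consumed by the compiler driver, yet `ld-option` probes the linker.
The probe result can therefore disagree with what the driver actually accepts.
Suggest probing through `$(CC)` instead, so that the test matches the tool that
receives the flag.
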
@@ -67,6 +68,7 @@  $(obj)/vdso-image-%.c: $(obj)/vdso%.so.dbg
$(obj)/vdso%.so $(obj)/vdso2c FORCE
 CFL := $(PROFILING) -mcmodel=small -fPIC -O2
-fasynchronous-unwind-tables -m64 \
        $(filter -g%,$(KBUILD_CFLAGS)) $(call cc-option, -fno-stack-protector) \
        -fno-omit-frame-pointer -foptimize-sibling-calls \
+       $(call cc-option, -fno-pie) \
        -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO

 $(vobjs): KBUILD_CFLAGS += $(CFL)
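
Review bot: In `CFL`, the added `$(call cc-option, -fno-pie)` follows an
explicit `-fPIC` on the first line of the same assignment, and nothing in the
hunk documents how the two are meant to combine. The vdso objects have to stay
position-independent, so please add a comment saying that only the distro PIE
default is being switched off here, or drop the line if the explicit `-fPIC`
already takes precedence over that default.
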
@@ -140,6 +142,7 @@  KBUILD_CFLAGS_32 := $(filter-out
-mcmodel=kernel,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out -fno-pic,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 := $(filter-out -mfentry,$(KBUILD_CFLAGS_32))
 KBUILD_CFLAGS_32 += -m32 -msoft-float -mregparm=0 -fpic
+KBUILD_CFLAGS_32 += $(call cc-option, -no-pie)
 KBUILD_CFLAGS_32 += $(call cc-option, -fno-stack-protector)
 KBUILD_CFLAGS_32 += $(call cc-option, -foptimize-sibling-calls)
 KBUILD_CFLAGS_32 += -fno-omit-frame-pointer
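
Review bot: The added `KBUILD_CFLAGS_32 += $(call cc-option, -no-pie)` uses the
link-mode spelling in a compile-flags variable, whereas the other compile-flag
additions in this patch (`REALMODE_CFLAGS`, `CFL`) use `-fno-pie`. If the
intent is to stop PIE code generation for the 32-bit vdso objects, this should
probably read `-fno-pie`, and its interaction with the `-fpic` added on the
line above deserves a one-line comment.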

thanks,
-- Shuah
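
To tell whether a toolchain is one of the PIE-by-default distro compilers the release notes describe, the script below classifies a compiler from its predefined macros and probes whether it accepts the flags the patch adds. It is an added example, not part of the original mail or the kernel tree; the function names and the sample macro dump are made up for illustration.

```shell
# pie_mode_from_macros: reads `cc -dM -E - </dev/null` output on stdin.
# GCC defines __PIE__/__pie__ under -fpie/-fPIE and __PIC__/__pic__ for any
# position-independent code. Prints "pie", "pic" or "none".
pie_mode_from_macros() {
    awk '
        $1 == "#define" && ($2 == "__PIE__" || $2 == "__pie__") { pie = 1 }
        $1 == "#define" && ($2 == "__PIC__" || $2 == "__pic__") { pic = 1 }
        END { print (pie ? "pie" : (pic ? "pic" : "none")) }
    '
}

# cc_default_mode CC [FLAGS...]: classify a real compiler, optionally with
# extra flags such as -fno-pie. A missing compiler yields "none".
cc_default_mode() {
    _cc=$1; shift
    "$_cc" "$@" -dM -E - </dev/null 2>/dev/null | pie_mode_from_macros
}

# cc_accepts CC FLAG: succeeds if CC compiles an empty translation unit with
# FLAG under -Werror (the same idea as a compile-time option probe).
cc_accepts() {
    _tmp=$(mktemp) || return 2
    if "$1" -Werror "$2" -c -x c /dev/null -o "$_tmp" >/dev/null 2>&1
    then _rc=0; else _rc=1; fi
    rm -f "$_tmp"
    return "$_rc"
}

# Constructed sample: macro dump shaped like that of a PIE-by-default gcc.
SAMPLE_PIE_DUMP='#define __pie__ 2
#define __PIE__ 2
#define __pic__ 2
#define __PIC__ 2
#define __x86_64__ 1'

# report CC: print the default mode, the mode under -fno-pie, and which of
# the two spellings used in the patch the compiler accepts.
report() {
    echo "$1 default mode:  $(cc_default_mode "$1")"
    echo "$1 with -fno-pie: $(cc_default_mode "$1" -fno-pie)"
    for f in -fno-pie -no-pie; do
        if cc_accepts "$1" "$f"; then echo "$1 accepts $f"
        else echo "$1 rejects $f"; fi
    done
}

# Query a real compiler only when one is named on the command line.
if [ $# -gt 0 ]; then report "$1"; fi
```

Run it as `sh script.sh gcc`; a default mode of "pie" that changes under `-fno-pie` indicates a compiler built with PIE enabled by default.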
