Bug#596150: [hardening-includes] No documentation how to filter *_PIE which breaks building of shared objects

[Emil Langrock]

Package: hardening-includes
Version: 1.29
Severity: normal

I tried to use the file to find the correct flags for a project. It simply
included it as specified in the file

/usr/share/hardening-includes/hardening.make

And in my main Makefile i did something like 

export CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
export LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)


but omg, it killed the compilation completely. The reason seems to be the pie
stuff. So I could disable the PIE  of course, but when thinking about
package management then we would have the problem that packages which are
shared objects and executables that we automatically kill pie for them.

So just in case I am completely wrong in what I am doing:

$ echo 'void test(void) {} void bla(void) { test(); }' > test.c && gcc -fPIE 
-pie -fPIC test.c -shared -o test.so 
/usr/bin/ld: /tmp/ccIJdd5j.o: relocation R_X86_64_PC32 against symbol `test' 
can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status


$ echo 'void test(void) {} void bla(void) { test(); }' > test.c && gcc -shared 
-fPIE -pie -fPIC test.c  -o test.so
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 0 has 
invalid symbol index 11
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 1 has 
invalid symbol index 12
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 2 has 
invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 3 has 
invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 4 has 
invalid symbol index 11
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 5 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 6 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 7 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 8 has 
invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 9 has 
invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 10 has 
invalid symbol index 12
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 11 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 12 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 13 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 14 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 15 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 16 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 17 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 18 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 19 has 
invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 20 has 
invalid symbol index 21
/usr/lib/gcc/x86_64-linux-gnu/4.4.5/../../../../lib/Scrt1.o: In function 
`_start':
(.text+0x20): undefined reference to `main'
collect2: ld returned 1 exit status

I am personally don't think that I make it soooo wrong, because I have
that problem also with cmake generated projects.

I know that there exist HARDENING_DISABLE_PIE_*FLAGS_FILTER -
but there is no documentation how I should (as package
maintainer) filter it specific for libraries, but still build
executables as PIE (using white/blacklisting from hardening-includes).

So this is not about the pie break at all, but missing documentation
how to filter it for specific build systems like automake, cmake, ...


The rest stuff is really amazing. Keep on the good work.

--- System information. ---
Architecture: amd64
Kernel:       Linux 2.6.35-trunk-amd64

Debian Release: squeeze/sid
  500 unstable        www.debian-multimedia.org 
  500 unstable        ftp.debian.org 
  500 testing         ftp.debian.org 
  500 stable          ftp.debian.org 
    1 experimental    ftp.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.




-- 
Emil Langrock



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org