[FFmpeg-devel] [PATCH] configure: Enable pie for toolchain=hardened.

Carl Eugen Hoyos ceffmpeg at gmail.com
Thu Oct 13 00:44:27 EEST 2016


2016-10-12 19:04 GMT+02:00 Andreas Cadhalpun <andreas.cadhalpun at googlemail.com>:
> On 04.10.2016 12:24, Carl Eugen Hoyos wrote:
>> Sorry if I miss something but with this patch, the hardening_check
>> script succeeds here both for x86_32 and x86_64 (static and shared).
>
> This script uses a very simplistic approach for testing position
> independent executables.
> I think it just does the equivalent of 'readelf -h $PROGRAM | grep Type'.
> If the Type is EXEC, it's a normal executable, and if it is DYN, it
> assumes it's compiled as PIE.

> However, that doesn't guarantee that the executable is actually position
> independent, i.e. does not contain text relocations.

My understanding of PIE is (very) limited but I suspect text relocations
and PIE do not exclude each other.

>> --- a/configure
>> +++ b/configure
>> @@ -3577,6 +3577,8 @@ case "$toolchain" in
>>          add_cppflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
>>          add_cflags   -fno-strict-overflow -fstack-protector-all
>>          add_ldflags  -Wl,-z,relro -Wl,-z,now
>> +        add_cflags   -fPIE
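Review bot: the added `add_cflags -fPIE` at the end of the hardened case applies to every object in the build, including the objects that go into libavcodec and friends when shared libraries are enabled, and per the gcc manual quoted further down in this thread, code generated with -fPIE "can be only linked into executables". Suggest making the flag conditional (only when shared libraries are not being built), or leaving library objects to the existing --enable-pic handling and restricting PIE to the executable link step, so that toolchain=hardened does not change the compile flags of objects that end up in a .so.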
>
> I think this should be -fPIC, at least when building shared libraries.

Afaiu, shared libraries and PIE do exclude each other, pic is already
supported in FFmpeg (--enable-pic) but this patch is only meant for
PIE.

> That's how I understand the gcc manual [1]:
> -fpie
> -fPIE
>     These options are similar to -fpic and -fPIC, but generated position
>     independent code can be only linked into executables.

So shared libraries and PIE exclude each other but PIE is for
static linking what pic is for dynamic linking.
Good to know!

>> +        add_ldexeflags -fPIE -pie
>>      ;;
>>      ?*)
>>          die "Unknown toolchain $toolchain"
>> -- 1.7.10.4
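Review bot: `add_ldexeflags -fPIE -pie` is added unconditionally for toolchain=hardened, while this thread points out that PIE is not usable on hppa and m68k ([2]); consider gating the line on the target architecture or probing the flags with configure's link-flag tests, so that a hardened build on those targets still links. A short comment above the two new lines saying that -fPIE/-pie is what makes the executables relocatable for ASLR, and that this is distinct from --enable-pic, would also help the next reader of this block.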
>
> In general, enabling PIE for toolchain=hardened is a good idea.

> But according to [2] PIE doesn't work on hppa and m68k, so it
> shouldn't get enabled for these architectures.

I was convinced that my ancient Linux system wouldn't know
about ASLR but to my surprise, I was able to reproduce that
my patch actually works (56bit entropy iiuc).
My hppa test-system is currently down (and all reports about
pie not working on hppa seem to be from 2008). I will try to test;
in any case, I will commit the patch soon.

I will not be able to test on m68k.

Carl Eugen
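The thread above describes hardening_check as looking only at the ELF header type (EXEC versus DYN) and notes that a DYN executable may still carry text relocations. The following is an added example, not code from the thread, from the hardening_check script or from FFmpeg: a small ELF64 checker that performs both tests, reading e_type from the header and then walking the PT_DYNAMIC segment for DT_TEXTREL or DF_TEXTREL in DT_FLAGS. The ELF images it is run on are constructed inline with struct.pack and are not real binaries; the function and constant names are this example's own.

```python
"""Minimal ELF64 PIE / text-relocation checker (added example)."""
import struct

# ELF constants (values from the ELF64 specification)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4
EM_X86_64 = 62

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, little-endian ELF64
PHDR_FMT = "<IIQQQQQQ"           # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
DYN_FMT = "<qQ"                  # d_tag, d_val
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56


def elf_type(data: bytes) -> int:
    """Return e_type; this is all that 'readelf -h | grep Type' tells you."""
    ident, e_type = struct.unpack_from("<16sH", data, 0)
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    return e_type


def dynamic_entries(data: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, if any."""
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        if p_type != PT_DYNAMIC:
            continue
        off, end = p_offset, p_offset + p_filesz
        while off + struct.calcsize(DYN_FMT) <= end:
            tag, val = struct.unpack_from(DYN_FMT, data, off)
            if tag == DT_NULL:
                return
            yield tag, val
            off += struct.calcsize(DYN_FMT)


def has_text_relocations(data: bytes) -> bool:
    """True if the dynamic section says the loader must patch .text."""
    for tag, val in dynamic_entries(data):
        if tag == DT_TEXTREL:
            return True
        if tag == DT_FLAGS and val & DF_TEXTREL:
            return True
    return False


def classify(data: bytes) -> str:
    """Combine both checks into one verdict."""
    e_type = elf_type(data)
    if e_type == ET_EXEC:
        return "EXEC (not PIE)"
    if e_type != ET_DYN:
        return "not an executable"
    if has_text_relocations(data):
        return "DYN with text relocations"
    return "DYN, no text relocations (PIE)"


def build_image(e_type: int, dyn: list) -> bytes:
    """Construct a tiny ELF64 image (header + one PT_DYNAMIC phdr + .dynamic).

    Constructed test input only; it is not loadable and has no code.
    """
    phoff = EHDR_SIZE
    dyn_off = phoff + PHDR_SIZE
    dyn_blob = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn + [(DT_NULL, 0)])
    phdr = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dyn_blob), len(dyn_blob), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, EM_X86_64, 1, 0, phoff, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    return ehdr + phdr + dyn_blob


if __name__ == "__main__":
    for name, img in [("plain exec", build_image(ET_EXEC, [])),
                      ("clean pie", build_image(ET_DYN, [])),
                      ("pie with TEXTREL", build_image(ET_DYN, [(DT_TEXTREL, 0)])),
                      ("pie with DF_TEXTREL", build_image(ET_DYN, [(DT_FLAGS, DF_TEXTREL)]))]:
        print(f"{name:22s} -> {classify(img)}")
```

On a real binary the same two questions are answered by `readelf -h FILE | grep Type` and `readelf -d FILE | grep TEXTREL`; the second line is the one the simplistic check described above omits, and it is the one that fails when a PIE link pulled in objects that were not compiled with -fPIE or -fPIC.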