Hi Pierre,

This is better discussed on the hardening-discuss mailing list (Cc'd).

On Mon, Apr 14, 2008 at 09:48:11AM +0200, Pierre Chifflier wrote:
> It seems that with current versions from unstable, programs using cmake
> can't be built with hardening options on.
> Even the simplest cmake project fails:
>
> $ cat CMakeLists.txt
> PROJECT(coin C)
>
> $ DEB_BUILD_HARDENING=1 cmake .
> -- Check for working C compiler: /usr/bin/gcc
> -- Check for working C compiler: /usr/bin/gcc -- broken
> CMake Error: The C compiler "/usr/bin/gcc" is not able to compile a
> simple test program.

If you're using the hardening options and something goes wrong, a good
first step is to add DEB_BUILD_HARDENING_DEBUG=1 (as shown in the man page)
to see specifically what commands are being run:

$ DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_DEBUG=1 cmake .
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- broken
CMake Error: The C compiler "/usr/bin/gcc" is not able to compile a simple test program.
It fails with the following output:
/usr/bin/make -f CMakeFiles/cmTryCompileExec.dir/build.make CMakeFiles/cmTryCompileExec.dir/build
make[1]: Entering directory `/tmp/ow/CMakeFiles/CMakeTmp'
/usr/bin/cmake -E cmake_progress_report /tmp/ow/CMakeFiles/CMakeTmp/CMakeFiles 1
Building C object CMakeFiles/cmTryCompileExec.dir/testCCompiler.o
/usr/bin/gcc -o CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -c /tmp/ow/CMakeFiles/CMakeTmp/testCCompiler.c
gcc-4.2 -fstack-protector -fPIE -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -o CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -c /tmp/ow/CMakeFiles/CMakeTmp/testCCompiler.c
/usr/bin/gcc-4.2.real -fstack-protector -fPIE -Wformat -Wformat-security -fstack-protector -fPIE -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -o CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -c /tmp/ow/CMakeFiles/CMakeTmp/testCCompiler.c

compilation was okay, however...

Linking C executable cmTryCompileExec
/usr/bin/cmake -P CMakeFiles/cmTryCompileExec.dir/cmake_clean_target.cmake
/usr/bin/gcc -fPIC "CMakeFiles/cmTryCompileExec.dir/testCCompiler.o" -o cmTryCompileExec -rdynamic
gcc-4.2 -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fPIC CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -o cmTryCompileExec -rdynamic
/usr/bin/gcc-4.2.real -fstack-protector -Wformat -Wformat-security -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fPIC CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -o cmTryCompileExec -rdynamic
/usr/bin/ld.real -z relro -pie --eh-frame-hdr -m elf_x86_64 --hash-style=both -export-dynamic -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o cmTryCompileExec /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.2.3/crtbegin.o -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3 -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3 -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../.. CMakeFiles/cmTryCompileExec.dir/testCCompiler.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/x86_64-linux-gnu/4.2.3/crtend.o /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crtn.o
/usr/bin/ld.real: /usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64/crt1.o: could not read symbols: Bad value
collect2: ld returned 1 exit status

linking failed.

Seeing the "relocation R_X86_64_32S against `__libc_csu_fini' can not be
used when making a shared object; recompile with -fPIC" error is a hint to
me that this is related to attempting a PIE build and failing.

To try the wrapper without PIE hardening, use DEB_BUILD_HARDENING_PIE=0:

$ DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_PIE=0 DEB_BUILD_HARDENING_DEBUG=1 cmake .
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- works
-- Check size of void*
-- Check size of void* - done
-- Configuring done
-- Generating done

> Is there a known solution or workaround? (I'll ask on the cmake list at
> the same time).

This seems to be a bug in the hardening-wrapper. Cmake is doing builds in
a way that wasn't expected (i.e. passing -fPIC during an executable build,
which disables PIE at the compiler level, but the linker will still attempt
to do it). While I think cmake is being weird, it is still a valid command
line (/usr/bin/gcc -fPIC "CMakeFiles/cmTryCompileExec.dir/testCCompiler.o"
-o cmTryCompileExec -rdynamic).

-Kees

--
Kees Cook @outflux.net
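
The mismatch visible in the failing ld.real line of the message above, as an added check that is not part of the original message or of hardening-wrapper: the linker was given -pie while gcc, which was never asked for a PIE, selected the non-PIC crt1.o start file rather than Scrt1.o. The function name check_pie_link and the shortened sample command lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a linker command line (as printed with
# DEB_BUILD_HARDENING_DEBUG=1) by whether -pie agrees with the C start
# file gcc selected. check_pie_link is a hypothetical helper name.
#
# Prints one of:
#   mismatch  -pie together with the non-PIC crt1.o (the failure above)
#   pie       -pie together with Scrt1.o (consistent PIE link)
#   no-pie    no -pie on the command line
#   shared    -shared link, executable start files do not apply
#   unknown   -pie but no crt1.o/Scrt1.o argument was seen
check_pie_link() {
    pie=0 shared=0 startfile=none
    for arg in "$@"; do
        case "$arg" in
            -pie|--pic-executable) pie=1 ;;
            -shared|-Bshareable)   shared=1 ;;
            */Scrt1.o|Scrt1.o)     startfile=Scrt1 ;;
            */crt1.o|crt1.o)       startfile=crt1 ;;
        esac
    done
    if [ "$shared" -eq 1 ]; then echo shared
    elif [ "$pie" -eq 0 ]; then echo no-pie
    elif [ "$startfile" = crt1 ]; then echo mismatch
    elif [ "$startfile" = Scrt1 ]; then echo pie
    else echo unknown
    fi
}

# Constructed samples, shortened from the ld.real line in the log.
CRT=/usr/lib/gcc/x86_64-linux-gnu/4.2.3/../../../../lib64
OBJ=CMakeFiles/cmTryCompileExec.dir/testCCompiler.o

# As logged: the ld wrapper added -pie, gcc chose crt1.o.
check_pie_link -z relro -pie -m elf_x86_64 -o cmTryCompileExec \
    "$CRT/crt1.o" "$CRT/crti.o" "$OBJ" -lc "$CRT/crtn.o"

# Same link with PIE hardening off (no -pie added).
check_pie_link -z relro -m elf_x86_64 -o cmTryCompileExec \
    "$CRT/crt1.o" "$CRT/crti.o" "$OBJ" -lc "$CRT/crtn.o"

# What a consistent PIE link looks like: -pie with Scrt1.o.
check_pie_link -z relro -pie -m elf_x86_64 -o cmTryCompileExec \
    "$CRT/Scrt1.o" "$CRT/crti.o" "$OBJ" -lc "$CRT/crtn.o"
```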

