On 5/6/24 5:14 PM, Fangrui Song wrote:
On Mon, May 6, 2024 at 5:05 PM Kees Cook <keescook@chromium.org> wrote:
On Mon, May 06, 2024 at 04:30:27PM -0700, Fangrui Song wrote:
On Tue, Apr 16, 2024 at 10:28 AM Kees Cook <keescook@chromium.org> wrote:
On Tue, Apr 16, 2024 at 08:28:29PM +0500, Muhammad Usama Anjum wrote:
The -static overrides the -pie and binaries aren't position independent anymore. Use -static-pie instead which would produce a static and position independent binary. This has been caught by clang's warnings:
clang: warning: argument unused during compilation: '-pie' [-Wunused-command-line-argument]
Tested with both gcc and clang after this change.
Fixes: 4d1cd3b2c5c1 ("tools/testing/selftests/exec: fix link error")
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Thanks for this!
Reviewed-by: Kees Cook <keescook@chromium.org>
-- Kees Cook
GCC versions before 8.1 do not support -static-pie, while https://www.kernel.org/doc/html/next/process/changes.html says the minimal version is GCC 5.1. Is this a problem?
If not, and CFLAGS is guaranteed to include -fpie/-fpic/-fPIE/-fPIC (PIC), using -static-pie looks good to me.
Should we use this alternative, which may be more portable? https://lore.kernel.org/all/20240504022301.35250-1-jhubbard@nvidia.com/
-Kees
s/-fPIE -static/-static/ then it looks good to me :)
hmm, maybe that is better, considering that -static-pie is relatively new (as you pointed out in the other thread), and would break the minimum kernel gcc version requirements.
-static creates a position-dependent executable. It doesn't matter whether the compiler uses -fno-pic/-fpie/-fpic codegen, so -fPIE can be removed.
This is something I'd have to take your word for. The whole PIE story is not completely clear to me, but if you're sure it is not required here, then of course leaving it out entirely works nicely...
thanks,
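
Added example, not part of the thread and not code from the kernel tree: a small ELF header check that tells apart the link results discussed above (position-dependent static from -static, static PIE from -static-pie, ordinary dynamic PIE). It assumes a 64-bit little-endian executable as input (a shared library is also ET_DYN without PT_INTERP), and build_sample() is a hypothetical helper that constructs header-only test images.

```python
import struct

ET_EXEC, ET_DYN = 2, 3               # e_type values from the ELF specification
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

def classify_elf(data: bytes) -> str:
    """Classify an ELF64 little-endian executable by how it is loaded."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 little-endian is handled")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_phnum and e_phentsize < 56:
        raise ValueError("bad program header entry size")
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table is truncated")
    # p_type is the first 32-bit field of every program header entry.
    ptypes = {struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)}
    # PT_INTERP names the dynamic loader; static links do not have one.
    dynamic = PT_INTERP in ptypes
    if e_type == ET_EXEC:
        return ("dynamic" if dynamic else "static") + ", position-dependent"
    if e_type == ET_DYN:
        # Assumption: the input is an executable, not a shared library.
        return "dynamic PIE" if dynamic else "static PIE"
    raise ValueError("not an executable (e_type=%d)" % e_type)

def build_sample(e_type: int, ptypes: list) -> bytes:
    """Constructed header-only ELF image for the demo (not a runnable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<II6Q", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in ptypes)
    return ehdr + phdrs

if __name__ == "__main__":
    samples = {
        "-static": build_sample(ET_EXEC, [PT_LOAD]),
        "-static-pie": build_sample(ET_DYN, [PT_LOAD, PT_DYNAMIC]),
        "-pie": build_sample(ET_DYN, [PT_LOAD, PT_INTERP, PT_DYNAMIC]),
    }
    for flag, image in samples.items():
        print(flag, "->", classify_elf(image))
```

On a real build, pass the file's bytes (open(path, "rb").read()) to classify_elf() to confirm which kind of binary the chosen flags actually produced.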