[FFmpeg-devel] [PATCH]configure: Enable pie for toolchain=hardened.
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Wed Oct 12 20:04:43 EEST 2016
On 04.10.2016 12:24, Carl Eugen Hoyos wrote:
> Sorry if I miss something but with this patch, the hardening_check
> script succeeds here both for x86_32 and x86_64 (static and shared).
This script uses a very simplistic approach for testing position
independent executables.
I think it just does the equivalent of 'readelf -h $PROGRAM | grep Type'.
If the Type is EXEC, it's a normal executable, and if it is DYN, it
assumes it's compiled as PIE.
However, that doesn't guarantee that the executable is actually position
independent, i.e. does not contain text relocations.
> --- a/configure
> +++ b/configure
> @@ -3577,6 +3577,8 @@ case "$toolchain" in
> add_cppflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
> add_cflags -fno-strict-overflow -fstack-protector-all
> add_ldflags -Wl,-z,relro -Wl,-z,now
> + add_cflags -fPIE
I think this should be -fPIC, at least when building shared libraries.
That's how I understand the gcc manual [1]:
-fpie
-fPIE
These options are similar to -fpic and -fPIC, but generated position
independent code can be only linked into executables.
> + add_ldexeflags -fPIE -pie
> ;;
> ?*)
> die "Unknown toolchain $toolchain"
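Review bot: `add_cflags -fPIE` in this hunk is applied to every object, including those that end up in the shared libraries, while the gcc manual quoted above says -fPIE-generated code can only be linked into executables; objects destined for shared libs should get `add_cflags -fPIC`, with `-fPIE -pie` kept on the executable link line only (the `add_ldexeflags` line already does that). The hunk also turns PIE on unconditionally for toolchain=hardened, but the reply notes PIE does not work on hppa and m68k, so the case should skip those architectures.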
> -- 1.7.10.4
In general, enabling PIE for toolchain=hardened is a good idea.
But according to [2] PIE doesn't work on hppa and m68k, so it shouldn't get
enabled for these architectures.
On 05.10.2016 15:14, Carl Eugen Hoyos wrote:
> I would have expected that this (pie) patch does not work on x86_32
> but the binary runs fine here: Am I missing something or should I
> apply to get this tested?
The problem on x86_32 is that libavcodec, libavutil, etc. use
text relocations in hand-written assembler code, so these libraries
won't be position independent, unless using --disable-asm.
Now, when producing shared libraries, the ffmpeg binary is actually
position independent, just not libavcodec, libavutil...
However, when linking statically, the ffmpeg binary contains the
text relocations from the hand-written assembler code and is thus
not really position independent.
This can be tested e.g. with scanelf from pax-utils [3].
* shared PIE build on x86_32 (no text relocations):
$ scanelf -t ./ffmpeg
TYPE TEXTREL FILE
ET_DYN - ./ffmpeg
* static PIE build on x86_32 (with text relocations):
$ scanelf -t ./ffmpeg
TYPE TEXTREL FILE
ET_DYN TEXTREL ./ffmpeg
The '-T' option shows where exactly the text relocations are.
Best regards,
Andreas
1: https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html
2: https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29
3: https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities
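The check the mail describes, as an added example written for this page (not FFmpeg's, pax-utils' or hardening_check's own code): it reads the ELF type the way hardening_check does, then walks the PT_DYNAMIC segment for DT_TEXTREL or DF_TEXTREL the way scanelf -t does, so an ET_DYN binary that still carries text relocations is flagged. It handles ELF32 and ELF64; the ELF images it examines are constructed inline as sample input, mirroring the two scanelf results above.

```python
import struct
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 16, 30, 0x4
ELF_TYPES = {2: "ET_EXEC", 3: "ET_DYN"}

def scan_elf(data):
    """Return (ELF type, has_textrel): the type is all hardening_check looks at, TEXTREL is what scanelf -t adds."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    en = "<" if data[5] == 1 else ">"                      # EI_DATA: 1 = little-endian
    if data[4] == 2:                                        # EI_CLASS: 2 = ELF64
        e_phoff = struct.unpack_from(en + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(en + "HH", data, 54)
        ph_fmt, off_i, size_i, dyn_fmt = en + "IIQQQQQQ", 2, 5, en + "qQ"
    else:                                                   # ELFCLASS32, e.g. an x86_32 build
        e_phoff = struct.unpack_from(en + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(en + "HH", data, 42)
        ph_fmt, off_i, size_i, dyn_fmt = en + "IIIIIIII", 1, 4, en + "iI"
    e_type = struct.unpack_from(en + "H", data, 16)[0]
    textrel = False
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        pos, end = ph[off_i], ph[off_i] + ph[size_i]
        while pos < end:                                    # walk the .dynamic entries
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
            pos += struct.calcsize(dyn_fmt)
    return ELF_TYPES.get(e_type, "ET_%d" % e_type), textrel

def build_elf64(e_type, dyn_tags):
    """Constructed sample input: minimal little-endian ELF64 image with one PT_DYNAMIC segment."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)    # ELF64, little-endian, ELF version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)  # dyn at 64+56
    return ehdr + phdr + dyn

# Constructed samples mirroring the mail: clean shared PIE, static PIE with text relocations, non-PIE exec
CLEAN_PIE = build_elf64(3, [(DT_FLAGS, 0x8)])             # DF_BIND_NOW only (from -z now)
TEXTREL_PIE = build_elf64(3, [(DT_TEXTREL, 0), (DT_FLAGS, DF_TEXTREL)])
PLAIN_EXEC = build_elf64(2, [])

def report(name, data):
    """One line in the 'TYPE TEXTREL FILE' layout used by scanelf -t."""
    kind, textrel = scan_elf(data)
    return "%-8s %-8s %s" % (kind, "TEXTREL" if textrel else "-", name)
```

To check a real build, pass the file contents (open(path, "rb").read()) to scan_elf or report; an ET_DYN result alone is not enough, the TEXTREL column has to be clear as well.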