[GHC] #9007: fails to build with hardening flags enabled (relocation R_X86_64_32 against `stg_CHARLIKE_closure'...)
GHC
ghc-devs at haskell.org
Fri Jun 26 05:31:13 UTC 2015
#9007: fails to build with hardening flags enabled (relocation R_X86_64_32 against
`stg_CHARLIKE_closure'...)
-------------------------------------+-------------------------------------
Reporter: nomeata | Owner: nomeata
Type: bug | Status: infoneeded
Priority: high | Milestone: 7.12.1
Component: Compiler | Version: 7.9
Resolution: | Keywords:
Operating System: Unknown/Multiple | Architecture: Unknown/Multiple
Type of failure: Building GHC failed | Test Case:
Blocked By: | Blocking:
Related Tickets: | Differential Revisions:
-------------------------------------+-------------------------------------
Comment (by mitchty):

It appears I'm hitting an instance of this, or a related case after
porting ghc to Alpine Linux. Though the situation I'm encountering is
slightly different, the error I see is the same as rwbarton noted earlier
with the stg function.

What I am seeing with a ghc --make test.hs compile of a really simple
Haskell program:

https://gist.githubusercontent.com/mitchty/296be0fd030aba6aa7b5/raw/f845993582c32e9b8e4e1752d64f7f1a9b3fc1aa/make.out

If you note from that make.out example, stg_bh_upd_frame_info is not PIC
after it's been statically linked.

To explain a bit more, Alpine Linux is set up to compile with PIE
executables by default, as well as PIC libraries. This can be changed for
errant things which cannot use ASLR if needed, but the default ABI
requires PIE/PIC. Effectively Alpine Linux is running the same as Debian
when hardened. However, if necessary, you can use an escape hatch of -nopie
-fno-PIC, which is how I had to port ghc.

This presents a problem however, as it appears ghc will not emit PIC
assembly in this case. Nor is there apparently an option to do so that one
can toggle via configure or autotools or editing the settings file
directly to achieve that goal.

What would appear to be needed here after chatting with rwbarton on IRC is
some way to have ghc emit PIC assembly on Linux x86_64 platforms when
necessary. Note that in the case of Alpine Linux, we would want PIC/PIE to
always be on. For Debian hardened that may not hold true in that ghc
itself might need to be built as a PIE executable but executables it
creates in this situation may not need to be PIE.

As an example, gcc on Alpine Linux has the following macros set by default
with no feature switches enabled to gcc:

    $ echo ";" | gcc -E -dD -c -| grep PIC
    #define __PIC__ 2
    $ echo ";" | gcc -E -dD -c -| grep PIE
    #define __PIE__ 2

Also note, unlike the Debian hardening, there is no easy way to change
these defaults outside of possibly recompiling gcc. From the discussion in
IRC the following two options seem reasonable:

- Add a value to the settings file to control if ghc will emit PIC
  assembly by default or not
- Possibly attempt to detect that the Linux in use requires PIC/PIE via
  some trick like the above gcc preprocessor dumps

The latter may be a better option overall but I will need to compare
against the other hardened Linux flavors in all their possible settings.
As an example Gentoo Linux allows you to change the gcc hardened settings
at run time, which would make detection of the "right" thing to do rather
difficult. Similar behavior would apply to Fedora as well.

I'm not sure of the correct way forward, but for the moment a setting to
adjust what type of assembly ghc emits would seem the best option. Right
now I have to force all binaries to be nopie as a workaround to this
issue.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/9007#comment:15>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
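
Added example (not part of the ticket comment and not GHC code): one way to implement the detection option from the comment above, deciding from the compiler's predefined macros whether it defaults to PIC/PIE. The function names, the `CC` override and the sample dump are assumptions constructed for illustration, and the result only describes the toolchain at the moment of the probe, which is the Gentoo caveat the comment raises.

```shell
#!/bin/sh
# Added example: decide from a compiler's predefined macros whether it
# emits position-independent code by default.

# Read a macro dump (`cc -dM -E - </dev/null`) on stdin; print pie, pic or none.
classify_pic_default() {
    awk '
        $1 == "#define" && $2 == "__PIE__" { pie = 1 }
        $1 == "#define" && $2 == "__PIC__" { pic = 1 }
        END {
            if (pie)      print "pie"    # PIE code by default
            else if (pic) print "pic"    # PIC code, but not PIE
            else          print "none"   # absolute relocations allowed
        }'
}

# Probe the compiler named by $CC (default: cc); arguments are extra flags.
# Prints "unknown" when the compiler is missing or rejects the invocation.
probe_compiler() {
    cc_bin=${CC:-cc}
    command -v "$cc_bin" >/dev/null 2>&1 || { echo unknown; return 0; }
    dump=$("$cc_bin" "$@" -dM -E - </dev/null 2>/dev/null) \
        || { echo unknown; return 0; }
    printf '%s\n' "$dump" | classify_pic_default
}

# Succeeds when objects handed to this toolchain must be position independent
# because it builds PIE executables by default. Assumption: the link default
# follows the compile default, as on toolchains built to default to PIE.
needs_pic_objects() {
    case $(probe_compiler "$@") in
        pie) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample dump matching the Alpine output quoted in the comment.
printf '#define __PIC__ 2\n#define __PIE__ 2\n' | classify_pic_default

# The host compiler, valid for this run only (a hardened profile can change).
probe_compiler
```

A build script could call `needs_pic_objects` once and record the answer, treating `unknown` as a reason to stop rather than as "no PIC needed".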