| Message ID | 20240508172848.work.131-kees@kernel.org |
|---|---|
| Headers | show |
| Series | binfmt_elf: Honor PT_LOAD alignment for static PIE | expand |
On 5/8/24 10:31 AM, Kees Cook wrote: > After commit 4d1cd3b2c5c1 ("tools/testing/selftests/exec: fix link > error"), the load address alignment tests tried to build statically. > This was silently ignored in some cases. However, after attempting to > further fix the build by switching to "-static-pie", the test started > failing. This appears to be due to non-PT_INTERP ET_DYN execs ("static > PIE") not doing alignment correctly, which remains unfixed[1]. See commit > aeb7923733d1 ("revert "fs/binfmt_elf: use PT_LOAD p_align values for > static PIE"") for more details. > > Provide rules to build both static and non-static PIE binaries, improve > debug reporting, and perform several test steps instead of a single > all-or-nothing test. However, do not actually enable static-pie tests; > alignment specification is only supported for ET_DYN with PT_INTERP > ("regular PIE"). > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=215275 [1] > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > Cc: Chris Kennelly <ckennelly@google.com> > Cc: Eric Biederman <ebiederm@xmission.com> > Cc: Shuah Khan <shuah@kernel.org> > Cc: Muhammad Usama Anjum <usama.anjum@collabora.com> > Cc: John Hubbard <jhubbard@nvidia.com> > Cc: Fangrui Song <maskray@google.com> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Yang Yingliang <yangyingliang@huawei.com> > Cc: linux-mm@kvack.org > Cc: linux-kselftest@vger.kernel.org > --- > tools/testing/selftests/exec/Makefile | 19 +++--- > tools/testing/selftests/exec/load_address.c | 67 +++++++++++++++++---- > 2 files changed, 66 insertions(+), 20 deletions(-) > > diff --git a/tools/testing/selftests/exec/Makefile b/tools/testing/selftests/exec/Makefile > index fb4472ddffd8..619cff81d796 100644 > --- a/tools/testing/selftests/exec/Makefile > +++ b/tools/testing/selftests/exec/Makefile > @@ -3,8 +3,13 @@ CFLAGS = -Wall > CFLAGS += -Wno-nonnull > CFLAGS += -D_GNU_SOURCE > > +ALIGNS := 0x1000 0x200000 0x1000000 > +ALIGN_PIES := $(patsubst %,load_address.%,$(ALIGNS)) > +ALIGN_STATIC_PIES := $(patsubst %,load_address.static.%,$(ALIGNS)) > +ALIGNMENT_TESTS := $(ALIGN_PIES) > + > TEST_PROGS := binfmt_script.py > -TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular > +TEST_GEN_PROGS := execveat non-regular $(ALIGNMENT_TESTS) > TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir > # Makefile is a run-time dependency, since it's accessed by the execveat test > TEST_FILES := Makefile > @@ -28,9 +33,9 @@ $(OUTPUT)/execveat.symlink: $(OUTPUT)/execveat > $(OUTPUT)/execveat.denatured: $(OUTPUT)/execveat > cp $< $@ > chmod -x $@ > -$(OUTPUT)/load_address_4096: load_address.c > - $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x1000 -pie -static $< -o $@ > -$(OUTPUT)/load_address_2097152: load_address.c > - $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x200000 -pie -static $< -o $@ > -$(OUTPUT)/load_address_16777216: load_address.c > - $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x1000000 -pie -static $< -o $@ > +$(OUTPUT)/load_address.0x%: load_address.c > + $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \ > + -fPIE -pie $< -o $@ > +$(OUTPUT)/load_address.static.0x%: load_address.c > + $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \ > + -fPIE -static-pie $< -o $@ Hi Kees, Didn't we learn recently, though, that -static-pie is gcc 8.1+, while the kernel's minimum gcc version is 5? thanks,
On Wed, May 08, 2024 at 07:54:13PM -0700, John Hubbard wrote: > Didn't we learn recently, though, that -static-pie is gcc 8.1+, while the > kernel's minimum gcc version is 5? Yes, that's true. If we encounter anyone trying to build the selftests with <8.1 I think we'll have to add a compiler version test in the Makefile to exclude the static pie tests. There's also the potential issue with arm64 builds that caused the original attempt at -static. We'll likely need an exclusion there too.
On 5/9/24 11:16 AM, Kees Cook wrote: > On Wed, May 08, 2024 at 07:54:13PM -0700, John Hubbard wrote: >> Didn't we learn recently, though, that -static-pie is gcc 8.1+, while the >> kernel's minimum gcc version is 5? > > Yes, that's true. If we encounter anyone trying to build the selftests > with <8.1 I think we'll have to add a compiler version test in the > Makefile to exclude the static pie tests. > > There's also the potential issue with arm64 builds that caused the > original attempt at -static. We'll likely need an exclusion there too. > I'm not getting failures for arm64 instead for arm. I'm trying to find this "rcrt1.o" file. Does anybody have any idea if this error can be resolved by missing file or is it something arm-linux-gnueabihf toolchain doesn't support? make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- arm-linux-gnueabihf-gcc -Wall -Wno-nonnull -D_GNU_SOURCE= -Wl,-z,max-page-size=0x1000 \ -fPIE -static-pie load_address.c -o /home/usama/repos/kernel/linux_mainline/tools/testing/selftests/exec/load_address.static.0x1000 /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: cannot find rcrt1.o: No such file or directory collect2: error: ld returned 1 exit status make: *** [Makefile:39: /home/usama/repos/kernel/linux_mainline/tools/testing/selftests/exec/load_address.static.0x1000] Error 1
On 8/18/24 8:55 PM, Muhammad Usama Anjum wrote: > On 8/7/24 3:22 PM, Muhammad Usama Anjum wrote: >> On 5/9/24 11:16 AM, Kees Cook wrote: >>> On Wed, May 08, 2024 at 07:54:13PM -0700, John Hubbard wrote: >>>> Didn't we learn recently, though, that -static-pie is gcc 8.1+, while the >>>> kernel's minimum gcc version is 5? >>> >>> Yes, that's true. If we encounter anyone trying to build the selftests >>> with <8.1 I think we'll have to add a compiler version test in the >>> Makefile to exclude the static pie tests. >>> >>> There's also the potential issue with arm64 builds that caused the >>> original attempt at -static. We'll likely need an exclusion there too. >>> >> I'm not getting failures for arm64 instead for arm. I'm trying to find >> this "rcrt1.o" file. Does anybody have any idea if this error can be >> resolved by missing file or is it something arm-linux-gnueabihf >> toolchain doesn't support? > Do you have any idea? Yes, I took a closer look just now: > >> >> make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- >> arm-linux-gnueabihf-gcc -Wall -Wno-nonnull -D_GNU_SOURCE= >> -Wl,-z,max-page-size=0x1000 \ >> -fPIE -static-pie load_address.c -o >> /home/usama/repos/kernel/linux_mainline/tools/testing/selftests/exec/load_address.static.0x1000 >> /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: >> cannot find rcrt1.o: No such file or directory >> collect2: error: ld returned 1 exit status >> make: *** [Makefile:39: >> /home/usama/repos/kernel/linux_mainline/tools/testing/selftests/exec/load_address.static.0x1000] >> Error 1 > This appears to be because that particular cross compiler setup (the libc part of the installation) fails to include rcrt1.o. I was able to reproduce this on Ubuntu 23.04, using their standard arm cross compilation packages for gcc and libc. Also, -static-pie is what is causing the linker to look for rcrt1.o. If you change the invocation from "-static-pie" to "-static -pie", then linking succeeds. Putting all of this together, I think we were are seeing is that even though "-static-pie" was added to gcc 8.1+, and even though the cross-compiler installation here shows gcc 12.3.0, the libc support for that feature is lagging. In other words, the cross installation of libc is effectively at something earlier than gcc 8.1's needs. So I think this means that we need to fix up the distros'packages, and meanwhile, fall back to something like "-static-pie" for selftests. thanks,
On 8/19/24 12:41 PM, John Hubbard wrote: > On 8/18/24 8:55 PM, Muhammad Usama Anjum wrote: >> On 8/7/24 3:22 PM, Muhammad Usama Anjum wrote: >>> On 5/9/24 11:16 AM, Kees Cook wrote: ... >>> make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- >>> arm-linux-gnueabihf-gcc -Wall -Wno-nonnull -D_GNU_SOURCE= >>> -Wl,-z,max-page-size=0x1000 \ >>> -fPIE -static-pie load_address.c -o >>> /home/usama/repos/kernel/linux_mainline/tools/testing/selftests/exec/load_address.static.0x1000 >>> /usr/lib/gcc-cross/arm-linux-gnueabihf/12/../../../../arm-linux-gnueabihf/bin/ld: >>> cannot find rcrt1.o: No such file or directory >>> collect2: error: ld returned 1 exit status >>> make: *** [Makefile:39: >>> /home/usama/repos/kernel/linux_mainline/tools/testing/selftests/exec/load_address.static.0x1000] >>> Error 1 > > This appears to be because that particular cross compiler setup > (the libc part of the installation) fails to include rcrt1.o. I was > able to reproduce this on Ubuntu 23.04, using their standard arm > cross compilation packages for gcc and libc. > > Also, -static-pie is what is causing the linker to look for rcrt1.o. > If you change the invocation from "-static-pie" to "-static -pie", > then linking succeeds. > > Putting all of this together, I think we were are seeing is that > even though "-static-pie" was added to gcc 8.1+, and even though > the cross-compiler installation here shows gcc 12.3.0, the libc > support for that feature is lagging. In other words, the cross > installation of libc is effectively at something earlier than > gcc 8.1's needs. > > So I think this means that we need to fix up the distros'packages, > and meanwhile, fall back to something like "-static-pie" for > selftests. > Or, another way of handling this would be to say, "gcc 8.1 is sufficiently old, and cross-compiling of kselftests is sufficiently rare, that we can wait for the cross compilers to catch up. Until then, only native builds of kselftests are supported". Shuah, you would know whether or not that's a reasonable thing to claim--what do you think? I'm just trying to list all of the options so that people can decide which way to go here. thanks,