[Buildroot] [PATCH 1/1 v2] gcc: Add support for --enable-default-pie configure option.
Thomas Petazzoni
thomas.petazzoni at free-electrons.com
Thu Dec 28 22:07:43 UTC 2017
Hello,
On Thu, 28 Dec 2017 23:43:33 +0200, Stefan Fröberg wrote:
> By default, buildroot produces insecure binaries.
>
> GCC 6.x added build time configuration option "--enable-default-pie".
> With that enabled, GCC will produce PIE
> (Position-independent executables) binaries.
>
> PIE is a requirement for ASLR (Address space layout randomization)
> that will make exploits like return-to-libc attack impossible.
>
> If you want to have a modern, secure system then enable this option.
>
> To override this default behaviour, you can use -no-pie
> with your CFLAGS/CXXFLAGS.
>
> https://gcc.gnu.org/onlinedocs/gcc-6.2.0/gcc/Link-Options.html
As I said in my previous review, I think we want a solution that also
applies to external toolchains, by passing -pie in the compiler wrapper.
Please see "[PATCH 2/2] security hardening: add RELRO, FORTIFY
options" in the mailing list archives,
https://patchwork.ozlabs.org/patch/830085/, it was also adding -pie
support, but in a more generic way. Could you use this instead?
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
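Whichever way -pie ends up being passed (a GCC built with --enable-default-pie, or the compiler wrapper adding it for external toolchains), the observable result is that executables come out as ET_DYN with a PT_INTERP segment instead of ET_EXEC. The script below, added here as an illustration and not part of either patch or of Buildroot, classifies ELF images by reading the header and program headers directly so it can be run over a target rootfs to find binaries that were still linked without -pie. The sample images it checks itself against are constructed in-line (valid headers, no code), and the classification names are my own.

```python
import os
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header type of the dynamic-loader request


def _formats(data):
    """Return (header struct format, program header format, ELF class) for an image."""
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    if data[4] == 2:                                # EI_CLASS: 2 = ELF64
        return endian + "HHIQQQIHHHHHH", endian + "IIQQQQQQ", 64
    return endian + "HHIIIIIHHHHHH", endian + "IIIIIIII", 32


def classify_elf(data: bytes) -> str:
    """Classify an ELF image: 'exec' (fixed load address, no ASLR for the
    main binary), 'pie' (ET_DYN executable with an interpreter),
    'shared-object' (ET_DYN without one), 'other' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    hdr_fmt, ph_fmt, _ = _formats(data)
    hdr = struct.unpack_from(hdr_fmt, data, 16)      # fields follow the 16-byte e_ident
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"                               # ET_REL, ET_CORE, ...
    # ET_DYN is used for both PIE executables and shared libraries; only the
    # former carries PT_INTERP. p_type is the first field in both ELF classes.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(ph_fmt) > len(data):
            break                                    # truncated image: stop scanning
        if struct.unpack_from(ph_fmt, data, off)[0] == PT_INTERP:
            return "pie"
    return "shared-object"


def scan_tree(root: str) -> dict:
    """Walk a directory (e.g. a target rootfs) and map each ELF file to its class."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                data = f.read()
            kind = classify_elf(data)
            if kind != "not-elf":
                result[path] = kind
    return result


def build_sample(e_type, is64=True, little=True, with_interp=False) -> bytes:
    """Constructed minimal ELF image for self-testing: a valid header plus an
    optional single PT_INTERP program header, no code or sections."""
    ident = (b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1, 0, 0])
             + b"\x00" * 7)
    hdr_fmt, ph_fmt, cls = _formats(ident)
    ehsize, phentsize = (64, 56) if cls == 64 else (52, 32)
    phnum = 1 if with_interp else 0
    image = ident + struct.pack(hdr_fmt, e_type, 62 if is64 else 3, 1, 0,
                                ehsize if phnum else 0, 0, 0,
                                ehsize, phentsize, phnum, 0, 0, 0)
    if with_interp:
        image += struct.pack(ph_fmt, PT_INTERP, 0, 0, 0, 0, 0, 0, 0)
    return image


SAMPLE_EXEC = build_sample(ET_EXEC, with_interp=True)   # what -no-pie produces
SAMPLE_PIE = build_sample(ET_DYN, with_interp=True)     # what -pie produces
SAMPLE_SO = build_sample(ET_DYN)                        # an ordinary .so

if __name__ == "__main__":
    # Usage: python check_pie.py <rootfs-dir>; lists executables not built as PIE.
    if len(sys.argv) == 2:
        for path, kind in sorted(scan_tree(sys.argv[1]).items()):
            if kind == "exec":
                print("non-PIE executable:", path)
    else:
        for label, img in (("exec", SAMPLE_EXEC), ("pie", SAMPLE_PIE), ("so", SAMPLE_SO)):
            print(label, "->", classify_elf(img))
```

Pointing the script at the Buildroot output/target directory after a build gives a quick regression check that the chosen mechanism actually reached every package, which is the property the original patch and the more generic hardening series both aim at; a non-empty "non-PIE executable" list usually means a package build system is overriding CFLAGS or LDFLAGS rather than inheriting the wrapper's defaults.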