[Development] -reduce-relocations vs hardening
Thiago Macieira
thiago.macieira at intel.com
Thu Aug 20 23:08:40 CEST 2015
On Thursday 20 August 2015 22:16:15 Kevin Kofler wrote:
> Lisandro Damián Nicanor Pérez Meyer wrote:
> > Hi! Yesterday I received a [bug] report asking Qt not to require apps
> > using it to pass -fPIC (actually to let the app use -fPIE) due to
> > hardening reasons.
>
> -fPIC actually allows the same hardening as -fPIE. PIE is basically the
> subset of PIC required for hardening.

Right.

-fPIE is -fPIC but with some extra optimisations that assume that the code
being generated is the first one to ever be loaded into memory. That means it
knows none of its symbols may be interposed (including ones it copy-relocated)
and that thread-specific variables may use the initial-exec and local-exec TLS
models.

The problem isn't "preventing hardening". The problem is the hardening adding
-fPIE to code that otherwise was already using -fPIC. Just leave it at -fPIC.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
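
Added example, not part of the original message or of Qt: the hardening property discussed in this thread lives in the linked executable, so one way to confirm that a build which kept `-fPIC` objects still produced a position-independent executable is to read the ELF header and dynamic section. The sketch assumes little-endian ELF64 input; `classify` and `make_elf` are hypothetical helper names, and the sample images are constructed header-only byte strings, not real binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_FLAGS_1, DF_1_PIE = 0x6FFFFFFB, 0x08000000

def classify(elf: bytes) -> str:
    """Classify a little-endian ELF64 image: 'non-pie', 'pie', 'shared-object' or 'other'."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    if e_type == ET_EXEC:
        return "non-pie"            # fixed load address, no ASLR for the main image
    if e_type != ET_DYN:
        return "other"              # relocatable object, core file, ...
    has_interp, flags_1 = False, 0
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", elf, base)
        (p_filesz,) = struct.unpack_from("<Q", elf, base + 32)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:        # DT_NULL ends the dynamic array
                    break
                if tag == DT_FLAGS_1:
                    flags_1 = val
    # DF_1_PIE is explicit when the linker emits it; PT_INTERP is the fallback heuristic.
    return "pie" if (flags_1 & DF_1_PIE) or has_interp else "shared-object"

def make_elf(e_type, phdrs=(), dyn=()):
    """Constructed, header-only ELF64 image for the demo (not a runnable binary)."""
    dynoff = 64 + 56 * len(phdrs)
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in (*dyn, (0, 0)))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, dynoff, 0, 0,
                                len(dyn_bytes), len(dyn_bytes), 8) for t in phdrs)
    return ehdr + body + dyn_bytes

if __name__ == "__main__":
    samples = {"ET_EXEC": make_elf(ET_EXEC, [PT_INTERP]),
               "ET_DYN + DF_1_PIE": make_elf(ET_DYN, [PT_INTERP, PT_DYNAMIC], [(DT_FLAGS_1, DF_1_PIE)]),
               "ET_DYN library": make_elf(ET_DYN, [PT_DYNAMIC], [(DT_FLAGS_1, 0)])}
    for name, image in samples.items():
        print(f"{name:18} -> {classify(image)}")
```

On a real build output, pass the file's bytes to `classify`; a shared library that carries its own `PT_INTERP` but no `DF_1_PIE` flag will be reported as `pie` by the fallback heuristic.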