From e0d2053b87da7184b60256bae136c4c54a53a3d9 Mon Sep 17 00:00:00 2001 From: Peter Waller Date: Fri, 23 Jun 2023 10:46:49 +0100 Subject: [PATCH] build-support: Use response-expanded params in pie test When a response file is in use, "$*" contains the response file and not the parameters; both the linker and compiler wrappers are updated to use the response-expanded params. The compiler driver likes to pass parameters to the linker via a response file, including -shared. LLD rejects the combination of (-shared -pie), whereas other linkers silently ignore the contradiction: ``` ld.lld: error: -shared and -pie may not be used together ``` This breaks certain configurations using LLD as a linker. Changing `add-hardening.sh` results in a full rebuild. To avoid the rebuild, here is a quick test case which shows the new hardening script allows the link to succeed: ``` { pkgs ? import {} }: let # gcc silently accepts -shared -pie together, lld does not. linker = pkgs.wrapBintoolsWith { bintools = pkgs.llvmPackages.lld; }; patchWrapper = prev: prev.overrideAttrs (final: prev: let prevScript = builtins.match (".*(/nix/store/[a-z0-9]+-add-hardening.sh).*") prev.postFixup; in { postFixup = (builtins.replaceStrings prevScript ["${./new-add-hardening.sh}"] prev.postFixup); }); in pkgs.stdenv.mkDerivation { name = "nixpkgs-hardening-bug"; src = pkgs.writeText "src.c" "int main(int argc, char* argv[]) { return 0; }"; NIX_HARDENING_ENABLE = "pie"; unpackPhase = ":"; buildPhase = '' $CC -c -o src.o $src bash -x ${patchWrapper linker}/bin/ld.lld -o $out @${pkgs.writeText "responsefile" "-shared"} src.o ''; } ``` Fixes: #178162 Signed-off-by: Peter Waller --- pkgs/build-support/bintools-wrapper/add-hardening.sh | 10 +++++----- pkgs/build-support/cc-wrapper/add-hardening.sh | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/build-support/bintools-wrapper/add-hardening.sh b/pkgs/build-support/bintools-wrapper/add-hardening.sh index 0a2b2509a826..db9553c3fc76 100644 --- a/pkgs/build-support/bintools-wrapper/add-hardening.sh +++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh @@ -37,11 +37,11 @@ fi for flag in "${!hardeningEnableMap[@]}"; do case $flag in pie) - if [[ ! (" $* " =~ " -shared " \ - || " $* " =~ " -static " \ - || " $* " =~ " -r " \ - || " $* " =~ " -Ur " \ - || " $* " =~ " -i ") ]]; then + if [[ ! (" ${params[*]} " =~ " -shared " \ + || " ${params[*]} " =~ " -static " \ + || " ${params[*]} " =~ " -r " \ + || " ${params[*]} " =~ " -Ur " \ + || " ${params[*]} " =~ " -i ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index b1aa01355b13..07ac6737f39d 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -71,7 +71,7 @@ for flag in "${!hardeningEnableMap[@]}"; do # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}") - if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then + if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningCFlags=('-pie' "${hardeningCFlags[@]}") fi