build-support: Use response-expanded params in pie test

When a response file is in use, "$*" contains the response file and not the parameters; both the linker and compiler wrappers are updated to use the response-expanded params. The compiler driver likes to pass parameters to the linker via a response file, including -shared. LLD rejects the combination of (-shared -pie), whereas other linkers silently ignore the contradiction: ``` ld.lld: error: -shared and -pie may not be used together ``` This breaks certain configurations using LLD as a linker. Changing `add-hardening.sh` results in a full rebuild. To avoid the rebuild, here is a quick test case which shows the new hardening script allows the link to succeed: ``` { pkgs ? import <nixpkgs> {} }: let # gcc silently accepts -shared -pie together, lld does not. linker = pkgs.wrapBintoolsWith { bintools = pkgs.llvmPackages.lld; }; patchWrapper = prev: prev.overrideAttrs (final: prev: let prevScript = builtins.match (".*(/nix/store/[a-z0-9]+-add-hardening.sh).*") prev.postFixup; in { postFixup = (builtins.replaceStrings prevScript ["${./new-add-hardening.sh}"] prev.postFixup); }); in pkgs.stdenv.mkDerivation { name = "nixpkgs-hardening-bug"; src = pkgs.writeText "src.c" "int main(int argc, char* argv[]) { return 0; }"; NIX_HARDENING_ENABLE = "pie"; unpackPhase = ":"; buildPhase = '' $CC -c -o src.o $src bash -x ${patchWrapper linker}/bin/ld.lld -o $out @${pkgs.writeText "responsefile" "-shared"} src.o ''; } ``` Fixes: #178162 Signed-off-by: Peter Waller <p@pwaller.net>
2023-06-23 10:46:49 +01:00 · 2023-06-23 10:46:49 +01:00 · e0d2053b87
commit e0d2053b87
parent c311c7c5cc
2 changed files with 6 additions and 6 deletions
--- a/pkgs/build-support/bintools-wrapper/add-hardening.sh
+++ b/pkgs/build-support/bintools-wrapper/add-hardening.sh
@ -37,11 +37,11 @@ fi
 for flag in "${!hardeningEnableMap[@]}"; do
  case $flag in
    pie)
-      if [[ ! (" $* " =~ " -shared " \
-            || " $* " =~ " -static " \
-            || " $* " =~ " -r " \
-            || " $* " =~ " -Ur " \
-            || " $* " =~ " -i ") ]]; then
+      if [[ ! (" ${params[*]} " =~ " -shared " \
+            || " ${params[*]} " =~ " -static " \
+            || " ${params[*]} " =~ " -r " \
+            || " ${params[*]} " =~ " -Ur " \
+            || " ${params[*]} " =~ " -i ") ]]; then
        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
        hardeningLDFlags+=('-pie')
      fi
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -71,7 +71,7 @@ for flag in "${!hardeningEnableMap[@]}"; do
      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
-      if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then
+      if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
        if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
      fi