When building sys-libs/glibc-2.23-r3 (the current latest stable version) with sys-devel/gcc-6.3.0, the following warning is issued suggesting a failure to build glibc with hardening:

 * PIE hardening not applied, as your compiler doesn't default to PIE

The glibc package will continue to build successfully, albeit with this unsettling warning. I've replicated this warning on a recent hardened stage (stage3-amd64-hardened-20170504.tar.bz2) where I've keyworded and built sys-devel/gcc-6.3.0. The warning appears to be a false positive. The evaluation that throws this warning is performed in toolchain-glibc.eclass. However, it looks like this warning is not necessary for >glibc-2.21-r2, since upstream has already patched the source to provide hardening.

sys-devel/gcc-6.3.0 has changed the way PIE and SSP are handled. gcc-5* has USE flags for 'nopie' and 'nossp', and multiple profiles are provided for building packages with a variety of SSP/PIE configurations. sys-devel/gcc-6.3.0 has switched the way USE flags are implemented, with 'pie' and 'ssp' USE flags, and only a single hardened profile is available after sys-devel/gcc-6.3.0 is built.
Created attachment 472460 [details] emerge --info This caught my attention, too. Same behaviour with gcc-7.1.0-r1 and glibc-2.25 as well.
The reason is that gcc-specs-pie() from toolchain-funcs.eclass doesn't work with gcc-6 (or should not be used with gcc-6). BTW, it seems that gcc-specs-ssp() doesn't work as well.
Should this block bug 617524?
Does gcc-6 include hardened features (PIE, SSP) by default? What I mean is: would the correct approach be to propose a patch for toolchain-funcs.eclass, or are there hardened features we're currently missing with gcc-6?
(In reply to Guillaume Ceccarelli from comment #4)
> Does gcc-6 include hardened features (PIE, SSP) by default ?
>
> What I mean is: would the correct approach to propose a patch for
> toolchain-funcs.eclass or are there hardened features we're currently
> missing with gcc-6?

Features are enabled via the pie and ssp USE flags; these features are upstreamed and no profiles are used anymore.
The warning is due to a regression in toolchain-funcs.eclass, namely the functions gcc-specs-ssp and gcc-specs-pie (the spec file query fails for gcc-6 and newer). Luckily though, the warning is only cosmetic. The relevant code is in toolchain-glibc.eclass (lines 267-274):

    if use hardened && gcc-specs-pie ; then
        # Force PIC macro definition for all compilations since they're all
        # either -fPIC or -fPIE with the default-PIE compiler.
        append-cppflags -DPIC
    else
        # Don't build -fPIE without the default-PIE compiler and the
        # hardened-pie patch
        filter-flags -fPIE

Filtering a _nonexistent_ "-fPIE" for gcc-6[pie] does not disable the pie feature, so all that seems left is a scary warning.
Created attachment 476314 [details, diff]
do not run the checks on >=gcc-6

As spec files are no longer used we can skip the checks. PIE and SSP are both enabled by default, based on the USE flag, in >=sys-devel/gcc-6.
Created attachment 476316 [details, diff]
disable checks that use spec files on >=sys-devel/gcc-6

I missed a check; I have fully tested the attached patch and all is as users expect.
(In reply to Jory A. Pratt from comment #8)
> Created attachment 476316 [details, diff]
> disable checks that use spec files on >=sys-devel/gcc-6

You should check the version of the currently active compiler, e.g. with gcc-major-version().
(In reply to Jory A. Pratt from comment #8)
> Created attachment 476316 [details, diff]
> disable checks that use spec files on >=sys-devel/gcc-6
>
> I missed a check, I have fully tested the attached patch and all is as users
> expect.

Thanks for your effort - there will be a slightly larger patchset incoming over the course of this week. A first version will be posted to the mailing list shortly.
commit acaffff075a2be413e9dbca54cc682f2bb265bc8 (HEAD -> master, origin/master, origin/HEAD, toolchain-updates)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 14 10:22:54 2017 -0500

    eclass/toolchain-glibc.eclass: skip pie check for gcc-6 or newer

    For gcc-6 and newer the old logic in the toolchain-glibc eclass:

        if use hardened && gcc-specs-pie ; then
            append-cppflags -DPIC
        else
            filter-flags -fPIE
        fi

    is obsolete. Simply disable the check.

commit d33b49b8ca2afafbb1e6827dea8cd851f6658f99
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 14 10:20:39 2017 -0500

    eclass/toolchain-glibc.eclass: use tc-enables-pie instead of gcc-specs-pie

commit d20b5a7065950144775848c1401c4f61a44ecd43
Author: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
Date:   Wed Jun 14 16:23:15 2017 +0200

    toolchain-funcs.eclass: Add functions for detection of PIE / SSP in a way compatible with GCC >=6.

    Newly added tc-enables-pie(), tc-enables-ssp(), tc-enables-ssp-strong() and
    tc-enables-ssp-all() check macros instead of specs.
    This solution also works with older GCC and with Clang.

    Signed-off-by: Matthias Maier <tamiko@gentoo.org>
Hello, I'm using gcc version 4.9.4 (Gentoo Hardened 4.9.4 p1.0, pie-0.6.4) and was trying to compile glibc-2.23-r4. The approach fails on my system and I get the PIE hardening warning. My CCFLAGS contains "-g3". This causes gcc to print all built-in defines in the returned test program (e.g. #define __STDC__ 1) before "true" is output. A possible fix (tested locally) would be to compare the $ret variable against *true instead of true for all four new functions. (Note: I do not know/remember if it worked before this change.)
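The macro-based detection that the commits in comment #11 describe, together with the "-g3" failure mode reported in comment #13, as an added example in POSIX sh. This is not the toolchain-funcs.eclass code; it assumes the compiler is reachable as "${CC:-cc}", uses the __PIE__/__pie__ and __SSP__/__SSP_STRONG__/__SSP_ALL__ predefined macros that GCC and Clang set when the corresponding hardening is active, and names its functions with underscores instead of the eclass's hyphenated names. Two probe styles are shown: one that inspects the preprocessor's stdout (and therefore has to tolerate the "#define" dump that "-g3" adds in front of the payload, which is why the suffix match "*true" is used), and one that relies only on the preprocessor's exit status via "#error", so extra output cannot confuse it.

```shell
#!/bin/sh
# Added example, not code from toolchain-funcs.eclass.
# Assumption: the active compiler is "${CC:-cc}" and accepts -E -P on stdin.

# Preprocessor conditions for the hardening features.  GCC and Clang define
# these macros only when the feature is active for the given flags, so the
# answer already reflects both the compiler's defaults and the user's CFLAGS.
PIE_COND='defined(__PIE__) || defined(__pie__)'
SSP_COND='defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)'
SSP_STRONG_COND='defined(__SSP_STRONG__) || defined(__SSP_ALL__)'
SSP_ALL_COND='defined(__SSP_ALL__)'

# Style 1: decide from what the preprocessor printed.
# With -g3 in CFLAGS the output starts with every built-in "#define" line
# (e.g. "#define __STDC__ 1") before the "true" token, so an exact
# comparison against "true" would wrongly report "not enabled".  A suffix
# match keeps the decision correct in both cases.
parse_probe_output() {
    # $1: captured preprocessor stdout
    case "$1" in
        *true) return 0 ;;    # condition held
        *)     return 1 ;;    # nothing (or only #define noise) came back
    esac
}

probe_via_stdout() {
    # $1: preprocessor condition; remaining args: compiler flags
    probe_cond=$1; shift
    probe_out=$(${CC:-cc} "$@" -E -P - 2>/dev/null <<EOF
#if ${probe_cond}
true
#endif
EOF
    )
    parse_probe_output "$probe_out"
}

# Style 2: decide from the exit status.  "#error" makes the preprocessor
# fail, so stdout is never parsed and any debug output is irrelevant.
probe_via_exit_status() {
    probe_cond=$1; shift
    ${CC:-cc} "$@" -E -P - >/dev/null 2>&1 <<EOF
#if ${probe_cond}
true
#else
#error condition not met
#endif
EOF
}

# Convenience wrappers in the spirit of tc-enables-pie() and friends
# (hypothetical names; extra args are passed to the compiler as flags).
tc_enables_pie()        { probe_via_exit_status "$PIE_COND" "$@"; }
tc_enables_ssp()        { probe_via_exit_status "$SSP_COND" "$@"; }
tc_enables_ssp_strong() { probe_via_exit_status "$SSP_STRONG_COND" "$@"; }
tc_enables_ssp_all()    { probe_via_exit_status "$SSP_ALL_COND" "$@"; }

# Human-readable summary for the current compiler and $CFLAGS.
report_hardening() {
    for feat in pie ssp ssp_strong ssp_all; do
        if "tc_enables_$feat" ${CFLAGS}; then
            echo "$feat: enabled"
        else
            echo "$feat: not enabled"
        fi
    done
}

# Only run the report when a compiler is actually available.
if command -v "${CC:-cc}" >/dev/null 2>&1; then
    report_hardening
fi
```

Running the script prints one line per feature for the active compiler; passing "-fno-PIE" or "-fstack-protector-strong" in CFLAGS changes the answers accordingly, which is the property the spec-file check lost with gcc-6.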
@Eric Lesage Since this bug is closed, I suggest opening a new bug for your issue. I think your bug is sufficiently different to justify a new bug anyways.
The warning should only be enabled on older glibc. Newer glibc will detect if -DPIC is needed.