Static PIE with musl and clang

Static PIE with musl and clang

[Paul Sturm]

[-- Attachment #1: Type: text/plain, Size: 371 bytes --]

Has anyone managed to build static PIE with musl and clang, preferably linking with lld? 

I see that this has been done using GCC and rcrt1.o, but I cannot find a combination of command line parameters that will successfully link and execute with clang. 

I am using clang 4.0.0RC2 and musl 1.1.16. I have also tried to use binutils ld instead of llvm lld to no avail. 

[-- Attachment #2: Type: text/html, Size: 653 bytes --]

Re: Static PIE with musl and clang

[Rich Felker]

On Sat, Mar 04, 2017 at 07:47:31PM -0600, Paul Sturm wrote:
> Has anyone managed to build static PIE with musl and clang,
> preferably linking with lld?
> 
> I see that this has been done using GCC and rcrt1.o, but I cannot
> find a combination of command line parameters that will successfully
> link and execute with clang.
> 
> I am using clang 4.0.0RC2 and musl 1.1.16. I have also tried to use
> binutils ld instead of llvm lld to no avail.

I doubt lld can do it yet; you need some equivalent of the
--no-dynamic-linker option I added to BFD ld. It should be possible
with clang using binutils/BFD ld. You might also be able to hack it by
using -shared -Bsymbolic and explicitly linking rcrt1.o on the link
command line (essentially doing the same thing you'd do to make an
executable shared library) but there are corner-case things that break
when you try to do it this way. The right approach would be adding
--no-dynamic-linker to lld and teaching clang to pass it when linking
with -static -pie.

Rich

Re: Static PIE with musl and clang

[Paul Sturm]

[-- Attachment #1: Type: text/plain, Size: 5844 bytes --]

OK. I tried to compile this program: 

#include <stdio.h> 

int main() { 
printf("%p\n", main); 
return 0; 
} 

Command line: 
clang /usr/lib/rcrt1.o ../aslr.c -o aslr -fPIE -shared -Bsymbolic -Wl,--no-dynamic-linker 

./aslr seg faults when I run it. 

readelf -e aslr looks like this: 

ELF Header: 
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
Class: ELF64 
Data: 2's complement, little endian 
Version: 1 (current) 
OS/ABI: UNIX - System V 
ABI Version: 0 
Type: DYN (Shared object file) 
Machine: Advanced Micro Devices X86-64 
Version: 0x1 
Entry point address: 0x788 
Start of program headers: 64 (bytes into file) 
Start of section headers: 6584 (bytes into file) 
Flags: 0x0 
Size of this header: 64 (bytes) 
Size of program headers: 56 (bytes) 
Number of program headers: 6 
Size of section headers: 64 (bytes) 
Number of section headers: 26 
Section header string table index: 23 

Section Headers: 
[Nr] Name Type Address Offset 
Size EntSize Flags Link Info Align 
[ 0] NULL 0000000000000000 00000000 
0000000000000000 0000000000000000 0 0 0 
[ 1] .hash HASH 0000000000000190 00000190 
0000000000000058 0000000000000004 A 2 0 8 
[ 2] .dynsym DYNSYM 00000000000001e8 000001e8 
0000000000000198 0000000000000018 A 3 1 8 
[ 3] .dynstr STRTAB 0000000000000380 00000380 
00000000000000de 0000000000000000 A 0 0 1 
[ 4] .rela.dyn RELA 0000000000000460 00000460 
00000000000000f0 0000000000000018 A 2 0 8 
[ 5] .rela.plt RELA 0000000000000550 00000550 
0000000000000048 0000000000000018 AI 2 19 8 
[ 6] .init PROGBITS 0000000000000598 00000598 
000000000000000d 0000000000000000 AX 0 0 1 
[ 7] .plt PROGBITS 00000000000005b0 000005b0 
0000000000000040 0000000000000010 AX 0 0 16 
[ 8] .plt.got PROGBITS 00000000000005f0 000005f0 
0000000000000018 0000000000000000 AX 0 0 8 
[ 9] .text PROGBITS 0000000000000610 00000610 
0000000000000497 0000000000000000 AX 0 0 16 
[10] .fini PROGBITS 0000000000000aa7 00000aa7 
0000000000000008 0000000000000000 AX 0 0 1 
[11] .rodata PROGBITS 0000000000000aaf 00000aaf 
0000000000000004 0000000000000001 AMS 0 0 1 
[12] .eh_frame_hdr PROGBITS 0000000000000ab4 00000ab4 
000000000000001c 0000000000000000 A 0 0 4 
[13] .eh_frame PROGBITS 0000000000000ad0 00000ad0 
0000000000000064 0000000000000000 A 0 0 8 
[14] .ctors PROGBITS 0000000000200e40 00000e40 
0000000000000010 0000000000000000 WA 0 0 8 
[15] .dtors PROGBITS 0000000000200e50 00000e50 
0000000000000010 0000000000000000 WA 0 0 8 
[16] .jcr PROGBITS 0000000000200e60 00000e60 
0000000000000008 0000000000000000 WA 0 0 8 
[17] .dynamic DYNAMIC 0000000000200e68 00000e68 
0000000000000150 0000000000000010 WA 3 0 8 
[18] .got PROGBITS 0000000000200fb8 00000fb8 
0000000000000048 0000000000000008 WA 0 0 8 
[19] .got.plt PROGBITS 0000000000201000 00001000 
0000000000000030 0000000000000008 WA 0 0 8 
[20] .data PROGBITS 0000000000201030 00001030 
0000000000000008 0000000000000000 WA 0 0 8 
[21] .bss NOBITS 0000000000201040 00001038 
0000000000000050 0000000000000000 WA 0 0 32 
[22] .comment PROGBITS 0000000000000000 00001038 
000000000000003c 0000000000000001 MS 0 0 1 
[23] .shstrtab STRTAB 0000000000000000 000018fb 
00000000000000b9 0000000000000000 0 0 1 
[24] .symtab SYMTAB 0000000000000000 00001078 
0000000000000648 0000000000000018 25 51 8 
[25] .strtab STRTAB 0000000000000000 000016c0 
000000000000023b 0000000000000000 0 0 1 
Key to Flags: 
W (write), A (alloc), X (execute), M (merge), S (strings), I (info), 
L (link order), O (extra OS processing required), G (group), T (TLS), 
C (compressed), x (unknown), o (OS specific), E (exclude), 
l (large), p (processor specific) 

Program Headers: 
Type Offset VirtAddr PhysAddr 
FileSiz MemSiz Flags Align 
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 
0x0000000000000b34 0x0000000000000b34 R E 200000 
LOAD 0x0000000000000e40 0x0000000000200e40 0x0000000000200e40 
0x00000000000001f8 0x0000000000000250 RW 200000 
DYNAMIC 0x0000000000000e68 0x0000000000200e68 0x0000000000200e68 
0x0000000000000150 0x0000000000000150 RW 8 
GNU_EH_FRAME 0x0000000000000ab4 0x0000000000000ab4 0x0000000000000ab4 
0x000000000000001c 0x000000000000001c R 4 
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 
0x0000000000000000 0x0000000000000000 RW 10 
GNU_RELRO 0x0000000000000e40 0x0000000000200e40 0x0000000000200e40 
0x00000000000001c0 0x00000000000001c0 R 1 

Section to Segment mapping: 
Segment Sections... 
00 .hash .dynsym .dynstr .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame 
01 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss 
02 .dynamic 
03 .eh_frame_hdr 
04 
05 .ctors .dtors .jcr .dynamic .got 



From: "dalias" <dalias@libc.org> 
To: "musl" <musl@lists.openwall.com> 
Sent: Sunday, March 5, 2017 2:44:03 AM 
Subject: Re: [musl] Static PIE with musl and clang 

On Sat, Mar 04, 2017 at 07:47:31PM -0600, Paul Sturm wrote: 
> Has anyone managed to build static PIE with musl and clang, 
> preferably linking with lld? 
> 
> I see that this has been done using GCC and rcrt1.o, but I cannot 
> find a combination of command line parameters that will successfully 
> link and execute with clang. 
> 
> I am using clang 4.0.0RC2 and musl 1.1.16. I have also tried to use 
> binutils ld instead of llvm lld to no avail. 

I doubt lld can do it yet; you need some equivalent of the 
--no-dynamic-linker option I added to BFD ld. It should be possible 
with clang using binutils/BFD ld. You might also be able to hack it by 
using -shared -Bsymbolic and explicitly linking rcrt1.o on the link 
command line (essentially doing the same thing you'd do to make an 
executable shared library) but there are corner-case things that break 
when you try to do it this way. The right approach would be adding 
--no-dynamic-linker to lld and teaching clang to pass it when linking 
with -static -pie. 

Rich 

[-- Attachment #2: Type: text/html, Size: 6902 bytes --]

Re: Static PIE with musl and clang

[Szabolcs Nagy]

* Paul Sturm <psturm@computervoice.com> [2017-03-04 21:41:24 -0600]:
> clang /usr/lib/rcrt1.o ../aslr.c -o aslr -fPIE -shared -Bsymbolic -Wl,--no-dynamic-linker 
> 
> ./aslr seg faults when I run it. 

you did not static link the libc at all

Re: Static PIE with musl and clang

[Paul Sturm]

[-- Attachment #1: Type: text/plain, Size: 5779 bytes --]

I decided to take a step back and try to make this work first with gcc (7.1) and ld (2.28). Both tools were built statically and musl (1.16+) is also built as a static libc.a. 

Test program is aslr.c: 

#include <stdio.h> 

int main() { 
printf("%p\n", main); 
return 0; 
} 

gcc aslr.c -fPIE -pie -static-libgcc -Wl,-static -Wl,--no-dynamic-linker 

./a.out 
Segementation fault 

bash-4.4# readelf -e a.out 
ELF Header: 
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
Class: ELF64 
Data: 2's complement, little endian 
Version: 1 (current) 
OS/ABI: UNIX - System V 
ABI Version: 0 
Type: DYN (Shared object file) 
Machine: Advanced Micro Devices X86-64 
Version: 0x1 
Entry point address: 0x300 
Start of program headers: 64 (bytes into file) 
Start of section headers: 31560 (bytes into file) 
Flags: 0x0 
Size of this header: 64 (bytes) 
Size of program headers: 56 (bytes) 
Number of program headers: 6 
Size of section headers: 64 (bytes) 
Number of section headers: 25 
Section header string table index: 24 

Section Headers: 
[Nr] Name Type Address Offset 
Size EntSize Flags Link Info Align 
[ 0] NULL 0000000000000000 00000000 
0000000000000000 0000000000000000 0 0 0 
[ 1] .hash HASH 0000000000000190 00000190 
0000000000000014 0000000000000004 A 2 0 8 
[ 2] .dynsym DYNSYM 00000000000001a8 000001a8 
0000000000000030 0000000000000018 A 3 1 8 
[ 3] .dynstr STRTAB 00000000000001d8 000001d8 
0000000000000007 0000000000000000 A 0 0 1 
[ 4] .rela.dyn RELA 00000000000001e0 000001e0 
00000000000000c0 0000000000000018 A 2 0 8 
[ 5] .init PROGBITS 00000000000002a0 000002a0 
000000000000000d 0000000000000000 AX 0 0 1 
[ 6] .plt PROGBITS 00000000000002b0 000002b0 
0000000000000010 0000000000000010 AX 0 0 16 
[ 7] .plt.got PROGBITS 00000000000002c0 000002c0 
0000000000000018 0000000000000000 AX 0 0 8 
[ 8] .text PROGBITS 00000000000002e0 000002e0 
0000000000004f44 0000000000000000 AX 0 0 16 
[ 9] .fini PROGBITS 0000000000005224 00005224 
0000000000000008 0000000000000000 AX 0 0 1 
[10] .rodata PROGBITS 0000000000005240 00005240 
0000000000000b90 0000000000000000 A 0 0 32 
[11] .eh_frame_hdr PROGBITS 0000000000005dd0 00005dd0 
0000000000000024 0000000000000000 A 0 0 4 
[12] .eh_frame PROGBITS 0000000000005df8 00005df8 
000000000000007c 0000000000000000 A 0 0 8 
[13] .ctors PROGBITS 0000000000205e88 00005e88 
0000000000000010 0000000000000000 WA 0 0 8 
[14] .dtors PROGBITS 0000000000205e98 00005e98 
0000000000000010 0000000000000000 WA 0 0 8 
[15] .data.rel.ro PROGBITS 0000000000205ea8 00005ea8 
0000000000000008 0000000000000000 WA 0 0 8 
[16] .dynamic DYNAMIC 0000000000205eb0 00005eb0 
0000000000000130 0000000000000010 WA 3 0 8 
[17] .got PROGBITS 0000000000205fe0 00005fe0 
0000000000000020 0000000000000008 WA 0 0 8 
[18] .got.plt PROGBITS 0000000000206000 00006000 
0000000000000018 0000000000000008 WA 0 0 8 
[19] .data PROGBITS 0000000000206018 00006018 
00000000000000f8 0000000000000000 WA 0 0 8 
[20] .bss NOBITS 0000000000206120 00006110 
00000000000006e0 0000000000000000 WA 0 0 32 
[21] .comment PROGBITS 0000000000000000 00006110 
000000000000003e 0000000000000001 MS 0 0 1 
[22] .symtab SYMTAB 0000000000000000 00006150 
00000000000010e0 0000000000000018 23 100 8 
[23] .strtab STRTAB 0000000000000000 00007230 
000000000000085b 0000000000000000 0 0 1 
[24] .shstrtab STRTAB 0000000000000000 00007a8b 
00000000000000b7 0000000000000000 0 0 1 
Key to Flags: 
W (write), A (alloc), X (execute), M (merge), S (strings), I (info), 
L (link order), O (extra OS processing required), G (group), T (TLS), 
C (compressed), x (unknown), o (OS specific), E (exclude), 
l (large), p (processor specific) 

Program Headers: 
Type Offset VirtAddr PhysAddr 
FileSiz MemSiz Flags Align 
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 
0x0000000000005e74 0x0000000000005e74 R E 0x200000 
LOAD 0x0000000000005e88 0x0000000000205e88 0x0000000000205e88 
0x0000000000000288 0x0000000000000978 RW 0x200000 
DYNAMIC 0x0000000000005eb0 0x0000000000205eb0 0x0000000000205eb0 
0x0000000000000130 0x0000000000000130 RW 0x8 
GNU_EH_FRAME 0x0000000000005dd0 0x0000000000005dd0 0x0000000000005dd0 
0x0000000000000024 0x0000000000000024 R 0x4 
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 
0x0000000000000000 0x0000000000000000 RW 0x10 
GNU_RELRO 0x0000000000005e88 0x0000000000205e88 0x0000000000205e88 
0x0000000000000178 0x0000000000000178 R 0x1 

Section to Segment mapping: 
Segment Sections... 
00 .hash .dynsym .dynstr .rela.dyn .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame 
01 .ctors .dtors .data.rel.ro .dynamic .got .got.plt .data .bss 
02 .dynamic 
03 .eh_frame_hdr 
04 
05 .ctors .dtors .data.rel.ro .dynamic .got 
bash-4.4# 

bash-4.4# readelf -d a.out 

Dynamic section at offset 0x5eb0 contains 15 entries: 
Tag Type Name/Value 
0x000000000000000c (INIT) 0x2a0 
0x000000000000000d (FINI) 0x5224 
0x0000000000000004 (HASH) 0x190 
0x0000000000000005 (STRTAB) 0x1d8 
0x0000000000000006 (SYMTAB) 0x1a8 
0x000000000000000a (STRSZ) 7 (bytes) 
0x000000000000000b (SYMENT) 24 (bytes) 
0x0000000000000015 (DEBUG) 0x0 
0x0000000000000003 (PLTGOT) 0x206000 
0x0000000000000007 (RELA) 0x1e0 
0x0000000000000008 (RELASZ) 192 (bytes) 
0x0000000000000009 (RELAENT) 24 (bytes) 
0x000000006ffffffb (FLAGS_1) Flags: PIE 
0x000000006ffffff9 (RELACOUNT) 8 
0x0000000000000000 (NULL) 0x0 


From: "Szabolcs Nagy" <nsz@port70.net> 
To: "musl" <musl@lists.openwall.com> 
Sent: Sunday, March 5, 2017 12:21:18 PM 
Subject: Re: [musl] Static PIE with musl and clang 

* Paul Sturm <psturm@computervoice.com> [2017-03-04 21:41:24 -0600]: 
> clang /usr/lib/rcrt1.o ../aslr.c -o aslr -fPIE -shared -Bsymbolic -Wl,--no-dynamic-linker 
> ). 
> ./aslr seg faults when I run it. 

you did not static link the libc at all 

[-- Attachment #2: Type: text/html, Size: 19053 bytes --]

Re: Static PIE with musl and clang

[Szabolcs Nagy]

* Paul Sturm <psturm@computervoice.com> [2017-05-15 14:24:58 -0500]:
> I decided to take a step back and try to make this work first with gcc (7.1) and ld (2.28). Both tools were built statically and musl (1.16+) is also built as a static libc.a. 
> 
> Test program is aslr.c: 
> 
> #include <stdio.h> 
> 
> int main() { 
> printf("%p\n", main); 
> return 0; 
> } 
> 
> gcc aslr.c -fPIE -pie -static-libgcc -Wl,-static -Wl,--no-dynamic-linker 
> 
> ./a.out 
> Segementation fault 

there is no -static passed to the compiler so it cannot possibly
select the right crt file.

you need to patch gcc for static pie support, or pass all the
necessary linker flags manually (including the crt files).

https://github.com/richfelker/musl-cross-make/blob/master/patches/gcc-6.3.0/0010-static-pie-support.diff