Opened 5 years ago

Last modified 6 months ago

#6622 new defect

Tor link against static zlib broken by -pie switch

Reported by: tmpname0901
Owned by:
Priority: High
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.3.20-rc
Severity: Normal
Keywords: tor-relay tor-relay autotools build link static
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Build environment: CentOS v5.8/x86_64 with GCC v4.4.6.

I'm linking Tor against statically built versions of zlib (v1.2.7) and OpenSSL (v1.0.1c). This has always worked correctly with the 0.2.2.x versions of Tor. With version 0.2.3-20-rc the final link fails with this error:

$ gcc44 -m64 -O2 -g -march=native -mno-avx -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector -fwrapv --param ssp-buffer-size=1 -fPIE -Wall -fno-strict-aliasing -L/home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib -pie -z relro -z now -o tor tor_main.o ./libtor.a ../common/libor.a ../common/libor-crypto.a ../common/libor-event.a /home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libz.a -lm /home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libevent.a /home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libssl.a /home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libcrypto.a /home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libz.a -ldl -lrt
/usr/bin/ld: /home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libz.a(deflate.o): relocation R_X86_64_32S against `_length_code' can not be used when making a shared object; recompile with -fPIC
/home/rpmbuild/BUILD/tor-0.2.3.20-rc/dependencies/lib/libz.a: could not read symbols: Bad value

Removing that -pie switch allows the link to complete successfully.

The GCC doc suggests that the linking error is due to not having used -pie during compilation. This seems to be true as neither zlib nor openssl nor libevent are compiled with this switch (or with -fPIC). Not even the Tor source is compiled with -pie. It is used nowhere until that final link.

The offending symbol is defined in zlib's deflate.c, which is compiled with this command line:

gcc44 -m64 -O2 -g -march=native -mno-avx -c -o deflate.o deflate.c

Do we really need this -pie switch when linking Tor? What is the adverse impact if I just remove it from the linker input?

Change History (8)

comment:1 Changed 5 years ago by Sebastian

This has been bugging me too; what you need to do is compile all dependencies with -fPIC. For libevent that means setting it in CFLAGS; for openssl it means using the -fPIC config switch.

comment:2 in reply to:  1 Changed 5 years ago by tmpname0901

Replying to Sebastian:

> This has been bugging me too; what you need to do is compile all dependencies with -fPIC. For libevent that means setting it in CFLAGS; for openssl it means using the -fPIC config switch.

True. A static-except-for-glibc build of v0.2.3.20-rc:

$ ldd BUILD/tor-0.2.3.20-rc/src/or/tor

linux-vdso.so.1 => (0x00007fffe21fd000)
libm.so.6 => /lib64/libm.so.6 (0x00002adebff41000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002adec01c4000)
librt.so.1 => /lib64/librt.so.1 (0x00002adec03c9000)
libc.so.6 => /lib64/libc.so.6 (0x00002adec05d2000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002adec0929000)
/lib64/ld-linux-x86-64.so.2 (0x00002adebf789000)

comment:3 Changed 5 years ago by nickm

The point of the -fPIE / -fPIC here is that it allows Tor to use ASLR. That's usually considered a good thing from the point of view of making it a little harder to attack. If you're not worried about that, you can turn off ASLR, and some other compiler security features, with --disable-gcc-hardening.

comment:4 Changed 5 years ago by nickm

Keywords: tor-relay added

comment:5 Changed 5 years ago by nickm

Component: Tor Relay → Tor

comment:6 Changed 5 years ago by nickm

Keywords: build added
Milestone: Tor: 0.2.3.x-final → Tor: 0.2.5.x-final

I'd like to squeeze in a major revamp for the build system, but 0.2.3 is stable and 0.2.4 is trying to stabilize.

comment:7 Changed 4 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: unspecified

I think that our only option in that case is to log a better warning. We shouldn't stop trying to build -fPIE by default just because some static library doesn't have -fPI[CE]
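
Added example, not part of the ticket or of Tor's build system: a Python check for the condition the linker reports in the description. It lists R_X86_64_32 / R_X86_64_32S relocations against loadable sections of one ELF64 x86-64 object, such as a member extracted from a static archive with `ar x`. The names `non_pic_relocs` and `sample_object` are hypothetical, and the sample object is constructed.

```python
import struct

# Absolute 32-bit x86-64 relocations; ld refuses them in loadable sections of
# -pie/-shared output with "recompile with -fPIC".
ABSOLUTE_RELOCS = {10: "R_X86_64_32", 11: "R_X86_64_32S"}
SHT_RELA, SHF_ALLOC = 4, 0x2

def non_pic_relocs(obj: bytes) -> list:
    """List (target section index, offset, type) for absolute relocations
    against loadable sections of an ELF64 little-endian x86-64 object."""
    if obj[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    if struct.unpack_from("<HH", obj, 16) != (1, 62):  # ET_REL, EM_X86_64
        raise ValueError("not an x86-64 relocatable object")
    (shoff,) = struct.unpack_from("<Q", obj, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", obj, 0x3A)

    def shdr(i):  # (sh_type, sh_flags, sh_offset, sh_size, sh_info)
        _, typ, flags, _, off, size, _, info = struct.unpack_from(
            "<IIQQQQII", obj, shoff + i * shentsize)
        return typ, flags, off, size, info

    hits = []
    for i in range(shnum):
        typ, _, off, size, target = shdr(i)
        # Debug sections legitimately carry R_X86_64_32 even in PIC code,
        # so only relocations applied to SHF_ALLOC sections count.
        if typ != SHT_RELA or not shdr(target)[1] & SHF_ALLOC:
            continue
        for pos in range(off, off + size, 24):  # sizeof(Elf64_Rela)
            r_offset, r_info = struct.unpack_from("<QQ", obj, pos)
            name = ABSOLUTE_RELOCS.get(r_info & 0xFFFFFFFF)
            if name:
                hits.append((target, r_offset, name))
    return hits

def sample_object(sections):
    """Constructed input. sections: [(sh_type, sh_flags, sh_info, [reloc types])]."""
    body, hdrs = b"", bytes(64)  # index 0 is the null section header
    for typ, flags, info, relocs in sections:
        data = b"".join(struct.pack("<QQq", 16 * n, (1 << 32) | t, 0)
                        for n, t in enumerate(relocs))
        hdrs += struct.pack("<IIQQQQIIQQ", 0, typ, flags, 0,
                            64 + len(body), len(data), 0, info, 8, 24)
        body += data
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 1, 62,
                       1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64,
                       len(sections) + 1, 0)
    return ehdr + body + hdrs
```

An empty result for every member of an archive means none of its loadable sections carry the relocation types named in the linker error.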

comment:8 Changed 6 months ago by nickm

Keywords: autotools link static added
Severity: Normal