This repository was archived by the owner on Jan 23, 2023. It is now read-only.
Port from 5.0: Fix Position Independent Code in CMake files #28143
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Yeah this will need Tactics approval, we will work on that once we have a similar change done in corefx. Thanks |
mangod9
approved these changes
Feb 12, 2021
Is there any progress? The branch is open. |
jeffschwMSFT
approved these changes
May 6, 2021
There was a problem hiding this comment.
Approved. I will take for consideration in 3.1.x
cc @blowdart and @GrabYourPitchforks
|
FYI, this is fixing this issue: dotnet/runtime#45862 |
leecow
added
Servicing-approved
hoyosjs
pushed a commit
to hoyosjs/coreclr
that referenced
this pull request
Jul 14, 2021
…e files (dotnet#28143) Port from 5.0: Fix Position Independent Code in CMake files (dotnet#28143) * CoreCLR PR26323 Port: Fix PIE options * Added missing PIE and RELRO compilation flags.
hoyosjs
added a commit
that referenced
this pull request
Jul 14, 2021
* Update branding to 3.1.17 (#28173) * Port from 5.0: Fix Position Independent Code in CMake files (#28143) * CoreCLR PR26323 Port: Fix PIE options * Added missing PIE and RELRO compilation flags. * Merged PR 15832: Port from 5.0: Fix Position Independent Code in CMake files (#28143) Port from 5.0: Fix Position Independent Code in CMake files (#28143) * CoreCLR PR26323 Port: Fix PIE options * Added missing PIE and RELRO compilation flags. * Fix System.Globalization.Native build on Big Sur (#28181) * Fix System.Globalization.Native build on Big Sur * Fix build * Add flags for Linux * [release/3.1] Handle Counter Polling Interval of 0 (#28180) * Backport dotnet/runtime#53836 * Fix test build * update test Co-authored-by: Jan Jahoda <jajahoda@microsoft.com> Co-authored-by: Ivan Diaz Sanchez <ivdiazsa@microsoft.com> Co-authored-by: Will Godbe <wigodbe@microsoft.com> Co-authored-by: Santiago Fernandez Madero <safern@microsoft.com> Co-authored-by: John Salem <josalem@microsoft.com>
hoyosjs
added a commit
that referenced
this pull request
Aug 11, 2021
* Update branding to 3.1.17 (#28173) * Port from 5.0: Fix Position Independent Code in CMake files (#28143) * CoreCLR PR26323 Port: Fix PIE options * Added missing PIE and RELRO compilation flags. * Merged PR 15832: Port from 5.0: Fix Position Independent Code in CMake files (#28143) Port from 5.0: Fix Position Independent Code in CMake files (#28143) * CoreCLR PR26323 Port: Fix PIE options * Added missing PIE and RELRO compilation flags. * Fix System.Globalization.Native build on Big Sur (#28181) * Fix System.Globalization.Native build on Big Sur * Fix build * Add flags for Linux * [release/3.1] Handle Counter Polling Interval of 0 (#28180) * Backport dotnet/runtime#53836 * Fix test build * update test * update branding to 3.1.18 (#28182) * Update dependencies from https://github.com/dotnet/core-setup build 20210609.1 (#28178) Microsoft.NETCore.App From Version 3.1.9-servicing.20459.3 -> To Version 3.1.17-servicing.21309.1 Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> * Merged PR 15716: [release/3.1] Use user read+write access for coredump file descriptor open * [release/3.1] #28183 Fix OSX native dependency installation * Avoid upgrading packages that are explicitly installed. * Use a brewfile * Change shebang to use bash and directly execute. * [release/3.1] Update dependencies from dotnet/corefx (#28179) [release/3.1] Update dependencies from dotnet/corefx - Add 3.1 AzDO feeds to the test build to ensure that the test build can correctly restore the CoreFX build. It seems that the new CoreFX build isn't on the old blob feeds, so without this fix, we end up restoring the first 5.0.0-alpha.1 build instead of the build we want. - Exclude tests that depend on OOB assemblies. - Turn off CoreFX test legs in CI. Now that the branch is on servicing, and the churn is low, exclude these as they break far more often than they detect issues. These already run in CoreFX CI on release bits. In case we want to bring them back for checked testing, we need to fix CoreFX.depproj. It has a package - Microsoft.Private.CoreFx.OOB - that's supposed to bring in all deps that are out of box. These are currently not getting restored and this ends up causing File not found issues in the binder when compiling tests, making test exclusions impossible. Please enter the commit message for your changes. Lines starting with '#' will be ignored, and an empty message aborts the commit. Co-authored-by: Jan Jahoda <jajahoda@microsoft.com> Co-authored-by: Ivan Diaz Sanchez <ivdiazsa@microsoft.com> Co-authored-by: Will Godbe <wigodbe@microsoft.com> Co-authored-by: Santiago Fernandez Madero <safern@microsoft.com> Co-authored-by: John Salem <josalem@microsoft.com> Co-authored-by: Anirudh Agnihotry <anirudhagnihotry098@gmail.com> Co-authored-by: dotnet-bot <dotnet-bot@microsoft.com> Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Port Description
This is a direct port from PR #26323 in this same repo. This one was added during .NET Core 5.0 development but there is a customer need to also have it in the .NET Core 3.1 release.
In summary, the
-pielinker option was missing and while the code was being compiled as Position Independent, the executables weren't, and therefore ASLR was not applied to them. This resulted in them being loaded to fixed addresses, which might potentially open vulnerabilities.This port also automates the appliance of the
-fPIC/-fPIEsettings to all targets from a single centralized setting calledCMAKE_POSITION_INDEPENDENT_CODE, which allows CMake to apply the appropriate compiler options without further need of manual specification.Customer Impact
Having these flags enabled provides the built binaries with an additional layer of security, which has become a necessary requirement for some compliance checks, as well as safer applications overall. This port was requested by teams in Azure.
Regression
This was not a regression.
Testing
The checksec tool was used to verify the executables and shared objects had been indeed built with
PIEandFull RELROenabled.Risk
The risk of this is pretty low, since it's been well tested in the current
mainbranch, as well as .NET 5.0 releases.