[vbox-dev] 's/-fPIC/-fPIC -pie/' Config.kmk -- Linking with -pie for ASLR support

Moez Roy moez.roy at gmail.com
Fri Jun 5 15:38:14 UTC 2015 

Hello,

It doesn't matter if the kernel modules cannot be compiled with PIC,
right? Because the kernel modules are compiled using DKMS when you
install VBox. So then why is there a -fno-PIC in various locations in
the Config.kmk file?

Why is -fPIC in the LDFLAGS when there is already -fPIC in the CFLAGS
& CXXFLAGS?

I am trying to build VirtualBox with ASLR support so it passes the
checksec test.

I did: sed -i 's/-fPIC/-fPIC -pie/' Config.kmk


However this causes the build to fail (also happens with v4.3.28) :

kmk: *** [/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.so]
Error 1
The failing command:
@g++ -shared               '-Wl,-rpath,/opt/VirtualBox' -fPIC -pie
-Wl,-z,noexecstack,-z,relro -Wl,--as-needed -m64   -o
/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.so
-Wl,-soname=VBoxRT.so
/out/linux.amd64/release/obj/VBoxRTImp/gen/VBoxRTImpImp.o
    -lpthread   -lm   -lrt   -ldl
/usr/lib/gcc/x86_64-redhat-linux/4.9.2/../../../../lib64/Scrt1.o: In
function `_start':
(.text+0x20): undefined reference to `main'
collect2: error: ld returned 1 exit status
kmk: *** [/out/linux.amd64/release/obj/VMMR3Imp/VMMR3Imp.so]
Error 1
The failing command:
@g++ -shared               '-Wl,-rpath,/opt/VirtualBox' -fPIC -pie
-Wl,-z,noexecstack,-z,relro -Wl,--as-needed -m64   -o
/out/linux.amd64/release/obj/VMMR3Imp/VMMR3Imp.so
-Wl,-soname=VBoxVMM.so
/out/linux.amd64/release/obj/VMMR3Imp/gen/VMMR3ImpImp.o
    -lpthread   -lm   -lrt   -ldl
kmk: *** Exiting with status 2

Another attempt: sed -i 's/-fPIC/-shared -fPIC -pie/' Config.kmk

kmk_builtin_append -n
"/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/gen/VBoxRTImpImp.o.dep"
"" "/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImpImp.c:"
""
kBuild: Linking VBoxRTImp =>
/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.so
kmk_builtin_rm -f --
/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.dep
/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.so
 /media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.map
g++ -shared               '-Wl,-rpath,/opt/VirtualBox' -shared -fPIC
-pie  -Wl,-z,noexecstack,-z,relro -Wl,--as-needed -m64   -o
/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.so
-Wl,-soname=VBoxRT.so
/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/gen/VBoxRTImpImp.o
    -lpthread   -lm   -lrt   -ldl
/usr/lib/gcc/x86_64-redhat-linux/4.9.2/../../../../lib64/Scrt1.o: In
function `_start':
(.text+0x20): undefined reference to `main'
collect2: error: ld returned 1 exit status
kmk: *** [/media/sf_trunk/56248/out/linux.amd64/release/obj/VBoxRTImp/VBoxRTImp.so]
Error 1


PS. I have managed to get VirtualBox to build with -Wl,-z,now (FULL
RELRO) but I cannot enable PIE on VBoxSVC and VBoxXPCOMIPCD:

checksec --proc-all

VBoxXPCOMIPCD  19080 Full RELRO        No canary found        NX
enabled    No PIE
         VBoxSVC  19087 Full RELRO        Canary found           NX
enabled    No PIE

Any help in getting VirtualBox to build with ASLR support appreciated.

Thanks.

-Moez

More information about the vbox-dev mailing list