Bug 233707 - www/firefox: fails to build with -fstack-protector-{strong,all} + -Wl,-z,nocopyreloc
Summary: www/firefox: fails to build with -fstack-protector-{strong,all} + -Wl,-z,noco...
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-toolchain mailing list
URL:
Keywords: regression
Depends on:
Blocks: 214864 233791
  Show dependency treegraph
 
Reported: 2018-12-02 05:28 UTC by Jan Beich
Modified: 2018-12-05 15:36 UTC (History)
5 users (show)

See Also:
bugzilla: maintainer-feedback? (gecko)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jan Beich freebsd_committer 2018-12-02 05:28:45 UTC
Firefox 63 enabled -Wl,-z,nocopyreloc which broke build with non-default SSP_C?FLAGS but Firefox 65 enable -fstack-protector-strong which broke even default builds.

$ cc -v
FreeBSD clang version 7.0.1 (branches/release_70 346007) (based on LLVM 7.0.1)
Target: x86_64-unknown-freebsd13.0
Thread model: posix
InstalledDir: /usr/bin

$ cat >a.c
#include <time.h>

int main() {
  struct timespec ts;
  clock_gettime(CLOCK_MONOTONIC, &ts);
  return 0;
}

$ cc -fstack-protector-strong -Wl,-z,nocopyreloc a.c
ld: error: unresolvable relocation R_X86_64_PC32 against symbol '__stack_chk_guard'; recompile with -fPIC or remove '-z nocopyreloc'
>>> defined in /lib/libc.so.7
>>> referenced by a.c
>>>               /tmp/a-b6cdf3.o:(main)
cc: error: linker command failed with exit code 1 (use -v to see invocation)
Comment 1 Dimitry Andric freebsd_committer 2018-12-04 19:08:16 UTC
Indeed.  Output from ld.lld 7.0.1 rc2:

$ ld.lld --eh-frame-hdr -dynamic-linker /libexec/ld-elf.so.1 --hash-style=both --enable-new-dtags -o bug233707 /usr/lib/crt1.o /usr/lib/crti.o /usr/lib/crtbegin.o -L/usr/lib -z nocopyreloc bug233707.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/crtend.o /usr/lib/crtn.o
ld.lld: error: unresolvable relocation R_X86_64_PC32 against symbol '__stack_chk_guard'; recompile with -fPIC or remove '-z nocopyreloc'
>>> defined in /lib/libc.so.7
>>> referenced by bug233707.c
>>>               bug233707.o:(main)

Output from ld.bfd 2.17.50 (in base):

$ /usr/bin/ld.bfd --eh-frame-hdr -dynamic-linker /libexec/ld-elf.so.1 --hash-style=both --enable-new-dtags -o bug233707 /usr/lib/crt1.o /usr/lib/crti.o /usr/lib/crtbegin.o -L/usr/lib -z nocopyreloc bug233707.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/crtend.o /usr/lib/crtn.o
<zilch>

Output from ld.bfd 2.30 (from ports):

$ ld.bfd --eh-frame-hdr -dynamic-linker /libexec/ld-elf.so.1 --hash-style=both --enable-new-dtags -o bug233707 /usr/lib/crt1.o /usr/lib/crti.o /usr/lib/crtbegin.o -L/usr/lib -z nocopyreloc bug233707.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/crtend.o /usr/lib/crtn.o
ld.bfd: bug233707.o: relocation R_X86_64_PC32 against symbol `__stack_chk_guard@@FBSD_1.0' can not be used when making a PDE object; recompile with -fPIC
ld.bfd: final link failed: Bad value

It's interesting how ld.bfd is talking about a "PDE object" here.  I guess that means a Position Dependent Executable...

Maybe a workaround is to compile firefox with -fPIE? :)
Comment 2 Shawn Webb 2018-12-05 02:12:19 UTC
Compilation with -fstack-protector-all is working fine in HardenedBSD: https://github.com/HardenedBSD/hardenedbsd-ports/commit/03fb5f43e1322cb4c49e9834643b9c1361a04930

I haven't tried setting -Wl,-z,nocopyreloc though. I will soon.
Comment 3 Tijl Coosemans freebsd_committer 2018-12-05 10:52:32 UTC
It seems that on Linux __stack_check_guard is no longer used.  They use a TLS variable (%fs:40 on amd64).
Comment 4 Jan Beich freebsd_committer 2018-12-05 11:06:53 UTC
Default SSP_CFLAGS appear to cancel -fstack-protector-strong, so the port builds fine: https://ptpb.pw/G4f6

Upstream build isn't so fortunate:

$ pkg install python27
$ hash git 2>/dev/null || pkg install mercurial
$ hg clone https://hg.mozilla.org/mozilla-unified firefox ||
  git clone https://github.com/mozilla/gecko-dev firefox
$ cd firefox
$ hg update central || git checkout origin/master
$ ./mach bootstrap # select Firefox for Desktop
$ ./mach build
[...]
checking for clock_gettime(CLOCK_MONOTONIC)... no
[...]
mozbuild.frontend.reader.BuildReaderError:
==============================
FATAL ERROR PROCESSING MOZBUILD FILE
==============================
The error occurred while processing the following file:
    /path/to/mozilla-central/mozglue/misc/moz.build
A moz.build file called the error() function.
The error it encountered is:
    No TimeStamp implementation on this platform.  Build will not succeed

(In reply to Dimitry Andric from comment #1)
> Maybe a workaround is to compile firefox with -fPIE? :)

$ CFLAGS=-fPIE CXXFLAGS=$CFLAGS ./mach build
[...]
security/nss/lib/util/libnssutil3.so
ld: error: relocation R_X86_64_PC32 cannot be used against symbol SEC_PrintableStringTemplate; recompile with -fPIC
>>> defined in ../util_nssutil/secasn1d.o
>>> referenced by secasn1d.c
>>>               ../util_nssutil/secasn1d.o:(SEC_ASN1DecoderUpdate_Util)
[...]
Comment 5 Shawn Webb 2018-12-05 15:36:17 UTC
I think the reason why FreeBSD is exhibiting issues but not HardenedBSD is because we enforce -fPIC for all libraries, both in base and ports. We need to do so to properly build applications as PIEs. Forcing PIC also helps protect against a compiler-level security vulnerability[1].

[1]: http://www.cse.psu.edu/~trj1/papers/ndss17.pdf