diff -u gcc-4.3-4.3.2/debian/changelog gcc-4.3-4.3.2/debian/changelog --- gcc-4.3-4.3.2/debian/changelog +++ gcc-4.3-4.3.2/debian/changelog @@ -1,3 +1,9 @@ +gcc-4.3 (4.3.2-1ubuntu11.1~pie1) intrepid; urgency=low + + * gcc-default-pie.dpatch: Enable PIE by default on amd64. + + -- Kees Cook Thu, 11 Dec 2008 14:49:20 -0800 + gcc-4.3 (4.3.2-1ubuntu11) intrepid; urgency=low * Update the spu cross compiler from the cell-gcc-4_3-branch 20081023. diff -u gcc-4.3-4.3.2/debian/README.Debian gcc-4.3-4.3.2/debian/README.Debian --- gcc-4.3-4.3.2/debian/README.Debian +++ gcc-4.3-4.3.2/debian/README.Debian @@ -204,6 +204,9 @@ gcc-default-relro: Turn on -Wl,-z,relro by default. +gcc-default-pie: + Turn on -fPIE/-pie by default for C, C++, ObjC, ObjC++. + gcc-default-ssp: Turn on -fstack-protector by default for C, C++, ObjC, ObjC++. Build libgcc using -fno-stack-protector. @@ -241,0 +245,3 @@ + +gcc-multilib64dir: + Use lib instead of lib64 as multilibdir on amd64 and ppc64. diff -u gcc-4.3-4.3.2/debian/rules.parameters gcc-4.3-4.3.2/debian/rules.parameters --- gcc-4.3-4.3.2/debian/rules.parameters +++ gcc-4.3-4.3.2/debian/rules.parameters @@ -2,9 +2,9 @@ GCC_VERSION := 4.3.2 NEXT_GCC_VERSION := 4.3.3 BASE_VERSION := 4.3 -SOURCE_VERSION := 4.3.2-1ubuntu11 -DEB_VERSION := 4.3.2-1ubuntu11 -DEB_EVERSION := 1:4.3.2-1ubuntu11 +SOURCE_VERSION := 4.3.2-1ubuntu11.1~pie1 +DEB_VERSION := 4.3.2-1ubuntu11.1~pie1 +DEB_EVERSION := 1:4.3.2-1ubuntu11.1~pie1 GPC_BASE_VERSION := GDC_BASE_VERSION := DEB_GPC_VERSION := @@ -12,7 +12,7 @@ DEB_SOVERSION := 4.3 DEB_SOEVERSION := 1:4.3 DEB_LIBGCC_SOVERSION := 1:4.3 -DEB_LIBGCC_VERSION := 1:4.3.2-1ubuntu11 +DEB_LIBGCC_VERSION := 1:4.3.2-1ubuntu11.1~pie1 DEB_STDCXX_SOVERSION := 4.3 DEB_GCJ_SOVERSION := 4.3 PKG_GCJ_EXT := 9 diff -u gcc-4.3-4.3.2/debian/rules.patch gcc-4.3-4.3.2/debian/rules.patch --- gcc-4.3-4.3.2/debian/rules.patch +++ gcc-4.3-4.3.2/debian/rules.patch 
@@ -94,6 +94,9 @@ hardening_patches += gcc-default-format-security \ gcc-default-fortify-source gcc-default-relro endif + ifneq (,$(filter $(DEB_TARGET_ARCH), amd64)) + hardening_patches += gcc-default-pie + endif endif ifeq ($(with_ssp)-$(with_ssp_default),yes-yes) hardening_patches += gcc-default-ssp only in patch2: unchanged: --- gcc-4.3-4.3.2.orig/debian/patches/gcc-default-pie.dpatch +++ gcc-4.3-4.3.2/debian/patches/gcc-default-pie.dpatch 
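Review bot: The new amd64 guard hard-codes the PIE default with no opt-out variable, unlike the `ifeq ($(with_ssp)-$(with_ssp_default),yes-yes)` check on the following line that gates gcc-default-ssp; a rebuild that wants PIE off on amd64 has to edit this file rather than set a variable. Consider gating gcc-default-pie on a with_*-style pair in the same way as the ssp line, so the two hardening defaults are configured consistently. The enclosing ifeq that this ifneq sits inside opens before the hunk, so the exact condition under which the amd64 branch is reached is not visible here.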
@@ -0,0 +1,106 @@ +#! /bin/sh -e + +# DP: Turn on -fPIE/-pie by default for C, C++, ObjC, ObjC++. + +dir= +if [ $# -eq 3 -a "$2" = '-d' ]; then + pdir="-d $3" + dir="$3/" +elif [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi +case "$1" in + -patch) + patch $pdir -f --no-backup-if-mismatch -p0 < $0 + ;; + -unpatch) + patch $pdir -f --no-backup-if-mismatch -R -p0 < $0 + ;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +esac +exit 0 + +diff -uNrp ../src~/gcc/config/linux.h gcc/config/linux.h +--- ../src~/gcc/config/linux.h 2008-12-11 16:21:51.000000000 -0800 ++++ gcc/config/linux.h 2008-12-13 00:53:08.000000000 -0800 +@@ -40,8 +40,8 @@ + #undef STARTFILE_SPEC + #if defined HAVE_LD_PIE + #define STARTFILE_SPEC \ +- "%{!shared: %{pg|p|profile:gcrt1.o%s;pie:Scrt1.o%s;:crt1.o%s}} \ +- crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}" ++ "%{!shared: %{pg|p|profile:gcrt1.o%s;nopie:crt1.o%s;:Scrt1.o%s}} \ ++ crti.o%s %{static:crtbeginT.o%s;nopie:crtbegin.o%s;:crtbeginS.o%s}" + #else + #define STARTFILE_SPEC \ + "%{!shared: %{pg|p|profile:gcrt1.o%s;:crt1.o%s}} \ +@@ -56,7 +56,7 @@ + + #undef ENDFILE_SPEC + #define ENDFILE_SPEC \ +- "%{shared|pie:crtendS.o%s;:crtend.o%s} crtn.o%s" ++ "%{static|nopie:crtend.o%s;:crtendS.o%s} crtn.o%s" + + /* FIXME: Is a Hurd-specific fallback mechanism necessary? */ + #undef MD_UNWIND_SUPPORT +diff -uNrp ../src~/gcc/config/i386/linux64.h gcc/config/i386/linux64.h +--- ../src~/gcc/config/i386/linux64.h 2008-12-11 16:21:31.000000000 -0800 ++++ gcc/config/i386/linux64.h 2008-12-13 00:53:42.000000000 -0800 +@@ -71,7 +71,9 @@ along with GCC; see the file COPYING3. 
+ %{!static: \ + %{rdynamic:-export-dynamic} \ + %{" SPEC_32 ":%{!dynamic-linker:-dynamic-linker " LINUX_DYNAMIC_LINKER32 "}} \ +- %{" SPEC_64 ":%{!dynamic-linker:-dynamic-linker " LINUX_DYNAMIC_LINKER64 "}}} \ ++ %{" SPEC_64 ":%{!dynamic-linker:-dynamic-linker " LINUX_DYNAMIC_LINKER64 "} \ ++ %{!nopie:%{!A:%{!nostdlib:%{!nostartfiles:%{!fno-PIE:%{!fno-pie: -pie}}}}}} \ ++ }} \ + %{static:-static}}" + + /* Similar to standard Linux, but adding -ffast-math support. */ +@@ -81,7 +83,7 @@ along with GCC; see the file COPYING3. + %{mpc32:crtprec32.o%s} \ + %{mpc64:crtprec64.o%s} \ + %{mpc80:crtprec80.o%s} \ +- %{shared|pie:crtendS.o%s;:crtend.o%s} crtn.o%s" ++ %{static|nopie:crtend.o%s;:crtendS.o%s} crtn.o%s" + + #if TARGET_64BIT_DEFAULT + #define MULTILIB_DEFAULTS { "m64" } +diff -uNrp ../src~/gcc/doc/invoke.texi gcc/doc/invoke.texi +--- ../src~/gcc/doc/invoke.texi 2008-12-12 17:29:00.000000000 -0800 ++++ gcc/doc/invoke.texi 2008-12-13 00:34:33.000000000 -0800 +@@ -7525,6 +7525,10 @@ For predictable results, you must also s + that were used to generate code (@option{-fpie}, @option{-fPIE}, + or model suboptions) when you specify this option. + ++NOTE: In Ubuntu 9.10 and later versions this option is enabled by default ++for C, C++, ObjC, ObjC++. To disable, use @option{-nopie} or ++@option{-fno-PIE}. ++ + @item -rdynamic + @opindex rdynamic + Pass the flag @option{-export-dynamic} to the ELF linker, on targets +@@ -14987,6 +14991,9 @@ used during linking. + @code{__pie__} and @code{__PIE__}. The macros have the value 1 + for @option{-fpie} and 2 for @option{-fPIE}. + ++NOTE: In Ubuntu 9.10 and later versions this option is enabled by default ++for C, C++, ObjC, ObjC++. To disable, use @option{-fno-PIE}. 
++ + @item -fno-jump-tables + @opindex fno-jump-tables + Do not use jump tables for switch statements even where it would be +diff -uNrp ../src~/gcc/gcc.c gcc/gcc.c +--- ../src~/gcc/gcc.c 2008-12-12 17:29:00.000000000 -0800 ++++ gcc/gcc.c 2008-12-13 00:34:33.000000000 -0800 +@@ -841,6 +841,7 @@ static const char *cc1_options = + %{--help=*:--help=%(VALUE)}\ + %{!fsyntax-only:%{S:%W{o*}%{!o*:-o %b.s}}}\ + %{fsyntax-only:-o %j} %{-param*}\ ++ %{!D__KERNEL__:%{!static:%{!fno-PIC:%{!fno-pic:%{!shared:%{!nostdlib:%{!nostartfiles:%{!fno-PIE:%{!fno-pie:%{!nopie:%{!fPIC:%{!fpic:-fPIE}}}}}}}}}}}}\ + %{fmudflap|fmudflapth:-fno-builtin -fno-merge-constants}\ + %{coverage:-fprofile-arcs -ftest-coverage}"; +
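Review bot: The compile-side and link-side opt-out lists in this dpatch disagree: the cc1_options addition in gcc/gcc.c suppresses the implicit -fPIE for -fno-PIC, -fno-pic, -fPIC, -fpic and -D__KERNEL__, but the -pie added to LINK_SPEC in gcc/config/i386/linux64.h is only suppressed by -nopie, -A, -nostdlib, -nostartfiles, -fno-PIE and -fno-pie, so a one-step `gcc -fno-pic foo.c -o foo` compiles non-PIC objects and then links them with -pie, which the linker will most likely reject. The two lists should match; the smallest change is to extend the LINK_SPEC nest to `%{!nopie:%{!A:%{!nostdlib:%{!nostartfiles:%{!fno-PIE:%{!fno-pie:%{!fno-PIC:%{!fno-pic: -pie}}}}}}}} \`. The -pie is also only added under the SPEC_64 branch while gcc.c adds -fPIE for every multilib, so -m32 compiles on amd64 produce PIE-compiled code that is then linked as a non-PIE executable — presumably intentional, but worth a line in the DP: header of the dpatch. The invoke.texi notes say the default applies in "Ubuntu 9.10 and later" while the changelog entry targets intrepid, so one of the two should be corrected. The %{!shared: group that encloses the modified LINK_SPEC lines opens outside the hunk, so that -shared links are excluded is inferred only from the trailing closing brace.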