#9007: fails to build with hardening flags enabled (relocation R_X86_64_32 against `stg_CHARLIKE_closure'...) -------------------------------------+------------------------------------- Reporter: nomeata | Owner: nomeata Type: bug | Status: infoneeded Priority: high | Milestone: 7.12.1 Component: Compiler | Version: 7.9 Resolution: | Keywords: Operating System: Unknown/Multiple | Architecture: Type of failure: Building GHC | Unknown/Multiple failed | Test Case: Blocked By: | Blocking: Related Tickets: | Differential Revisions: -------------------------------------+------------------------------------- Comment (by mitchty): It appears I'm hitting an instance of this, or a related case after porting ghc to Alpine Linux. Though the situation I'm encountering is slightly different, the error I see is the same as rwbarton noted earlier with the stg function. What I am seeing with a ghc --make test.hs compile of a really simple haskell program: https://gist.githubusercontent.com/mitchty/296be0fd030aba6aa7b5/raw/f8459935... If you note from that make.out example, stg_bh_upd_frame_info is not PIC after its been statically linked. To explain a bit more, Alpine linux is setup to compile with PIE executables by default, as well as PIC libraries. This can be changed for errant things which cannot use aslr if needed, but the default ABI requires PIE/PIC. Effectively Alpine linux is running the same as Debian when hardened. However if necessary you can use an escape hatch of -nopie -fno-PIC, which is how I had to port ghc. This presents a problem however, as it appears ghc will not emit PIC assembly in this case. Nor is there apparently an option to do so that one can toggle via configure or auto tools or editing the settings file directly to achieve that goal. What would appear to be needed here after chatting with rwbarton on irc is some way to have ghc emit PIC assembly on Linux x86_64 platforms when necessary. Note that in the case of Alpine Linux, we would want PIC/PIE to always be on. For Debian hardened that may not hold true in that ghc itself might need to be built as a pie executable but executables it creates in this situation may not need to be pie. As an example, gcc on Alpine Linux has the following macros set by default with no feature switches enabled to gcc: $ echo ";" | gcc -E -dD -c -| grep PIC #define __PIC__ 2 $ echo ";" | gcc -E -dD -c -| grep PIE #define __PIE__ 2 Also note, unlike the Debian hardening, there is no easy way to change these defaults outside of possibly recompiling gcc. From the discussion in irc the following two options seem reasonable: - Add a value to the settings file to control if ghc will emit PIC assembly by default or not - Possibly attempt to detect that the Linux in use requires PIC/PIE via some trick like the above gcc preprocessor dumps The latter may be a better option overall but I will need to compare against the other hardened linux flavors in all their possible settings. As an example Gentoo linux allows you to change the gcc hardened settings at run time, which would make detection of the "right" thing to do rather difficult. Similar behavior would apply to fedora as well. I'm not sure the correct way forward but for the moment a setting to adjust what type of assembly ghc emits would seem the best option. Right now I have to force all binaries to be nopie as a workaround to this issue. -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/9007#comment:15 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler