Bug 1335863

Summary: non-daemon ELF binaries are compiled as PIE, but without full RELRO

Product: Red Hat Enterprise Linux 7
Reporter: Jiri Jaburek <jjaburek>
Component: mariadb
Assignee: Jakub Dorňák <jdornak>
Status: CLOSED ERRATA
QA Contact: Jiri Jaburek <jjaburek>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: databases-maint, hhorak, kvolny, mcermak, mmuzila
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mariadb-5.5.47-5.el7
Doc Type: Bug Fix
Doc Text:
Cause: Not properly chosen link flags.
Consequence: Binaries compiled as PIE but without full RELRO (lazy binding, no BIND_NOW).
Fix: Choose proper link flags.
Result: Binaries compiled as PIE with full RELRO.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 20:48:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1092574, 1343697
Attachments:
  proposed patch (flags: none)

Description Jiri Jaburek 2016-05-13 12:16:40 UTC
Description of problem:

At least the following binaries,

/usr/bin/mysqlimport
/usr/bin/mysqltest
/usr/bin/mysql_client_test
/usr/bin/mysql_plugin
/usr/bin/mysql_upgrade
/usr/bin/mysqlslap
/usr/bin/mysqltest_embedded
/usr/bin/mysql_waitpid
/usr/bin/mysqladmin
/usr/bin/mysql_client_test_embedded
/usr/bin/mysql_tzinfo_to_sql
/usr/bin/mysql
/usr/bin/mysqldump
/usr/bin/mysqlshow
/usr/bin/mysqlcheck
/usr/bin/mysqlbinlog

are compiled as Position Independent Executables (PIE), but with lazy binding enabled (no BIND_NOW / NOW). This not only slows the startup down (adding one layer of indirection for PIE), but also creates potential security issues.

Please compile these as either

- non-PIE, with "partial" RELRO: gcc -Wl,-z,relro
- PIE, with "full" RELRO: gcc -fPIE -pie -Wl,-z,relro,-z,now

*not* in any combination of the two (for one binary).

Generally speaking, PIE + "full" RELRO is recommended for anything that doesn't start too often (as it provides the best protection at a slight cost in startup time) such as daemons, SUID binaries or anything having extra privileges and handling unsafe user data.
For anything else, "partial" RELRO is recommended.


Version-Release number of selected component (if applicable):
mariadb-5.5.47-1.el7_2

How reproducible:
always

Steps to Reproduce:
1. readelf -a <path-to-binary> | less
2. look for addresses, see them being relative, starting at 0
2.1. (also see ELF type at the top - should be DYN)
3. look for BIND_NOW or NOW, without success

Actual results:
binaries compiled as PIE with "partial" RELRO

Expected results:
binaries either compiled as PIE+"full" RELRO or non-PIE+"partial" RELRO

Additional info:
/usr/libexec/mysqld seems to correctly have PIE + "full" RELRO.
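
The reproduction steps above boil down to three ELF facts that readelf prints: the ELF type (EXEC vs DYN, i.e. non-PIE vs PIE), the presence of a PT_GNU_RELRO program header (what "-z relro" adds), and the BIND_NOW / NOW bits in the dynamic section's DT_FLAGS / DT_FLAGS_1 entries (what "-z now" adds). The script below is an added example, not code from the report or from the mariadb package: it reads those fields directly from the file so the same classification can be run over a whole set of binaries without paging through "readelf -a". It handles only ELF64 little-endian images (x86_64 and most modern targets) to stay short; make_test_elf() builds a constructed, non-runnable image carrying just those headers so the checks can be exercised offline.

```python
"""Classify an ELF binary as PIE / non-PIE and partial / full RELRO.

Added example for this bug, not code from the report or from MariaDB.
It reads the same fields readelf prints: ELF type (EXEC vs DYN), the
PT_GNU_RELRO program header, and BIND_NOW / NOW in the dynamic section.
Only ELF64 little-endian (e.g. x86_64) is handled, to keep it short.

    python3 relro_check.py /usr/bin/mysql /usr/libexec/mysqld
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE = 64, 56


def inspect_elf(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now'} for an ELF64 LE image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected an ELF64 little-endian image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro, dynamic = False, None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # readelf -l: "GNU_RELRO" segment
            relro = True
        elif p_type == PT_DYNAMIC:      # where DT_FLAGS / DT_FLAGS_1 live
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            # readelf -d: "FLAGS: BIND_NOW" or "FLAGS_1: Flags: NOW"
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            off += 16
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now}


def classify(info: dict) -> str:
    """Name the combination using the report's vocabulary."""
    if not info["relro"]:
        return "no RELRO"
    level = "full RELRO" if info["bind_now"] else "partial RELRO"
    return ("PIE + " if info["pie"] else "non-PIE + ") + level


def is_reported_mix(info: dict) -> bool:
    """True for the combination this bug objects to: PIE with lazy binding."""
    return info["pie"] and info["relro"] and not info["bind_now"]


def make_test_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-runnable ELF64 image carrying only the headers the
    checks above read; stands in for a real binary when testing offline."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR_SIZE + PHDR_SIZE * len(types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 6, dyn_off, dyn_off, dyn_off,
                                 len(dyn), len(dyn), 8) for t in types)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = inspect_elf(f.read())
        flag = "  <-- mixed, see bug" if is_reported_mix(info) else ""
        print(f"{path}: {classify(info)}{flag}")
```

To cross-check a result by hand, "readelf -h FILE" shows Type: DYN for PIE, "readelf -lW FILE | grep GNU_RELRO" shows the RELRO segment, and "readelf -dW FILE | grep -E 'FLAGS'" shows BIND_NOW / NOW. The security point behind the distinction: with -z relro alone the loader can make .got read-only after relocation, but .got.plt must stay writable so lazy symbol resolution can fill it in at first call, which keeps GOT-overwrite a usable primitive for an attacker with a write; -z now resolves everything up front so the whole GOT can be made read-only before main() runs.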

Comment 2 Honza Horak 2016-06-27 12:40:11 UTC
*** Bug 1092548 has been marked as a duplicate of this bug. ***

Comment 3 Matej Mužila 2016-06-29 10:28:26 UTC
Created attachment 1173765 [details]
proposed patch

Comment 8 errata-xmlrpc 2016-11-03 20:48:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2595.html