1

Consider this GNU Assembler program for AMD64 Linux:

.globl _start
_start:
    movl $59, %eax # SYS_execve
    leaq .pathname(%rip), %rdi     # position-independent addressing
    leaq .argv(%rip), %rsi
    movq (%rsp), %rdx
    leaq 16(%rsp,%rdx,8), %rdx
    syscall
    movl $60, %eax # SYS_exit
    movl $1, %edi
    syscall

.section .data
.argv:
    .quad .argv0            # Absolute address as static data
    .quad .argv1
    .quad 0
.pathname:
    .ascii "/bin/"
.argv0:
    .asciz "echo"
.argv1:
    .asciz "hello"

When I build it with gcc -nostdlib -static-pie and run it, it fails, and strace shows me that this happens:

execve("/bin/echo", [0x301d, 0x3022], 0x7fff9bbe5a08 /* 28 vars */) = -1 EFAULT (Bad address)

It works fine if I build it as a static non-PIE binary or as a dynamic PIE binary, though. It looks like the problem is that relocations aren't getting processed.

In dynamic PIE binaries, the dynamic linker does that, and in non-PIE static binaries, you don't need runtime relocations; static addresses are link time constants.

But how are static PIE binaries supposed to work? Are they just not supposed to have any relocations at all, or is something else supposed to process them?

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
Joseph Sible-Reinstate Monica
  • 45,431
  • 5
  • 48
  • 98
  • I'd guess that data (and text) relocations simply don't work in a static-PIE. The only thing that could process them before user-space execution starts is the kernel, and probably nobody wants more code for that in the kernel. That could be the reason GCC won't make a static-pie by default, even if there no shared libraries. – Peter Cordes Jun 26 '20 at 02:01
  • @PeterCordes: But somehow, [this program](https://godbolt.org/z/UxiAO5), which does much the same thing, compiles and runs fine with `-fpie -static-pie` on my system (though not on godbolt). – Nate Eldredge Jun 26 '20 at 02:11
  • @NateEldredge That would seem to imply either (1) glibc takes care of it, and it didn't work for me since I didn't link glibc, or (2) GCC is hiding a magic function call to do it somewhere. Also, it's interesting that it doesn't work on godbolt. I wonder why that is. – Joseph Sible-Reinstate Monica Jun 26 '20 at 02:12
  • A quick test seems to point to theory (1). If I take my program, change `_start` to `main`, stop trying to set `envp` from the stack, and get rid of `-nostdlib`, then it works fine. – Joseph Sible-Reinstate Monica Jun 26 '20 at 02:16

2 Answers2

3

Apparently static-PIE still leaves runtime relocation to user-space. If you omit CRT startup code (with -nostdlib), it doesn't happen at all. That's presumably why gcc -nostdlib doesn't make a static-PIE by default.

If you do link with glibc's CRT start code, it will handle it for you with code specifically for that purpose.

Test case: your code with _start changed to main, or Nate's C example from comments. (I changed the global var names to be long and easy to find in searching readelf or nm output.)

#include <stdio.h>

int global_static_a = 7;
int *static_ptr = &global_static_a;

int main(void) {
  printf("%d\n", *static_ptr);   // load and deref the statically-initialized pointer
}

  • Compile with gcc -g -fpie -static-pie print.c (I used gcc 10.1.0 with glibc 2.31-5 on Arch GNU/Linux for x86-64)

  • Run gdb ./a.out. In GDB:

  • starti (I wanted to make sure GDB could see the correct addresses before setting watch points, in case that's necessary)

  • watch static_ptr

  • continue

The watchpoint was hit by _dl_relocate_static_pie+540 mov QWORD PTR [rcx],rdx.

Hardware watchpoint 2: static_ptr

Old value = (int *) 0xb7130
New value = (int *) 0x7ffff7ffb130 <global_static_a>

The fact that a function called _dl_relocate_static_pie got linked into my executable is pretty clear evidence that glibc provided that code.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
  • 2
    [Here is the source code of `_dl_relocate_static_pie` in glibc](https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-reloc-static-pie.c;h=382482fa739f10934aeb916650c65a4db231c481;hb=HEAD) – Nate Eldredge Jun 26 '20 at 02:43
1

The problem is that you're using -nostdlib so you're missing the code that performs the relocations in the executable itself. It will work if you build a slightly different example using gcc -static-pie:

.globl main
main:
    movl $59, %eax # SYS_execve
    leaq .pathname(%rip), %rdi     # position-independent addressing
    leaq .argv(%rip), %rsi
    syscall
    movl $60, %eax # SYS_exit
    movl $1, %edi
    syscall

.section .data
.argv:
    .quad .argv0            # Absolute address as static data
    .quad .argv1
    .quad 0
.pathname:
    .ascii "/bin/"
.argv0:
    .asciz "echo"
.argv1:
    .asciz "hello"
Ross Ridge
  • 38,414
  • 7
  • 81
  • 112