meson: Stop setting -fPIE globally

Setting -fPIE globally can lead to miscompilations on certain
architectures. Instead use the b_pie=true build option, which was
introduced in meson 0.49. Bump the Build-Depends accordingly.

Closes: #909396

diff --git a/debian/control b/debian/control
index 8d879adcec57bdcbf2d79183028765dd1119a2ed..f6930a2675306f17b7c1746d9868502e600fd0b2 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Build-Depends: debhelper (>= 10.4~),
                docbook-xsl,
                docbook-xml,
                m4,
-               meson (>= 0.44),
+               meson (>= 0.49),
                gettext,
                gperf,
                gnu-efi [amd64 i386 arm64],

diff --git a/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch b/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch
index 7742b55e18d4442c6c06c6f03add867e8ec06950..54066bddc1b580950539f85a4394215577b79d74 100644 (file)
--- a/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch
+++ b/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch
@@ -15,10 +15,10 @@ This reverts commit 4e15a7343cb389e97f3eb4f49699161862d8b8b2.
  4 files changed, 2 insertions(+), 9 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index 6c74ada..65296dc 100644
+index a87bb57..8072f52 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -815,7 +815,6 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
+@@ -808,7 +808,6 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group'))
  dev_kvm_mode = get_option('dev-kvm-mode')
  substs.set('DEV_KVM_MODE', dev_kvm_mode)
  conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666')
@@ -26,7 +26,7 @@ index 6c74ada..65296dc 100644
  
  kill_user_processes = get_option('default-kill-user-processes')
  conf.set10('KILL_USER_PROCESSES', kill_user_processes)
-@@ -3094,7 +3093,6 @@ status = [
+@@ -3087,7 +3086,6 @@ status = [
          'minimum container UID base:        @0@'.format(container_uid_base_min),
          'maximum container UID base:        @0@'.format(container_uid_base_max),
          '/dev/kvm access mode:              @0@'.format(get_option('dev-kvm-mode')),

diff --git a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
index 992eeccc6d0940af04c3307b41971a3e5da845b8..8f9418378075e6c38d827a7fcfda58195f95bb74 100644 (file)
--- a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
+++ b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
@@ -239,10 +239,10 @@ index 0000000..b7ad58d
 +
 +</refentry>
 diff --git a/meson.build b/meson.build
-index b338886..6c74ada 100644
+index e6b28e1..a87bb57 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2379,6 +2379,14 @@ executable('systemd-makefs',
+@@ -2372,6 +2372,14 @@ executable('systemd-makefs',
             install : true,
             install_dir : rootlibexecdir)
  

diff --git a/debian/patches/meson-stop-setting-fPIE-globally.patch b/debian/patches/meson-stop-setting-fPIE-globally.patch
new file mode 100644 (file)
index 0000000..ae0eaa1
--- /dev/null
+++ b/debian/patches/meson-stop-setting-fPIE-globally.patch
@@ -0,0 +1,43 @@
+From: Michael Biebl <biebl@debian.org>
+Date: Thu, 10 Jan 2019 12:58:27 +0100
+Subject: meson: stop setting -fPIE globally
+
+Setting -fPIE globally can lead to miscompilations on certain
+architectures.
+This is caused by both -fPIE and -fPIC options being added to various
+compilation commands. Only -fPIC is being recorded in the LTO options
+section of the object. The gcc-8 LTO plugin merges -fPIC + -fPIE to
+nothing. So, the compilations done by the plugin are not
+position-independent and fail to link with -pie.
+
+The simplest solution is to stop setting -fPIE globally and instead
+using meson's b_pie=true option. This requires meson 0.49 or later.
+
+Since we don't set this option in meson.build but leave it up to the
+distro maintainer to set this option, do not bump the meson version
+requirement.
+
+Fixes: #10548
+(cherry picked from commit 4e4bbc439eb7f16a608f457d3eaac08c60633212)
+---
+ meson.build | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index b338886..e6b28e1 100644
+--- a/meson.build
++++ b/meson.build
+@@ -362,13 +362,6 @@ possible_link_flags = [
+         '-Wl,-z,now',
+ ]
+ 
+-# the oss-fuzz fuzzers are not built with -fPIE, so don't
+-# enable it when we are linking against them
+-if not fuzzer_build
+-        possible_cc_flags += '-fPIE'
+-        possible_link_flags += '-pie'
+-endif
+-
+ if cc.get_id() == 'clang'
+         possible_cc_flags += [
+                 '-Wno-typedef-redefinition',

diff --git a/debian/patches/series b/debian/patches/series
index f22964bb6c96f6ad677d0263f451ca1cdf203fb6..dff9f647543e3d992154f8e78d3f236a743c0c5f 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,6 +38,7 @@ network-rename-link_set_routing_policy_rule-to-link_reque.patch
 network-set-_configured-flags-to-false-before-requesting-.patch
 man-update-color-of-journal-logs-in-DEBUG-level.patch
 sd-device-monitor-fix-ordering-of-setting-buffer-size.patch
+meson-stop-setting-fPIE-globally.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch

diff --git a/debian/rules b/debian/rules
index 0d2fcdfdd192fa124626c5a307f7a5d311705ccb..09c133a6d30655374073d6e0185efc10b3c5f619 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -37,6 +37,7 @@ endif
 
 CONFFLAGS = \
        -Db_lto=true \
+       -Db_pie=true \
        -Drootlibdir=/lib/$(DEB_HOST_MULTIARCH) \
        -Dsplit-usr=true \
        -Dquotaon-path=/sbin/quotaon \