guix: patch NSIS to remove .reloc sections from install stubs

With the release of binutils/ld 2.36, ld swapped to much improved
default settings when producing windows binaries with mingw-w64. One of
these changes was to stop stripping the .reloc section from binaries,
which is required for working ASLR.

.reloc section stripping is something we've accounted for previously,
see #18702. The related upstream discussion is in this thread:
https://sourceware.org/bugzilla/show_bug.cgi?id=19011.

When we switched to using a newer Guix time-machine in #23778, we begun
using binutils 2.37 to produce releases. Since then, our windows
installer (produced with makensis) has not functioned correctly when run on
a Windows system with the "Force randomization for images (Mandatory ASLR)"
option enabled. Note that all of our other release binaries, which all
contain .reloc sections, function fine under the same option, so it
cannot be just the presence of a .reloc section that is the issue.

For now, restore makensis to it's pre-binutils-2.36 behaviour, which
fixes the produced installer. The underlying issue can be further
investigated in future.
This commit is contained in:
fanquake 2022-08-05 11:48:15 +01:00
parent 7d3817b29a
commit 7a0b129c41
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
2 changed files with 32 additions and 1 deletions

View file

@ -194,7 +194,8 @@ chain for " target " development."))
(define (make-nsis-for-gcc-10 base-nsis)
(package-with-extra-patches base-nsis
(search-our-patches "nsis-gcc-10-memmove.patch")))
(search-our-patches "nsis-gcc-10-memmove.patch"
"nsis-disable-installer-reloc.patch")))
(define (fix-ppc64-nx-default lief)
(package-with-extra-patches lief

View file

@ -0,0 +1,30 @@
Patch NSIS so that it's installer stubs, produced at NSIS build time,
do not contain .reloc sections, which will exist by default when using
binutils/ld 2.36+.
This ultimately fixes an issue when running the installer with the
"Force randomization for images (Mandatory ASLR)" setting active.
This patch has not yet been sent upstream, because it's not clear if this
is the best fix, for the underlying issue, which seems to be that makensis
doesn't account for .reloc sections when it builds installers.
The existence of a reloc section shouldn't be a problem, and, if anything,
is actually a requirement for working ASLR. All other Windows binaries we
produce contain them, and function correctly when under the same
"Force randomization for images (Mandatory ASLR)" setting.
See:
https://github.com/bitcoin/bitcoin/issues/25726
https://sourceforge.net/p/nsis/bugs/1131/
--- a/SCons/Config/gnu
+++ b/SCons/Config/gnu
@@ -102,6 +102,7 @@ stub_env.Append(LINKFLAGS = ['-mwindows']) # build windows executables
stub_env.Append(LINKFLAGS = ['$NODEFLIBS_FLAG']) # no standard libraries
stub_env.Append(LINKFLAGS = ['$ALIGN_FLAG']) # 512 bytes align
stub_env.Append(LINKFLAGS = ['$MAP_FLAG']) # generate map file
+stub_env.Append(LINKFLAGS = ['-Wl,--disable-reloc-section'])
conf = FlagsConfigure(stub_env)
conf.CheckCompileFlag('-fno-tree-loop-distribute-patterns') # GCC 10: Don't generate msvcrt!memmove calls (bug #1248)