ASLR (pie) disabled in v12 Linux amd64 build from nodejs.org #33425
I can't find the issue but I remember it having been discussed. IIRC, the conclusion was to keep PIE disabled because of the sizable performance hit. It was something like 5 or 10%. PIE is enabled on macOS but that's not a performance-critical platform like Linux is. People don't run production servers on their MacBooks. (I hope.)
Lol, ya let's hope. I saw some comments that talked about performance when I went digging through previous PRs and pull requests but I don't remember seeing anywhere where it was decided definitively to disable because of any specific reasoning. I figured if it was intentional then this issue could just be closed and become an easy place to point to with the definitive response. And if it wasn't intentional then it'll get switched on.
I think the big blocker was ia32/i386: position-independent code is expensive on that architecture because it's register starved. But we dropped support for ia32 and x64/amd64/x86_64 doesn't have that problem (rip-relative addressing and plenty of registers) so we could turn on PIE if someone is willing to investigate the performance impact. edit: comparing the
Hey, is this still available to work on?
I compiled Node based on the Markdown file instructions and then checked the flags with otool -hv. But there is no PIE flag set, neither under my freshly compiled binary, nor under the binary saved via the official macOS installer. Did I miss something here, because you said that PIE is enabled under macOS?
I have now run some benchmarks with PIE enabled and disabled. As @bnoordhuis already mentioned, you can expect a performance penalty of 5-10%. Here are some results as text file: Is this too much cost for PIE being enabled? I think at least on OS X this can be activated. I will make a pull request which removes the -no_pie flags. |
After conducting several benchmarks, I noticed performance losses of 5-10%. As OS X is not a performance critical platform, as already mentioned by @bnoordhuis, I have removed the -no_pie flag at least for this platform. I'd love to enable PIE for other platforms if the 5-10% speed loss is not too high. I would be happy to hear your opinion on this. Refs: #33425 PR-URL: #35704 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Should this be closed? The issue was about amd64 on Linux
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document.
There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment. For more information on how the project manages feature requests, please consult the feature request management document.
The lack of ASLR on the
“feature request” my ass! We all knew this was a vuln waiting to happen!! Why is this issue still closed???
I see there was some discussion on this back in 2016, but I couldn't really follow, it also looks like -pie still exists in some of the build files. Just wanted to report in case it's off by mistake.
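Added example, not part of the original thread or of the Node.js project: one way to check from the ELF header whether a Linux amd64 binary was linked as PIE, which is what decides whether ASLR can randomize the main image. The names `classify_elf64` and `build_sample` are hypothetical, and the sample headers are constructed for the demonstration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_INTERP = 3               # program header naming the dynamic loader
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header


def classify_elf64(data: bytes) -> str:
    """Classify an ELF64 little-endian image as 'non-pie', 'pie' or 'shared-object'."""
    if len(data) < EHDR.size:
        raise ValueError("truncated ELF header")
    (ident, e_type, _machine, _version, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    if e_type == ET_EXEC:
        return "non-pie"            # fixed load address: main image not randomized
    if e_type != ET_DYN:
        raise ValueError(f"unexpected e_type {e_type}")
    # ET_DYN covers both PIE executables and shared libraries. Heuristic:
    # a PT_INTERP segment marks an executable (static-pie binaries lack one).
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + PHDR.size > len(data):
            raise ValueError("program header table out of bounds")
        if PHDR.unpack_from(data, off)[0] == PT_INTERP:
            return "pie"
    return "shared-object"


def build_sample(e_type: int, with_interp: bool) -> bytes:
    """Constructed minimal header + one program header, for demonstration only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)
    p_type = PT_INTERP if with_interp else 1    # 1 = PT_LOAD
    return ehdr + PHDR.pack(p_type, 4, 0, 0, 0, 0, 0, 1)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. path to a node binary
        with open(sys.argv[1], "rb") as fh:
            print(classify_elf64(fh.read()))
    else:
        print(classify_elf64(build_sample(ET_EXEC, True)))   # constructed input
```

Run with the path to a downloaded binary as the only argument; a result of non-pie corresponds to the condition reported in this issue.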