Beware of Ubuntu 16.10 Upgrade Woes

I wanted to share a word of caution for anybody planning to update their development and test systems to Ubuntu 16.10: I can’t build kernels anymore. Ubuntu recommends a special patch to the kernel Makefile. This patch will work only on Ubuntu kernel sources and not the upstream Linux kernel trees.

Linux kernel builds fail with the following message

CHK include/config/kernel.release
Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
Makefile:1058: recipe for target 'prepare-compiler-check' failed
make: *** [prepare-compiler-check] Error 1

The message about CONFIG_CC_STACKPROTECTOR_STRONG is misleading because this Kernel config option is enabled in most distro kernels; disabling it won’t solve the kernel build failure problem. It fails because the position independent executable option is set as default in gcc version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12). As a result, Linux Kernel Makefile needs to update to build the kernel with “-fno-pie” option.

The Ubuntu 16.10 release notes say

We have modified GCC to by-default compile programs with position independent executable support to improve the security benefits provided by Address Space Layout Randomization.

This may cause difficulty when trying to compile Linux kernels that still need this patch applied. Other programs may experience other problems; some debugging guidelines are at https://wiki.ubuntu.com/SecurityTeam/PIE

This clearly states a patch needs to applied to the Linux Kernel makefile. This patch forces no-pie for distro compilers that enable pie by default. So at the moment, I am going to refrain from upgrading my development and test systems.

I am following up with the Ubuntu kernel team and upstream on this issue. There is a patch in the works upstream to address the GCC change to enable position independent executable option by default. In the meantime, the following change worked for me on Linux 4.8.4 and Linux 4.9-rc1. I was able to build Linux 4.8.4 successfully and it is running nicely.

diff --git a/Makefile b/Makefile
index 82a36ab..0a01ad1 100644
--- a/Makefile
+++ b/Makefile
@@ -651,6 +651,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
endif

+# force no-pie for distro compilers that enable pie by default
+KBUILD_CFLAGS += $(call cc-option, -fno-pie)
+KBUILD_CFLAGS += $(call cc-option, -no-pie)
+KBUILD_AFLAGS += $(call cc-option, -fno-pie)
+
# This selects the stack protector compiler flag. Testing it is delayed
# until after .config has been reprocessed, in the prepare-compiler-check
# target.

Author: Shuah Khan

Shuah contributes to multiple aspects of the Linux Kernel, and she maintains the Kernel Selftest framework.