-Db_pie=false builds executables with PIE enabled #10885

Closed
novafacing opened this issue Oct 2, 2022 · 7 comments

@novafacing

Describe the bug

When trying to build my project to generate no-pie executables by passing
-Db_pie=false, executables are still built with PIE enabled.

Repro is at the bottom, but with the same meson version:

  • This is broken on Ubuntu 20.04
  • This is not broken on Fedora Rawhide

To Reproduce

The affected project is here: https://github.com/novafacing/cgc-challenges

Building it with the following steps exhibits the issue:

meson -Db_pie=false -Dno_polls=true builddir
meson compile -C builddir

And the problematic result:

root@11928de7534a:/tests/cgc-challenges# checksec builddir/challenges/AIS-Lite/AIS-Lite
[*] '/tests/cgc-challenges/builddir/challenges/AIS-Lite/AIS-Lite'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

Expected behavior
I expect executables to be built with the -no-pie flag when
-Db_pie=false.

system parameters

Below is a dockerfile to reproduce this issue. The relevant versions in the
container are:

  • Ubuntu 20.04
  • gcc 9.4.0-1ubuntu1~20.04.1
  • meson 0.63.2
  • Ninja 1.10.2.git.kitware.jobserver-1

Here is a minimal Dockerfile to reproduce the issue, which
can be repro'd with:

docker build -f Dockerfile -t repro-meson-pie-bug .
docker run repro-meson-pie-bug

FROM ubuntu:20.04 AS repro-meson-pie-bug


SHELL ["/bin/bash", "-c"]
RUN dpkg --add-architecture i386
ARG DEBIAN_FRONTEND=noninteractive
ENV TZ=America/Phoenix

RUN apt-get update -y && apt-get install -y \
    python3 \
    python3-pip \
    git
RUN python3 -m pip install meson ninja pwntools

# Install tests
RUN mkdir -p /tests/ && \
    git clone https://github.com/novafacing/cgc-challenges.git /tests/cgc-challenges

WORKDIR /tests/cgc-challenges

RUN meson -Dno_polls=true -Db_pie=false builddir && \
    meson compile -C builddir && \
    meson install -C builddir

CMD checksec /tests/cgc-challenges/output/bin/*

@novafacing changed the title from "-Db_pie=false builds executables with PIE disabled" to "-Db_pie=false builds executables with PIE enabled" on Oct 2, 2022

@novafacing
Author

Ok, after a huge amount of headache, I've discovered that explicitly passing link_args: ['-no-pie'] does in fact make no PIE happen. My hypothesis then is that b_pie=false does not correctly pass -no-pie to executable builds as a link arg, but it does pass it as a compiler arg.

@tristan957
Contributor

If you could look at submitting a PR, that would be great!

@tristan957
Contributor

I feel like this came up previously in another issue and it was determined that Meson didn't pass -fno-pie if the toolchain was pie by default. Can't remember

@novafacing
Author

I haven't contributed to meson before so it'll take me a bit to figure out where the relevant code is, but I'd like to help fix it :)

@eli-schwartz
Member

The b_pie argument is a boolean, and currently treated as "should Meson explicitly enable pie" rather than "determine whether the resulting binary is pie, regardless of compiler defaults".

Changing this into a tristate option is a topic that has come up before, I think.

> I haven't contributed to meson before so it'll take me a bit to figure out where the relevant code is, but I'd like to help fix it :)

It's handled in the function get_pie_args() of:

  • mesonbuild/compilers/, which takes no options and, for mixins/gnu.py, emits -fPIE.
  • mesonbuild/linkers/linkers.py, which takes no options and, for gnu, emits -pie.

In mesonbuild/backend/, particularly in:

  • backends.py, we build the compiler command line for a given target with:
    elif isinstance(target, (build.StaticLibrary, build.Executable)) and target.pie:
        commands += compiler.get_pie_args()
    
  • ninjabackend.py, we build the linker command line for a given target with:
    if target.pie:
        commands += linker.get_pie_link_args()
    

@eyelash

eyelash commented Jul 1, 2023

Duplicate of #4651?

@dcbaker
Member

dcbaker commented Jul 1, 2023

Yes, it’s a duplicate. I plan to fix this after my major rework of the build layer is done, so it’s on the radar

@dcbaker dcbaker closed this as completed Jul 1, 2023