ASLR (pie) disabled in v12 Linux amd64 build from nodejs.org

[johnandersen777]

$ pwn checksec ./node/node-v12.16.3-linux-x64/bin/node
[*] '/home/pdxjohnny/Downloads/node/node-v12.16.3-linux-x64/bin/node'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)  # <---- ASLR disabled

I see there was some discussion on this back in 2016, but I couldn't really follow, it also looks like -pie still exists in some of the build files. Just wanted to report in case it's off by mistake.

[bnoordhuis]

I can't find the issue but I remember it having been discussed. IIRC, the conclusion was to keep PIE disabled because of the sizable performance hit. It was something like 5 or 10%.

PIE is enabled on macos but that's not a performance-critical platform like linux is. People don't run production servers on their macbooks. (I hope.)

[johnandersen777]

Lol, ya let's hope. I saw some comments that talked about performance when I went digging through previous PRs and pull requests but I don't remember seeing anywhere where it was decided definitively to disable because of any specific reasoning. If figured if it was intentional then this issue could just be closed and become an easy place to point to with the definitive response. And if it wasn't intentional then it'll get switched on.

[bnoordhuis]

I think the big blocker was ia32/i386: position-independent code is expensive on that architecture because it's register starved.

But we dropped support for ia32 and x64/amd64/x86_64 doesn't have that problem (rip-relative addressing and plenty of registers) so we could turn on PIE if someone is willing to investigate the performance impact.

edit: comparing the benchmark/ benchmark numbers would be a good start. Light testing of native modules (add-ons) would be good too, to check if there are no compatibility issues.

[woodfairy]

Hey, is this still available to work on?

[woodfairy]

PIE is enabled on macos but that's not a performance-critical platform like linux is. People don't run production servers on their macbooks. (I hope.)

I compiled Node based on the Markdown file instructions and then checked the flags with otool -hv. But there is no PIE flag set, neither under my freshly compiled binary, nor under the binary saved via the official macOS installer. Did I miss something here, because you said that PIE is enabled under macOS?

[woodfairy]

I have now run some benchmarks with PIE enabled and disabled. As @bnoordhuis already mentioned, you can expect a performance penalty of 5-10%. Here are some results as text file:
nopie_1.txt
nopie_2.txt
nopie_3.txt
pie_1.txt
pie_2.txt
pie_3.txt

Is this too much cost for PIE being enabled? I think at least on OS X this can be activated. I will make a pull request which removes the -no_pie flags.

[johnandersen777]

Should this be closed? The issue was about amd64 on Linux

[github-actions]

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

[github-actions]

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.

For more information on how the project manages feature requests, please consult the feature request management document.

[jvoisin]

The lack of ASLR on the .text segment of the nodejs binary was exploited by SonarSource recently.

[johnandersen777]

“feature request” my ass! We all knew this was a vuln waiting to happen!!

Why is this issue still closed???