| 1 |
hi Peter, |
| 2 |
|
| 3 |
first of all, i have been following your commitment to hardened stuff, |
| 4 |
grsecurity and related engagements during the last months and i am |
| 5 |
amazed by your technical skill level and expertise. |
| 6 |
|
| 7 |
On Wed, 2003-11-19 at 12:45, Peter S. Mazinger wrote: |
| 8 |
> On 18 Nov 2003, Ned Ludd wrote: |
| 9 |
> |
| 10 |
> > On Tue, 2003-11-18 at 18:57, Peter S. Mazinger wrote: |
| 11 |
> > > Hello! |
| 12 |
> > > |
| 13 |
> > > I have a clean uClibc environment (not gentoo based), and inspired by |
| 14 |
> > > hardened-gcc-3.3.2 the gcc specs file was changed to support ET_DYN |
| 15 |
> > > binaries, the only change I have done is replacing Scrt1.o with "crt1S.o |
| 16 |
building -pie executables emits this stuff which is normally done by |
| 17 |
interp.o, redundant this interp.o therefore is. |
| 18 |
> > > interp.o" (crt1S.o not yet in the uClibc tree, but in portage), due to the |
| 19 |
> > > fact that Scrt1.o does not exist in uClibc like in glibc-2.3.2. I do not |
| 20 |
yes, it is in a Redhat branch update of glibc-2.3.2 as far as i can tell |
| 21 |
> > > know what the difference is between Scrt1.o from glibc and crt1S.o coming |
| 22 |
basically there is only a small technical difference, the goal is the |
| 23 |
same: the function _start has the job of position independent calling |
| 24 |
the glibc function __libc_start_main with the arguments _init _fini and |
| 25 |
main that are given as arguments to __libc_start_main ;-) |
| 26 |
|
| 27 |
> > > from the hardened-gcc-2.4.6 (the version for uClibc is PaX version, so |
| 28 |
> > > similar to those in hardened-gcc-2.4.6). |
| 29 |
> > > Could someone comment on problems regarding this change? |
| 30 |
yo, we try to use mainstream as possible while not giving up our high |
| 31 |
security PaX environment. |
| 32 |
if the Scrt1.o proves good, there is no reason to use the pioneering |
| 33 |
version of pipacs any more ;-) |
| 34 |
In fact it should be noted that pageexec.virtualave.net introduced and |
| 35 |
coached us to this all stuff for such a long time and i am proud that |
| 36 |
Redhat is doing it this way also, by not telling anyone stole anything |
| 37 |
from anybody - but we all know how to say thank you ;-) |
| 38 |
> > ... |
| 39 |
> > |
| 40 |
> > > I have seen a dependency on binutils-2.14.90.0.7, but this one has some |
| 41 |
> > > problems with uClibc (does not correctly support canadian cross-compiling, |
| 42 |
> > > binutils-2.14.90.0.6 yes). Is it really needed, or is |
| 43 |
> > > binutils-2.14.90.0.6-r7 enough? |
| 44 |
you need "ld -pie" for the true compiling of etdyn. therefore you need |
| 45 |
the high binutils. |
| 46 |
|
| 47 |
using -shared instead is good but has issues with ./configure running of |
| 48 |
some program suites and missing functions because this happens: |
| 49 |
gcc -shared does transparently compile the binary as "dynamic library |
| 50 |
executable" which means the configure tests fail this way, i type the |
| 51 |
hardened-gcc stuff in brackets: |
| 52 |
./configure: gcc -lfoo-library-that-i-am -lsearching-for -lin-configure |
| 53 |
[-fPIC -shared] -o conftest -c conftest.c |
| 54 |
|
| 55 |
which leads to the false positive that the function tested in conftest.c |
| 56 |
gets compiled and no linker error is emitted which would normally be the |
| 57 |
situation when the library is not there. |
| 58 |
then the binary could not compile but fail later during Makefile because |
| 59 |
libs are not found. |
| 60 |
|
| 61 |
Jakub Jelinek then invented the -pie support which is a quick shot of |
| 62 |
-shared and uses library characteristics but without leaving unresolved |
| 63 |
symbols and functions hang around in the target binary! |
| 64 |
the other magic stuff i can't tell you because i would violate Redhat |
| 65 |
NDA's, *scnr* no, not really ;-) |
| 66 |
|
| 67 |
> > > |
| 68 |
> > > I have rebuilt about 50 packages (mainly development environment) with |
| 69 |
cool |
| 70 |
> |
| 71 |
> > > these changes, but there is some strange behaviour (it is not related |
| 72 |
> > > to the fact that everything is -fPIC built, I had this already defined |
| 73 |
> > > earlier in my CFLAGS for almost all packages) |
| 74 |
well, maybe the -shared bug i mentioned above? |
| 75 |
> > > I am also interested in an Scrt1.o version for uClibc, so a changes |
| 76 |
yeah go ahead and create one, take the crt1S.S from pipacs, it's great |
| 77 |
and maybe we could get him to contribute some comments and explaination |
| 78 |
too. |
| 79 |
> > > description between the PaX and the glibc-2.3.2 implementation would be |
| 80 |
> > > helpful. |
| 81 |
see pipacs for this too ;-) |
| 82 |
> > |
| 83 |
> > <rant> |
| 84 |
> > Quick rundown. Sctr1.S is a redhat knock off creation of PaX's ctr1S.S |
| 85 |
> > (ie somebody probably got paid to rip it off and claim it was a redhat |
| 86 |
> > original creation) they even fscked up the naming convention. I wont go |
| 87 |
> > to much in detail because I would end up ranting for hours. In short |
| 88 |
> > Scrt1 the way it gets built by redhat will most likely end up with text |
| 89 |
> > relocations from what I understand so the PaX crt1S.S should be used and |
| 90 |
> > preferred till such time as redhat finds a way to break that for us. |
| 91 |
> > </rant> |
| 92 |
> Why is then used Scrt1.o in hardened-gcc-3.3.2? |
| 93 |
forget about the rant. |
| 94 |
we use it for standardizing our stuff. |
| 95 |
> |
| 96 |
> > |
| 97 |
> > > Why was the default -fomit-frame-pointer option removed? From my |
| 98 |
> > > experience there are only a few packages, that are incompatible with it |
| 99 |
> > > (mainly libraries). |
| 100 |
solar already said that, the speed gain is almost useless compared to |
| 101 |
the problems you might encounter and bugs getting assigned to you, so |
| 102 |
better keep hands off that black magic ;-) |
| 103 |
> > |
| 104 |
> > You would have to ask the maintainer pappy@g.o about why this |
| 105 |
> > functionality was removed. However I can say from my personal testing we |
| 106 |
> > truly don't seem to gain any performance by trying to gain back an extra |
| 107 |
> > register from adding -fomit-frame-pointer when -fPIC steals away the ebx |
| 108 |
> > register, in fact I even get roughly exactly same number of instructions |
| 109 |
> > that get executed when using those flags together. Attached is a file I |
| 110 |
> > did this testing with. |
| 111 |
> > |
| 112 |
> > |
| 113 |
|
| 114 |
thanks for corresponding and hope i have helped, |
| 115 |
|
| 116 |
Alex |
| 117 |
|
| 118 |
|
| 119 |
-- |
| 120 |
gentoo-hardened@g.o mailing list |
Archives