| 1 |
On Thu, 20 Nov 2003, Alexander Gabert wrote: |
| 2 |
|
| 3 |
> hi Peter, |
| 4 |
> |
| 5 |
> first of all, i have been following your commitment to hardened stuff, |
| 6 |
> grsecurity and related engagements during the last months and i am |
| 7 |
> amazed by your technical skill level and expertise. |
| 8 |
Thanks |
| 9 |
|
| 10 |
> > > > I have a clean uClibc environment (not gentoo based), and inspired by |
| 11 |
> > > > hardened-gcc-3.3.2 the gcc specs file was changed to support ET_DYN |
| 12 |
> > > > binaries, the only change I have done is replacing Scrt1.o with "crt1S.o |
| 13 |
> building -pie executables emits this stuff which is normally done by |
| 14 |
> interp.o, redundant this interp.o therefore is. |
| 15 |
I have removed interp.o from gcc's specs and it really works (I had |
| 16 |
earlier 2 references for /lib/ld-uClibc.so.0 (strings binary) in the |
| 17 |
binary, now only one, thanks. Now the only change is Scrt1.o->crt1S.o. |
| 18 |
Probably it would be better to install the PaX version as Scrt1.o in |
| 19 |
uClibc, so I'll make a change to the uClibc patches, then no speciality is |
| 20 |
needed for hardened-gcc to support uClibc as well. |
| 21 |
|
| 22 |
> > > > interp.o" (crt1S.o not yet in the uClibc tree, but in portage), due to the |
| 23 |
> > > > fact that Scrt1.o does not exist in uClibc like in glibc-2.3.2. I do not |
| 24 |
> yes, it is in a Redhat branch update of glibc-2.3.2 as far as i can tell |
| 25 |
> > > > know what the difference is between Scrt1.o from glibc and crt1S.o coming |
| 26 |
> basically there is only a small technical difference, the goal is the |
| 27 |
> same: the function _start has the job of position independent calling |
| 28 |
> the glibc function __libc_start_main with the arguments _init _fini and |
| 29 |
> main that are given as arguments to __libc_start_main ;-) |
| 30 |
> |
| 31 |
> > > > from the hardened-gcc-2.4.6 (the version for uClibc is PaX version, so |
| 32 |
> > > > similar to those in hardened-gcc-2.4.6). |
| 33 |
> > > > Could someone comment on problems regarding this change? |
| 34 |
> yo, we try to use mainstream as possible while not giving up our high |
| 35 |
> security PaX environment. |
| 36 |
> if the Scrt1.o proves good, there is no reason to use the pioneering |
| 37 |
> version of pipacs any more ;-) |
| 38 |
> In fact it should be noted that pageexec.virtualave.net introduced and |
| 39 |
> coached us to this all stuff for such a long time and i am proud that |
| 40 |
> Redhat is doing it this way also, by not telling anyone stole anything |
| 41 |
> from anybody - but we all know how to say thank you ;-) |
| 42 |
> > > ... |
| 43 |
> > > |
| 44 |
> > > > I have seen a dependency on binutils-2.14.90.0.7, but this one has some |
| 45 |
> > > > problems with uClibc (does not correctly support canadian cross-compiling, |
| 46 |
> > > > binutils-2.14.90.0.6 yes). Is it really needed, or is |
| 47 |
> > > > binutils-2.14.90.0.6-r7 enough? |
| 48 |
> you need "ld -pie" for the true compiling of etdyn. therefore you need |
| 49 |
> the high binutils. |
| 50 |
The versions >= 2.14.90.0.6 support -pie, so it would be enough to define |
| 51 |
.6 as minimal requirement (but hardened-gcc requires > .7-r3, this was |
| 52 |
really the question). |
| 53 |
Well, probably I have to check it myself. I loose the function |
| 54 |
__fixunsxfdi from libgcc if gcc is rebuilt a second time in an uClibc |
| 55 |
buildroot environment, and I didn't find the cause until now (needed by |
| 56 |
coreutils-5.x) |
| 57 |
|
| 58 |
> using -shared instead is good but has issues with ./configure running of |
| 59 |
> some program suites and missing functions because this happens: |
| 60 |
> gcc -shared does transparently compile the binary as "dynamic library |
| 61 |
> executable" which means the configure tests fail this way, i type the |
| 62 |
> hardened-gcc stuff in brackets: |
| 63 |
> ./configure: gcc -lfoo-library-that-i-am -lsearching-for -lin-configure |
| 64 |
> [-fPIC -shared] -o conftest -c conftest.c |
| 65 |
> |
| 66 |
> which leads to the false positive that the function tested in conftest.c |
| 67 |
> gets compiled and no linker error is emitted which would normally be the |
| 68 |
> situation when the library is not there. |
| 69 |
> then the binary could not compile but fail later during Makefile because |
| 70 |
> libs are not found. |
| 71 |
> |
| 72 |
> Jakub Jelinek then invented the -pie support which is a quick shot of |
| 73 |
> -shared and uses library characteristics but without leaving unresolved |
| 74 |
> symbols and functions hang around in the target binary! |
| 75 |
> the other magic stuff i can't tell you because i would violate Redhat |
| 76 |
> NDA's, *scnr* no, not really ;-) |
| 77 |
> |
| 78 |
> > > > |
| 79 |
> > > > I have rebuilt about 50 packages (mainly development environment) with |
| 80 |
> cool |
| 81 |
> > |
| 82 |
> > > > these changes, but there is some strange behaviour (it is not related |
| 83 |
> > > > to the fact that everything is -fPIC built, I had this already defined |
| 84 |
> > > > earlier in my CFLAGS for almost all packages) |
| 85 |
> well, maybe the -shared bug i mentioned above? |
| 86 |
I have problems related to pie with gzip-1.3.3 and 1.3.5. Now, you where |
| 87 |
right, the ./configure ANSI header detection works (does not segfault), |
| 88 |
since I changed from -shared to -pie, but the executable is unusable. |
| 89 |
|
| 90 |
> > > > I am also interested in an Scrt1.o version for uClibc, so a changes |
| 91 |
> yeah go ahead and create one, take the crt1S.S from pipacs, it's great |
| 92 |
> and maybe we could get him to contribute some comments and explaination |
| 93 |
> too. |
| 94 |
> > > > description between the PaX and the glibc-2.3.2 implementation would be |
| 95 |
> > > > helpful. |
| 96 |
> see pipacs for this too ;-) |
| 97 |
> > > |
| 98 |
> > > <rant> |
| 99 |
> > > Quick rundown. Sctr1.S is a redhat knock off creation of PaX's ctr1S.S |
| 100 |
> > > (ie somebody probably got paid to rip it off and claim it was a redhat |
| 101 |
> > > original creation) they even fscked up the naming convention. I wont go |
| 102 |
> > > to much in detail because I would end up ranting for hours. In short |
| 103 |
> > > Scrt1 the way it gets built by redhat will most likely end up with text |
| 104 |
> > > relocations from what I understand so the PaX crt1S.S should be used and |
| 105 |
> > > preferred till such time as redhat finds a way to break that for us. |
| 106 |
> > > </rant> |
| 107 |
> > Why is then used Scrt1.o in hardened-gcc-3.3.2? |
| 108 |
> forget about the rant. |
| 109 |
> we use it for standardizing our stuff. |
| 110 |
> > |
| 111 |
> > > |
| 112 |
> > > > Why was the default -fomit-frame-pointer option removed? From my |
| 113 |
> > > > experience there are only a few packages, that are incompatible with it |
| 114 |
> > > > (mainly libraries). |
| 115 |
> solar already said that, the speed gain is almost useless compared to |
| 116 |
> the problems you might encounter and bugs getting assigned to you, so |
| 117 |
> better keep hands off that black magic ;-) |
| 118 |
> > > |
| 119 |
> > > You would have to ask the maintainer pappy@g.o about why this |
| 120 |
> > > functionality was removed. However I can say from my personal testing we |
| 121 |
> > > truly don't seem to gain any performance by trying to gain back an extra |
| 122 |
> > > register from adding -fomit-frame-pointer when -fPIC steals away the ebx |
| 123 |
> > > register, in fact I even get roughly exactly same number of instructions |
| 124 |
> > > that get executed when using those flags together. Attached is a file I |
| 125 |
> > > did this testing with. |
| 126 |
> > > |
| 127 |
> > > |
| 128 |
> |
| 129 |
> thanks for corresponding and hope i have helped, |
| 130 |
> |
| 131 |
> Alex |
| 132 |
|
| 133 |
Thanks for your explanations, |
| 134 |
|
| 135 |
Peter |
| 136 |
|
| 137 |
-- |
| 138 |
Peter S. Mazinger <ps.m@×××.net> ID: 0xA5F059F2 NIC: IXUYHSKQLI |
| 139 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
| 140 |
|
| 141 |
|
| 142 |
____________________________________________________________________ |
| 143 |
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol. |
| 144 |
Probald ki most! http://www.freestart.hu |
| 145 |
|
| 146 |
-- |
| 147 |
gentoo-hardened@g.o mailing list |
Archives