1 |
On Thu, 20 Nov 2003, Alexander Gabert wrote: |
2 |
|
3 |
> hi Peter, |
4 |
> |
5 |
> first of all, i have been following your commitment to hardened stuff, |
6 |
> grsecurity and related engagements during the last months and i am |
7 |
> amazed by your technical skill level and expertise. |
8 |
Thanks |
9 |
|
10 |
> > > > I have a clean uClibc environment (not gentoo based), and inspired by |
11 |
> > > > hardened-gcc-3.3.2 the gcc specs file was changed to support ET_DYN |
12 |
> > > > binaries, the only change I have done is replacing Scrt1.o with "crt1S.o |
13 |
> building -pie executables emits this stuff which is normally done by |
14 |
> interp.o, redundant this interp.o therefore is. |
15 |
I have removed interp.o from gcc's specs and it really works (I had |
16 |
earlier 2 references for /lib/ld-uClibc.so.0 (strings binary) in the |
17 |
binary, now only one, thanks. Now the only change is Scrt1.o->crt1S.o. |
18 |
Probably it would be better to install the PaX version as Scrt1.o in |
19 |
uClibc, so I'll make a change to the uClibc patches, then no speciality is |
20 |
needed for hardened-gcc to support uClibc as well. |
21 |
|
22 |
> > > > interp.o" (crt1S.o not yet in the uClibc tree, but in portage), due to the |
23 |
> > > > fact that Scrt1.o does not exist in uClibc like in glibc-2.3.2. I do not |
24 |
> yes, it is in a Redhat branch update of glibc-2.3.2 as far as i can tell |
25 |
> > > > know what the difference is between Scrt1.o from glibc and crt1S.o coming |
26 |
> basically there is only a small technical difference, the goal is the |
27 |
> same: the function _start has the job of position independent calling |
28 |
> the glibc function __libc_start_main with the arguments _init _fini and |
29 |
> main that are given as arguments to __libc_start_main ;-) |
30 |
> |
31 |
> > > > from the hardened-gcc-2.4.6 (the version for uClibc is PaX version, so |
32 |
> > > > similar to those in hardened-gcc-2.4.6). |
33 |
> > > > Could someone comment on problems regarding this change? |
34 |
> yo, we try to use mainstream as possible while not giving up our high |
35 |
> security PaX environment. |
36 |
> if the Scrt1.o proves good, there is no reason to use the pioneering |
37 |
> version of pipacs any more ;-) |
38 |
> In fact it should be noted that pageexec.virtualave.net introduced and |
39 |
> coached us to this all stuff for such a long time and i am proud that |
40 |
> Redhat is doing it this way also, by not telling anyone stole anything |
41 |
> from anybody - but we all know how to say thank you ;-) |
42 |
> > > ... |
43 |
> > > |
44 |
> > > > I have seen a dependency on binutils-2.14.90.0.7, but this one has some |
45 |
> > > > problems with uClibc (does not correctly support canadian cross-compiling, |
46 |
> > > > binutils-2.14.90.0.6 yes). Is it really needed, or is |
47 |
> > > > binutils-2.14.90.0.6-r7 enough? |
48 |
> you need "ld -pie" for the true compiling of etdyn. therefore you need |
49 |
> the high binutils. |
50 |
The versions >= 2.14.90.0.6 support -pie, so it would be enough to define |
51 |
.6 as minimal requirement (but hardened-gcc requires > .7-r3, this was |
52 |
really the question). |
53 |
Well, probably I have to check it myself. I loose the function |
54 |
__fixunsxfdi from libgcc if gcc is rebuilt a second time in an uClibc |
55 |
buildroot environment, and I didn't find the cause until now (needed by |
56 |
coreutils-5.x) |
57 |
|
58 |
> using -shared instead is good but has issues with ./configure running of |
59 |
> some program suites and missing functions because this happens: |
60 |
> gcc -shared does transparently compile the binary as "dynamic library |
61 |
> executable" which means the configure tests fail this way, i type the |
62 |
> hardened-gcc stuff in brackets: |
63 |
> ./configure: gcc -lfoo-library-that-i-am -lsearching-for -lin-configure |
64 |
> [-fPIC -shared] -o conftest -c conftest.c |
65 |
> |
66 |
> which leads to the false positive that the function tested in conftest.c |
67 |
> gets compiled and no linker error is emitted which would normally be the |
68 |
> situation when the library is not there. |
69 |
> then the binary could not compile but fail later during Makefile because |
70 |
> libs are not found. |
71 |
> |
72 |
> Jakub Jelinek then invented the -pie support which is a quick shot of |
73 |
> -shared and uses library characteristics but without leaving unresolved |
74 |
> symbols and functions hang around in the target binary! |
75 |
> the other magic stuff i can't tell you because i would violate Redhat |
76 |
> NDA's, *scnr* no, not really ;-) |
77 |
> |
78 |
> > > > |
79 |
> > > > I have rebuilt about 50 packages (mainly development environment) with |
80 |
> cool |
81 |
> > |
82 |
> > > > these changes, but there is some strange behaviour (it is not related |
83 |
> > > > to the fact that everything is -fPIC built, I had this already defined |
84 |
> > > > earlier in my CFLAGS for almost all packages) |
85 |
> well, maybe the -shared bug i mentioned above? |
86 |
I have problems related to pie with gzip-1.3.3 and 1.3.5. Now, you where |
87 |
right, the ./configure ANSI header detection works (does not segfault), |
88 |
since I changed from -shared to -pie, but the executable is unusable. |
89 |
|
90 |
> > > > I am also interested in an Scrt1.o version for uClibc, so a changes |
91 |
> yeah go ahead and create one, take the crt1S.S from pipacs, it's great |
92 |
> and maybe we could get him to contribute some comments and explaination |
93 |
> too. |
94 |
> > > > description between the PaX and the glibc-2.3.2 implementation would be |
95 |
> > > > helpful. |
96 |
> see pipacs for this too ;-) |
97 |
> > > |
98 |
> > > <rant> |
99 |
> > > Quick rundown. Sctr1.S is a redhat knock off creation of PaX's ctr1S.S |
100 |
> > > (ie somebody probably got paid to rip it off and claim it was a redhat |
101 |
> > > original creation) they even fscked up the naming convention. I wont go |
102 |
> > > to much in detail because I would end up ranting for hours. In short |
103 |
> > > Scrt1 the way it gets built by redhat will most likely end up with text |
104 |
> > > relocations from what I understand so the PaX crt1S.S should be used and |
105 |
> > > preferred till such time as redhat finds a way to break that for us. |
106 |
> > > </rant> |
107 |
> > Why is then used Scrt1.o in hardened-gcc-3.3.2? |
108 |
> forget about the rant. |
109 |
> we use it for standardizing our stuff. |
110 |
> > |
111 |
> > > |
112 |
> > > > Why was the default -fomit-frame-pointer option removed? From my |
113 |
> > > > experience there are only a few packages, that are incompatible with it |
114 |
> > > > (mainly libraries). |
115 |
> solar already said that, the speed gain is almost useless compared to |
116 |
> the problems you might encounter and bugs getting assigned to you, so |
117 |
> better keep hands off that black magic ;-) |
118 |
> > > |
119 |
> > > You would have to ask the maintainer pappy@g.o about why this |
120 |
> > > functionality was removed. However I can say from my personal testing we |
121 |
> > > truly don't seem to gain any performance by trying to gain back an extra |
122 |
> > > register from adding -fomit-frame-pointer when -fPIC steals away the ebx |
123 |
> > > register, in fact I even get roughly exactly same number of instructions |
124 |
> > > that get executed when using those flags together. Attached is a file I |
125 |
> > > did this testing with. |
126 |
> > > |
127 |
> > > |
128 |
> |
129 |
> thanks for corresponding and hope i have helped, |
130 |
> |
131 |
> Alex |
132 |
|
133 |
Thanks for your explanations, |
134 |
|
135 |
Peter |
136 |
|
137 |
-- |
138 |
Peter S. Mazinger <ps.m@×××.net> ID: 0xA5F059F2 NIC: IXUYHSKQLI |
139 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
140 |
|
141 |
|
142 |
____________________________________________________________________ |
143 |
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol. |
144 |
Probald ki most! http://www.freestart.hu |
145 |
|
146 |
-- |
147 |
gentoo-hardened@g.o mailing list |