1 |
On Sun, 23 Nov 2003, Alexander Gabert wrote: |
2 |
|
3 |
> hi Martin, |
4 |
> |
5 |
> sorry to disturb you but there has been a hot weekend with me sorting |
6 |
> out the side effects of the glibc transition to guard symbols. |
7 |
> |
8 |
> As this is becoming a technical challenge, i will explain it because i |
9 |
> am sure we are on the right path with |
10 |
> http://bugs.gentoo.org/show_bug.cgi?id=25299 containing a gcc ebuild |
11 |
> diff which can do it right if bootstrap.sh on stage1 installations goes |
12 |
> for building gcc directly after glibc (seemant told me this is a simple |
13 |
> change). |
14 |
> |
15 |
> If the existing glibc is to be found to have the functions and the |
16 |
> object of propolice inserted, the ebuild needs to search for binaries |
17 |
> containing references to the __guard@GCC Version symbol in the shared |
18 |
> library libgcc.so before removing the object and the functions in the |
19 |
> gcc libgcc. |
20 |
> |
21 |
> My personal thanks go to swtaylor for finding this issue with his |
22 |
> machine and reporting back with helping me sort out the troublemaker. |
23 |
> |
24 |
> As seen in the bugs and from my personal experiences with hacking a |
25 |
> crt1.o based __guard version that would have no issues with -nostdlib i |
26 |
> think it would not be worth the effort because the ebuilds filter |
27 |
> -fstack-protector when -nostdlib is used, hardened-gcc is also on a safe |
28 |
> path and last but not least we could use a gcc specs modification at the |
29 |
> gcc source level to also prevent this kind of happening. |
30 |
> |
31 |
> What is left to the propolice author is to solve the problems and |
32 |
> Internal Compiler Errors with C++ code that are still showing up with |
33 |
> recent gcc versions and ebuilds like OpenOffice as far as i can tell but |
34 |
> this is not related to our job here moving around and improving the |
35 |
> infrastructure of the functions exposed to the userland. |
36 |
> |
37 |
> The penalty of an additional copy relocation being used as a __guard |
38 |
> location for nonPIC binaries (instead of the glibc @GOT memory location |
39 |
> that would normally being used when a corresponding PIC dynamically |
40 |
> linked etdyn binary is started together with it's shared libraries) with |
41 |
> the guard loaded and initialized in the .BSS segment as @GOT-copy and |
42 |
> shared libraries also using this .BSS copy and also initialized by |
43 |
> __guard_setup in glibc is not affecting the proper operation of apache2 |
44 |
> -D PHP4 which is in my experiences a test case for the correct behaviour |
45 |
> of hardened-gcc because it failed with the previous behaviour of the php |
46 |
> library loading and writing "opposite" __guard canary setups over cross |
47 |
> :-) |
48 |
> |
49 |
> Please approve and submit my changes in |
50 |
> http://dev.gentoo.org/~pappy/gentoo-x86/sys-devel/gcc/ to the |
51 |
> appropriate ebuilds of gcc and report back any improvements you would |
52 |
> like to see in the progress of this movement. |
53 |
Is it possible to get these files also as a non-dev (now access is |
54 |
prohibited)? |
55 |
I would like to test it for uClibc too. |
56 |
|
57 |
Thanks, Peter |
58 |
|
59 |
-- |
60 |
Peter S. Mazinger <ps.m@×××.net> ID: 0xA5F059F2 NIC: IXUYHSKQLI |
61 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
62 |
|
63 |
|
64 |
____________________________________________________________________ |
65 |
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol. |
66 |
Probald ki most! http://www.freestart.hu |
67 |
|
68 |
-- |
69 |
gentoo-hardened@g.o mailing list |