| 1 |
On Sun, 23 Nov 2003, Alexander Gabert wrote: |
| 2 |
|
| 3 |
> hi Martin, |
| 4 |
> |
| 5 |
> sorry to disturb you but there has been a hot weekend with me sorting |
| 6 |
> out the side effects of the glibc transition to guard symbols. |
| 7 |
> |
| 8 |
> As this is becoming a technical challenge, i will explain it because i |
| 9 |
> am sure we are on the right path with |
| 10 |
> http://bugs.gentoo.org/show_bug.cgi?id=25299 containing a gcc ebuild |
| 11 |
> diff which can do it right if bootstrap.sh on stage1 installations goes |
| 12 |
> for building gcc directly after glibc (seemant told me this is a simple |
| 13 |
> change). |
| 14 |
> |
| 15 |
> If the existing glibc is to be found to have the functions and the |
| 16 |
> object of propolice inserted, the ebuild needs to search for binaries |
| 17 |
> containing references to the __guard@GCC Version symbol in the shared |
| 18 |
> library libgcc.so before removing the object and the functions in the |
| 19 |
> gcc libgcc. |
| 20 |
> |
| 21 |
> My personal thanks go to swtaylor for finding this issue with his |
| 22 |
> machine and reporting back with helping me sort out the troublemaker. |
| 23 |
> |
| 24 |
> As seen in the bugs and from my personal experiences with hacking a |
| 25 |
> crt1.o based __guard version that would have no issues with -nostdlib i |
| 26 |
> think it would not be worth the effort because the ebuilds filter |
| 27 |
> -fstack-protector when -nostdlib is used, hardened-gcc is also on a safe |
| 28 |
> path and last but not least we could use a gcc specs modification at the |
| 29 |
> gcc source level to also prevent this kind of happening. |
| 30 |
> |
| 31 |
> What is left to the propolice author is to solve the problems and |
| 32 |
> Internal Compiler Errors with C++ code that are still showing up with |
| 33 |
> recent gcc versions and ebuilds like OpenOffice as far as i can tell but |
| 34 |
> this is not related to our job here moving around and improving the |
| 35 |
> infrastructure of the functions exposed to the userland. |
| 36 |
> |
| 37 |
> The penalty of an additional copy relocation being used as a __guard |
| 38 |
> location for nonPIC binaries (instead of the glibc @GOT memory location |
| 39 |
> that would normally being used when a corresponding PIC dynamically |
| 40 |
> linked etdyn binary is started together with it's shared libraries) with |
| 41 |
> the guard loaded and initialized in the .BSS segment as @GOT-copy and |
| 42 |
> shared libraries also using this .BSS copy and also initialized by |
| 43 |
> __guard_setup in glibc is not affecting the proper operation of apache2 |
| 44 |
> -D PHP4 which is in my experiences a test case for the correct behaviour |
| 45 |
> of hardened-gcc because it failed with the previous behaviour of the php |
| 46 |
> library loading and writing "opposite" __guard canary setups over cross |
| 47 |
> :-) |
| 48 |
> |
| 49 |
> Please approve and submit my changes in |
| 50 |
> http://dev.gentoo.org/~pappy/gentoo-x86/sys-devel/gcc/ to the |
| 51 |
> appropriate ebuilds of gcc and report back any improvements you would |
| 52 |
> like to see in the progress of this movement. |
| 53 |
Is it possible to get these files also as a non-dev (now access is |
| 54 |
prohibited)? |
| 55 |
I would like to test it for uClibc too. |
| 56 |
|
| 57 |
Thanks, Peter |
| 58 |
|
| 59 |
-- |
| 60 |
Peter S. Mazinger <ps.m@×××.net> ID: 0xA5F059F2 NIC: IXUYHSKQLI |
| 61 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
| 62 |
|
| 63 |
|
| 64 |
____________________________________________________________________ |
| 65 |
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol. |
| 66 |
Probald ki most! http://www.freestart.hu |
| 67 |
|
| 68 |
-- |
| 69 |
gentoo-hardened@g.o mailing list |
Archives