| 1 |
Javier J. Martínez Cabezón wrote: |
| 2 |
> Why did you add ssp in CFLAGS?, why not using specs directly?. I only |
| 3 |
> added -D_FORTIFY_SOURCE=2 in CFLAGS. glibc doesn't compile with |
| 4 |
> -fstack-protector-all in the CFLAGS, so you should switch to the |
| 5 |
> -fstack-protector to compile which is less secure than using specs |
| 6 |
> which compile with -fstack-protector-all which could be done. |
| 7 |
> |
| 8 |
> |
| 9 |
|
| 10 |
The short answer is that its the easiest compromise if you want some ssp |
| 11 |
in gcc-4. Here's some points that I've found testing: |
| 12 |
|
| 13 |
1) Of the 630+ packages that make up either amd64 or i686 desktop |
| 14 |
systems, all compile fine with -fstack-protector-all with the exception |
| 15 |
of glibc-2.8 which still compiles with just -fstack-protector. |
| 16 |
|
| 17 |
2) This problem is not solved just using specs. You can't simply add |
| 18 |
some variation of |
| 19 |
|
| 20 |
*cc1_ssp: |
| 21 |
%{!nostdlib:%{!nodefaultlibs:-fstack-protector-all;:-fstack-protector}} |
| 22 |
|
| 23 |
It leads to problems. I'm looking at Zorry's work which is promising. |
| 24 |
|
| 25 |
3) Given points 1 and 2, a sloppy way of getting -fstack-protector-all |
| 26 |
is to start with a system compiled with -fstack-protector, then update |
| 27 |
to -fstack-protector-all, recompile with "emerge --keep-going -e world", |
| 28 |
and let glibc's recompilation fail. I've done this and it "works" but |
| 29 |
I'm not sure of the stability. |
| 30 |
|
| 31 |
4) You bring up a good point about -D_FORTIFY_SOURCE=2 which in |
| 32 |
retrospect I should include. Ubuntu has been using "-fstack-protector |
| 33 |
-O2 -D_FORTIFY_SOURCE=2" since 8.10. It adds run-time checks on buffers |
| 34 |
at runtime in glibc which can't hurt. |
| 35 |
|
| 36 |
5) The difference between -fstack-protector and -fstack-protector-all is |
| 37 |
that the former only applies ssp to functions with char buffers which |
| 38 |
are more vulnerable. When I tested using paxtest suite with either |
| 39 |
switch, I got the same results. In fact, I get the same results |
| 40 |
compiling with hardened gcc-3.4.6. You can see what I got at [1]. |
| 41 |
Paxtest doesn't cover everything, but it covers important checks and if |
| 42 |
any fail there is definitely reason for concern. |
| 43 |
|
| 44 |
[1] http://opensource.dyc.edu/pub/misc/ |
Archives