| 1 |
On Sun, 2004-07-18 at 09:22 -0700, wrote: |
| 2 |
> What do I need to do differently to emerge glibc-2.3.4.20040619? |
| 3 |
> |
| 4 |
> I recently emerged gcc 3.3.4-r1, WITHOUT the 'hardened' flag. I'm |
| 5 |
> trying to get everything compiled with ssp, but without ASLR (due to |
| 6 |
> memory consumption concerns) for the moment. From config.log in |
| 7 |
> glibc, I see that one of configure's tests failed, due to -nostdlib |
| 8 |
> excluding the definitions for __guard and __stack_smash_handler. This |
| 9 |
> caused glibc to think that -fexceptions fails for my gcc, later |
| 10 |
> leading to failure when building libio. |
| 11 |
|
| 12 |
By "without ASLR" I imagine you mean one of two things. Either you mean |
| 13 |
without PIE, which helps ASLR, or literally without ASLR, which is part |
| 14 |
of the kernel and has nothing to do with GCC. |
| 15 |
|
| 16 |
With the first, I'll admit that PIE executables seem to be slightly |
| 17 |
larger (acceptably, imo). but I am not aware of an additional strain on |
| 18 |
memory. Correct me here, Solar? |
| 19 |
|
| 20 |
Are you passing -nostdlib in CFLAGS, or is that coming from the Makefile |
| 21 |
in this following bit? Please file a proper bug report with this log and |
| 22 |
`emerge info`, along with any other relevant information to |
| 23 |
http://bugs.gentoo.org/ |
| 24 |
Thanks :) |
| 25 |
|
| 26 |
> configure:6211: checking for gcc -fexceptions |
| 27 |
> configure:6224: gcc -no-integrated-cpp -fstack-protector-all -O2 - |
| 28 |
> march=i586 -m3dnow -mmmx -freorder-blocks |
| 29 |
> -nostdlib -nostartfiles -fexceptions |
| 30 |
> -o conftest conftest.c 1>&5 |
| 31 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x8): In |
| 32 |
> function `_start': |
| 33 |
> : undefined reference to `__guard' |
| 34 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x22): In |
| 35 |
> function `_start': |
| 36 |
> : undefined reference to `__stack_smash_handler' |
| 37 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x48): In |
| 38 |
> function `__throw': |
| 39 |
> : undefined reference to `__guard' |
| 40 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x62): In |
| 41 |
> function `__throw': |
| 42 |
> : undefined reference to `__stack_smash_handler' |
| 43 |
> collect2: ld returned 1 exit status |
| 44 |
> configure:6227: $? = 1 |
| 45 |
> configure:6235: result: no |
| 46 |
> |
| 47 |
> From http://www.gentoo.org/proj/en/hardened/propolice.xml, I see notes |
| 48 |
> that __guard and __stack_smash_handler are moving(ed?) elsewhere, but: |
| 49 |
> |
| 50 |
> # readelf --syms /lib/libc-2.3.3.so | grep stack_smash |
| 51 |
> 336: 0001596e 485 FUNC GLOBAL DEFAULT 11 |
| 52 |
> __stack_smash_handler@@GLIBC_2.3.2 |
| 53 |
|
| 54 |
This move was many months ago now. It moved from libgcc to libc. |
| 55 |
|
| 56 |
> Now I can't find any relevant links on the hardened Gentoo "homepage" |
| 57 |
> for ASLR, propolice, hardened gcc, etc, so I'm wondering what docs I |
| 58 |
> should be reading instead of posting here? I noticed that Google |
| 59 |
> doesn't even show pages linking to the propolice.xml page I listed |
| 60 |
> above. ??? |
| 61 |
|
| 62 |
hardened-gcc as a package is deprecated in favor of USE=hardened gcc. |
| 63 |
The other missing docs were very much outdated, and are still around, |
| 64 |
but no longer linked to due to lack of relevance to the current |
| 65 |
toolchain. I'm looking for help to rectify this situation. |
| 66 |
|
| 67 |
Again with ASLR... Documentation both on what ASLR actually is (a |
| 68 |
function of PaX), and also on ET_DYN, the original conception of PIE |
| 69 |
(binaries linked for position independence in memory at runtime) can be |
| 70 |
found on the PaX homepage, http://pax.grsecurity.net/ |
| 71 |
|
| 72 |
The current implementation in our toolchain (PIE) is similar to ET_DYN |
| 73 |
conceptually, but implemented later, largely by RedHat and input from |
| 74 |
other players. You'll want to look around the toolchain mailinglist |
| 75 |
archives. |
| 76 |
|
| 77 |
Further documentation on SSP (-fstack-*) can be found at the project |
| 78 |
page hosted by IBM. |
| 79 |
http://www.trl.ibm.com/projects/security/ssp/ |
| 80 |
|
| 81 |
> Thanks for any and all tips, especially links so I can go RTFM .. or |
| 82 |
> is the answer RTFC (C=code)? |
| 83 |
> |
| 84 |
> Oh, and if anyone is still reading this far .. I haven't been able to |
| 85 |
> find docs that explain the impact of Jakub's prelink vs. Pax ASLR. |
| 86 |
> I'm guessing that prelink significantly reduces overall system |
| 87 |
> consumption of RAM (via shared objects using the same memory), while |
| 88 |
> ASLR has the opposite effect? Or does ASLR only prevent processes |
| 89 |
> from sharing the GOT for shared offset? I'll find out eventually when |
| 90 |
> I build my next text system and add Pax, and then compare with my |
| 91 |
> current system. However, I really prefer to understand the reasons |
| 92 |
> more deeply. |
| 93 |
|
| 94 |
The question you pose here gets pretty deep into the guts of the linker, |
| 95 |
and PaX's ASLR, which I admitedly don't understand enough to touch this. |
| 96 |
Perhaps the PaX Team would be kind enough to shed some further light on |
| 97 |
this subject. |
| 98 |
|
| 99 |
> Thanks to all for the awesome hardened Gentoo flavor! |
| 100 |
|
| 101 |
Thanks for playing along, I hope I've answered a few of your questions. |
| 102 |
Brandon Hale |
| 103 |
|
| 104 |
|
| 105 |
-- |
| 106 |
gentoo-hardened@g.o mailing list |
Archives