1 |
On Sun, 2004-07-18 at 09:22 -0700, wrote: |
2 |
> What do I need to do differently to emerge glibc-2.3.4.20040619? |
3 |
> |
4 |
> I recently emerged gcc 3.3.4-r1, WITHOUT the 'hardened' flag. I'm |
5 |
> trying to get everything compiled with ssp, but without ASLR (due to |
6 |
> memory consumption concerns) for the moment. From config.log in |
7 |
> glibc, I see that one of configure's tests failed, due to -nostdlib |
8 |
> excluding the definitions for __guard and __stack_smash_handler. This |
9 |
> caused glibc to think that -fexceptions fails for my gcc, later |
10 |
> leading to failure when building libio. |
11 |
|
12 |
By "without ASLR" I imagine you mean one of two things. Either you mean |
13 |
without PIE, which helps ASLR, or literally without ASLR, which is part |
14 |
of the kernel and has nothing to do with GCC. |
15 |
|
16 |
With the first, I'll admit that PIE executables seem to be slightly |
17 |
larger (acceptably, imo). but I am not aware of an additional strain on |
18 |
memory. Correct me here, Solar? |
19 |
|
20 |
Are you passing -nostdlib in CFLAGS, or is that coming from the Makefile |
21 |
in this following bit? Please file a proper bug report with this log and |
22 |
`emerge info`, along with any other relevant information to |
23 |
http://bugs.gentoo.org/ |
24 |
Thanks :) |
25 |
|
26 |
> configure:6211: checking for gcc -fexceptions |
27 |
> configure:6224: gcc -no-integrated-cpp -fstack-protector-all -O2 - |
28 |
> march=i586 -m3dnow -mmmx -freorder-blocks |
29 |
> -nostdlib -nostartfiles -fexceptions |
30 |
> -o conftest conftest.c 1>&5 |
31 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x8): In |
32 |
> function `_start': |
33 |
> : undefined reference to `__guard' |
34 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x22): In |
35 |
> function `_start': |
36 |
> : undefined reference to `__stack_smash_handler' |
37 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x48): In |
38 |
> function `__throw': |
39 |
> : undefined reference to `__guard' |
40 |
> /var/tmp/portage/glibc-2.3.4.20040619/temp/ccgdsRzN.o(.text+0x62): In |
41 |
> function `__throw': |
42 |
> : undefined reference to `__stack_smash_handler' |
43 |
> collect2: ld returned 1 exit status |
44 |
> configure:6227: $? = 1 |
45 |
> configure:6235: result: no |
46 |
> |
47 |
> From http://www.gentoo.org/proj/en/hardened/propolice.xml, I see notes |
48 |
> that __guard and __stack_smash_handler are moving(ed?) elsewhere, but: |
49 |
> |
50 |
> # readelf --syms /lib/libc-2.3.3.so | grep stack_smash |
51 |
> 336: 0001596e 485 FUNC GLOBAL DEFAULT 11 |
52 |
> __stack_smash_handler@@GLIBC_2.3.2 |
53 |
|
54 |
This move was many months ago now. It moved from libgcc to libc. |
55 |
|
56 |
> Now I can't find any relevant links on the hardened Gentoo "homepage" |
57 |
> for ASLR, propolice, hardened gcc, etc, so I'm wondering what docs I |
58 |
> should be reading instead of posting here? I noticed that Google |
59 |
> doesn't even show pages linking to the propolice.xml page I listed |
60 |
> above. ??? |
61 |
|
62 |
hardened-gcc as a package is deprecated in favor of USE=hardened gcc. |
63 |
The other missing docs were very much outdated, and are still around, |
64 |
but no longer linked to due to lack of relevance to the current |
65 |
toolchain. I'm looking for help to rectify this situation. |
66 |
|
67 |
Again with ASLR... Documentation both on what ASLR actually is (a |
68 |
function of PaX), and also on ET_DYN, the original conception of PIE |
69 |
(binaries linked for position independence in memory at runtime) can be |
70 |
found on the PaX homepage, http://pax.grsecurity.net/ |
71 |
|
72 |
The current implementation in our toolchain (PIE) is similar to ET_DYN |
73 |
conceptually, but implemented later, largely by RedHat and input from |
74 |
other players. You'll want to look around the toolchain mailinglist |
75 |
archives. |
76 |
|
77 |
Further documentation on SSP (-fstack-*) can be found at the project |
78 |
page hosted by IBM. |
79 |
http://www.trl.ibm.com/projects/security/ssp/ |
80 |
|
81 |
> Thanks for any and all tips, especially links so I can go RTFM .. or |
82 |
> is the answer RTFC (C=code)? |
83 |
> |
84 |
> Oh, and if anyone is still reading this far .. I haven't been able to |
85 |
> find docs that explain the impact of Jakub's prelink vs. Pax ASLR. |
86 |
> I'm guessing that prelink significantly reduces overall system |
87 |
> consumption of RAM (via shared objects using the same memory), while |
88 |
> ASLR has the opposite effect? Or does ASLR only prevent processes |
89 |
> from sharing the GOT for shared offset? I'll find out eventually when |
90 |
> I build my next text system and add Pax, and then compare with my |
91 |
> current system. However, I really prefer to understand the reasons |
92 |
> more deeply. |
93 |
|
94 |
The question you pose here gets pretty deep into the guts of the linker, |
95 |
and PaX's ASLR, which I admitedly don't understand enough to touch this. |
96 |
Perhaps the PaX Team would be kind enough to shed some further light on |
97 |
this subject. |
98 |
|
99 |
> Thanks to all for the awesome hardened Gentoo flavor! |
100 |
|
101 |
Thanks for playing along, I hope I've answered a few of your questions. |
102 |
Brandon Hale |
103 |
|
104 |
|
105 |
-- |
106 |
gentoo-hardened@g.o mailing list |