| 1 |
On 07/15/2011 04:52 AM, Markus Oehme wrote: |
| 2 |
> Hi Anthony, |
| 3 |
> |
| 4 |
> At Thu, 14 Jul 2011 12:59:59 -0400, |
| 5 |
> Anthony G. Basile wrote: |
| 6 |
>>> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc |
| 7 |
>>> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I |
| 8 |
>>> didn't encounter any special problems during the transition. |
| 9 |
>>> |
| 10 |
>> Time for a bug report. If reproduceable, its a show stopper for |
| 11 |
>> hardened gcc-4.6.1 |
| 12 |
>> |
| 13 |
>>>> If you didn't do these, its possible you have some binaries left that |
| 14 |
>>>> will trigger pax violations. |
| 15 |
>>>> |
| 16 |
>>>> One way to quickly check if you got hardened binaries is to use a script |
| 17 |
>>>> called checksec.sh [1] and run it on /bin or /sbin. You should see that |
| 18 |
>>>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR. |
| 19 |
>>> I just executed the script for /bin and the result [1] was very mixed. Nearly all |
| 20 |
>>> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I |
| 21 |
>>> checked whether this could be changed and rebuilt coreutils twice, but the |
| 22 |
>>> output was the same every time. |
| 23 |
>>> |
| 24 |
>>> However this seems not to be a big problem since the system is currently |
| 25 |
>>> running normal (Xfce desktop session) with my current list [2] of exceptions |
| 26 |
>>> to mprotect which contains only binaries under /usr. |
| 27 |
>>> |
| 28 |
>> That's not right. Can you compile the following, run checksec.sh on it |
| 29 |
>> and see if you get all the hardening features: |
| 30 |
>> |
| 31 |
>> int main() |
| 32 |
>> { |
| 33 |
>> ; |
| 34 |
>> return 0; |
| 35 |
>> } |
| 36 |
> I think I've found the issue. I had some rather aggresive CFLAGS |
| 37 |
> enabled. Dropping them seems to correct the issue. The evil guy seems to be |
| 38 |
> link time optimization. This is reproducible with your minimal example, if |
| 39 |
> compiled with 'gcc' it turns out correctly. 'gcc -flto' gives the behaviour |
| 40 |
> I've seen (no stack canary and no nx). |
| 41 |
> |
| 42 |
> I'm currently in the process of remerging @world, but hopefully everything |
| 43 |
> will be ok afterwards. |
| 44 |
> |
| 45 |
> |
| 46 |
> Markus |
| 47 |
> |
| 48 |
> -- |
| 49 |
> For instance, on the planet Earth, man had always assumed that he was more |
| 50 |
> intelligent than dolphins because he had achieved so much---the wheel, New |
| 51 |
> York, wars and so on---while all the dolphins had ever done was muck about |
| 52 |
> in the water having a good time. But conversely, the dolphins had always |
| 53 |
> believed that they were far more intelligent than man---for precisely the |
| 54 |
> same reasons. (Douglas Adams, The Hitchhikers Guide to the Galaxy.) |
| 55 |
|
| 56 |
Markus, |
| 57 |
|
| 58 |
Thanks for discovering this, I was not aware. However, when I try to |
| 59 |
compile with -flto, I get an error: |
| 60 |
|
| 61 |
cc1: error: LTO support has not been enabled in this configuration |
| 62 |
|
| 63 |
I'm going to have to investigate. |
| 64 |
|
| 65 |
-- |
| 66 |
Anthony G. Basile, Ph.D. |
| 67 |
Gentoo Linux Developer [Hardened] |
| 68 |
E-Mail : blueness@g.o |
| 69 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 70 |
GnuPG ID : D0455535 |
Archives