| Summary: | dev-libs/klibc fails to compile on hardened | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Natanael Copa <natanael.copa> |
| Component: | New packages | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | azarah |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=588076 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Add '-nostdlib' to compilation lines. | | |

Description
Natanael Copa
2005-08-23 04:04:32 UTC
You neglected to post emerge --info output and actual errors encountered during emerge.

Sorry... It's a standard linker error that fails to find the stack smashing protection funcs, naturally enough. The point is, klibc is a standard c library used for initramfs so the stack smashing protection isn't really expected to work. What is more interesting is how to disable stack smashing protection. And yes, I have tried switching to another, non-ssp gcc profile with gcc-config and I have tried setting -fno-stack-protector in CFLAGS.

Here are the last lines (there are more similar linker errors)

```
recv.o(.text+0x41):/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc/recv.c:11: undefined reference to `__stack_smash_handler'
libgcc/__divdi3.o(.text+0x17): In function `__divdi3':
libgcc/__divdi3.c:11: undefined reference to `__guard'
libgcc/__divdi3.o(.text+0x7f):libgcc/__divdi3.c:29: undefined reference to `__stack_smash_handler'
libgcc/__moddi3.o(.text+0x17): In function `__moddi3':
libgcc/__moddi3.c:11: undefined reference to `__guard'
libgcc/__moddi3.o(.text+0x90):libgcc/__moddi3.c:29: undefined reference to `__stack_smash_handler'
libgcc/__udivdi3.o(.text+0x13): In function `__udivdi3':
libgcc/__udivdi3.c:11: undefined reference to `__guard'
libgcc/__udivdi3.o(.text+0x3f):libgcc/__udivdi3.c:13: undefined reference to `__stack_smash_handler'
libgcc/__umoddi3.o(.text+0x13): In function `__umoddi3':
libgcc/__umoddi3.c:11: undefined reference to `__guard'
libgcc/__umoddi3.o(.text+0x4b):libgcc/__umoddi3.c:16: undefined reference to `__stack_smash_handler'
libgcc/__udivmoddi4.o(.text+0x1d): In function `__udivmoddi4':
libgcc/__udivmoddi4.c:5: undefined reference to `__guard'
libgcc/__udivmoddi4.o(.text+0xda):libgcc/__udivmoddi4.c:32: undefined reference to `__stack_smash_handler'
make[1]: *** [libc.so] Error 1
rm tests/microhello.o tests/malloctest.o tests/stat.o tests/statfs.o tests/fcntl.o tests/strtoimax.o tests/setenvtest.o tests/idtest.o tests/opentest.o tests/strlcpycat.o tests/malloctest2.o tests/minihello.o tests/hello.o tests/setjmptest.o tests/nfs_no_rpc.o tests/rtsig.o tests/memstrtest.o tests/strtotime.o tests/getopttest.o tests/sigint.o tests/getpagesize.o tests/environ.o tests/mmaptest.o tests/testrand48.o
make[1]: Leaving directory `/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc'
make: *** [all] Error 2
```

My environment is an uclibc chroot on a debian sarge box.. but that should also be irrelevant AFAIK.

emerge --info:

```
Portage 2.0.51.22-r2 (uclibc/x86/hardened, gcc-3.3.5-20050130, uclibc-0.9.27-r0, 2.6.8-2-686-smp i686)
=================================================================
System uname: 2.6.8-2-686-smp i686 Intel(R) Xeon(TM) CPU 2.40GHz
Gentoo Base System version 1.6.13
distcc 2.18.3 i386-gentoo-linux-uclibc (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [disabled]
dev-lang/python: 2.3.5
sys-apps/sandbox: 1.2.11
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.18-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i386-gentoo-linux-uclibc"
CFLAGS="-march=i386 -Os -pipe -fomit-frame-pointer"
CHOST="i386-gentoo-linux-uclibc"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -pipe"
DISTDIR="/var/cache/distfiles"
FEATURES="autoconfig buildpkg distcc distlocks nodoc noinfo noman sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/var/cache/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/src/alpine/apks/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X509 berkdb bitmap-fonts cdr cracklib curl gd gdbm hardened jpeg mad minimal ncurses ogg pcmcia pic png readline rrdtool samba sqlite ssl truetype truetype-fonts uclibc vorbis winbind xml2 zlib userland_GNU kernel_linux elibc_uclibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
```

Guys, how should we do this? Just disabled SSP for klibc ?

Created attachment 66756 [details, diff]
Add '-nostdlib' to compilation lines.
For the kernel, glibc and uclibc, the GCC specs file is rigged to switch off
SSP on the target binary.
I had a peek at klibc, and I'm surprised it doesn't specify '-nostdlib' on
compilation - obviously, since it's a stdlib replacement, you don't want it to
include anything from the standard library, and -nostdlib will enforce this.
GLIBC does this, and the hardened specs use it to trigger an exception to
adding -fstack-protector-all.
I tried adding '-nostdlib' to REQFLAGS in MCONFIG, and it built fine (see
patch). This could be a change that upstream would accept. I think it makes
sense regardless of our hardened trickery.
Whether we later add ssp support to klibc can be handled as a separate issue.

Seems to be OK with upstream, fixed in klibc-1.0.14-r1.
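
The diagnosis in this thread (every unresolved symbol is stack-protector runtime, so the compiler's implicit SSP flag is the cause rather than a missing library) can be checked mechanically on a saved linker log. The script below is an added example, not part of the bug report or of klibc; the function names are hypothetical, and the `__stack_chk_*` names used by current GCC are included in addition to the two symbols seen in this report.

```shell
#!/bin/sh
# Added example: triage a linker log for missing stack-protector (SSP) symbols.
# __guard and __stack_smash_handler are the names in this report's log;
# __stack_chk_guard and __stack_chk_fail are the names current GCC emits.
SSP_SYMS='__guard|__stack_smash_handler|__stack_chk_guard|__stack_chk_fail'

# Four lines taken from the log quoted in this report.
sample_log() {
cat <<'EOF'
recv.o(.text+0x41):/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc/recv.c:11: undefined reference to `__stack_smash_handler'
libgcc/__divdi3.o(.text+0x17): In function `__divdi3':
libgcc/__divdi3.c:11: undefined reference to `__guard'
libgcc/__divdi3.o(.text+0x7f):libgcc/__divdi3.c:29: undefined reference to `__stack_smash_handler'
EOF
}

# Print "symbol source-file" for every "undefined reference" line on stdin.
undefined_refs() {
  awk -v q="'" '
    /undefined reference to `/ {
      sym = $0; sub(/.*undefined reference to `/, "", sym)
      i = index(sym, q); if (i) sym = substr(sym, 1, i - 1)
      src = $0; sub(/: undefined reference.*/, "", src)
      sub(/:[0-9]+$/, "", src); sub(/^.*\):/, "", src)
      print sym, src
    }'
}

# Count undefined SSP references per source file; other symbols are ignored.
ssp_report() {
  undefined_refs | awk -v pat="^(${SSP_SYMS})\$" \
    '$1 ~ pat { n[$2]++ } END { for (f in n) print n[f], f }' | sort -k2
}

# ssp-only: all missing symbols are SSP runtime (compiler flag issue).
# mixed/other: non-SSP symbols are missing too. clean: nothing undefined.
verdict() {
  undefined_refs | awk -v pat="^(${SSP_SYMS})\$" '
    $1 ~ pat { ssp++; next } { other++ }
    END {
      if (ssp && !other) print "ssp-only"; else if (ssp) print "mixed"
      else if (other) print "other"; else print "clean"
    }'
}

sample_log | ssp_report
sample_log | verdict
```

A verdict of `ssp-only` matches the situation in this report, which was resolved by adding '-nostdlib' to REQFLAGS so the hardened specs stop adding -fstack-protector-all.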