klibc does not work with stack smashing protection. I use an gentoo embedded environment but I guess it happens in any hardened installation. Reproducible: Always Steps to Reproduce: 1. emerge klibc 2. 3. Actual Results: emerge fails Expected Results: successful compile klibc is mostly used for initramfs and SSP is probably not really needed here. It would be nice if klibc would compile without stacksmashing protection in a haredened environment and a warning could be displayed telling that it was disabled and that every application linked against it should also disable SSP. I managed to compile klibc when adding "-fno-stack-protector" to REQFLAGS in the file MCONFIG. (CFLAGS didnt help, neither did OPTFLAGS)
You neglected to post emerge --info output and actual errors encountered during emerge.
Sorry... It's a standard linker error that fails to find the stack smashing protection funcs, naturally enough. The point is, klibc is a standard c library used for initramfs so the stack smashing protection isn't really expected to work. What is more interesting is how to disable stack smashing protection. And yes, I have tried switching to another, non-ssp gcc profile with gcc-config and I have tried setting -fno-stack-protector in CFLAGS. Here are the last lines (there are more similar linker errors) recv.o(.text+0x41):/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc/recv.c:11: undefined reference to `__stack_smash_handler' libgcc/__divdi3.o(.text+0x17): In function `__divdi3': libgcc/__divdi3.c:11: undefined reference to `__guard' libgcc/__divdi3.o(.text+0x7f):libgcc/__divdi3.c:29: undefined reference to `__stack_smash_handler' libgcc/__moddi3.o(.text+0x17): In function `__moddi3': libgcc/__moddi3.c:11: undefined reference to `__guard' libgcc/__moddi3.o(.text+0x90):libgcc/__moddi3.c:29: undefined reference to `__stack_smash_handler' libgcc/__udivdi3.o(.text+0x13): In function `__udivdi3': libgcc/__udivdi3.c:11: undefined reference to `__guard' libgcc/__udivdi3.o(.text+0x3f):libgcc/__udivdi3.c:13: undefined reference to `__stack_smash_handler' libgcc/__umoddi3.o(.text+0x13): In function `__umoddi3': libgcc/__umoddi3.c:11: undefined reference to `__guard' libgcc/__umoddi3.o(.text+0x4b):libgcc/__umoddi3.c:16: undefined reference to `__stack_smash_handler' libgcc/__udivmoddi4.o(.text+0x1d): In function `__udivmoddi4': libgcc/__udivmoddi4.c:5: undefined reference to `__guard' libgcc/__udivmoddi4.o(.text+0xda):libgcc/__udivmoddi4.c:32: undefined reference to `__stack_smash_handler' make[1]: *** [libc.so] Error 1 rm tests/microhello.o tests/malloctest.o tests/stat.o tests/statfs.o tests/fcntl.o tests/strtoimax.o tests/setenvtest.o tests/idtest.o tests/opentest.o tests/strlcpycat.o tests/malloctest2.o tests/minihello.o tests/hello.o tests/setjmptest.o tests/nfs_no_rpc.o tests/rtsig.o tests/memstrtest.o tests/strtotime.o tests/getopttest.o tests/sigint.o tests/getpagesize.o tests/environ.o tests/mmaptest.o tests/testrand48.o make[1]: Leaving directory `/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc' make: *** [all] Error 2 My environment is an uclibc chroot on a debian sarge box.. but that should also be irrelevant AFAIK. emerge --info: Portage 2.0.51.22-r2 (uclibc/x86/hardened, gcc-3.3.5-20050130, uclibc-0.9.27-r0, 2.6.8-2-686-smp i686) ================================================================= System uname: 2.6.8-2-686-smp i686 Intel(R) Xeon(TM) CPU 2.40GHz Gentoo Base System version 1.6.13 distcc 2.18.3 i386-gentoo-linux-uclibc (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [disabled] dev-lang/python: 2.3.5 sys-apps/sandbox: 1.2.11 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5 sys-devel/binutils: 2.15.92.0.2-r10 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i386-gentoo-linux-uclibc" CFLAGS="-march=i386 -Os -pipe -fomit-frame-pointer" CHOST="i386-gentoo-linux-uclibc" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-Os -pipe" DISTDIR="/var/cache/distfiles" FEATURES="autoconfig buildpkg distcc distlocks nodoc noinfo noman sandbox sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j4" PKGDIR="/var/cache/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/src/alpine/apks/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X509 berkdb bitmap-fonts cdr cracklib curl gd gdbm hardened jpeg mad minimal ncurses ogg pcmcia pic png readline rrdtool samba sqlite ssl truetype truetype-fonts uclibc vorbis winbind xml2 zlib userland_GNU kernel_linux elibc_uclibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Guys, how should we do this? Just disabled SSP for klibc ?
Created attachment 66756 [details, diff] Add '-nostdlib' to compilation lines. For the kernel, glibc and uclibc, the GCC specs file is rigged to switch off SSP on the target binary. I had a peek at klibc, and I'm surprised it doesn't specify '-nostdlib' on compilation - obviously, since it's a stdlib replacement, you don't want it to include anything from the standard library, and -nostdlib will enforce this. GLIBC does this, and the hardened specs use it to trigger an exception to adding -fstack-protector-all. I tried adding '-nostdlib' to REQFLAGS in MCONFIG, and it built fine (see patch). This could be a change that upstream would accept. I think it makes sense regardless of our hardened trickery. Whether we later add ssp support to klibc can be handled as a separate issue.
Seems to be OK with upstream, fixed in klibc-1.0.14-r1.