Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 103437 - dev-libs/klibc fails to compile on hardened
Summary: dev-libs/klibc fails to compile on hardened
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-23 04:04 UTC by Natanael Copa
Modified: 2016-08-25 16:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Add '-nostdlib' to compilation lines. (klibc.dif,461 bytes, patch)
2005-08-24 09:15 UTC, Kevin F. Quinn (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Natanael Copa 2005-08-23 04:04:32 UTC
klibc does not work with stack smashing protection. I use an gentoo embedded
environment but I guess it happens in any hardened installation.

Reproducible: Always
Steps to Reproduce:
1. emerge klibc
2.
3.

Actual Results:  
emerge fails

Expected Results:  
successful compile

klibc is mostly used for initramfs and SSP is probably not really needed here.
It would be nice if klibc would compile without stacksmashing protection in a
haredened environment and a warning could be displayed telling that it was
disabled and that every application linked against it should also disable SSP.

I managed to compile klibc when adding "-fno-stack-protector" to REQFLAGS in the
file MCONFIG. (CFLAGS didnt help, neither did OPTFLAGS)
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-08-23 07:41:12 UTC
You neglected to post emerge --info output and actual errors encountered during
emerge.
Comment 2 Natanael Copa 2005-08-23 08:02:35 UTC
Sorry...

It's a standard linker error that fails to find the stack smashing protection
funcs, naturally enough. The point is, klibc is a standard c library used for
initramfs so the stack smashing protection isn't really expected to work. What
is more interesting is how to disable stack smashing protection.

And yes, I have tried switching to another, non-ssp gcc profile with gcc-config
and I have tried setting -fno-stack-protector in CFLAGS.

Here are the last lines (there are more similar linker errors)

recv.o(.text+0x41):/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc/recv.c:11:
undefined reference to `__stack_smash_handler'
libgcc/__divdi3.o(.text+0x17): In function `__divdi3':
libgcc/__divdi3.c:11: undefined reference to `__guard'
libgcc/__divdi3.o(.text+0x7f):libgcc/__divdi3.c:29: undefined reference to
`__stack_smash_handler'
libgcc/__moddi3.o(.text+0x17): In function `__moddi3':
libgcc/__moddi3.c:11: undefined reference to `__guard'
libgcc/__moddi3.o(.text+0x90):libgcc/__moddi3.c:29: undefined reference to
`__stack_smash_handler'
libgcc/__udivdi3.o(.text+0x13): In function `__udivdi3':
libgcc/__udivdi3.c:11: undefined reference to `__guard'
libgcc/__udivdi3.o(.text+0x3f):libgcc/__udivdi3.c:13: undefined reference to
`__stack_smash_handler'
libgcc/__umoddi3.o(.text+0x13): In function `__umoddi3':
libgcc/__umoddi3.c:11: undefined reference to `__guard'
libgcc/__umoddi3.o(.text+0x4b):libgcc/__umoddi3.c:16: undefined reference to
`__stack_smash_handler'
libgcc/__udivmoddi4.o(.text+0x1d): In function `__udivmoddi4':
libgcc/__udivmoddi4.c:5: undefined reference to `__guard'
libgcc/__udivmoddi4.o(.text+0xda):libgcc/__udivmoddi4.c:32: undefined reference
to `__stack_smash_handler'
make[1]: *** [libc.so] Error 1
rm tests/microhello.o tests/malloctest.o tests/stat.o tests/statfs.o
tests/fcntl.o tests/strtoimax.o tests/setenvtest.o tests/idtest.o
tests/opentest.o tests/strlcpycat.o tests/malloctest2.o tests/minihello.o
tests/hello.o tests/setjmptest.o tests/nfs_no_rpc.o tests/rtsig.o
tests/memstrtest.o tests/strtotime.o tests/getopttest.o tests/sigint.o
tests/getpagesize.o tests/environ.o tests/mmaptest.o tests/testrand48.o
make[1]: Leaving directory `/var/tmp/portage/klibc-1.0.14/work/klibc-1.0.14/klibc'
make: *** [all] Error 2



My environment is an uclibc chroot on a debian sarge box.. but that should also
be irrelevant AFAIK.

emerge --info:

Portage 2.0.51.22-r2 (uclibc/x86/hardened, gcc-3.3.5-20050130, uclibc-0.9.27-r0,
2.6.8-2-686-smp i686)
=================================================================
System uname: 2.6.8-2-686-smp i686 Intel(R) Xeon(TM) CPU 2.40GHz
Gentoo Base System version 1.6.13
distcc 2.18.3 i386-gentoo-linux-uclibc (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.3 [disabled]
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.11
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i386-gentoo-linux-uclibc"
CFLAGS="-march=i386 -Os -pipe -fomit-frame-pointer"
CHOST="i386-gentoo-linux-uclibc"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -pipe"
DISTDIR="/var/cache/distfiles"
FEATURES="autoconfig buildpkg distcc distlocks nodoc noinfo noman sandbox
sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/var/cache/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/src/alpine/apks/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X509 berkdb bitmap-fonts cdr cracklib curl gd gdbm hardened jpeg mad
minimal ncurses ogg pcmcia pic png readline rrdtool samba sqlite ssl truetype
truetype-fonts uclibc vorbis winbind xml2 zlib userland_GNU kernel_linux
elibc_uclibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Comment 3 Martin Schlemmer (RETIRED) gentoo-dev 2005-08-24 06:20:17 UTC
Guys, how should we do this?  Just disabled SSP for klibc ?
Comment 4 Kevin F. Quinn (RETIRED) gentoo-dev 2005-08-24 09:15:27 UTC
Created attachment 66756 [details, diff]
Add '-nostdlib' to compilation lines.

For the kernel, glibc and uclibc, the GCC specs file is rigged to switch off
SSP on the target binary.

I had a peek at klibc, and I'm surprised it doesn't specify '-nostdlib' on
compilation - obviously, since it's a stdlib replacement, you don't want it to
include anything from the standard library, and -nostdlib will enforce this. 
GLIBC does this, and the hardened specs use it to trigger an exception to
adding -fstack-protector-all.

I tried adding '-nostdlib' to REQFLAGS in MCONFIG, and it built fine (see
patch).  This could be a change that upstream would accept.  I think it makes
sense regardless of our hardened trickery.

Whether we later add ssp support to klibc can be handled as a separate issue.
Comment 5 Martin Schlemmer (RETIRED) gentoo-dev 2005-08-26 14:17:27 UTC
Seems to be OK with upstream, fixed in klibc-1.0.14-r1.