Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 312335 - sys-kernel/hardened-sources-2.6.32 build complains about missing -fstack-protector support with sys-devel/gcc-4.4.2-r2
Summary: sys-kernel/hardened-sources-2.6.32 build complains about missing -fstack-prot...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
: High normal (vote)
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
: 330069 336625 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-03-31 08:07 UTC by Kai Dietrich
Modified: 2010-09-17 10:56 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
fix for scripts/gcc-x86_64-has-stack-protector.sh (fix-fstack-protector-x86_64.patch,512 bytes, patch)
2010-03-31 08:11 UTC, Kai Dietrich
Details | Diff
Fix the KERNEL SSP check with hardened toolchain (Hardened_kernel_check_SSP_fix.patch,685 bytes, patch)
2010-03-31 15:06 UTC, Magnus Granberg
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kai Dietrich 2010-03-31 08:07:21 UTC
I'm using the gcc 4.4.2-r2 from the hardened-dev overlay and recently tried to compile a kernel with the fstack-protector switch enabled
(menuconfig->processor type and features->stack-protector).

When building the kernel, the make-script complains with a message that there is no compiler-suppert ("stack protector enabled but no compiler support") which obviously is not true. I think it then discards the flag (not sure about that).

I looked into it. The kernel build system has a script which checks whether the kernel has support for fstack-protector or not (scripts/gcc-x86_64-has-stack-protector.sh)
On a non-hardened gcc-4.3.4 these scripts work well. But on gentoo-hardened gcc 4.4.2 the compiler throws an error (error: code model kernel does not support PIC mode). I think this is caused by the hardened profile. To fix this, the -fno-pic flag has to be added in the call to gcc in the scripts.

The fixed script is attached.

Reproducible: Always

Steps to Reproduce:
1. install gcc-4.4.2-r2 from hardened-dev overlay
2. install hardened-sources-2.6.32-r5 from hardened-dev overlay
3. enable CONFIG_CC_STACKPROTECTOR=y in kernel config
4. make
Actual Results:  
the kernel should build with fstack-protector enabled

Expected Results:  
the build system complains about missing compiler support

Portage 2.1.7.17 (hardened/linux/amd64/10.0, gcc-4.4.2, glibc-2.10.1-r1, 2.6.28-hardened-r9 x86_64)
=================================================================                                  
System uname: Linux-2.6.28-hardened-r9-x86_64-Intel-R-_Atom-TM-_CPU_330_@_1.60GHz-with-gentoo-1.12.13
Timestamp of tree: Tue, 30 Mar 2010 04:00:01 +0000                                                   
app-shells/bash:     4.0_p35                                                                         
dev-lang/python:     2.6.4-r1                                                                        
dev-python/pycrypto: 2.1.0_beta1                                                                     
dev-util/cmake:      2.6.4-r3                                                                        
sys-apps/baselayout: 1.12.13                                                                         
sys-apps/sandbox:    1.6-r2                                                                          
sys-devel/autoconf:  2.63-r1                                                                         
sys-devel/automake:  1.9.6-r3, 1.10.3                                                                
sys-devel/binutils:  2.18-r3                                                                         
sys-devel/gcc:       4.3.4, 4.4.2-r2                                                                 
sys-devel/gcc-config: 1.4.1                                                                          
sys-devel/libtool:   2.2.6b                                                                          
virtual/os-headers:  2.6.30-r1                                                                       
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo/ http://gentoo.mneisen.org/ http://gentoo.tiscali.nl/"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/hardened-development /root/myOverlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv jpeg jpeg2k justify mmx modules mp3 mudflap multilib ncurses nls nptl nptlonly ogg openmp pam pcre perl pic png pppd python readline reflection session spl sse sse2 ssh ssl svg sysfs tcpd threads tiff tls unicode urandom utf8 vhosts vorbis xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Kai Dietrich 2010-03-31 08:11:03 UTC
Created attachment 225913 [details, diff]
fix for scripts/gcc-x86_64-has-stack-protector.sh
Comment 2 Kai Dietrich 2010-03-31 09:07:59 UTC
It should be noted, that there also is a
scripts/gcc-x86_32-has-stack-protector.sh check-script. I haven't tried/tested/fixed it, but I guess the same bug will occur there, too.
Comment 3 Magnus Granberg gentoo-dev 2010-03-31 15:06:44 UTC
Created attachment 225963 [details, diff]
Fix the KERNEL SSP check with hardened toolchain

Test this patch
It add CPPFLAGS to the commandline for the SSP test.
We use CPPFLAGS (-D__KERNEL__) to disabla hardened SSP/PIE as default.
Comment 4 Kai Dietrich 2010-03-31 18:13:05 UTC
Yes, your Makefile-patch works as well.
Comment 5 Jory A. Pratt gentoo-dev 2010-04-01 22:46:30 UTC
Zorry please leave bugs assigned to hardened alias so everyone in the group can track the bug.
Comment 6 Gordon Malm (RETIRED) gentoo-dev 2010-04-02 20:58:03 UTC
(In reply to comment #5)
> Zorry please leave bugs assigned to hardened alias so everyone in the group can
> track the bug.
> 

No, this is clearly hardened-kernel@ issue.  Add yourself to the hardened-kernel@ alias if you want.  CC'd you for now.

Comment 7 Kevin Pyle 2010-07-10 21:16:33 UTC
(In reply to comment #6)
> No, this is clearly hardened-kernel@ issue.

Could you explain the rationale behind this statement?  Using a Gentoo hardened gcc 4.4.4-r1 to build a non-hardened 2.6.34.1 kernel exhibits the same problem.  Both of the proposed patches result in correct behavior of the kernel test program and apply cleanly to non-hardened sources.  It seems like the greatest benefit would be to push the change from attachment #225963 [details, diff] upstream so that the test program is consistent in its specification of kernel versus user.  At present, it passes -mcmodel=kernel, but then omits -D__KERNEL__, which seems to be the traditional CPP define used for kernel code.
Comment 8 Anthony Basile gentoo-dev 2010-07-11 08:24:39 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > No, this is clearly hardened-kernel@ issue.
> 
> Could you explain the rationale behind this statement?  Using a Gentoo hardened
> gcc 4.4.4-r1 to build a non-hardened 2.6.34.1 kernel exhibits the same problem.
>  Both of the proposed patches result in correct behavior of the kernel test

Its actually a kernel@ issue since the patch to fix it needs to go upstream to the kernel maintainers.  I've tried, but the patch was intercepted by one of the email list fiters (I think) and never even made it to lkml.  I'm cc-ing kernel@gentoo.org.  Maybe they can help in getting it accepted.  Otherwise, I will start to include the patch in the hardened-sources patchset.
Comment 9 Magnus Granberg gentoo-dev 2010-07-27 13:14:18 UTC
*** Bug 330069 has been marked as a duplicate of this bug. ***
Comment 10 Kevin Pyle 2010-09-05 18:37:10 UTC
(In reply to comment #8)
> Its actually a kernel@ issue since the patch to fix it needs to go upstream to
> the kernel maintainers.  I've tried, but the patch was intercepted by one of
> the email list fiters (I think) and never even made it to lkml.  I'm cc-ing
> kernel@gentoo.org.  Maybe they can help in getting it accepted.

To avoid it getting lost in mailing lists, I reported this upstream at <https://bugzilla.kernel.org/show_bug.cgi?id=17852>.
Comment 11 Kai Dietrich 2010-09-07 05:20:10 UTC
hardened-source-2.6.34-r2 has the same issue. could the patch be supplied with the ebuild?
Comment 12 Anthony Basile gentoo-dev 2010-09-07 09:30:13 UTC
(In reply to comment #11)
> hardened-source-2.6.34-r2 has the same issue. could the patch be supplied with
> the ebuild?
> 

I will wait a little longer to see if there's any progress on the bug upstream and if not, start including it.
Comment 13 Anthony Basile gentoo-dev 2010-09-13 16:47:19 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > hardened-source-2.6.34-r2 has the same issue. could the patch be supplied with
> > the ebuild?
> > 
> 
> I will wait a little longer to see if there's any progress on the bug upstream
> and if not, start including it.

I resubmitted the patch as per the upstream bug request and this time it made it through to lkms.  I'm still including the patch in the next releases because who knows how long before it gets incorporated.

Comment 14 Anthony Basile gentoo-dev 2010-09-15 11:35:46 UTC
Okay good news and good news:

1) The patch was accepted.  Thanks Kai and Zorry :)

2) Since it will be a while until it trickles back down to us, the patch is in hardened-sources-2.6.32-r17 and hardened-sources-2.6.34-r5 which just hit the tree.

I'm going to close this one.  Please anyone, feel free to reopen if there's any problem or issue that further needs addressing.

Comment 15 Anthony Basile gentoo-dev 2010-09-17 10:56:55 UTC
*** Bug 336625 has been marked as a duplicate of this bug. ***