Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616380 - net-misc/openssh does not respect stack-protection
Summary: net-misc/openssh does not respect stack-protection
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-23 11:02 UTC by Agostino Sarubbo
Modified: 2024-02-22 15:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
proposed patch (0001-net-misc-openssh-respect-user-s-fno-stack-protector.patch,955 bytes, patch)
2019-02-26 14:18 UTC, Michael Haubenwallner (RETIRED) 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-23 11:02:25 UTC 
While is good have stack-protector in packages like this, it does not respect the stack-protection of the user:

# checksec --file /usr/sbin/sshd 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     11              23      /usr/sbin/sshd

My CFLAGS:
CFLAGS="-O2 -march=x86-64 -msse4.2 -fno-stack-protector"


net-misc/openssh-7.3_p1-r7::gentoo was built with the following:
USE="hpn pam pie ssl -X -X509 -bindist -debug -kerberos -ldap -ldns -libedit (-libressl) -livecd -sctp (-selinux) -skey -ssh1 -static -test" ABI_X86="64"
Comment 1 Michael Haubenwallner (RETIRED) gentoo-dev 2019-02-26 14:18:49 UTC 
Created attachment 566546 [details, diff]
proposed patch

Would need revbump though.
Comment 2 Agostino Sarubbo gentoo-dev 2019-02-26 14:57:23 UTC 
Thanks for the patch..but I think it will not work with some stack-protector settings.

It think is fine modify the buildsystem to let the user cflags after the default.
Comment 3 Michael Haubenwallner (RETIRED) gentoo-dev 2019-02-26 15:17:22 UTC 
(In reply to Agostino Sarubbo from comment #2)
> Thanks for the patch..but I think it will not work with some stack-protector
> settings.

The patch should disable openssh's logic to add any stack-protector flag. What do you think at here?

> It think is fine modify the buildsystem to let the user cflags after the
> default.

Just found the configure flags --with-cflags-after and --with-ldflags-after.
However, these are evaluated after running the configure checks...
Comment 4 Agostino Sarubbo gentoo-dev 2021-03-05 14:57:28 UTC 
(In reply to Michael Haubenwallner from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > Thanks for the patch..but I think it will not work with some stack-protector
> > settings.
> 
> The patch should disable openssh's logic to add any stack-protector flag.
> What do you think at here?
> 
> > It think is fine modify the buildsystem to let the user cflags after the
> > default.
> 
> Just found the configure flags --with-cflags-after and --with-ldflags-after.
> However, these are evaluated after running the configure checks...

While it covers the scope, I guess it won't work if user would use something different than -fstack-protector-all (e.g. fstack-protector-strong) so the better thing to do here might be just change the order of default flags vs user flags, where user flags are the latest
Comment 5 Agostino Sarubbo gentoo-dev 2024-02-22 15:33:29 UTC 
Since nowadays the current toolchain uses -fstack-protector-strong, all we have to do is to use --without-stackprotect
Basically we are doing the same with --without-hardening:
https://github.com/gentoo/gentoo/blob/be46888368631cff17aebdec768f78e3ffae186d/net-misc/openssh/openssh-9.6_p1-r3.ebuild#L180