Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 99055 Details for
Bug 149649
develop independent gcc versions containing advanced security technology
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
portage-hardened-glibc-gcc.patch with needed files and ppc tryout
portage-hardened-glibc-gcc.patch (text/plain), 24.52 KB, created by
Alexander Gabert (RETIRED)
on 2006-10-07 09:50:39 UTC
(
hide
)
Description:
portage-hardened-glibc-gcc.patch with needed files and ppc tryout
Filename:
MIME Type:
Creator:
Alexander Gabert (RETIRED)
Created:
2006-10-07 09:50:39 UTC
Size:
24.52 KB
patch
obsolete
> Patch your current /usr/portage tree to this preliminary test for gcc-4 hardened > do not forget to run ebuild digesting because of modified Manifests and missing digest files > >diff -Nru portage.ORIG/profiles/hardened/package.mask portage/profiles/hardened/package.mask >--- portage.ORIG/profiles/hardened/package.mask 2006-10-07 01:06:18.000000000 +0200 >+++ portage/profiles/hardened/package.mask 2006-10-07 16:20:06.000000000 +0200 >@@ -11,14 +11,14 @@ > # If you want to play with it, unmask in /etc/portage/package.unmask > # but be prepared to rebuild anything you build with gcc-4, later. > # 2006-01-11 kevquinn >-=sys-devel/gcc-4* >+# BETA PATCH TESTING # =sys-devel/gcc-4* > > # Mask off glibc-2.4 until the approach for SSP compatibilty is > # resolved in a way that doesn't break running systems, and we > # have a sensible upgrade path. Advise having a static busybox > # around if you try it in a live system. > # 2006-03-13 kevquinn >-=sys-libs/glibc-2.4* >+# BETA PATCH TESTING # =sys-libs/glibc-2.4* > > # These packages do more harm than good w/ hardened. > # users must now the opensource xorg nv driver with nvidia cards. >diff -Nru portage.ORIG/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts-asm-pic.patch portage/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts-asm-pic.patch >--- portage.ORIG/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts-asm-pic.patch 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts-asm-pic.patch 2006-10-07 17:57:47.000000000 +0200 >@@ -0,0 +1,21 @@ >+diff -Nru gcc-4.1.1.ORIG/gcc/gcc.c gcc-4.1.1/gcc/gcc.c >+--- gcc-4.1.1.ORIG/gcc/gcc.c 2006-10-07 17:32:48.000000000 +0200 >++++ gcc-4.1.1/gcc/gcc.c 2006-10-07 17:56:14.000000000 +0200 >+@@ -559,6 +559,8 @@ >+ #ifndef ASM_SPEC >+ #define ASM_SPEC "" >+ #endif >++/* Gentoo: add minispecs for SSP and PIE compilation to asm */ >++#define ASM_SPEC_2 ASM_SPEC " %(asm_pic) " >+ >+ /* config.h can define ASM_FINAL_SPEC to run a post processor after >+ the assembler has run. */ >+@@ -738,7 +740,7 @@ >+ static const char *cc1plus_spec = CC1PLUS_SPEC; >+ static const char *link_gcc_c_sequence_spec = LINK_GCC_C_SEQUENCE_SPEC; >+ static const char *link_ssp_spec = LINK_SSP_SPEC; >+-static const char *asm_spec = ASM_SPEC; >++static const char *asm_spec = ASM_SPEC_2; >+ static const char *asm_final_spec = ASM_FINAL_SPEC; >+ static const char *link_spec = LINK_SPEC; >+ static const char *lib_spec = LIB_SPEC; >diff -Nru portage.ORIG/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch portage/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch >--- portage.ORIG/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch 2006-10-07 16:19:24.000000000 +0200 >@@ -0,0 +1,53 @@ >+ Add callouts to minispecs to simplify gcc hardening. >+ Hardening is achieved through "minispecs" which adjust >+ the additional specs CC1_SSP, CC1_PIE, LINK_COMMAND_PIE >+ (and rewriting STARTFILE_SPEC/ENDFILE_SPEC for PIE). >+ These minispecs are supplied directly rather than >+ patching gcc itself. >+ Kevin F. Quinn, 2006-10-02 >+ >+--- gcc/gcc.c.orig 2006-10-03 03:13:30.000000000 +0200 >++++ gcc/gcc.c 2006-10-03 03:16:46.000000000 +0200 >+@@ -577,6 +577,8 @@ >+ #ifndef CC1_SPEC >+ #define CC1_SPEC "" >+ #endif >++/* Gentoo: add minispecs for SSP and PIE compilation to cc1 */ >++#define CC1_SPEC_2 CC1_SPEC " %(cc1_ssp) %(cc1_pie) " >+ >+ /* config.h can define CC1PLUS_SPEC to provide extra args to cc1plus >+ or extra switch-translations. */ >+@@ -682,9 +684,10 @@ >+ #endif >+ #endif >+ >++/* Gentoo: add minispec for PIE linking */ >+ #ifndef LINK_PIE_SPEC >+ #ifdef HAVE_LD_PIE >+-#define LINK_PIE_SPEC "%{pie:-pie} " >++#define LINK_PIE_SPEC "%{pie:-pie;:%(link_command_pie)} " >+ #else >+ #define LINK_PIE_SPEC "%{pie:} " >+ #endif >+@@ -696,10 +699,11 @@ >+ /* We want %{T*} after %{L*} and %D so that it can be used to specify linker >+ scripts which exist in user specified directories, or in standard >+ directories. */ >++/* Gentoo: add minispecs for RELRO, NOW linking */ >+ #ifndef LINK_COMMAND_SPEC >+ #define LINK_COMMAND_SPEC "\ >+ %{!fsyntax-only:%{!c:%{!M:%{!MM:%{!E:%{!S:\ >+- %(linker) %l " LINK_PIE_SPEC "%X %{o*} %{A} %{d} %{e*} %{m} %{N} %{n} %{r}\ >++ %(linker) %l " LINK_PIE_SPEC "%(link_command_zrelro) %(link_command_znow) %X %{o*} %{A} %{d} %{e*} %{m} %{N} %{n} %{r}\ >+ %{s} %{t} %{u*} %{x} %{z} %{Z} %{!A:%{!nostdlib:%{!nostartfiles:%S}}}\ >+ %{static:} %{L*} %(mfwrap) %(link_libgcc) %o %(mflib)\ >+ %{fprofile-arcs|fprofile-generate|coverage:-lgcov}\ >+@@ -730,7 +734,7 @@ >+ >+ static const char *asm_debug; >+ static const char *cpp_spec = CPP_SPEC; >+-static const char *cc1_spec = CC1_SPEC; >++static const char *cc1_spec = CC1_SPEC_2; >+ static const char *cc1plus_spec = CC1PLUS_SPEC; >+ static const char *link_gcc_c_sequence_spec = LINK_GCC_C_SEQUENCE_SPEC; >+ static const char *link_ssp_spec = LINK_SSP_SPEC; >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/hardened.specs portage/sys-devel/gcc/files/specs/hardened.specs >--- portage.ORIG/sys-devel/gcc/files/specs/hardened.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/hardened.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,4 @@ >+%include <pie.specs> >+%include <ssp.specs> >+%include <zrelro.specs> >+%include <znow.specs> >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/hardenednopie.specs portage/sys-devel/gcc/files/specs/hardenednopie.specs >--- portage.ORIG/sys-devel/gcc/files/specs/hardenednopie.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/hardenednopie.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,3 @@ >+%include <ssp.specs> >+%include <zrelro.specs> >+%include <znow.specs> >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/hardenednopiessp.specs portage/sys-devel/gcc/files/specs/hardenednopiessp.specs >--- portage.ORIG/sys-devel/gcc/files/specs/hardenednopiessp.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/hardenednopiessp.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,2 @@ >+%include <zrelro.specs> >+%include <znow.specs> >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/hardenednossp.specs portage/sys-devel/gcc/files/specs/hardenednossp.specs >--- portage.ORIG/sys-devel/gcc/files/specs/hardenednossp.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/hardenednossp.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,3 @@ >+%include <pie.specs> >+%include <zrelro.specs> >+%include <znow.specs> >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/pie.specs portage/sys-devel/gcc/files/specs/pie.specs >--- portage.ORIG/sys-devel/gcc/files/specs/pie.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/pie.specs 2006-10-07 17:26:10.000000000 +0200 >@@ -0,0 +1,15 @@ >+*asm_pic: >+%{D__KERNEL__|static|nostdlib|nostartfiles|fPIC|fpic|fno-PIC|fno-pic|fPIE|fpie|fno-PIE|fno-pie|nopie:;:-K PIC} >+ >+*cc1_pie: >+%{D__KERNEL__|static|nostdlib|nostartfiles|fPIC|fpic|fno-PIC|fno-pic|fPIE|fpie|fno-PIE|fno-pie|nopie:;:-fPIE} >+ >+*startfile: >+%{!shared: %{nopie:%{pg|p|profile:gcrt1.o%s;pie:Scrt1.o%s;:crt1.o%s};:Scrt1.o%s}} crti.o%s %{nopie:%{static:crtbeginT.o%s;%{shared|pie:crtbeginS.o%s;:crtbegin.o%s}};:%{static:crtbeginT.o%s;:crtbeginS.o%s}} >+ >+*endfile: >+%{ffast-math|funsafe-math-optimizations:crtfastmath.o%s} %{static|nopie:%{shared|pie:crtendS.o%s;:crtend.o%s};:crtendS.o%s} crtn.o%s >+ >+*link_command_pie: >+%{pie:-pie;:%{nopie|static|A|shared|nostdlib|nostartfiles|fno-PIE|fno-pie:;:-pie}} >+ >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/ssp.specs portage/sys-devel/gcc/files/specs/ssp.specs >--- portage.ORIG/sys-devel/gcc/files/specs/ssp.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/ssp.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,3 @@ >+*cc1_ssp: >+%{D__KERNEL__|nostdlib|nodefaultlibs|fno-stack-protector|fstack-protector|fno-stack-protector-all:;:-fstack-protector-all} >+ >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/znow.specs portage/sys-devel/gcc/files/specs/znow.specs >--- portage.ORIG/sys-devel/gcc/files/specs/znow.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/znow.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,3 @@ >+*link_command_zrelro: >+%{!nonow: -z now} %{now: } >+ >diff -Nru portage.ORIG/sys-devel/gcc/files/specs/zrelro.specs portage/sys-devel/gcc/files/specs/zrelro.specs >--- portage.ORIG/sys-devel/gcc/files/specs/zrelro.specs 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-devel/gcc/files/specs/zrelro.specs 2006-10-07 17:22:18.000000000 +0200 >@@ -0,0 +1,3 @@ >+*link_command_zrelro: >+%{!norelro: -z relro} %{relro: } >+ >diff -Nru portage.ORIG/sys-devel/gcc/gcc-4.1.1-r1.ebuild portage/sys-devel/gcc/gcc-4.1.1-r1.ebuild >--- portage.ORIG/sys-devel/gcc/gcc-4.1.1-r1.ebuild 2006-09-23 18:36:34.000000000 +0200 >+++ portage/sys-devel/gcc/gcc-4.1.1-r1.ebuild 2006-10-07 17:58:59.000000000 +0200 >@@ -57,5 +57,9 @@ > # Fix cross-compiling > epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-cross-compile.patch > >+ # Add hardened minispec support >+ use hardened && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch >+ use hardened && use ppc && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts-asm-pic.patch >+ > [[ ${CTARGET} == *-softfloat-* ]] && epatch "${FILESDIR}"/4.0.2/gcc-4.0.2-softfloat.patch > } >diff -Nru portage.ORIG/sys-libs/glibc/files/2.3.6/glibc-2.3.6-pt_chown-znow.patch portage/sys-libs/glibc/files/2.3.6/glibc-2.3.6-pt_chown-znow.patch >--- portage.ORIG/sys-libs/glibc/files/2.3.6/glibc-2.3.6-pt_chown-znow.patch 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-libs/glibc/files/2.3.6/glibc-2.3.6-pt_chown-znow.patch 2006-10-07 16:17:59.000000000 +0200 >@@ -0,0 +1,12 @@ >+--- login/Makefile.orig 2006-02-10 11:40:05.000000000 +0100 >++++ login/Makefile 2006-02-10 11:44:36.000000000 +0100 >+@@ -29,6 +29,9 @@ >+ >+ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' >+ >++# pt_chown is to be suid root, so link with BIND_NOW. >++LDFLAGS-pt_chown = -Wl,-z,now >++ >+ others = utmpdump pt_chown >+ install-others = $(inst_libexecdir)/pt_chown >+ >diff -Nru portage.ORIG/sys-libs/glibc/files/2.4/glibc-2.4-linuxssp.patch portage/sys-libs/glibc/files/2.4/glibc-2.4-linuxssp.patch >--- portage.ORIG/sys-libs/glibc/files/2.4/glibc-2.4-linuxssp.patch 1970-01-01 01:00:00.000000000 +0100 >+++ portage/sys-libs/glibc/files/2.4/glibc-2.4-linuxssp.patch 2006-10-07 16:18:12.000000000 +0200 >@@ -0,0 +1,394 @@ >+ Modifications to glibc-2.4 to allow it to build with stack-protection >+ enabled throughout, and to provide a logging stack_chk_fail handler. >+ >+ debug/stack_chk_fail.c: provide stack_chk_fail handler that logs to >+ syslog, and uses syscalls directly inline. >+ >+ debug/Makefile: build stack_chk_fail_local -fno-stack-protector >+ Leave stack_chk_fail alone, so checking __SSP__ will show whether >+ compiler is rigged to build SSP, and hence that we want the modified >+ handler (which will never trigger SSP because there are no function >+ calls). >+ >+ csu/Makefile, linuxthreads/Makefile, nptl/Makefile: inihibit SSP on >+ crti/crtn (i.e. compilation of initfini) >+ >+ elf/rtld-Rules: Add compilation rules for .oS targets (so that >+ stack_chk_fail_local will build for rtld). >+ >+ elf/Makefile: Add libc_nonshared.a to rtld build set so that >+ stack_chk_fail_local can be found (and other modifications >+ so that static objects are considered). >+ >+ Makerules: add stack_chk_fail_local.os to libc_pic.os (needed for >+ SSP builds on x86 so that it can resolve __stack_chk_fail_local). >+ Note this is a whole-archive link so adding libc_nonshared.a is >+ causes too much stuff to be included. >+ >+ Kevin F. Quinn 2006-09-30 >+ >+--- debug/stack_chk_fail.c.orig 2006-09-29 17:04:58.000000000 +0200 >++++ debug/stack_chk_fail.c 2006-09-29 17:06:37.000000000 +0200 >+@@ -16,22 +16,269 @@ >+ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA >+ 02111-1307 USA. */ >+ >++#if defined __SSP__ || defined __SSP_ALL__ >++ >++/* An SSP failure handler that: >++ * 1) does not use any function calls - which would >++ * otherwise lead to nested calls to stack_chk_fail() >++ * 2) uses no functions from the rest of libc, which >++ * can lead to build problems pulling in copies of >++ * swathes of libc into the other libraries. >++ * This handler would not be valid on architectures for >++ * which a pointer is not either a 32-bit or 64-bit >++ * integer. It's definitely ok for i386, x86_64, and ppc. >++ */ >++ >++#if defined __linux__ >++ >++/* When including headers, define out the function names used >++ * via syscalls, since the syscall macros require that the functions >++ * they declare have the predefined names. This prevents duplicate >++ * declaration issues, which are warnings on gcc-3 but have become >++ * errors on gcc-4. >++ */ >++#include <stdlib.h> >++#include <unistd.h> >++#include <signal.h> >++#include <linux/unistd.h> >++#include <sys/types.h> >++ >++ >++#ifndef __dietlibc__ >++ >++#include <alloca.h> >++ >++/* from sysdeps */ >++#include <socketcall.h> >++ >++/* for the stuff in bits/socket.h */ >++#include <sys/socket.h> >++#include <sys/un.h> >++ >++#endif >++ >++/* Re-configure errno to a local one */ >++#ifdef errno >++#undef errno >++#endif >++#define errno __stack_chk_fail_errno >++static unsigned long int __stack_chk_fail_errno; >++ >++#define __NR_stack_chk_fail_write __NR_write >++static inline ssize_t stack_chk_fail_write(int fd, const void *buf, size_t count) __attribute__ ((always_inline)); >++static inline _syscall3(ssize_t,stack_chk_fail_write, int,fd, const void *,buf, size_t,count); >++ >++#define __NR_stack_chk_fail_exit __NR_exit >++static inline void stack_chk_fail_exit(int status) __attribute__ ((always_inline)); >++static inline _syscall1(void,stack_chk_fail_exit, int,status); >++ >++#define __NR_stack_chk_fail_kill __NR_kill >++static inline int stack_chk_fail_kill(pid_t pid, int sig) __attribute__ ((always_inline)); >++static inline _syscall2(int,stack_chk_fail_kill, pid_t,pid, int,sig); >++ >++#define __NR_stack_chk_fail_getpid __NR_getpid >++static inline pid_t stack_chk_fail_getpid(void) __attribute__ ((always_inline)); >++static inline _syscall0(pid_t,stack_chk_fail_getpid); >++ >++#ifndef __dietlibc__ >++ >++#define __NR_stack_chk_fail_close __NR_close >++static inline int stack_chk_fail_close(int fd) __attribute__ ((always_inline)); >++static inline _syscall1(int,stack_chk_fail_close, int,fd); >++ >++ >++/* socketcall is present on most arches (including x86, arm (some), ppc, ppc64, mips, mips64, sparc, sparc64) >++ * x86_86 and some arm do not have it, but does have socket and connect syscalls >++ * Assume this when socketcall is not available. >++ */ >++#ifdef __NR_socketcall >++ >++#define __NR_stack_chk_fail_socketcall __NR_socketcall >++static inline long stack_chk_fail_socketcall(int call, unsigned long *args) __attribute__ ((always_inline)); >++static inline _syscall2(long,stack_chk_fail_socketcall, int,call, unsigned long *,args); >++ >++#define DO_SOCKET(result,domain,type,protocol) \ >++ socketargs[0] = domain; \ >++ socketargs[1] = type; \ >++ socketargs[2] = protocol; \ >++ socketargs[3] = 0; \ >++ result = stack_chk_fail_socketcall(SOCKOP_socket, socketargs) >++ >++#define DO_CONNECT(result,sockfd,serv_addr,addrlen) \ >++ socketargs[0] = sockfd; \ >++ socketargs[1] = (unsigned long int)serv_addr; \ >++ socketargs[2] = addrlen; \ >++ socketargs[3] = 0; \ >++ result = stack_chk_fail_socketcall(SOCKOP_connect, socketargs) >++ >++#else >++ >++#define __NR_stack_chk_fail_socket __NR_socket >++static inline int stack_chk_fail_socket(int domain, int type, int protocol) __attribute__ ((always_inline)); >++static inline _syscall3(int,stack_chk_fail_socket, int,domain, int,type, int,protocol); >++ >++#define DO_SOCKET(result,domain,type,protocol) \ >++ result = stack_chk_fail_socket(domain,type,protocol) >++ >++#define __NR_stack_chk_fail_connect __NR_connect >++static inline int stack_chk_fail_connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen) __attribute__ ((always_inline)); >++static inline _syscall3(int,stack_chk_fail_connect, int,sockfd, const struct sockaddr *,serv_addr, socklen_t,addrlen); >++ >++#define DO_CONNECT(result,sockfd,serv_addr,addrlen) \ >++ result = stack_chk_fail_connect(sockfd,(struct sockaddr *)serv_addr, addrlen) >++ >++#endif >++ >++#ifndef _PATH_LOG >++#define _PATH_LOG "/dev/log" >++#endif >++ >++const char path_log[]=_PATH_LOG; >++ >++#ifdef IS_IN_rtld >++static char *__progname = "<rtld>"; >++#else >++extern char *__progname; >++#endif >++ >++#else >++ >++static char *__progname = "<dietapp>"; >++ >++#endif >++ >++#else >++/* not building on linux */ >++ >++#error "Gentoo SSP support: glibc can only be built with SSP on Linux" >++ >++#endif >++ >++#else >++/* not SSP */ >++ >++#warning "Gentoo SSP support: building standard upstream handler, glibc itself is not protected" >++ >+ #include <stdio.h> >+ #include <stdlib.h> >+ >+ >+ extern char **__libc_argv attribute_hidden; >+ >++#endif >++/* endif SSP */ >++ >+ void >+-__attribute__ ((noreturn)) >++__attribute__ ((__noreturn__)) >+ __stack_chk_fail (void) >+ { >++#if defined __SSP__ || defined __SSP_ALL__ >++ >++ #define MESSAGE_BUFSIZ 512 >++ pid_t pid; >++ int plen, i; >++ char message[MESSAGE_BUFSIZ]; >++ const char msg_prefix[]="*** stack smashing detected ***: "; >++ const char msg_suffix[]=" terminated\n"; >++ const char msg_unknown[]="<unknown>"; >++#ifndef __dietlibc__ >++ int log_socket, connect_result; >++ struct sockaddr_un sock; >++#ifdef __NR_socketcall >++ unsigned long int *socketargs=(unsigned long int *)alloca(sizeof(unsigned long int)*4); >++#endif >++#endif >++ >++ /* build message */ >++#define strconcat(str) \ >++ i=0; while ((str[i] != '\0') && ((i+plen)<(MESSAGE_BUFSIZ-1))) {\ >++ message[plen+i]=str[i];\ >++ i++;\ >++ }\ >++ plen+=i; >++ plen=0; >++ strconcat(msg_prefix); >++ if (__progname != (char *)0) { >++ strconcat(__progname); >++ } else { >++ strconcat(msg_unknown); >++ } >++ strconcat(msg_suffix); >++ message[plen++]='\0'; >++ >++ /* Write out error message to STDERR */ >++ stack_chk_fail_write(STDERR_FILENO, message, plen); >++ >++#ifndef __dietlibc__ >++ /* Log to syslog; socket write to /dev/log */ >++ >++ /* Build socket address */ >++ sock.sun_family = AF_UNIX; >++ i=0; while ((path_log[i] != '\0') && (i<(sizeof(sock.sun_path)-1))) { >++ sock.sun_path[i]=path_log[i]; >++ i++; >++ } >++ sock.sun_path[i]='\0'; >++ >++ /* Try SOCK_DGRAM connection to syslog */ >++ connect_result=-1; >++ DO_SOCKET(log_socket,AF_UNIX,SOCK_DGRAM,0); >++ if (log_socket != -1) { >++ DO_CONNECT(connect_result,log_socket,(&sock),(sizeof(sock))); >++ } >++ if (connect_result == -1) { >++ if (log_socket != -1) { >++ stack_chk_fail_close(log_socket); >++ } >++ /* Try SOCK_STREAM connection to syslog */ >++ DO_SOCKET(log_socket,AF_UNIX,SOCK_STREAM,0); >++ if (log_socket != -1) { >++ DO_CONNECT(connect_result,log_socket,(&sock),(sizeof(sock))); >++ } >++ } >++ /* If a successful connection was made, log the message */ >++ if (connect_result != -1) { >++ stack_chk_fail_write(log_socket,message,plen); >++ } >++ if (log_socket != -1) { >++ stack_chk_fail_close(log_socket); >++ } >++#endif >++ >++ /* Suicide - note; sigactions can't be added to SIGKILL, nor can it be masked */ >++ pid=stack_chk_fail_getpid(); >++ stack_chk_fail_kill(pid,SIGKILL); >++ >++ /* In case the kill didn't work, exit anyway >++ * The loop prevents gcc thinking this routine returns >++ */ >++ while (1) stack_chk_fail_exit(EXIT_FAILURE); >++ >++#else >++ >+ /* The loop is added only to keep gcc happy. */ >+ while (1) >+ __libc_message (1, "*** stack smashing detected ***: %s terminated\n", >+ __libc_argv[0] ?: "<unknown>"); >++ >++#endif >+ } >+ >+ #ifdef ENABLE_OLD_SSP_COMPAT >++#ifdef __x86_64 >++/* For reasons that are not yet clear, x86_64 refuses to allow the alias to >++ * be setup, giving the error: >++ * '__stack_smash_handler' aliased to external symbol '__stack_chk_fail' >++ * which usually means the same-file rule has been violated, although this >++ * is not the case here. >++ */ >++void >++__attribute__ ((__noreturn__)) >++__stack_smash_handler(void) >++{ >++ __stack_chk_fail(); >++} >++#else >+ strong_alias (__stack_chk_fail, __stack_smash_handler) >+ #endif >++#endif >+--- debug/Makefile.orig 2006-09-30 17:06:31.000000000 +0200 >++++ debug/Makefile 2006-09-30 17:12:45.000000000 +0200 >+@@ -70,6 +71,7 @@ >+ CFLAGS-pread64_chk.c = -fexceptions -fasynchronous-unwind-tables >+ CFLAGS-recv_chk.c = -fexceptions -fasynchronous-unwind-tables >+ CFLAGS-recvfrom_chk.c = -fexceptions -fasynchronous-unwind-tables >++CFLAGS-stack_chk_fail_local.c = -fno-stack-protector >+ >+ tst-chk1-ENV = LOCPATH=$(common-objpfx)localedata >+ tst-chk2-ENV = LOCPATH=$(common-objpfx)localedata >+--- csu/Makefile.orig 2006-09-30 13:22:19.000000000 +0200 >++++ csu/Makefile 2006-09-30 13:22:38.000000000 +0200 >+@@ -93,7 +93,7 @@ >+ $(crtstuff:%=$(objpfx)%.o): %.o: %.S $(objpfx)defs.h >+ $(compile.S) -g0 $(ASFLAGS-.os) -o $@ >+ >+-CFLAGS-initfini.s = -g0 -fPIC -fno-inline-functions $(fno-unit-at-a-time) >++CFLAGS-initfini.s = -g0 -fPIC -fno-inline-functions -fno-stack-protector $(fno-unit-at-a-time) >+ >+ vpath initfini.c $(sysdirs) >+ >+--- nptl/Makefile.orig 2006-09-30 14:36:46.000000000 +0200 >++++ nptl/Makefile 2006-09-30 14:37:06.000000000 +0200 >+@@ -335,7 +335,7 @@ >+ extra-objs += $(crti-objs) $(crtn-objs) >+ omit-deps += crti crtn >+ >+-CFLAGS-pt-initfini.s = -g0 -fPIC -fno-inline-functions $(fno-unit-at-a-time) >++CFLAGS-pt-initfini.s = -g0 -fPIC -fno-stack-protector -fno-inline-functions $(fno-unit-at-a-time) >+ endif >+ >+ CFLAGS-flockfile.c = -D_IO_MTSAFE_IO >+--- elf/Makefile.orig 2006-10-01 01:37:29.000000000 +0200 >++++ elf/Makefile 2006-10-01 01:44:19.000000000 +0200 >+@@ -263,7 +263,7 @@ >+ # are compiled with special flags, and puts these modules into rtld-libc.a >+ # for us. Then we do the real link using rtld-libc.a instead of libc_pic.a. >+ >+-$(objpfx)librtld.map: $(objpfx)dl-allobjs.os $(common-objpfx)libc_pic.a >++$(objpfx)librtld.map: $(objpfx)dl-allobjs.os $(common-objpfx)libc_pic.a $(common-objpfx)libc_nonshared.a >+ @-rm -f $@T >+ $(reloc-link) -o $@.o '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T >+ rm -f $@.o >+@@ -271,7 +271,7 @@ >+ >+ $(objpfx)librtld.mk: $(objpfx)librtld.map Makefile >+ LC_ALL=C \ >+- sed -n 's@^$(common-objpfx)\([^(]*\)(\([^)]*\.os\)) *.*$$@\1 \2@p' \ >++ sed -n 's@^$(common-objpfx)\([^(]*\)(\([^)]*\.o[Ss]\)) *.*$$@\1 \2@p' \ >+ $< | \ >+ while read lib file; do \ >+ case $$lib in \ >+@@ -281,6 +281,12 @@ >+ LC_ALL=C \ >+ sed 's@^$(common-objpfx)\([^/]*\)/stamp\.os$$@rtld-\1'" +=$$file@"\ >+ ;; \ >++ libc_nonshared.a) \ >++ LC_ALL=C fgrep -l /$$file \ >++ $(common-objpfx)stamp.oS $(common-objpfx)*/stamp.oS | \ >++ LC_ALL=C \ >++ sed 's@^$(common-objpfx)\([^/]*\)/stamp\.oS$$@rtld-\1'" +=$$file@"\ >++ ;; \ >+ */*.a) \ >+ echo rtld-$${lib%%/*} += $$file ;; \ >+ *) echo "Wasn't expecting $$lib($$file)" >&2; exit 1 ;; \ >+--- elf/rtld-Rules.orig 2006-10-01 01:41:07.000000000 +0200 >++++ elf/rtld-Rules 2006-10-01 01:41:40.000000000 +0200 >+@@ -96,11 +96,13 @@ >+ $(objpfx)rtld-%.os: %.S $(before-compile); $(compile-command.S) >+ $(objpfx)rtld-%.os: %.s $(before-compile); $(compile-command.s) >+ $(objpfx)rtld-%.os: %.c $(before-compile); $(compile-command.c) >++$(objpfx)rtld-%.oS: %.c $(before-compile); $(compile-command.c) >+ >+ # The rules for generated source files. >+ $(objpfx)rtld-%.os: $(objpfx)%.S $(before-compile); $(compile-command.S) >+ $(objpfx)rtld-%.os: $(objpfx)%.s $(before-compile); $(compile-command.s) >+ $(objpfx)rtld-%.os: $(objpfx)%.c $(before-compile); $(compile-command.c) >++$(objpfx)rtld-%.oS: $(objpfx)%.c $(before-compile); $(compile-command.c) >+ >+ # The command line setting of rtld-modules (see above) tells us >+ # what we need to build, and that tells us what dependency files we need. >+--- Makerules.orig 2006-10-01 11:26:40.000000000 +0200 >++++ Makerules 2006-10-01 11:27:30.000000000 +0200 >+@@ -602,7 +602,7 @@ >+ # from being allocated in libc.so, which introduces evil dependencies >+ # between libc.so and ld.so, which can make it impossible to upgrade. >+ ifeq ($(elf),yes) >+-$(common-objpfx)libc_pic.os: $(common-objpfx)libc_pic.a >++$(common-objpfx)libc_pic.os: $(common-objpfx)libc_pic.a $(common-objpfx)debug/stack_chk_fail_local.oS >+ $(LINK.o) -nostdlib -nostartfiles -r -o $@ \ >+ $(LDFLAGS-c_pic.os) -Wl,-d -Wl,--whole-archive $^ >+ # Use our own special initializer and finalizer files for libc.so. >diff -Nru portage.ORIG/sys-libs/glibc/glibc-2.5.ebuild portage/sys-libs/glibc/glibc-2.5.ebuild >--- portage.ORIG/sys-libs/glibc/glibc-2.5.ebuild 2006-10-07 08:41:23.000000000 +0200 >+++ portage/sys-libs/glibc/glibc-2.5.ebuild 2006-10-07 16:29:24.000000000 +0200 >@@ -214,6 +214,14 @@ > epatch "${WORKDIR}"/patches > fi > >+ if use hardened ; then >+ einfo "Patching pt_chown to BIND_NOW" >+ epatch ${FILESDIR}/2.3.6/glibc-2.3.6-pt_chown-znow.patch >+ >+ einfo "Patching SSP handler so that glibc builds with hardened compiler" >+ epatch ${FILESDIR}/2.4/glibc-2.4-linuxssp.patch >+ fi >+ > gnuconfig_update > } >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 149649
:
99045
| 99055 |
99170
|
99192
|
99193
|
99204
|
99255
|
99257
|
99310
|
99312
|
99356
|
99357
|
103422
|
103458
|
103459
|
103879
|
103907
|
103909
|
104424
|
104775