Summary: | sys-kernel/hardened-sources-2.6.32 build complains about missing -fstack-protector support with sys-devel/gcc-4.4.2-r2 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Kai Dietrich <mail> |
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Kernel Team (OBSOLETE) <hardened-kernel+disabled> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | blueness, gentoo-bugs, hanno, jaak, jackdachef, kernel, kfm, mail |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | AMD64 | ||
OS: | Linux | ||
Attachments: | fix for scripts/gcc-x86_64-has-stack-protector.sh; Fix the KERNEL SSP check with hardened toolchain | ||
Description
Kai Dietrich
2010-03-31 08:07:21 UTC
Created attachment 225913
fix for scripts/gcc-x86_64-has-stack-protector.sh

It should be noted that there is also a scripts/gcc-x86_32-has-stack-protector.sh check script. I haven't tried/tested/fixed it, but I guess the same bug will occur there, too.

Created attachment 225963
Fix the KERNEL SSP check with hardened toolchain

Test this patch.
It adds CPPFLAGS to the command line for the SSP test.
We use CPPFLAGS (-D__KERNEL__) to disable hardened SSP/PIE as default.

Yes, your Makefile-patch works as well.

Zorry, please leave bugs assigned to hardened alias so everyone in the group can track the bug.

(In reply to comment #5)
> Zorry, please leave bugs assigned to hardened alias so everyone in the group can
> track the bug.
>

No, this is clearly a hardened-kernel@ issue. Add yourself to the hardened-kernel@ alias if you want. CC'd you for now.

(In reply to comment #6)
> No, this is clearly a hardened-kernel@ issue.

Could you explain the rationale behind this statement? Using a Gentoo hardened gcc 4.4.4-r1 to build a non-hardened 2.6.34.1 kernel exhibits the same problem. Both of the proposed patches result in correct behavior of the kernel test program and apply cleanly to non-hardened sources. It seems like the greatest benefit would be to push the change from attachment #225963 upstream so that the test program is consistent in its specification of kernel versus user. At present, it passes -mcmodel=kernel, but then omits -D__KERNEL__, which seems to be the traditional CPP define used for kernel code.

(In reply to comment #7)
> (In reply to comment #6)
> > No, this is clearly a hardened-kernel@ issue.
>
> Could you explain the rationale behind this statement? Using a Gentoo hardened
> gcc 4.4.4-r1 to build a non-hardened 2.6.34.1 kernel exhibits the same problem.
> Both of the proposed patches result in correct behavior of the kernel test

It's actually a kernel@ issue since the patch to fix it needs to go upstream to the kernel maintainers. I've tried, but the patch was intercepted by one of the email list filters (I think) and never even made it to lkml. I'm cc-ing kernel@gentoo.org. Maybe they can help in getting it accepted. Otherwise, I will start to include the patch in the hardened-sources patchset.

*** Bug 330069 has been marked as a duplicate of this bug. ***

(In reply to comment #8)
> It's actually a kernel@ issue since the patch to fix it needs to go upstream to
> the kernel maintainers. I've tried, but the patch was intercepted by one of
> the email list filters (I think) and never even made it to lkml. I'm cc-ing
> kernel@gentoo.org. Maybe they can help in getting it accepted.

To avoid it getting lost in mailing lists, I reported this upstream at <https://bugzilla.kernel.org/show_bug.cgi?id=17852>.

hardened-source-2.6.34-r2 has the same issue. Could the patch be supplied with the ebuild?

(In reply to comment #11)
> hardened-source-2.6.34-r2 has the same issue. Could the patch be supplied with
> the ebuild?
>

I will wait a little longer to see if there's any progress on the bug upstream and if not, start including it.

(In reply to comment #12)
> (In reply to comment #11)
> > hardened-source-2.6.34-r2 has the same issue. Could the patch be supplied with
> > the ebuild?
> >
>
> I will wait a little longer to see if there's any progress on the bug upstream
> and if not, start including it.

I resubmitted the patch as per the upstream bug request and this time it made it through to lkml. I'm still including the patch in the next releases because who knows how long before it gets incorporated.

Okay good news and good news:
1) The patch was accepted. Thanks Kai and Zorry :)
2) Since it will be a while until it trickles back down to us, the patch is in hardened-sources-2.6.32-r17 and hardened-sources-2.6.34-r5 which just hit the tree.

I'm going to close this one. Please anyone, feel free to reopen if there's any problem or issue that further needs addressing.

*** Bug 336625 has been marked as a duplicate of this bug. ***
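
The check discussed in this thread, as an added diagnostic that is not the kernel's script or either attached patch: it runs the stack-protector probe once as-is and once with `-D__KERNEL__`, which the thread says disables the hardened toolchain's default SSP/PIE. The probe program, the `%gs` pattern and the function names `ssp_probe` and `ssp_diagnose` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the kernel's script: probe a compiler for kernel-mode
# -fstack-protector support, once without and once with -D__KERNEL__.
# Assumptions: the probe program and the "%gs" pattern (x86_64 kernel canary
# access) are modelled on the check script; function names are hypothetical.

# ssp_probe CC [FLAGS...]: print y if the output contains a %gs reference.
# A compiler that errors out produces no output, so the result is n.
ssp_probe() {
    if echo "int foo(void) { char X[200]; return 3; }" |
        "$@" -S -xc -c -O0 -mcmodel=kernel -fstack-protector - -o - 2>/dev/null |
        grep -q "%gs"
    then echo y
    else echo n
    fi
}

# ssp_diagnose CC [FLAGS...]: classify the toolchain from both probe results.
ssp_diagnose() {
    plain=$(ssp_probe "$@")
    kernel=$(ssp_probe "$@" -D__KERNEL__)
    case "$plain$kernel" in
        yy) echo "ok: check passes with and without -D__KERNEL__" ;;
        ny) echo "affected: check passes only with -D__KERNEL__" ;;
        nn) echo "unsupported: no stack protector in kernel mode" ;;
        *)  echo "unexpected: passes only without -D__KERNEL__" ;;
    esac
}

# Run as: sh ssp-diagnose.sh gcc   (or any compiler command line)
if [ "$#" -gt 0 ]; then
    ssp_diagnose "$@"
fi
```

An "affected" result means the build would report missing -fstack-protector support even though the compiler supports it once the kernel define is passed.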