| Summary: | [TRACKER] Merge SSP and >=gcc 4.4 hardened to the tree. | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Magnus Granberg <zorry> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | nikoli, pva, suertreus, toolchain |
| Priority: | High | Keywords: | Tracker |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://forums.gentoo.org/viewtopic-t-790110.html | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 106690, 149292, 293721, 305283 | | |
| Bug Blocks: | 324743 | | |
Attachments:

- Needed change for SSP and >=gcc 4.4 hardened support.
- The needed specs files to enable SSP in gcc 4.3.4
- The needed pie patchset for gcc 4.4.3
- the needed specs files for gcc 4.4.3
- Needed change for SSP with gcc 4.3.4 and >=gcc 4.4 hardened support.
- Needed change for >=gcc 4.4 hardened support.
- Needed change for >=gcc 4.4 hardened support.
- Patch to fix the gcc 4.X SSP build errors
- Needed change for >=gcc 4.4 and SSP hardened support.
Description

Magnus Granberg

Bug #293721 has the needed patches for flag-o-matic or glibc.

We need a bump of grub with that fix in the tree to enable SSP on >gcc 4.X

(In reply to comment #2)
> We need a bump of grub with that fix in the tree to enable SSP on >gcc 4.X
>
Bug #305283

Created attachment 230049 [details, diff]
Needed change for SSP and >=gcc 4.4 hardened support.

This patch is needed for toolchain.eclass to add SSP and >=gcc 4.4 hardened support.
Created attachment 230063 [details]
The needed specs files to enable SSP in gcc 4.3.4

These specs files will enable SSP for gcc 4.3.4.

Created attachment 230065 [details]
The needed pie patchset for gcc 4.4.3

This is the hardened patchset for gcc 4.4.3.

Created attachment 230067 [details]
the needed specs files for gcc 4.4.3

These specs files are for the gcc-config options in 4.4.3:
hardenednopiessp, hardenednopie, hardenednossp and vanilla
Bug #106690 will be WONTFIX. Will not add any SSP support to uclibc, for some arches need TLS support in uclibc. And that patch to fix it doesn't work on some arches, so I will wait for TLS support in uclibc to enable SSP in uclibc. But if toolchain wants to add the fix, feel free to put it in the uclibc patchset for gcc, or any fix that fixes it: gcc4-stack-protector-uclibc_no_tls.patch

The fix for the stack smashing attack in function ix86_split_to_parts() is in the pie patchset already. Bug #149292

(In reply to comment #8)
> Bug #106690 will be WONTFIX.
>
We don't use any split specs for default gcc, and the pie patchset on >gcc 4.x doesn't support it. So those lines should be removed from the ebuilds.

Created attachment 230089 [details, diff]
Needed change for SSP with gcc 4.3.4 and >=gcc 4.4 hardened support.

Updated with a fix so we don't unpack the pie patchset if we have USE -hardened nopie.
@toolchain: can you review the toolchain.eclass change, and what to use for the glibc bug #293721: fix in glibc or fix in flag-o-matic?

How are you guys dealing with SSP in <=gcc-3.4? Is that no longer supported? I don't have a problem culling all of the code related to those versions ... it would make things simpler, I think.

(In reply to comment #13)
> how are you guys dealing with SSP in <=gcc-3.4 ? is that no longer supported ?
> i dont have a problem culling all of the code related to those versions ... it
> would make things simpler i think.
>
The GCC <= 3.4 SSP/PIE should work as it does now in the code. I have avoided and tried to stay out of that code as it predates me. The old code does have some problems: for example, if you do -nopie the pie patch would not be unpacked and all the defines for SSP/PIE would be gone, and the code in make_gcc_hard() does not work as it should, and was even broken in the part for GCC 4.X (wantminispecs) and -nopie. Have fixed that for GCC 4.X and added the needed code for adding SSP support for GCC 4.x. On the pie patch for >=GCC 4.4 we use built-in hardened specs and only use specs files for gcc-config options.

Created attachment 231461 [details, diff]
Needed change for >=gcc 4.4 hardened support.

Cleaned some code and removed SSP support for gcc 4.3.X, for GCC 4.4.3 is going stable.
All this stuff is in the hardened-dev overlay http://git.overlays.gentoo.org/gitroot/proj/hardened-dev.git
The pie patches and the specs are in the hardened-gccpatchset overlay http://git.overlays.gentoo.org/gitroot/proj/hardened-gccpatchset.git

Tested with USE flags hardened -hardened vanilla -nopie -nossp gcj fortran
GCC versions 3.4.6/4.3.4/4.4.3/4.4.4/4.5.0

Devs/users may have tested with more stuff. Forum thread: see URL.

Created attachment 231555 [details, diff]
Needed change for >=gcc 4.4 hardened support.

The last one did have an error for want_minispecs with ${WORKDIR}"/specs/*.specs
This fix is needed if we want 4.3.x SSP support.
@@ -713,7 +727,12 @@
if hardened_gcc_works pie ; then
cat "${WORKDIR}"/specs/pie.specs >> "${WORKDIR}"/build.specs
fi
- for s in nostrict znow; do
+ if hardened_gcc_works ssp ; then
+ for s in ssp sspall ; do
+ cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs
+ done
+ fi
+ for s in nostrict znow ; do
cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs
done
export GCC_SPECS="${WORKDIR}"/build.specs
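Review bot: the new ssp/sspall loop repeats the body of the nostrict/znow loop directly below it, and neither loop guards its cat with `|| die`, so a specs file missing from the unpacked tarball (the 4.3.x SSP case mentioned above is exactly where the set of shipped specs differs) would leave build.specs silently incomplete instead of failing the build. Consider collecting the names first and appending them in one guarded loop, e.g. `hardened_gcc_works ssp && extra="ssp sspall"` followed by `for s in ${extra} nostrict znow ; do cat ... || die "missing ${s}.specs" ; done`, which keeps the pie.specs branch above as the only special case.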
Created attachment 233051 [details, diff]
Patch to fix the gcc 4.X SSP build errors

@toolchain: is this patch okay for glibc? See more in #293721.

Created attachment 233053 [details, diff]
Needed change for >=gcc 4.4 and SSP hardened support.

Updated the toolchain.eclass so it uses more of the GCC 3.x code.
(In reply to comment #13)
> how are you guys dealing with SSP in <=gcc-3.4 ? is that no longer supported ?
> i dont have a problem culling all of the code related to those versions ... it
> would make things simpler i think.
>
If I got it correct, you are willing to drop hardened support for gcc <=3.4? Then we need to do it in steps, or do we start from a new and clean toolchainX.eclass file and work from there? Does the last toolchain.eclass patch look okay to commit to the tree?

Before we even can mask or remove code for <=gcc 3.4 we need >=gcc 4.4 hardened ssp/pie fully supported and stable in the tree, and the packages that depend on <=gcc 3.4 fixed or masked.

Mike, could you check these over as well? They look alright to me, but you know the eclass a hell of a lot better. Magnus, if we don't get a response in a day or so, go ahead and commit.

Have committed the glibc fix and toolchain.eclass to cvs.

Have committed the ebuild and the files to mirrors, so now it is only grub left before unmasking.

GCC 4.4.X with SSP support is in the tree and all deps too.