Summary: | PIE hardening warning building sys-libs/glibc-2.23-r3 with sys-devel/gcc-6.3.0 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Mitch Harder <mmharder> |
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alexander, aos, arfrever.fta, guillaume, toolchain |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | emerge --info; do not run the checks on >=gcc-6; disable checks that use spec files on >=sys-devel/gcc-6 | ||
Description
Mitch Harder
2017-05-11 00:43:55 UTC
Created attachment 472460 [details]
emerge --info
This caught my attention, too. Same behaviour with gcc-7.1.0-r1 and glibc-2.25 as well.
The reason is that gcc-specs-pie() from toolchain-funcs.eclass doesn't work with gcc-6 (or should not be used with gcc-6). BTW, it seems that gcc-specs-ssp() doesn't work either. Should this block bug 617524?

Does gcc-6 include hardened features (PIE, SSP) by default? What I mean is: would the correct approach be to propose a patch for toolchain-funcs.eclass, or are there hardened features we're currently missing with gcc-6?

(In reply to Guillaume Ceccarelli from comment #4)
> Does gcc-6 include hardened features (PIE, SSP) by default ?
>
> What I mean is: would the correct approach to propose a patch for
> toolchain-funcs.eclass or are there hardened features we're currently
> missing with gcc-6?

Features are enabled via the pie and ssp USE flags; these features are upstreamed and no profiles are used anymore. The warning is due to a regression in toolchain-funcs.eclass, namely the functions gcc-specs-ssp and gcc-specs-pie (the spec file query fails for gcc-6 and newer). Luckily though, the warning is only cosmetic. The relevant code is in toolchain-glibc.eclass:

    if use hardened && gcc-specs-pie ; then
        # Force PIC macro definition for all compilations since they're all
        # either -fPIC or -fPIE with the default-PIE compiler.
        append-cppflags -DPIC
    else
        # Don't build -fPIE without the default-PIE compiler and the
        # hardened-pie patch
        filter-flags -fPIE
    fi

Filtering a _nonexistent_ "-fPIE" for gcc-6[pie] does not disable the pie feature, so all that seems left is a scary warning.

Created attachment 476314 [details, diff]
do not run the checks on >=gcc-6
As spec files are no longer used we can skip the checks. Pie and SSP are both default enabled based on useflag in >=sys-devel/gcc-6
Created attachment 476316 [details, diff]
disable checks that use spec files on >=sys-devel/gcc-6
I missed a check, I have fully tested the attached patch and all is as users expect.
(In reply to Jory A. Pratt from comment #8)
> Created attachment 476316 [details, diff]
> disable checks that use spec files on >=sys-devel/gcc-6

You should check the version of the currently active compiler, e.g. with gcc-major-version().

(In reply to Jory A. Pratt from comment #8)
> Created attachment 476316 [details, diff]
> disable checks that use spec files on >=sys-devel/gcc-6
>
> I missed a check, I have fully tested the attached patch and all is as users
> expect.

Thanks for your effort - there will be a slightly larger patchset incoming over the course of this week. A first version will be posted to the mailing list shortly.

commit acaffff075a2be413e9dbca54cc682f2bb265bc8 (HEAD -> master, origin/master, origin/HEAD, toolchain-updates)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 14 10:22:54 2017 -0500

    eclass/toolchain-glibc.eclass: skip pie check for gcc-6 or newer

    For gcc-6 and newer the old logic in the toolchain-glibc eclass:

        if use hardened && gcc-specs-pie ; then
            append-cppflags -DPIC
        else
            filter-flags -fPIE
        fi

    is obsolete. Simply disable the check.

commit d33b49b8ca2afafbb1e6827dea8cd851f6658f99
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 14 10:20:39 2017 -0500

    eclass/toolchain-glibc.eclass: use tc-enables-pie instead of gcc-specs-pie

commit d20b5a7065950144775848c1401c4f61a44ecd43
Author: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
Date:   Wed Jun 14 16:23:15 2017 +0200

    toolchain-funcs.eclass: Add functions for detection of PIE / SSP in way compatible with GCC >=6.

    Newly added tc-enables-pie(), tc-enables-ssp(), tc-enables-ssp-strong() and tc-enables-ssp-all() check macros instead of specs.
    This solution also works with older GCC and with Clang.

    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

Hello, I'm using gcc version 4.9.4 (Gentoo Hardened 4.9.4 p1.0, pie-0.6.4) and was trying to compile glibc-2.23-r4. The approach fails on my system and I get the PIE hardening warning.
My CCFLAGS contains "-g3". This causes gcc to print all built-in defines in the returned test program (e.g. #define __STDC__ 1) before "true" is output. A possible fix (tested locally) would be to compare the $ret variable against *true instead of true for all four new functions. (Note: I do not know/remember if it worked before this change.)

@Eric Lesage Since this bug is closed, I suggest opening a new bug for your issue. I think your bug is sufficiently different to justify a new bug anyways.

The warning should only be enabled on older glibc. Newer glibc will detect if -DPIC is needed.
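The macro-based probe introduced by the commits above, together with the -g3 failure mode reported in the last comments, as an added example: this is not the toolchain-funcs.eclass code and not any commenter's patch. It asks the preprocessor whether GCC's predefined __PIE__ / __SSP__ / __SSP_STRONG__ / __SSP_ALL__ macros are set and matches the marker line exactly, so the extra #define lines that -g3 injects into preprocessor output cannot break the check. The underscore-named functions and the tc_macro_defined helper are my own names.

```shell
#!/bin/sh
# Added example, not the toolchain-funcs.eclass code: detect a default-PIE /
# default-SSP compiler by asking the preprocessor which macros it predefines,
# instead of querying spec files (which gcc-6 and newer no longer use).

# Succeed only if some line of the preprocessor output is exactly "true".
# With -g3 in CFLAGS the preprocessor also dumps every built-in "#define"
# line into the output, so a whole-string comparison against "true" fails;
# matching one complete line (grep -x) is robust to that extra noise.
probe_says_true() {
    printf '%s\n' "$1" | grep -qx 'true'
}

# $1 = compiler, $2 = macro name, remaining args = flags (CPPFLAGS/CFLAGS).
# Feeds a tiny conditional to the preprocessor; "true" only survives
# preprocessing when the macro is predefined for this compiler and flags.
tc_macro_defined() {
    cc_cmd=$1; macro=$2; shift 2
    out=$(printf '#if defined(%s)\ntrue\n#endif\n' "$macro" \
          | "$cc_cmd" "$@" -E -P -x c - 2>/dev/null) || return 1
    probe_says_true "$out"
}

# gcc and clang predefine these whenever -fPIE / -fstack-protector* are in
# effect, whether from the command line, from specs, or from the upstream
# --enable-default-pie / --enable-default-ssp configure options.
tc_enables_pie()        { tc_macro_defined "${CC:-cc}" __PIE__        $CPPFLAGS $CFLAGS; }
tc_enables_ssp()        { tc_macro_defined "${CC:-cc}" __SSP__        $CPPFLAGS $CFLAGS; }
tc_enables_ssp_strong() { tc_macro_defined "${CC:-cc}" __SSP_STRONG__ $CPPFLAGS $CFLAGS; }
tc_enables_ssp_all()    { tc_macro_defined "${CC:-cc}" __SSP_ALL__    $CPPFLAGS $CFLAGS; }

# Stand-alone report for the active compiler (skipped if none is installed).
if command -v "${CC:-cc}" >/dev/null 2>&1; then
    for check in tc_enables_pie tc_enables_ssp tc_enables_ssp_strong tc_enables_ssp_all; do
        if "$check"; then echo "$check: yes"; else echo "$check: no"; fi
    done
fi
```

Run it with CFLAGS="-g3" to confirm that the debug-info flag no longer changes the verdict.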