This tracker is for mergeing SSP and >=gcc 4.4 with hardened support to the tree.
Bug #293721 have the needed pathces for flag-o-matic or glibc.
We need a bump of grub with that fix in the tree to enable SSP on >gcc 4.X
(In reply to comment #2) > We need a bump of grub with that fix in the tree to enable SSP on >gcc 4.X > Bug #305283
Created attachment 230049 [details, diff] Needed change for SSP and >=gcc 4.4 hardened support. This patch is needed for toolchain.eclass for add SSP and >=gcc 4.4 hardened support
Created attachment 230063 [details] The needed specs files to enable SSP in gcc 4.3.4 This specs files will enable SSP for gcc 4.3.4
Created attachment 230065 [details] The needed pie patchset for gcc 4.4.3 This is the hardened patchset for gcc 4.4.3
Created attachment 230067 [details] the needed specs files for gcc 4.4.3 This specs files is for the gcc-config options in 4.4.3 hardenednopiessp, hardenednopie, hardenednossp and vanilla
Bug #106690 will be WONTFIX.
Will not add any ssp support to uclibc for some arch need TLS support in uclibc. And that patch to fix it don't work on some arch so i will wait for TLS support in uclibc to enable SSP in uclibc. But if toolchain want to add the fix fill free to put it in the uclibc patchset for gcc or any fix that fix it. gcc4-stack-protector-uclibc_no_tls.patch The fix for stack smashing attack in function ix86_split_to_parts() is in the pie patchset allready. Bug #149292
(In reply to comment #8) > Bug #106690 will be WONTFIX. > We don't use any split specs for default gcc and the pie patchset on >gcc 4.x don't support it. So that lines should be removed from the ebuilds.
Created attachment 230089 [details, diff] Needed change for SSP with gcc 4.3.4 and >=gcc 4.4 hardened support. Updatef with a fix so we don't unpack piepatchset if we have USE -hardened nopie.
@ toolchain can you review the toolchain.eclass change and what to use for the glibc bug #293721 fix in glibc or fix in flag-o-matic.
how are you guys dealing with SSP in <=gcc-3.4 ? is that no longer supported ? i dont have a problem culling all of the code related to those versions ... it would make things simpler i think.
(In reply to comment #13) > how are you guys dealing with SSP in <=gcc-3.4 ? is that no longer supported ? > i dont have a problem culling all of the code related to those versions ... it > would make things simpler i think. > The GCC <= 3.4 SSP/PIE should work as it does now in the code. I have avoided and try to stay out of that code as it predates me. The old code does have some problems for example if you do -nopie the pie patch would not be unpack and all the defines for SSP/PIE would be gone and the code in make_gcc_hard() does not work as it should, and was even broken in the part for GCC 4.X (wantminispecs) and -nopie. Have fix that for the GCC 4.X and added the needed code for adding SSP support for GCC 4.x. On the piepatch for >=GCC 4.4 we use built-in hardened specs and only use specs files for gcc-config options.
Created attachment 231461 [details, diff] Needed change for >=gcc 4.4 hardened support. Cleaned some code and removed SSP support for gcc 4.3.X for Gcc 4.4.3 is going stable.
All this stuff is in the hardened-dev overlay http://git.overlays.gentoo.org/gitroot/proj/hardened-dev.git The piepatches and the specs is in the hardened-gccpatchset overlay http://git.overlays.gentoo.org/gitroot/proj/hardened-gccpatchset.git Tested with USE-flags hardened -hardened vanilla -nopie -nossp gcj fortran GCC versions 3.4.6/4.3.4/4.4.3/4.4.4/4.5.0 Deves/Users may have tested with more stuff. Forum tread see URL.
Created attachment 231555 [details, diff] Needed change for >=gcc 4.4 hardened support. The last did have a error for want_minispecs with ${WORKDIR}"/specs/*.specs This fix is needed if we want 4.3.x SSP support. @@ -713,7 +727,12 @@ if hardened_gcc_works pie ; then cat "${WORKDIR}"/specs/pie.specs >> "${WORKDIR}"/build.specs fi - for s in nostrict znow; do + if hardened_gcc_works ssp ; then + for s in ssp sspall ; do + cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs + done + fi + for s in nostrict znow ; do cat "${WORKDIR}"/specs/${s}.specs >> "${WORKDIR}"/build.specs done export GCC_SPECS="${WORKDIR}"/build.specs
Created attachment 233051 [details, diff] Patch to fix the gcc 4.X SSP build errors @toolchain is this patch okey for glibc see more in #293721
Created attachment 233053 [details, diff] Needed change for >=gcc 4.4 and SSP hardened support. Updated the toolchain.eclass so it use more of the GCC 3.x code.
(In reply to comment #13) > how are you guys dealing with SSP in <=gcc-3.4 ? is that no longer supported ? > i dont have a problem culling all of the code related to those versions ... it > would make things simpler i think. > If i got it correct you are willing to drop hardened support for gcc <=3.4? Then we need to make it in steps or do we start from a new and clean toolchainX.eclass file and work from there?
Do the last toolchain.eclass patch looks okey for commite to the tree? Before we even can mask or remove code for <=gcc 3.4 we need >=gcc 4.4 hardened ssp/pie full supported and stable in the tree and the packages that depend on <=gcc 3.4 fixed or masked.
Mike, Could you check these over as well? They look alright to me, but you know the eclass a hell of a lot better. Magnus, If we don't get a response in a day or so, go ahead and commit.
Have commited the glibc fix and toolchain.eclass to cvs
Have commited the ebuild and the files to mirrors so now it is only grub left before unmasking
GCC 4.4.X with SSP support is in the tree and all deps to.
