
Re: Switch on compiler hardening defaults



Hi,

On Tue, Oct 27, 2009 at 01:30:12PM -0200, Henrique de Moraes Holschuh wrote:
> On Mon, 26 Oct 2009, Gabor Gombas wrote:
> > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > > > uses[2].
> > > 
> > > How do they work? Do they also change the free-standing compiler or only
> > > the hosted one? There is a lot of software, which (I would say) misuses
> > > the hosted compiler to build non-userspace-code, including the Linux
> > > kernel.
> > 
> > It seems the kernel will not be happy if the stack protector is switched
> > on unconditionally:
> > 
> > http://osdir.com/ml/linux-kernel/2009-10/msg07064.html
> 
> Indeed.  The kernel build system needs to be able to command whether
> stackprotect is enabled or not without surprises...
> 
> I assume very performance-critical applications will also need it disabled,
> if they have hot paths where dcache footprint matters.  But I think we can
> safely assume these will be quite rare, so as long as one can disable the
> stackprotector easily enough through CFLAGS, we could just do it in a
> case-by-case basis on debian/rules.

Right, -fno-stack-protector via CFLAGS will disable it (as will
-nostdlib).  The work-arounds for the default are all documented both in the
gcc manpage[1] (though this would need tweaking since it currently says
"Ubuntu") and on the Ubuntu wiki page I mentioned earlier[2].

The specific set of patches that would be enabled is:
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/gcc-default-format-security.diff
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/gcc-default-fortify-source.diff
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/gcc-default-relro.diff
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/gcc-default-ssp.diff
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/testsuite-hardening-format.diff
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/testsuite-hardening-fortify.diff
 - http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/testsuite-hardening-printf-types.diff

(I am trying[3], since they are general improvements, to get the latter
2 accepted by upstream gcc so our gcc package doesn't need to carry them.)

-Kees

[1] http://manpages.ubuntu.com/manpages/karmic/man1/gcc.1.html
    ...
    NOTE: In Ubuntu 6.10 and later versions this option is enabled by default
    for C, C++, ObjC, ObjC++, if neither @option{-fno-stack-protector}
    nor @option{-nostdlib} are found.
    ...

[2] https://wiki.ubuntu.com/CompilerFlags

[3] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=39536
    http://gcc.gnu.org/bugzilla/show_bug.cgi?id=39537

-- 
Kees Cook                                            @debian.org
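Added here as an illustration, not code from the mail above or from the gcc patches it lists: a small POSIX shell checker for whether the stack-protector, FORTIFY_SOURCE and RELRO defaults actually made it into a linked binary, plus a demo that builds one source with and without the -fno-stack-protector style opt-out discussed in the thread. It assumes binutils' nm and readelf on PATH; the file name check_hardening.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread above: inspect a linked ELF binary
# for the markers the hardening defaults leave behind. Assumes nm and
# readelf (binutils) on PATH; gcc is needed only for the optional demo.

# -fstack-protector: each protected function calls __stack_chk_fail, so the
# symbol appears as an undefined (U) entry. Reads `nm -D` output on stdin.
ssp_enabled() {
    awk '$NF ~ /^__stack_chk_fail/ { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# -D_FORTIFY_SOURCE=2: checked calls are rewritten to __*_chk variants such as
# __snprintf_chk. The anchored pattern does not match __stack_chk_fail.
fortify_enabled() {
    awk '$NF ~ /^__[a-z0-9]+_chk(@|$)/ { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# -Wl,-z,relro: the linker adds a GNU_RELRO program header. Reads `readelf -l` output.
relro_enabled() {
    awk '/GNU_RELRO/ { found = 1 } END { print (found ? "yes" : "no") }'
}

# One line per binary: which of the three defaults survived into the build.
# (-Wformat-security leaves no trace in the object; it is a compile-time warning.)
check_binary() {
    printf '%s: ssp=%s fortify=%s relro=%s\n' "$1" \
        "$(nm -D "$1" | ssp_enabled)" \
        "$(nm -D "$1" | fortify_enabled)" \
        "$(readelf -lW "$1" | relro_enabled)"
}

# Demo: build one source with the defaults and again with the per-package
# opt-out (-fno-stack-protector etc. via CFLAGS, as in the mail), then compare.
demo() {
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    cat > "$tmp/t.c" <<'EOF'
#include <stdio.h>
int main(int argc, char **argv) { char buf[64]; snprintf(buf, sizeof buf, "%s", argv[0]); puts(buf); return 0; }
EOF
    gcc -O2 -fstack-protector -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o "$tmp/hardened" "$tmp/t.c"
    gcc -O2 -fno-stack-protector -U_FORTIFY_SOURCE -Wl,-z,norelro -o "$tmp/plain" "$tmp/t.c"
    check_binary "$tmp/hardened"   # ssp=yes fortify=yes relro=yes on glibc systems
    check_binary "$tmp/plain"      # ssp=no  fortify=no  relro=no
}
# Run `sh check_hardening.sh demo` to build and compare the two binaries.
if [ "${1:-}" = demo ]; then demo; fi
```

For a stripped binary `nm -D` is the right choice, since the regular symbol table is gone but the dynamic one still records the undefined `__*_chk` and `__stack_chk_fail` references.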

