Re: Switch on compiler hardening defaults
On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <kees@debian.org> wrote:
> > There is a maintained (by RedHat) patch for dealing with PIE.  I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> > the gdb maintainer doesn't want it until it's in upstream.  I, obviously,
> > think that's ridiculous.  PIE works and is useful.  Blocking its rollout
> > because gdb's support for it isn't upstream just furthers the catch-22.
> It is perfectly reasonable to reject patches until they are upstream.
> I personally will never add patches to Debian without either
> committing them upstream myself or some indication that they already
> have been or will be accepted upstream. IIRC the Debian kernel team
> has similar policies. Why hasn't RedHat upstreamed the patch? They are
> usually good about doing that. Perhaps you could push them to do so.

Normally, I'd totally agree.  I do not know why RedHat has chosen to carry
the PIE patches for 5 years[1], but they have.  I[2] and others[3]
have asked over the years, but no one with a deep enough understanding
of the affected code has had the time to get it upstream.

That said, the patches[4] in RedHat have a full test-suite associated with
them.  They're applied after their massive Archer patchset[5], so I had to
fiddle pretty hard to get the PIE support working in the Debian package.

As seen at the end of the Ubuntu gdb series file:

# RH stack that seems to be needed for sane PIE handling
[1] https://bugzilla.redhat.com/show_bug.cgi?id=130423
[2] http://sourceware.org/ml/gdb-patches/2008-05/msg00269.html
[3] http://sourceware.org/ml/gdb/2006-08/msg00188.html
[4] http://cvs.fedora.redhat.com/viewvc/devel/gdb/
[5] http://fedoraproject.org/wiki/Features/Archer

Kees Cook