
[RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



Hi,

GCC 4.9 supports a new stack protector implementation, enabled via the
-fstack-protector-strong flag, which provides a better balance between
security and performance than the default implementation that we're
currently using. This new flag is already used by Fedora 20 and
ChromeOS. See the following for more information:

 https://lwn.net/Articles/584225/
 http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
 https://fedorahosted.org/fesco/ticket/1128

The Security Team has expressed interest in switching dpkg-buildflags
over to this new flag in Debian for jessie, now that GCC 4.9 is the
default compiler on all release architectures. In order to see the
impact on the archive, David Suárez did a full rebuild on EC2 with a
patched dpkg-dev which emits the new flag.

There are only 16 new failures, which can be categorized as follows:

* explicitly build-depends on and uses gcc/g++ 4.8, which doesn't
  understand -fstack-protector-strong:
  - ccbuild 2.0.6-2.1
  - chromium-browser 35.0.1916.153-2
  - contextfree 3.0.5+dfsg1-2.1
  - flexc++ 2.01.00-1
  - gpg-remailer 3.00.02-1
  - higan 094-4
  - llvm-toolchain-snapshot 1:3.5~svn209039-2
  - openimageio 1.4.9~dfsg0-1 (already fixed in -2)
  - oxref 1.00.01-1
  - spek 0.8.2-3.1
  - webkitgtk 2.4.3-2

* explicitly build-depends on and uses gcc 4.6:
  - estic 1.61-20.1 (#747980)

* explicitly build-depends on and uses Clang 3.4:
  - feel++ 1:0.98.0-final-1

* false positives:
  - gcc-4.7 4.7.4-1 (checks that dpkg-dev is 'ii')
  - seqan 1.4.1-3 (attempts to disable the stack protector using sed)

* needs test suite upgrade for -fstack-protector-strong:
  - hardening-wrapper 2.5

See http://aws-logs.debian.net/ftbfs-logs/buildflags/ for the full
results and build logs.

As the number of build failures is low, I think it's safe to simply
switch the default flag emitted by dpkg-buildflags and file bugs against
the above packages to ask the maintainers to disable the stack protector
or filter out/replace the new flag if they really can't upgrade to GCC
4.9.

So here is a prospective patch which changes dpkg-buildflags to emit the
new flag for all architectures known to use GCC 4.9 as of today. Let me
know if this looks workable for you.


diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index c5020dc..4e19752 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -92,6 +92,7 @@ sub add_hardening_flags {
 	relro => 1,
 	bindnow => 0,
     );
+    my $use_stackprotector_strong = 1;
 
     # Adjust features based on Maintainer's desires.
     my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS');
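Review bot: `$use_stackprotector_strong` is a bare scalar rather than an entry in `%use_feature`, so unlike `stackprotector`, `relro` or `bindnow` it cannot be toggled through `DEB_BUILD_MAINT_OPTIONS` in the "Adjust features based on Maintainer's desires" block that follows. A package that must stay on GCC 4.8 (the largest failure class listed above) is then left with disabling the stack protector entirely or filtering the flag by hand in debian/rules. Consider making it a feature entry, e.g. `stackprotectorstrong => 1`, so the existing option parsing covers it and its dependence on `stackprotector` is explicit.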
@@ -129,6 +130,12 @@ sub add_hardening_flags {
 	#   compiler supports it incorrectly (leads to SEGV)
 	$use_feature{stackprotector} = 0;
     }
+    if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) {
+	# "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32.
+	#   It requires GCC 4.9 and these archs are still using 4.8 as of
+	#   gcc-defaults 1.128.
+	$use_stackprotector_strong = 0;
+    }
     if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
 	# relro not implemented on ia64, hppa, avr32.
 	$use_feature{relro} = 0;
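Review bot: the architecture list is written twice, once in the regex and once in the comment, and the comment pins the reason to "gcc-defaults 1.128", so both will silently go stale once those ports move to 4.9. Keep the list in one place and turn the comment into a reminder to drop the exclusion when gcc-defaults switches those architectures. Also worth a line in the comment on why this block matches on `$arch` while the `relro` block directly below matches on `$cpu`, so the asymmetry is not "fixed" later without checking what x32 and powerpcspe look like in each variable.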
@@ -161,13 +168,23 @@ sub add_hardening_flags {
 
     # Stack protector
     if ($use_feature{stackprotector}) {
-	$flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	if ($use_stackprotector_strong) {
+	    $flags->append('CFLAGS', '-fstack-protector-strong');
+	    $flags->append('OBJCFLAGS', '-fstack-protector-strong');
+	    $flags->append('OBJCXXFLAGS', '-fstack-protector-strong');
+	    $flags->append('FFLAGS', '-fstack-protector-strong');
+	    $flags->append('FCFLAGS', '-fstack-protector-strong');
+	    $flags->append('CXXFLAGS', '-fstack-protector-strong');
+	    $flags->append('GCJFLAGS', '-fstack-protector-strong');
+	} else {
+	    $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	    $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	    $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	    $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	    $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	    $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	    $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+	}
     }
 
     # Fortify Source
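Review bot: the two branches repeat the same seven `append` calls with only the flag string differing, which doubles the list of flag variables that has to be kept in sync. Compute the string once and loop over the variables, e.g. `my $ssp = $use_stackprotector_strong ? '-fstack-protector-strong' : '-fstack-protector --param=ssp-buffer-size=4';` followed by `$flags->append($_, $ssp) foreach qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS);`. That also makes it obvious that `--param=ssp-buffer-size=4` is deliberately dropped only for the strong variant.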


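The mail suggests that packages which really cannot move to GCC 4.9 should disable the stack protector or filter out/replace the new flag. The following is an added example of such a fallback, not code from the mail above nor from dpkg itself; it probes whether a given compiler accepts -fstack-protector-strong (GCC 4.8 rejects it, as in the failure logs) and, if not, swaps it for the older -fstack-protector --param=ssp-buffer-size=4 that dpkg-buildflags emitted before this patch. The function names are this example's own and the compiler is passed in rather than assumed.

```shell
#!/bin/sh
# Added example (not from the mail or from dpkg): adapt the CFLAGS that
# dpkg-buildflags hands out to a compiler that may predate GCC 4.9.

# cc_accepts_flag CC FLAG: succeed if CC can compile an empty translation
# unit with FLAG. A compiler that does not know the flag exits non-zero.
cc_accepts_flag() {
    printf 'int main(void) { return 0; }\n' |
        "$1" "$2" -c -x c -o /dev/null - >/dev/null 2>&1
}

# strip_flag FLAGS FLAG: print FLAGS with every word equal to FLAG removed.
# Word splitting on $1 is intentional: flag strings are space separated.
strip_flag() {
    out=
    for f in $1; do
        [ "$f" = "$2" ] || out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# adjust_cflags CC FLAGS: keep FLAGS unchanged when CC accepts the strong
# stack protector, otherwise replace it with the classic variant so the
# build keeps a stack protector instead of dropping it altogether.
adjust_cflags() {
    if cc_accepts_flag "$1" -fstack-protector-strong; then
        printf '%s\n' "$2"
    else
        rest=$(strip_flag "$2" -fstack-protector-strong)
        printf '%s\n' "${rest:+$rest }-fstack-protector --param=ssp-buffer-size=4"
    fi
}

# Typical use from debian/rules or a wrapper script: take the CFLAGS that
# dpkg-buildflags emits and adjust them for the compiler actually in use.
#   CFLAGS=$(adjust_cflags "${CC:-gcc}" "$(dpkg-buildflags --get CFLAGS)")
```

Probing the compiler rather than matching on its version string keeps the fallback correct for a Clang that lacks the flag as well (the feel++ case above), and the replacement branch still leaves a protector in place, which is preferable to the "disable the stack protector" option for packages that only lack the newer compiler.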