
Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



Hi!

On Tue, 2014-06-24 at 11:29:31 +0200, Romain Francoise wrote:
> GCC 4.9 supports a new stack protector implementation, enabled via the
> -fstack-protector-strong flag, which provides a better balance between
> security and performance than the default implementation that we're
> currently using. This new flag is already used by Fedora 20 and
> ChromeOS. See the following for more information:
> 
>  https://lwn.net/Articles/584225/
>  http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
>  https://fedorahosted.org/fesco/ticket/1128
> 
> The Security Team has expressed interest in switching dpkg-buildflags
> over to this new flag in Debian for jessie, now that GCC 4.9 is the
> default compiler on all release architectures. In order to see the
> impact on the archive, David Suárez did a full rebuild on EC2 with a
> patched dpkg-dev which emits the new flag.

Thanks a lot for doing this!

> * false positives:
>   - gcc-4.7 4.7.4-1 (checks that dpkg-dev is 'ii')

For what purpose?

>   - seqan 1.4.1-3 (attempts to disable the stack protector using sed)

I guess it should be switched to use DEB_foo_STRIP build variables.

> As the number of build failures is low, I think it's safe to simply
> switch the default flag emitted by dpkg-buildflags and file bugs against
> the above packages to ask the maintainers to disable the stack protector
> or filter out/replace the new flag if they really can't upgrade to GCC
> 4.9.

Yeah, given the analysis and references this seems pretty safe, and
we could always disable it by default if we end up finding something
onerous going on. I'm tentatively merging this locally for either
dpkg 1.17.11 or 1.17.12. I'd appreciate if you could send a mail to
debian-devel for a heads-up and to look for input from other people
in case there's any possible known showstopper.

> So here is a prospective patch which changes dpkg-buildflags to emit the
> new flag for all architectures known to use GCC 4.9 as of today. Let me
> know if this looks workable for you.

> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
> index c5020dc..4e19752 100644
> --- a/scripts/Dpkg/Vendor/Debian.pm
> +++ b/scripts/Dpkg/Vendor/Debian.pm
> @@ -92,6 +92,7 @@ sub add_hardening_flags {
>  	relro => 1,
>  	bindnow => 0,
>      );
> +    my $use_stackprotector_strong = 1;

I've changed this to be just one more %use_feature key.

>      # Adjust features based on Maintainer's desires.
>      my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS');
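
Review bot: a standalone `my $use_stackprotector_strong = 1;` lives outside %use_feature, so the `# Adjust features based on Maintainer's desires.` block that follows (the DEB_BUILD_MAINT_OPTIONS parsing) cannot see it, and a package gets no hardening=-... switch for the strong variant short of stripping the flag from CFLAGS. Making it one more %use_feature key keeps the maintainer opt-out path the same as for the other hardening features.
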
> @@ -129,6 +130,12 @@ sub add_hardening_flags {
>  	#   compiler supports it incorrectly (leads to SEGV)
>  	$use_feature{stackprotector} = 0;
>      }
> +    if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) {
> +	# "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32.
> +	#   It requires GCC 4.9 and these archs are still using 4.8 as of
> +	#   gcc-defaults 1.128.
> +	$use_stackprotector_strong = 0;
> +    }
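
Review bot: the new variable is only cleared for the GCC 4.8 architectures, while the block just above sets `$use_feature{stackprotector} = 0;` for the SEGV case without touching `$use_stackprotector_strong`; unless the emission site checks both, an architecture with the base stack protector disabled could still be handed -fstack-protector-strong. Either add `$use_stackprotector_strong = 0;` next to that assignment or gate the strong flag on `$use_feature{stackprotector}` where the flags are emitted. The comment's "as of gcc-defaults 1.128" is also the only hint that this list is a snapshot, so a note that the regex should shrink as those ports move to 4.9 would help whoever revisits it.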

It would be nicer to detect the gcc version and deactivate based on
that, but I don't think that might be reliable, as CC/CXX might not
have been setup in the correct place for this to work, so we'll go
with this for now.

Thanks,
Guillem

