
Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



On Tue, Jun 24, 2014 at 11:29:31AM +0200, Romain Francoise wrote:
> Hi,
> 
> GCC 4.9 supports a new stack protector implementation, enabled via the
> -fstack-protector-strong flag, which provides a better balance between
> security and performance than the default implementation that we're
> currently using. This new flag is already used by Fedora 20 and
> ChromeOS. See the following for more information:

Thanks for testing this! I would love to see this change go into the
archive.

>  https://lwn.net/Articles/584225/
>  http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
>  https://fedorahosted.org/fesco/ticket/1128
> 
> The Security Team has expressed interest in switching dpkg-buildflags
> over to this new flag in Debian for jessie, now that GCC 4.9 is the
> default compiler on all release architectures. In order to see the
> impact on the archive, David Suárez did a full rebuild on EC2 with a
> patched dpkg-dev which emits the new flag.
> 
> There are only 16 new failures, which can be categorized as follows:
> 
> * explicitly build-depends on and uses gcc/g++ 4.8, which doesn't
>   understand -fstack-protector-strong:
>   - ccbuild 2.0.6-2.1
>   - chromium-browser 35.0.1916.153-2
>   - contextfree 3.0.5+dfsg1-2.1
>   - flexc++ 2.01.00-1
>   - gpg-remailer 3.00.02-1
>   - higan 094-4
>   - llvm-toolchain-snapshot 1:3.5~svn209039-2
>   - openimageio 1.4.9~dfsg0-1 (already fixed in -2)
>   - oxref 1.00.01-1
>   - spek 0.8.2-3.1
>   - webkitgtk 2.4.3-2
> 
> * explicitly build-depends on and uses gcc 4.6:
>   - estic 1.61-20.1 (#747980)
> 
> * explicitly build-depends on and uses Clang 3.4:
>   - feel++ 1:0.98.0-final-1

I wonder if there is any sensible way for dpkg-buildflags to detect (or
maybe just be told) which compiler will be used for a build? Perhaps it
could take a new argument that would allow it to select flags based on the
compiler name and version?

    dpkg-buildflags --compiler=gcc-4.7

> * false positives:
>   - gcc-4.7 4.7.4-1 (checks that dpkg-dev is 'ii')
>   - seqan 1.4.1-3 (attempts to disable the stack protector using sed)
> 
> * needs test suite upgrade for -fstack-protector-strong:
>   - hardening-wrapper 2.5

I can get this fixed up. Though really hardening-wrapper should be
deprecated for Jessie.

> See http://aws-logs.debian.net/ftbfs-logs/buildflags/ for the full
> results and build logs.
> 
> As the number of build failures is low, I think it's safe to simply
> switch the default flag emitted by dpkg-buildflags and file bugs against
> the above packages to ask the maintainers to disable the stack protector
> or filter out/replace the new flag if they really can't upgrade to GCC
> 4.9.
> 
> So here is a prospective patch which changes dpkg-buildflags to emit the
> new flag for all architectures known to use GCC 4.9 as of today. Let me
> know if this looks workable for you.
> 
> 
> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
> index c5020dc..4e19752 100644
> --- a/scripts/Dpkg/Vendor/Debian.pm
> +++ b/scripts/Dpkg/Vendor/Debian.pm
> @@ -92,6 +92,7 @@ sub add_hardening_flags {
>  	relro => 1,
>  	bindnow => 0,
>      );
> +    my $use_stackprotector_strong = 1;
>  
>      # Adjust features based on Maintainer's desires.
>      my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS');
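Review bot: `$use_stackprotector_strong` is a bare scalar sitting outside `%use_feature`, so unlike `relro`, `bindnow` and the other hardening features it cannot be switched off through DEB_BUILD_MAINT_OPTIONS by the maintainer-options handling that follows; a package stuck on gcc-4.8 (the eleven listed above) can only react by disabling `stackprotector` altogether, which loses the old `-fstack-protector` as well. Consider making it a feature entry (say `stackprotectorstrong => 1` in `%use_feature`, so the existing option parsing covers it) or at least documenting how a maintainer is expected to fall back to the weaker flag rather than to none.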
> @@ -129,6 +130,12 @@ sub add_hardening_flags {
>  	#   compiler supports it incorrectly (leads to SEGV)
>  	$use_feature{stackprotector} = 0;
>      }
> +    if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) {
> +	# "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32.
> +	#   It requires GCC 4.9 and these archs are still using 4.8 as of
> +	#   gcc-defaults 1.128.
> +	$use_stackprotector_strong = 0;
> +    }
>      if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
>  	# relro not implemented on ia64, hppa, avr32.
>  	$use_feature{relro} = 0;
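Review bot: the new exclusion tests `$arch` while the adjacent exclusion just below (`$cpu =~ /^(?:ia64|hppa|avr32)$/`) tests `$cpu`; please confirm that is deliberate, because if `$arch` does not carry the names in the regex for these ports the check silently never fires and gcc-4.8 on them is handed a flag it rejects. The list is also explicitly a snapshot of gcc-defaults 1.128, so it will go stale as ports move to 4.9; a note in the comment that the list is to be pruned (not extended) as that happens would help whoever touches it next.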
> @@ -161,13 +168,23 @@ sub add_hardening_flags {
>  
>      # Stack protector
>      if ($use_feature{stackprotector}) {
> -	$flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> -	$flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> -	$flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> -	$flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> -	$flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> -	$flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> -	$flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	if ($use_stackprotector_strong) {
> +	    $flags->append('CFLAGS', '-fstack-protector-strong');
> +	    $flags->append('OBJCFLAGS', '-fstack-protector-strong');
> +	    $flags->append('OBJCXXFLAGS', '-fstack-protector-strong');
> +	    $flags->append('FFLAGS', '-fstack-protector-strong');
> +	    $flags->append('FCFLAGS', '-fstack-protector-strong');
> +	    $flags->append('CXXFLAGS', '-fstack-protector-strong');
> +	    $flags->append('GCJFLAGS', '-fstack-protector-strong');
> +	} else {
> +	    $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	    $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	    $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	    $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	    $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	    $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	    $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
> +	}
>      }
>  
>      # Fortify Source
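Review bot: the two seven-line blocks of `append` calls are identical apart from the flag string, which invites the two lists drifting apart the next time a flag variable is added. Compute the string once and loop over the variables, e.g.
    my $sp = $use_stackprotector_strong ? '-fstack-protector-strong'
                                        : '-fstack-protector --param=ssp-buffer-size=4';
    $flags->append($_, $sp) for qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS);
Dropping `--param=ssp-buffer-size=4` in the strong branch looks right: that parameter only sets the minimum char-array size for the plain `-fstack-protector` heuristic, which the strong variant does not use.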

This looks good, thanks!

-Kees

-- 
Kees Cook                                            @debian.org

