Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong
On Thu, Jun 26, 2014 at 9:57 PM, Michael Gilbert wrote:
> On Thu, Jun 26, 2014 at 7:57 AM, Romain Francoise wrote:
>> I've already touched upon this elsewhere in this thread, but my personal
>> feeling is that we don't want to go down that road. Detecting which
>> compiler is used and parsing/comparing version numbers is bound to be
>> fragile and require a lot of maintenance over time.
>
> Version comparison is something computers do incredibly well and
> incredibly reliably all the time, so it isn't obvious why it would
> suddenly fall apart here.
Here is a slightly altered version of your patch that does this.
The following packages build correctly now with this applied:
chromium
contextfree
spek
These have already switched to gcc 4.9:
llvm-toolchain-snapshot
openimageio
These use an old style of passing buildflags that doesn't get CC/CXX
exported early enough for dpkg-buildflags:
flexc++
gpg-remailer
oxref
Those can be fixed by manually adding CC/CXX in time, e.g.
export CXXFLAGS=$(shell CXX=$(CXX) dpkg-buildflags --get CXXFLAGS)
but that would also require an nmu.
Best wishes,
Mike
diff -Nru dpkg-1.17.10/scripts/Dpkg/Vendor/Debian.pm dpkg-1.17.10+nmu1/scripts/Dpkg/Vendor/Debian.pm
--- dpkg-1.17.10/scripts/Dpkg/Vendor/Debian.pm 2014-05-30 16:30:50.000000000 +0000
+++ dpkg-1.17.10+nmu1/scripts/Dpkg/Vendor/Debian.pm 2014-06-29 04:53:06.000000000 +0000
@@ -93,6 +93,21 @@
bindnow => 0,
);
+ # Use -fstack-protector-strong starting with gcc 4.9.
+ my $cc = '';
+ if (defined $ENV{CXX}) {
+ $cc = $ENV{CXX};
+ } elsif (defined $ENV{CC}) {
+ $cc = $ENV{CC};
+ }
+ my $use_stackprotector_strong = 1;
+ if ($cc ne '') {
+ my @cc_version = split('\.', qx($cc -dumpversion));
+ if ($cc =~ /g??-/ and $cc_version[0] == 4 and $cc_version[1] < 9) {
+ $use_stackprotector_strong = 0;
+ }
+ }
+
# Adjust features based on Maintainer's desires.
my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS');
foreach my $feature (split(/,/, $opts->get('hardening') // '')) {
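Review bot: the compiler test `$cc =~ /g??-/` does not match what the comment above it targets: `g??` is an optional `g`, so the pattern only requires a `-` somewhere in `$cc`. With `CC=gcc` or `CXX=g++` pointing at a 4.8 toolchain the strong protector is therefore never disabled, while any hyphenated name (a cross triplet, `clang-3.4`) is treated as gcc and has its `-dumpversion` compared against 4.9. Suggest matching the basename explicitly, e.g. `if ($cc =~ m{(?:^|/|-)g(?:cc|\+\+)(?:-[\d.]+)?$} and ...)`, chomping the `qx($cc -dumpversion)` output so `$cc_version[1]` is not compared with a trailing newline, and checking that `qx` returned anything at all: a compiler that cannot be run leaves `@cc_version` empty and silently keeps `$use_stackprotector_strong = 1`. Versions below 4.x also fall through to the strong flag for the same reason.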
@@ -129,6 +144,12 @@
# compiler supports it incorrectly (leads to SEGV)
$use_feature{stackprotector} = 0;
}
+ if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) {
+ # "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32.
+ # It requires GCC 4.9 and these archs are still using 4.8 as of
+ # gcc-defaults 1.128.
+ $use_stackprotector_strong = 0;
+ }
if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
# relro not implemented on ia64, hppa, avr32.
$use_feature{relro} = 0;
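Review bot: the new block tests `$arch` while the neighbouring checks (`$cpu =~ /^(?:ia64|hppa|avr32)$/` directly below) test `$cpu`; confirm `$arch` is in scope at this point and, if the Debian architecture name rather than the CPU is intended, say so in the comment. The hard-coded list also duplicates the runtime `-dumpversion` probe from the first hunk and, as the comment admits, is pinned to gcc-defaults 1.128: once these ports move to 4.9 the entry will keep downgrading them to the weaker protector until someone remembers to delete it. Suggest either relying on the version probe alone or adding a pointer to the gcc-defaults changelog so the entry is revisited.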
@@ -161,13 +182,23 @@
# Stack protector
if ($use_feature{stackprotector}) {
- $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
- $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
- $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
- $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
- $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
- $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
- $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ if ($use_stackprotector_strong) {
+ $flags->append('CFLAGS', '-fstack-protector-strong');
+ $flags->append('OBJCFLAGS', '-fstack-protector-strong');
+ $flags->append('OBJCXXFLAGS', '-fstack-protector-strong');
+ $flags->append('FFLAGS', '-fstack-protector-strong');
+ $flags->append('FCFLAGS', '-fstack-protector-strong');
+ $flags->append('CXXFLAGS', '-fstack-protector-strong');
+ $flags->append('GCJFLAGS', '-fstack-protector-strong');
+ } else {
+ $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+ }
}
# Fortify Source
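Review bot: the default `$use_stackprotector_strong = 1` from the first hunk means a build that does not export CC/CXX in time (the flexc++/gpg-remailer/oxref case from the mail) takes the first branch and gets `-fstack-protector-strong` unconditionally, which is exactly the combination that fails on a 4.8 compiler; defaulting to the old `-fstack-protector --param=ssp-buffer-size=4` when no compiler could be probed would fail safe. Separately, both branches repeat the same seven `$flags->append(...)` calls with only the option string differing, which is easy to get out of sync when a flag variable is added. Suggest choosing the option once and looping, e.g. `my $ssp = $use_stackprotector_strong ? '-fstack-protector-strong' : '-fstack-protector --param=ssp-buffer-size=4';` followed by `$flags->append($_, $ssp) foreach qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS);`.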