
Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



On Thu, Jun 26, 2014 at 9:57 PM, Michael Gilbert wrote:
> On Thu, Jun 26, 2014 at 7:57 AM, Romain Francoise wrote:
>> I've already touched upon this elsewhere in this thread, but my personal
>> feeling is that we don't want to go down that road. Detecting which
>> compiler is used and parsing/comparing version numbers is bound to be
>> fragile and require a lot of maintenance over time.
>
> Version comparison is something computers do incredibly well and
> incredibly reliably all the time, so it isn't obvious why it would
> suddenly fall apart here.

Here is a slightly altered version of your patch that does this.

The following packages build correctly now with this applied:

chromium
contextfree
spek

These have already switched to gcc 4.9:

llvm-toolchain-snapshot
openimageio

These use an old style of passing buildflags that doesn't get CC/CXX
exported early enough for dpkg-buildflags:

flexc++
gpg-remailer
oxref

Those can be fixed by manually adding CC/CXX in time, e.g.

export CXXFLAGS=$(shell CXX=$(CXX) dpkg-buildflags --get CXXFLAGS)

but that would also require an nmu.

Best wishes,
Mike

diff -Nru dpkg-1.17.10/scripts/Dpkg/Vendor/Debian.pm dpkg-1.17.10+nmu1/scripts/Dpkg/Vendor/Debian.pm
--- dpkg-1.17.10/scripts/Dpkg/Vendor/Debian.pm	2014-05-30 16:30:50.000000000 +0000
+++ dpkg-1.17.10+nmu1/scripts/Dpkg/Vendor/Debian.pm	2014-06-29 04:53:06.000000000 +0000
@@ -93,6 +93,21 @@
 	bindnow => 0,
     );
 
+    # Use -fstack-protector-strong starting with gcc 4.9.
+    my $cc = '';
+    if (defined $ENV{CXX}) {
+        $cc = $ENV{CXX};
+    } elsif (defined $ENV{CC}) {
+        $cc = $ENV{CC};
+    }
+    my $use_stackprotector_strong = 1;
+    if ($cc ne '') {
+        my @cc_version = split('\.', qx($cc -dumpversion));
+        if ($cc =~ /g??-/ and $cc_version[0] == 4 and $cc_version[1] < 9) {
+            $use_stackprotector_strong = 0;
+	}
+    }
+
     # Adjust features based on Maintainer's desires.
     my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS');
     foreach my $feature (split(/,/, $opts->get('hardening') // '')) {
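Review bot: the compiler-name test `$cc =~ /g??-/` does not do what the comment above it promises. `g??` is an optional, non-greedy `g`, so the pattern is satisfied by any value that contains a hyphen: plain `CC=gcc` or `CC=g++` never match and skip the 4.9 gate, while any hyphenated command (a cross-prefixed clang, for instance) matches regardless of what it is. Something like `/\bg(?:cc|\+\+)/` expresses the intent. Two related points in the same block: when neither CC nor CXX is set, `$use_stackprotector_strong` stays at 1 without ever consulting the default `gcc -dumpversion`, so the gate only protects packages that export CC/CXX before calling dpkg-buildflags (the covering mail lists packages that do not); consider probing `gcc` as the fallback. And the closing brace after `$use_stackprotector_strong = 0;` is indented with a tab where the rest of the new block uses spaces.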
@@ -129,6 +144,12 @@
 	#   compiler supports it incorrectly (leads to SEGV)
 	$use_feature{stackprotector} = 0;
     }
+    if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) {
+       # "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32.
+       #   It requires GCC 4.9 and these archs are still using 4.8 as of
+       #   gcc-defaults 1.128.
+       $use_stackprotector_strong = 0;
+    }
     if ($cpu =~ /^(?:ia64|hppa|avr32)$/) {
 	# relro not implemented on ia64, hppa, avr32.
 	$use_feature{relro} = 0;
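Review bot: this hard-coded architecture list is the only thing that turns -fstack-protector-strong off for builds that do not export CC/CXX, and it will go stale the moment gcc-defaults moves these ports to 4.9 (the comment already has to pin it to "as of gcc-defaults 1.128"). If the version probe in the earlier hunk falls back to the default `gcc -dumpversion` when CC/CXX are unset, this block becomes unnecessary; if it is kept as a safety net, the comment should say it is a temporary override to be dropped once those ports move. The indentation (seven spaces) also differs from the tab-indented `if ($cpu =~ ...)` blocks around it.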
@@ -161,13 +182,23 @@
 
     # Stack protector
     if ($use_feature{stackprotector}) {
-	$flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
-	$flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+       if ($use_stackprotector_strong) {
+           $flags->append('CFLAGS', '-fstack-protector-strong');
+           $flags->append('OBJCFLAGS', '-fstack-protector-strong');
+           $flags->append('OBJCXXFLAGS', '-fstack-protector-strong');
+           $flags->append('FFLAGS', '-fstack-protector-strong');
+           $flags->append('FCFLAGS', '-fstack-protector-strong');
+           $flags->append('CXXFLAGS', '-fstack-protector-strong');
+           $flags->append('GCJFLAGS', '-fstack-protector-strong');
+       } else {
+           $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+           $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+           $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+           $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+           $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+           $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+           $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4');
+       }
     }
 
     # Fortify Source
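Review bot: the two branches repeat the same seven `$flags->append` calls with only the flag string differing, so a new flag variable has to be added in two places. Picking the string once and looping over the variable names keeps the list in one place:

    my $ssp = $use_stackprotector_strong ? '-fstack-protector-strong' : '-fstack-protector --param=ssp-buffer-size=4';
    $flags->append($_, $ssp) for qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS);

Dropping `--param=ssp-buffer-size=4` in the strong branch is correct, since -fstack-protector-strong instruments every function with a local array or address-taken local and does not use the buffer-size heuristic. The added lines are indented with seven spaces where the removed lines used a tab.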

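As an added example that is not part of the original mail or of dpkg, here is the selection logic the patch describes, written as POSIX shell so it can be exercised against compiler names and version strings offline. It assumes only gcc/g++ (bare, cross-prefixed or version-suffixed) are gated on 4.9, that any other compiler or an unparsable version keeps the classic flag, and the function names are its own.

```shell
#!/bin/sh
# Added example, not dpkg's code: choose the stack-protector flag the way the
# patch intends, from the compiler command and its `-dumpversion` output.
# Assumptions: only gcc/g++ (bare, cross-prefixed or version-suffixed) are
# known to gain -fstack-protector-strong at 4.9; any other compiler or an
# unparsable version keeps the classic flag, which all of them accept.

# is_gcc CMD: true for gcc, g++, arm-linux-gnueabihf-gcc, gcc-4.8, /usr/bin/g++-4.9
is_gcc() {
    case "${1##*/}" in
        gcc|g++|*-gcc|*-g++|gcc-*|g++-*|*-gcc-*|*-g++-*) return 0 ;;
        *) return 1 ;;
    esac
}

# gcc_at_least_4_9 VERSION: true when VERSION ("4.9.0", "5", "10.2.1") >= 4.9
gcc_at_least_4_9() {
    ver=$(printf '%s' "$1" | tr -d '[:space:]')   # -dumpversion ends in a newline
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$minor" = "$ver" ] && minor=0              # "5" carries no minor component
    minor=${minor%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac  # refuse to guess on garbage
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }
}

# ssp_flag CMD VERSION: the flag string dpkg-buildflags would emit
ssp_flag() {
    if is_gcc "$1" && gcc_at_least_4_9 "$2"; then
        printf '%s\n' '-fstack-protector-strong'
    else
        printf '%s\n' '-fstack-protector --param=ssp-buffer-size=4'
    fi
}

# ssp_flag_for CMD: same, probing the real compiler (needs it installed)
ssp_flag_for() {
    ssp_flag "$1" "$("$1" -dumpversion 2>/dev/null)"
}
```

Running `ssp_flag_for "${CC:-gcc}"` in a build environment shows which flag the toolchain on the box would receive.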