Re: Switch on compiler hardening defaults
On Thu, Oct 29, 2009 at 10:01:08PM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 27 Oct 2009, Kees Cook wrote:
> > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > > > uses[2].
> > >
> > > How do they work? Do they also change the free-standing compiler or only
> > > the hosted one? There is a lot of software which (I would say) misuses
> > > the hosted compiler to build non-userspace-code, including the Linux
> > > kernel.
> >
> > The stack protector is conditional on being linked with libc, so, if you
> > build with -nostdlib (as the kernel does), it is implicitly disabled.
>
> This doesn't make sense. The kernel can, and does, use stack protector
> functionality for its build if you ask it to. Do you mean the defaults are
> changed only when -nostdlib is NOT given?
Yes, I was a bit unclear, sorry. The -fstack-protector option is not
added to the option list when either -fno-stack-protector or -nostdlib
is already in the option list. The GCC spec[1] for this is:
%{!fno-stack-protector:%{!nostdlib:-fstack-protector}}
If you add -fstack-protector to a build (regardless of -nostdlib), gcc
will attempt to use the stack protector. This is how the kernel builds
when the CC_STACKPROTECTOR option is enabled.
And I can prove this works. :) The Ubuntu kernel uses both the hardened
compiler and the CC_STACKPROTECTOR option, and you can see the results on
an Ubuntu system:
$ readelf -s /lib/modules/$(uname -r)/kernel/fs/nfs/nfs.ko | grep stack_chk
1114: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND __stack_chk_fail
-Kees
[1] http://patch-tracker.debian.org/patch/series/view/gcc-4.4/4.4.2-1/gcc-default-ssp.diff
--
Kees Cook @debian.org
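As an added illustration (not part of the mail, nor of the Debian gcc-default-ssp.diff), here is a small Python evaluator for the spec conditional quoted above. It implements only the %{flag:text} / %{!flag:text} subset of GCC spec syntax (exact-match switches, nesting allowed); the function names and the sample option lists are constructed for the example.

```python
"""Evaluate the gcc-default-ssp spec conditional against a gcc command line."""

# Spec string quoted in the mail (Debian/Ubuntu gcc-default-ssp.diff).
DEFAULT_SSP_SPEC = "%{!fno-stack-protector:%{!nostdlib:-fstack-protector}}"


def expand_spec(spec, options):
    """Expand the subset of GCC spec syntax used by the SSP default:
    %{flag:text}  -> text if '-flag' is on the command line
    %{!flag:text} -> text if '-flag' is NOT on the command line
    Nesting is honoured; text outside %{...} is copied through verbatim.
    (Wildcards such as %{S*:...} are deliberately not implemented.)"""
    present = {opt.lstrip('-') for opt in options}
    out, i = [], 0
    while i < len(spec):
        if not spec.startswith('%{', i):
            out.append(spec[i])
            i += 1
            continue
        # Locate the '}' that closes this conditional, counting nested %{.
        depth, j = 0, i
        while j < len(spec):
            if spec.startswith('%{', j):
                depth, j = depth + 1, j + 2
                continue
            if spec[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        cond, _, text = spec[i + 2:j].partition(':')
        negate = cond.startswith('!')
        flag = cond[1:] if negate else cond
        if (flag in present) != negate:
            out.append(expand_spec(text, options))  # recurse into nested body
        i = j + 1
    return ''.join(out)


def effective_options(options, spec=DEFAULT_SSP_SPEC):
    """Command line as the hardened driver sees it: user flags plus spec output."""
    return list(options) + expand_spec(spec, options).split()


def stack_protector_enabled(options):
    """True if gcc will attempt to use the stack protector for this command line.
    Last -f(no-)stack-protector on the effective line wins, as with gcc itself;
    an explicit -fstack-protector survives -nostdlib (the CC_STACKPROTECTOR case)."""
    enabled = False
    for opt in effective_options(options):
        if opt == '-fstack-protector':
            enabled = True
        elif opt == '-fno-stack-protector':
            enabled = False
    return enabled
```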