From: matt <sendtomatt@gmail.com>
Date: Wed, 25 Apr 2012 15:39:09 -0700
To: Bryan Drewery
Message-ID: <4F987D0D.2000906@gmail.com>
In-Reply-To: <4F9850D9.90300@shatow.net>
References: <4F4AFB53.8020503@shatow.net> <20120315223454.GA30360@felucia.tataz.chchile.org> <4F9850D9.90300@shatow.net>
Cc: freebsd-hackers@freebsd.org, jeremie@le-hen.org
Subject: Re: compiling ports with SSP
List-Id: Technical Discussions relating to FreeBSD

On 04/25/12 12:30, Bryan Drewery wrote:
> On 03/15/2012 05:34 PM, Jeremie Le Hen wrote:
>> Hi Bryan
>>
>> On Sun, Feb 26, 2012 at 09:41:07PM -0600, Bryan Drewery wrote:
>>> Thanks for this patch [1]!
>>>
>>> I've been building my ports tree with -fstack-protector on FreeBSD 6, 7
>>> and 8. Once I upgraded to 8, I started running into the issue [2] this
>>> patch is fixing.
>>>
>>> I have a situation where non-ports applications are compiling
>>> statically, which ran into this. Specifically, the application is
>>> linking in security/openssl statically, which of course was compiled
>>> with -fstack-protector. Adding the /usr/lib/libc.ld fixed it without
>>> needing to hack at the failing non-port application.
>>>
>>> Would be nice if this and PR 138228 were finally committed.
>>>
>>> Bryan Drewery
>>>
>>> [1] http://lists.freebsd.org/pipermail/freebsd-hackers/2011-June/035538.html
>>> [2] http://gcc.gnu.org/ml/gcc-help/2006-05/msg00092.html
>>
>> Wow, the perspective provided by those two posts makes me dizzy. This
>> has been a very long standing project. The base system is now compiled
>> with SSP, but doing so for ports still requires some manual hacking
>> unfortunately. I proposed a patch to compile ports with SSP a few
>> years ago, but some ports with special building strategy suffered the
>> problem described in [2]. Then I learned the possibilities of ld
>> scripts and provided the patch in [1] last year.
>>
>> I think we have all the bits necessary to be able to compile ports with
>> SSP painlessly.
>>
>> First the patch in [1] has to be committed in the base system. I think
>> this can be done in CURRENT without any problem; I run it myself on my
>> own servers without problem. Unfortunately it will probably never appear
>> in RELENG_9 because it may be deemed too dangerous to make such a change
>> in a stable branch. It would be nice to hear what kib@ and kan@ think
>> about this.
>>
>> Next, the patch to bsd.port.mk in this PR [3] has to be applied to be
>> able to compile ports with SSP using a single knob. (Other patches
>> along this one can be thrown away; they were required hacks back when
>> the libc ld script didn't exist.) Then portmgr@ will naturally want to
>> make a full port build with this knob turned on to check, but last time
>> I was told they had very few resources and that this couldn't be
>> scheduled in the next couple of weeks, IIRC.
>>
>> I admit the situation is partly my fault, because I did the fun
>> technical work but I didn't keep up with the "lobbying" part :).
>> I asked once or twice, without success, and then went on to other subjects.
>>
>> I would be really glad if we could proceed with this. FreeBSD-9.0 has
>> just been released; this is probably a good time to step forward.
>>
>> [3] http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138228
>>
>> Cheers,
>
> Something to keep an eye on is that some ports may run `file
> /usr/lib/libc.so` and find that it is an ASCII text file.
>
> As I've mentioned, I've been running with SSP in my ports for at least a
> year now, and with this ld script for several months.
>
> The only issue I've run into is the security/openssl port is looking at
> /usr/lib/libc.so to see if it is ELF or not, and due to this is falling
> back on a.out binary format and then generating incorrect ASM. I think
> this is going to be a pretty rare and specific case though.
>
> Regards,
> Bryan Drewery
>

Any reason not to use -fstack-protector-all as opposed to -fstack-protector?
I've been using this on all ports for quite a while; I don't usually run
into problems that make me need to revert to stock cflags. I don't use the
ports OpenSSL, so maybe that's why I've escaped.

Matt
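The `file /usr/lib/libc.so` problem Bryan describes is worth a concrete check. What follows is an added example, not code from this thread, from the OpenSSL port or from the FreeBSD ports tree: a POSIX sh script that classifies a library path the way a build script should once libc.so may be an ld script, by reading the ELF magic of the file itself and, for an ld script, following the GROUP()/INPUT() members it names. The ld script it builds is a constructed sample in the style of the libc script under discussion; the member names libc.so.7 and libssp_nonshared.a and the temporary-directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, the OpenSSL port or the FreeBSD ports
# tree).  Once /usr/lib/libc.so is an ld script, `file /usr/lib/libc.so`
# reports ASCII text, and a build script that greps that output for "ELF"
# wrongly concludes it is on an a.out system.  The functions below classify
# a library path by its bytes instead: ELF magic on the file itself, and,
# for an ld script, on every GROUP()/INPUT() member it names.
# The sample tree built in main() is constructed; the member names
# libc.so.7 and libssp_nonshared.a are assumptions about the script's form.

# is_elf PATH: succeed if PATH starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# is_ar PATH: succeed if PATH starts with the ar(1) archive magic "!<arch>\n",
# which is what a static member such as libssp_nonshared.a looks like.
is_ar() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=8 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "213c617263683e0a" ]
}

# is_ldscript PATH: succeed if PATH has a GROUP( ... ) or INPUT( ... ) line,
# the two forms an ld script uses to stand in for a shared library.
is_ldscript() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*(GROUP|INPUT)[[:space:]]*\(' "$1"
}

# ldscript_members PATH: print the names inside GROUP( ... ) / INPUT( ... ),
# one per line, after stripping /* */ comments and AS_NEEDED( ... ) wrappers.
ldscript_members() {
    sed -e 's,/\*.*\*/,,g' "$1" |
        sed -En 's/^[[:space:]]*(GROUP|INPUT)[[:space:]]*\((.*)\).*/\2/p' |
        sed -E 's/AS_NEEDED[[:space:]]*\(([^)]*)\)/\1/g' |
        tr ' \t' '\n\n' | grep -v '^$' || true
}

# classify_lib PATH: print one of
#   elf              a real ELF shared object
#   ldscript         an ld script whose members are all ELF objects or archives
#   ldscript-broken  an ld script naming a missing or unrecognised member
#   unknown          anything else (a.out object, plain text, missing file)
# It always returns 0 so callers under `set -e` can use its output freely.
classify_lib() {
    if is_elf "$1"; then
        echo elf
    elif is_ldscript "$1"; then
        for m in $(ldscript_members "$1"); do
            case $m in
                -l*) continue ;;   # -lfoo needs the linker's search path; skip
            esac
            if ! is_elf "$m" && ! is_ar "$m"; then
                echo ldscript-broken
                return 0
            fi
        done
        echo ldscript
    else
        echo unknown
    fi
}

# main: build the constructed sample tree and classify three candidates.
main() {
    d=$(mktemp -d)
    # Minimal stand-ins: only the leading magic bytes matter to this check.
    printf '\177ELF' > "$d/libc.so.7"
    printf '!<arch>\n' > "$d/libssp_nonshared.a"
    # Constructed ld script in the style of the libc.so script under
    # discussion; the member names are assumptions.
    printf '/* constructed sample */\nGROUP ( %s %s )\n' \
        "$d/libc.so.7" "$d/libssp_nonshared.a" > "$d/libc.so"
    printf 'not a library\n' > "$d/libfoo.so"

    for f in libc.so.7 libc.so libfoo.so; do
        printf '%-9s %s\n' "$(classify_lib "$d/$f")" "$d/$f"
    done
    rm -rf "$d"
}

main
```

Running it prints `elf`, `ldscript` and `unknown` for the three sample files. A configure check that pipes `file` output through `grep ELF` sees nothing for the script and, as reported above, falls back to a.out; looking at the magic bytes of the script's members instead gives the right answer for both a real shared object and the ld-script form, and flags a script whose members are missing rather than silently treating it as text.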