From: Ed Maste
Date: Fri, 5 Jun 2020 10:36:27 -0400
Subject: Re: Improved PIE binary tooling
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org

On Thu, 4 Jun 2020 at 20:15, Dewayne Geraghty wrote:
>
> Thank you, Ed. Though I have two questions:
>
> 1. We've recompiled all the ports I use with either -fPIC or -fPIE and
> the linker flag -pie. Is there something required for ports to utilise
> these changes, or are the changes only in the mk files affecting the
> base system build?
No additional change is needed - the linker will automatically add this
flag when -pie is specified.

> 2. I've also taken advantage of employing -fstack-clash-protection;
> unfortunately this is currently only available via gcc (we're using gcc9
> at the moment). Does the fact that we use gcc9 and binutils 2.33.1
> influence the outcome of your changes?

Mmm, good question - the LLD commit indicated that binutils should set
this too, but I haven't tried. You can check `readelf -d` on one of your
PIE binaries, and if the flag is not set probably submit a PR against
devel/binutils.

-fstack-clash-protection is in Clang now, but it landed after 10.0. The
next Clang update will include it. (It was actually committed and
reverted four times, but stuck on the fifth try.)
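The `readelf -d` check Ed suggests, done programmatically so it can be run over a whole ports tree. This is an added example, not code from the thread or from FreeBSD, LLD or binutils. It assumes the flag Ed refers to is DF_1_PIE in the DT_FLAGS_1 dynamic entry (what `readelf -d` prints as `FLAGS_1 ... Flags: PIE`), handles little-endian ELF64 only, and uses a constructed minimal ELF image as sample input rather than a real binary.

```python
"""Check whether an ELF64 binary carries the DF_1_PIE marker.

Added example, not from the original mailing-list thread. It walks the
PT_DYNAMIC segment and looks for DF_1_PIE in DT_FLAGS_1, which is the
`readelf -d` check from the thread, done in code. Assumption: the "flag"
in the thread is DF_1_PIE. Only little-endian ELF64 is handled.
"""
import struct

ELFMAG = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
DT_NULL = 0
DT_FLAGS_1 = 0x6FFFFFFB
DF_1_PIE = 0x08000000


def pie_status(data):
    """Return {'e_type', 'df_1_pie', 'verdict'} for an in-memory ELF image."""
    if data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is supported here")
    # Elf64_Ehdr after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)

    flags_1 = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        # Elf64_Dyn entries: d_tag (signed), d_val; 16 bytes each, terminated by DT_NULL
        for j in range(p_filesz // 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j * 16)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS_1:
                flags_1 = d_val
        break

    has_pie = flags_1 is not None and bool(flags_1 & DF_1_PIE)
    if e_type == ET_EXEC:
        verdict = "fixed-position executable"
    elif e_type == ET_DYN and has_pie:
        verdict = "PIE (DF_1_PIE set)"
    elif e_type == ET_DYN:
        # Without DF_1_PIE an ET_DYN object could be a PIE or a shared library;
        # that ambiguity is what the linker-set flag removes.
        verdict = "ET_DYN without DF_1_PIE: PIE or shared object, cannot tell"
    else:
        verdict = "not an executable"
    return {"e_type": e_type, "df_1_pie": has_pie, "verdict": verdict}


def build_sample_elf(e_type, flags_1=None):
    """Constructed test data: a minimal (non-loadable) ELF64 image with one
    PT_DYNAMIC program header and a tiny dynamic section. flags_1=None
    omits DT_FLAGS_1 entirely, as an older linker would."""
    ehsize, phentsize = 64, 56
    dyn = b""
    if flags_1 is not None:
        dyn += struct.pack("<qQ", DT_FLAGS_1, flags_1)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = ehsize + phentsize
    ident = ELFMAG + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys
    # Usage: python3 piecheck.py /usr/local/bin/foo /usr/local/lib/bar.so ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pie_status(f.read())["verdict"])
```

Run it over binaries from a port built with gcc9/binutils 2.33.1: a result of "ET_DYN without DF_1_PIE" on something you know was linked with -pie is the case Ed describes, where the linker did not set the flag and a PR against devel/binutils would be in order.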