Date: Wed, 30 May 2012 09:19:53 +0200
From: Jeremie Le Hen <jlh@FreeBSD.org>
To: Mel Flynn <rflynn@acsalaska.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Activating libssp
Message-ID: <20120530071953.GD47353@felucia.tataz.chchile.org>
In-Reply-To: <4FC4C6EE.2020601@acsalaska.net>
References: <4FC26F26.6000907@acsalaska.net> <20120528212236.GC47353@felucia.tataz.chchile.org> <4FC4C6EE.2020601@acsalaska.net>

Mel,

On Tue, May 29, 2012 at 02:54:06PM +0200, Mel Flynn wrote:
> On 28-5-2012 23:22, Jeremie Le Hen wrote:
> >
> > I'm not sure what you mean, but -fstack-protector is documented in GCC
> > documentation, I suppose it's the same for Clang but I didn't check.
> > You can disable it on FreeBSD by setting WITHOUT_SSP in src.conf(5).
>
> Right, I wasn't very clear with that, so let me clarify:
> - _FORTIFY_SOURCE is used in /usr/include/ssp/ssp.h
> - There is a shared library /lib/libssp.so
> - In the sources of the software there is no mention of ssp.h or -lssp
> - In the sources of the software there are conditionals based on
> _FORTIFY_SOURCE being defined.
>
> So, for me as port maintainer, it looks as though adding
> -D_FORTIFY_SOURCE=2 does absolutely nothing for the software, unless I
> also #include <ssp/ssp.h> and add -lssp to LDFLAGS, unless there's some
> magic in libc or the compiler that activates bits and overrides the
> definitions for the symbols.
> Based on the commit message, I assume that adding _FORTIFY_SOURCE to
> CFLAGS does nothing, as the actual setting of this flag is compiled into
> libc.
> And -fstack-protector tells the compiler to activate the stack protector
> callbacks that are again, implemented in libc. Without this, they won't
> be activated. Does this sound correct?

This is correct. The only way to activate SSP is to use
-fstack-protector (or -fstack-protector-all).

In the near future I intend to add a knob to enable this on all ports
(at least on all which honor our CFLAGS), but this requires a patch to
the base system which, in turn, requires an exp run before being
committed (requested in PR 168010).

So I would advise you not to waste your time enabling SSP on a per-port
basis unless you have a strong need for it. Simply ensure that it
honors CFLAGS and hopefully this will be turned on before the end of
summer.

-- 
Jeremie Le Hen

Men are born free and equal. Later on, they're on their own.
Jean Yanne
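
One way for a port maintainer to confirm what the thread describes, shown as an added example that is not part of the original message: inspect a built binary's undefined symbols for the stack-protector handler `__stack_chk_fail` and for fortified `__*_chk` wrappers. The function names, the script name `check_ssp.sh` and the test program are hypothetical; the script assumes `nm` is installed and the binary is dynamically linked.

```shell
#!/bin/sh
# Added example: report whether a built binary actually references the SSP
# and _FORTIFY_SOURCE runtime hooks, judged from its undefined symbols.

# Read `nm` output on stdin and print "ssp=yes|no fortify=yes|no".
# Only undefined (type U) symbols count: they are the calls the compiler
# emitted into this binary, resolved at load time by libc or libssp.
hardening_from_symbols() {
    awk '
        NF >= 2 && $(NF - 1) == "U" {
            sym = $NF
            sub(/@.*/, "", sym)                          # drop version suffix
            if (sym == "__stack_chk_fail") ssp = 1       # canary failure handler
            if (sym ~ /^__[a-z0-9_]+_chk$/) fortify = 1  # e.g. __strcpy_chk
        }
        END {
            printf "ssp=%s fortify=%s\n", (ssp ? "yes" : "no"), (fortify ? "yes" : "no")
        }'
}

# Hypothetical helper: inspect one dynamically linked ELF file. Both the
# dynamic and the regular symbol table are read so stripped files still work.
binary_hardening() {
    { nm -D "$1" 2>/dev/null; nm "$1" 2>/dev/null; } | hardening_from_symbols
}

# Build a constructed test program with several CFLAGS and report each result.
# Run as: sh check_ssp.sh demo   (hypothetical file name; assumes cc and nm)
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#include <stdio.h>' \
        'int main(int c, char **v) { char b[16];' \
        '  snprintf(b, sizeof b, "%s", v[c - 1]); return b[0]; }' > "$dir/t.c"
    for flags in "-fno-stack-protector" "-fstack-protector-all" \
                 "-O2 -D_FORTIFY_SOURCE=2 -fno-stack-protector"; do
        # $flags is left unquoted on purpose so it splits into separate options
        cc $flags -o "$dir/t" "$dir/t.c" 2>/dev/null &&
            echo "$flags: $(binary_hardening "$dir/t")"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running `binary_hardening` on a port's installed binaries after a build shows whether the port honored the CFLAGS it was given.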