Date:      Wed, 30 May 2012 09:19:53 +0200
From:      Jeremie Le Hen <jlh@FreeBSD.org>
To:        Mel Flynn <rflynn@acsalaska.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Activating libssp
Message-ID:  <20120530071953.GD47353@felucia.tataz.chchile.org>
In-Reply-To: <4FC4C6EE.2020601@acsalaska.net>
References:  <4FC26F26.6000907@acsalaska.net> <20120528212236.GC47353@felucia.tataz.chchile.org> <4FC4C6EE.2020601@acsalaska.net>

Mel,

On Tue, May 29, 2012 at 02:54:06PM +0200, Mel Flynn wrote:
> On 28-5-2012 23:22, Jeremie Le Hen wrote:
> > 
> > I'm not sure what you mean, but -fstack-protector is documented in GCC
> > documentation, I suppose it's the same for Clang but I didn't check.
> > You can disable it on FreeBSD by setting WITHOUT_SSP in src.conf(5).
> 
> Right, I wasn't very clear with that, so let me clarify:
> - _FORTIFY_SOURCE is used in /usr/include/ssp/ssp.h
> - There is a shared library /lib/libssp.so
> - In the sources of the software there is no mention of ssp.h or -lssp
> - In the sources of the software there are conditionals based on
> _FORTIFY_SOURCE being defined.
> 
> So, for me as port maintainer, it looks as though adding
> -D_FORTIFY_SOURCE=2 does absolutely nothing for the software, unless I
> also #include <ssp/ssp.h> and add -lssp to LDFLAGS, unless there's some
> magic in libc or the compiler that activates bits and overrides the
> definitions for the symbols.
> Based on the commit message, I assume that adding _FORTIFY_SOURCE to
> CFLAGS does nothing, as the actual setting of this flag is compiled into
> libc.
> And -fstack-protector tells the compiler to activate the stack protector
> callbacks that are again, implemented in libc. Without this, they won't
> be activated. Does this sound correct?

This is correct.  The only way to activate SSP is to use
-fstack-protector (or -fstack-protector-all).  In the near future I
intend to add a knob to enable this on all ports (at least on all which
honor our CFLAGS), but this requires a patch to the base system which,
in turn, requires an exp run before being committed (requested in PR
168010).

So I would advise you not to waste your time enabling SSP on a per-port
basis unless you have a strong need for it.  Simply ensure that it
honors CFLAGS and hopefully this will be turned on before the end of
summer.

-- 
Jeremie Le Hen

Men are born free and equal.  Later on, they're on their own.
				Jean Yanne


