Date: Wed, 30 May 2012 09:19:53 +0200
From: Jeremie Le Hen
To: Mel Flynn
Cc: freebsd-hackers@freebsd.org
Subject: Re: Activating libssp
Message-ID: <20120530071953.GD47353@felucia.tataz.chchile.org>
In-Reply-To: <4FC4C6EE.2020601@acsalaska.net>
List-Id: Technical Discussions relating to FreeBSD

Mel,

On Tue, May 29, 2012 at 02:54:06PM +0200, Mel Flynn wrote:
> On 28-5-2012 23:22, Jeremie Le Hen wrote:
> >
> > I'm not sure what you mean, but -fstack-protector is documented in GCC
> > documentation, I suppose it's the same for Clang but I didn't check.
> > You can disable it on FreeBSD by setting WITHOUT_SSP in src.conf(5).
>
> Right, I wasn't very clear with that, so let me clarify:
> - _FORTIFY_SOURCE is used in /usr/include/ssp/ssp.h
> - There is a shared library /lib/libssp.so
> - In the sources of the software there is no mention of ssp.h or -lssp
> - In the sources of the software there are conditionals based on
>   _FORTIFY_SOURCE being defined.
>
> So, for me as port maintainer, it looks as though adding
> -D_FORTIFY_SOURCE=2 does absolutely nothing for the software, unless I
> also #include and add -lssp to LDFLAGS, unless there's some
> magic in libc or the compiler that activates bits and overrides the
> definitions for the symbols.
> Based on the commit message, I assume that adding _FORTIFY_SOURCE to
> CFLAGS does nothing, as the actual setting of this flag is compiled into
> libc.
> And -fstack-protector tells the compiler to activate the stack protector
> callbacks that are, again, implemented in libc. Without this, they won't
> be activated. Does this sound correct?

This is correct. The only way to activate SSP is to use
-fstack-protector (or -fstack-protector-all).

In the near future I intend to add a knob to enable this on all ports
(at least on all which honor our CFLAGS), but this requires a patch to
the base system which, in turn, requires an exp run before being
committed (requested in PR 168010).

So I would advise you not to waste your time enabling SSP on a per-port
basis unless you have a strong need for it. Simply ensure that it
honors CFLAGS and hopefully this will be turned on before the end of
summer.

-- 
Jeremie Le Hen

Men are born free and equal.  Later on, they're on their own.
                                Jean Yanne
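
Added example, not part of the original message and not FreeBSD's own tooling: one way to check that a port's build honored a CFLAGS containing -fstack-protector is to look for references to the stack-protector runtime symbols in `nm -A -D` output for the installed binaries. The function names and the stage/ paths are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: report which binaries reference the stack-protector runtime.
# Input on stdin is `nm -A -D` output, one "file:[address] type symbol" line
# per dynamic symbol. Assumption: file paths contain no ':' character.
ssp_report() {
    awk '
    {
        file = substr($0, 1, index($0, ":") - 1)
        if (file == "") next
        if (!(file in seen)) { seen[file] = 1; order[++n] = file }
        # Code instrumented by -fstack-protector compares a canary taken
        # from __stack_chk_guard and calls __stack_chk_fail on mismatch;
        # both are provided by the C runtime, not by the program itself.
        if ($NF ~ /^__stack_chk_(fail|guard)/) ssp[file] = 1
    }
    END {
        # "no-ssp" means no reference was found. A binary in which the
        # compiler found no function worth protecting also lands here.
        for (i = 1; i <= n; i++)
            printf "%s %s\n", order[i], (order[i] in ssp) ? "ssp" : "no-ssp"
    }'
}

# Typical use against a staged port (path is hypothetical):
#   find stage/usr/local -type f -exec nm -A -D {} + 2>/dev/null | ssp_report

# Constructed sample of `nm -A -D` output for two binaries.
sample_nm_output() {
    cat <<'EOF'
stage/bin/foo:                 U __stack_chk_fail
stage/bin/foo:                 U __stack_chk_guard
stage/bin/foo:                 U strcpy
stage/bin/bar:                 U printf
stage/bin/bar:                 U exit
EOF
}

sample_nm_output | ssp_report
```

Statically linked binaries have no dynamic symbol table, so they produce no lines and do not appear in the report; run `nm -A` without `-D` on unstripped copies to cover them.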