Date:      Thu, 7 Feb 2013 23:52:42 +0100
From:      Jeremie Le Hen <jlh@FreeBSD.org>
To:        Dimitry Andric <dim@FreeBSD.org>
Cc:        Kimmo Paasiala <kpaasial@gmail.com>, FreeBSD current <freebsd-current@freebsd.org>, freebsd-stable@freebsd.org
Subject:   Re: CLANG and -fstack-protector
Message-ID:  <20130207225242.GA5900@felucia.tataz.chchile.org>
In-Reply-To: <51141769.5060905@FreeBSD.org>
References:  <CA%2B7WWSeFh9sJyo3kKD5wTEHoyTSjR6TuDDgDCV5Nhc_wMzVUkg@mail.gmail.com> <51141769.5060905@FreeBSD.org>

Hi Kimmo,

On Thu, Feb 07, 2013 at 10:06:49PM +0100, Dimitry Andric wrote:
> On 2013-02-07 20:42, Kimmo Paasiala wrote:
> > Does the -fstack-protector option work on CLANG 3.1 and 3.2?
> 
> Yes, it works with both clang and gcc.
> 
> 
> > There is a thread on FreeBSD forums about the stack protector and ports
> > and I'm wondering if it's possible to use the -fstack-protector option
> > with CLANG.
> >
> > http://forums.freebsd.org/showthread.php?t=36927
> 
> That thread seems to be full of confusion. :-)  The base system is mostly
> built with -fstack-protector, except for the ia64, arm and mips arches,
> and for some specific cases where it is not necessary, or unwanted.
> 
> Ports are largely independent of the base system, and their compilation
> flags are different from port to port.  You could set -fstack-protector
> for your ports in either make.conf or ports.conf, if you wanted.

You can do this, it will work for most of the ports but some ports do
not honor CFLAGS.  If those ports happen to be linked against libraries
that were compiled with -fstack-protector, you will get a missing symbol
error.

Well, to be honest, I don't remember enough details, they faded from my
memory, I need to check this.

So if you care about security enough, go for it!  If you meet a weird
error like a missing "stack_chk_fail" symbol for some ports (lang/perl
might be a candidate in my memory), then look at the PR below, it will
probably solve your problem.  Time has passed and I am interested in
your feedback without the patch (and then with, if relevant).

Basically the following PR contains a patch that waits for an exp run to
be committed into the base system.  This just turns libc.so into an ld
script that pulls in libssp_nonshared.a.  You just have to run "make all
install" in src/lib/libc after applying it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/168010

I run it on my servers with -fstack-protector enabled for ports without
any problem.

Cheers!
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
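
An added example, not part of the original message or of the PR it links: a shell helper that classifies objects by whether they reference the stack-protector failure handler, which is one way to spot ports that did not pick up -fstack-protector from make.conf. The symbol names `__stack_chk_fail` and `__stack_chk_fail_local` are the ones gcc and clang emit; the function names and the sample `nm` listings are constructed for this example.

```shell
#!/bin/sh
# Added example: classify objects by their stack-protector symbols.
# Input is `nm` output; the sample listings below are constructed.

# ssp_status: read nm output on stdin and print one of
#   needs-ssp     undefined reference to the SSP failure handler
#   provides-ssp  defines the handler (e.g. libc, libssp_nonshared.a)
#   no-ssp        no stack-protector symbols: built without
#                 -fstack-protector, or no function needed a canary
ssp_status() {
    awk '
        NF >= 2 {
            sym = $NF
            sub(/@.*/, "", sym)      # strip a version suffix such as @FBSD_1.0
            if (sym == "__stack_chk_fail" || sym == "__stack_chk_fail_local") {
                if ($(NF - 1) == "U") has_undef = 1; else has_def = 1
            }
        }
        END {
            if (has_undef) print "needs-ssp"
            else if (has_def) print "provides-ssp"
            else print "no-ssp"
        }'
}

# audit_objects: print "<status><TAB><file>" for each file named.
# nm -D lists dynamic symbols; plain nm is the fallback for .o/.a files.
audit_objects() {
    for f in "$@"; do
        syms=$(nm -D "$f" 2>/dev/null || true)
        [ -n "$syms" ] || syms=$(nm "$f" 2>/dev/null || true)
        printf '%s\t%s\n' "$(printf '%s\n' "$syms" | ssp_status)" "$f"
    done
}

# Constructed nm listings for illustration.
sample_protected() {
    printf '%s\n' '                 U __stack_chk_fail' \
        '                 U memcpy' '0000000000001a20 T parse_header'
}
sample_unprotected() {
    printf '%s\n' '                 U memcpy' '0000000000001a20 T parse_header'
}

# Audit any files given on the command line.
if [ "$#" -gt 0 ]; then audit_objects "$@"; fi
```

Run it with the installed binaries and libraries of a port as arguments; a `no-ssp` result on a port with many C functions suggests its build ignored CFLAGS.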


