From owner-freebsd-current@FreeBSD.ORG Thu Feb 7 22:52:55 2013
From: Jeremie Le Hen <jlh@FreeBSD.org>
To: Dimitry Andric
Cc: Kimmo Paasiala, FreeBSD current <freebsd-current@freebsd.org>, freebsd-stable@freebsd.org
Date: Thu, 7 Feb 2013 23:52:42 +0100
Subject: Re: CLANG and -fstack-protector
Message-ID: <20130207225242.GA5900@felucia.tataz.chchile.org>
In-Reply-To: <51141769.5060905@FreeBSD.org>

Hi Kimmo,

On Thu, Feb 07, 2013 at 10:06:49PM +0100, Dimitry Andric wrote:
> On 2013-02-07 20:42, Kimmo Paasiala wrote:
> > Does the -fstack-protector option work on CLANG 3.1 and 3.2?
>
> Yes, it works with both clang and gcc.
>
> > There is a thread on FreeBSD forums about the stack protector and ports
> > and I'm wondering if it's possible to use the -fstack-protector option
> > with CLANG.
> >
> > http://forums.freebsd.org/showthread.php?t=36927
>
> That thread seems to be full of confusion. :-) The base system is mostly
> built with -fstack-protector, except for the ia64, arm and mips arches,
> and for some specific cases where it is not necessary, or unwanted.
>
> Ports are largely independent of the base system, and their compilation
> flags are different from port to port. You could set -fstack-protector
> for your ports in either make.conf or ports.conf, if you wanted.

You can do this, it will work for most of the ports but some ports do not
honor CFLAGS. If those ports happen to be linked against libraries that
were compiled with -fstack-protector, you will get a missing symbol error.
Well, to be honest, I don't remember enough details, they faded from my
memory, I need to check this.

So if you care about security enough, go for it! If you meet a weird error
like a missing "stack_chk_fail" symbol for some ports (lang/perl might be
a candidate in my memory), then look at the PR below, it will probably
solve your problem. Time has passed and I am interested in your feedback
without the patch (and then with, if relevant).

Basically the following PR contains a patch that waits for an exp run to
be committed into the base system. This just turns libc.so into an ld
script that pulls in libssp_nonshared.a. You just have to run "make all
install" in src/lib/libc after applying it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/168010

I run it on my servers with -fstack-protector enabled for ports without
any problem.

Cheers!
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
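A small audit helper, added here and not part of the mail above or of FreeBSD itself: it uses nm(1) to tell which installed objects reference the SSP runtime symbol the thread is about (__stack_chk_fail, with __stack_chk_guard as a second indicator) and which define it, so you can see which ports actually honoured -fstack-protector and which binaries depend on libc or libssp_nonshared to resolve it. It assumes nm and file(1) are installed and that the symbol names follow the standard SSP ABI.

```shell
#!/bin/sh
# Added audit helper, not part of the original mail or of FreeBSD. It classifies
# ELF objects by their stack-protector runtime references so you can spot ports
# that ignored CFLAGS and were built without SSP. Assumptions: nm(1) is available
# (binutils or elftoolchain) and prints "U" for undefined symbols; __stack_chk_fail
# and __stack_chk_guard are the standard SSP runtime symbol names.

# ssp_classify: read nm -D style output on stdin and print one word:
#   protected   - undefined reference to an SSP symbol (object was built with
#                 -fstack-protector and needs libc/libssp_nonshared to resolve it)
#   provider    - the object defines an SSP symbol (libc, libssp, libssp_nonshared)
#   unprotected - no SSP symbol at all (no canary checks were emitted)
ssp_classify() {
    awk '
        {
            sym = $NF
            sub(/@.*/, "", sym)            # drop "@GLIBC_2.4"-style version suffix
            if (sym != "__stack_chk_fail" && sym != "__stack_chk_guard") next
            type = (NF >= 2) ? $(NF - 1) : ""
            if (type == "U" || type == "w" || type == "v") undef = 1
            else def = 1
        }
        END {
            if (def) print "provider"
            else if (undef) print "protected"
            else print "unprotected"
        }'
}

# ssp_status FILE: classify one shared object or executable via nm.
ssp_status() {
    nm -D "$1" 2>/dev/null | ssp_classify
}

# audit_dir DIR: print "<status>\t<path>" for every ELF file below DIR.
# Uses file(1) to skip scripts and data; that tool is an assumption too.
audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if file "$f" | grep -q ELF; then
            printf '%s\t%s\n' "$(ssp_status "$f")" "$f"
        fi
    done
}
```

Run `audit_dir /usr/local/lib` (or bin) after a ports build with -fstack-protector in make.conf; a "protected" object whose libc does not provide __stack_chk_fail is exactly the link-time failure the PR addresses.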