From owner-freebsd-hackers@FreeBSD.ORG Tue May 29 12:54:11 2012
Message-ID: <4FC4C6EE.2020601@acsalaska.net>
Date: Tue, 29 May 2012 14:54:06 +0200
From: Mel Flynn
To: freebsd-hackers@freebsd.org
References: <4FC26F26.6000907@acsalaska.net> <20120528212236.GC47353@felucia.tataz.chchile.org>
In-Reply-To: <20120528212236.GC47353@felucia.tataz.chchile.org>
Subject: Re: Activating libssp

On 28-5-2012 23:22, Jeremie Le Hen wrote:
> Hi Mel,
>
> On Sun, May 27, 2012 at 08:15:02PM +0200, Mel Flynn wrote:
>> Hi,
>>
>> for a port, I'm seeing:
>> #ifdef _FORTIFY_SOURCE
>> ...
>> #endif
>>
>> I did a bit of reading (http://wiki.debian.org/Hardening) for example,
>> searching through /usr/share/mk/* /usr/include/libssp, /usr/src/gnu/libssp.
>>
>> However, it's not clear to me, where the magic is that pulls in the
>> libssp library that is in /lib.
>>
>> Also - it seems to be part of gcc, so does that mean on systems without
>> gcc, that this library is not available or does clang have a variant?
>
> gnu/lib/libssp is built for compatibility reasons. See
> http://svnweb.freebsd.org/base?view=revision&revision=169718

This clarifies a bit about the existence of libssp as a shared lib. Thanks.

> Our libc provides the necessary symbols.
> http://svnweb.freebsd.org/base/head/lib/libc/sys/stack_protector.c
>
>> I do see -fstack-protector is added to CFLAGS by default, so I'm
>> thinking there's some magic somewhere, but I'm just missing the docs
>> that tell me "if you add foo to CFLAGS then bar will happen, unless baz".
>
> I'm not sure what you mean, but -fstack-protector is documented in GCC
> documentation, I suppose it's the same for Clang but I didn't check.
> You can disable it on FreeBSD by setting WITHOUT_SSP in src.conf(5).

Right, I wasn't very clear with that, so let me clarify:
- _FORTIFY_SOURCE is used in /usr/include/ssp/ssp.h
- There is a shared library /lib/libssp.so
- In the sources of the software there is no mention of ssp.h or -lssp
- In the sources of the software there are conditionals based on
  _FORTIFY_SOURCE being defined.

So, for me as port maintainer, it looks as though adding
-D_FORTIFY_SOURCE=2 does absolutely nothing for the software, unless I
also #include and add -lssp to LDFLAGS, unless there's some magic in
libc or the compiler that activates bits and overrides the definitions
for the symbols.

Based on the commit message, I assume that adding _FORTIFY_SOURCE to
CFLAGS does nothing, as the actual setting of this flag is compiled into
libc. And -fstack-protector tells the compiler to activate the stack
protector callbacks that are again, implemented in libc. Without this,
they won't be activated.

Does this sound correct?

As a side note, the code in question does not apply to FreeBSD at all as
we have no __FD_SETSIZE symbol anywhere that I can find:
#ifndef _FORTIFY_SOURCE
#include
#undef __FD_SETSIZE
#define __FD_SETSIZE 8192
#endif

so I'm patching that to read FD_SETSIZE or add -DFD_SETSIZE=8192 to
CFLAGS (not sure which I'll use yet).

-- 
Mel
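
[Added example, not part of the original message or of FreeBSD's sources: a shell check a port maintainer could run to see which stack-protector symbols an object file leaves for libc (or libssp) to resolve, with and without -fstack-protector. The C test file is constructed and the function name ssp_refs is hypothetical; it assumes a C compiler reachable as cc (or $CC) and nm.]

```shell
#!/bin/sh
# Added example. The C file is constructed for the demonstration and the
# function name ssp_refs is hypothetical.

# ssp_refs FLAGS...
# Compile a small constructed C file to an object with the given compiler
# flags and print the stack-protector symbols the object leaves undefined,
# i.e. the ones the linker has to find in libc (or libssp).
ssp_refs() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/t.c" <<'EOF'
#include <string.h>
extern void sink(char *);
/* A char array on the stack is what -fstack-protector guards. */
void copy(const char *s) { char buf[64]; strcpy(buf, s); sink(buf); }
EOF
    if ${CC:-cc} -O0 -c "$@" -o "$dir/t.o" "$dir/t.c"; then
        # nm -u lists undefined symbols; keep only the canary-related ones.
        nm -u "$dir/t.o" | awk '{ print $NF }' | grep '__stack_chk' | sort -u
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

echo "with -fstack-protector:    $(ssp_refs -fstack-protector | tr '\n' ' ')"
echo "with -fno-stack-protector: $(ssp_refs -fno-stack-protector | tr '\n' ' ')"
```

The first line lists __stack_chk_fail (and, on platforms that keep the canary in a global, __stack_chk_guard); the second line is empty, because without the flag the compiler emits no references to them.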