On Tue, Jun 24, 2014 at 11:29:31AM +0200, Romain Francoise wrote:
> Hi,
>
> GCC 4.9 supports a new stack protector implementation, enabled via the
> -fstack-protector-strong flag, which provides a better balance between
> security and performance than the default implementation that we're
> currently using. This new flag is already used by Fedora 20 and
> ChromeOS. See the following for more information:

Thanks for testing this! I would love to see this change go into the
archive.

> https://lwn.net/Articles/584225/
> http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
> https://fedorahosted.org/fesco/ticket/1128
>
> The Security Team has expressed interest in switching dpkg-buildflags
> over to this new flag in Debian for jessie, now that GCC 4.9 is the
> default compiler on all release architectures. In order to see the
> impact on the archive, David Suárez did a full rebuild on EC2 with a
> patched dpkg-dev which emits the new flag.
>
> There are only 16 new failures, which can be categorized as follows:
>
> * explicitly build-depends on and uses gcc/g++ 4.8, which doesn't
> understand -fstack-protector-strong:
> - ccbuild 2.0.6-2.1
> - chromium-browser 35.0.1916.153-2
> - contextfree 3.0.5+dfsg1-2.1
> - flexc++ 2.01.00-1
> - gpg-remailer 3.00.02-1
> - higan 094-4
> - llvm-toolchain-snapshot 1:3.5~svn209039-2
> - openimageio 1.4.9~dfsg0-1 (already fixed in -2)
> - oxref 1.00.01-1
> - spek 0.8.2-3.1
> - webkitgtk 2.4.3-2
>
> * explicitly build-depends on and uses gcc 4.6:
> - estic 1.61-20.1 (#747980)
>
> * explicitly build-depends on and uses Clang 3.4:
> - feel++ 1:0.98.0-final-1

I wonder if there is any sensible way for dpkg-buildflags to detect (or
maybe just be told) which compiler will be used for a build? Perhaps it
could take a new argument that would allow it to select flags based on
the compiler name and version?

dpkg-buildflags --compiler=gcc-4.7

> * false positives:
> - gcc-4.7 4.7.4-1 (checks that dpkg-dev is 'ii')
> - seqan 1.4.1-3 (attempts to disable the stack protector using sed)
>
> * needs test suite upgrade for -fstack-protector-strong:
> - hardening-wrapper 2.5

I can get this fixed up. Though really hardening-wrapper should be
deprecated for Jessie.

> See http://aws-logs.debian.net/ftbfs-logs/buildflags/ for the full
> results and build logs.
>
> As the number of build failures is low, I think it's safe to simply
> switch the default flag emitted by dpkg-buildflags and file bugs against
> the above packages to ask the maintainers to disable the stack protector
> or filter out/replace the new flag if they really can't upgrade to GCC
> 4.9.
>
> So here is a prospective patch which changes dpkg-buildflags to emit the
> new flag for all architectures known to use GCC 4.9 as of today. Let me
> know if this looks workable for you.
>
>
> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm > index c5020dc..4e19752 100644 > --- a/scripts/Dpkg/Vendor/Debian.pm > +++ b/scripts/Dpkg/Vendor/Debian.pm > @@ -92,6 +92,7 @@ sub add_hardening_flags { > relro => 1, > bindnow => 0, > ); > + my $use_stackprotector_strong = 1; > > # Adjust features based on Maintainer's desires. > my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS'); > @@ -129,6 +130,12 @@ sub add_hardening_flags { > # compiler supports it incorrectly (leads to SEGV) > $use_feature{stackprotector} = 0; > } > + if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) { > + # "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32. > + # It requires GCC 4.9 and these archs are still using 4.8 as of > + # gcc-defaults 1.128. > + $use_stackprotector_strong = 0; > + } > if ($cpu =~ /^(?:ia64|hppa|avr32)$/) { > # relro not implemented on ia64, hppa, avr32. > $use_feature{relro} = 0;
> @@ -161,13 +168,23 @@ sub add_hardening_flags { > > # Stack protector > if ($use_feature{stackprotector}) { > - $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); > - $flags->append('OBJCFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > - $flags->append('OBJCXXFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > - $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); > - $flags->append('FCFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > - $flags->append('CXXFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > - $flags->append('GCJFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + if ($use_stackprotector_strong) { > + $flags->append('CFLAGS', '-fstack-protector-strong'); > + $flags->append('OBJCFLAGS', '-fstack-protector-strong'); > + $flags->append('OBJCXXFLAGS', '-fstack-protector-strong'); > + $flags->append('FFLAGS', '-fstack-protector-strong'); > + $flags->append('FCFLAGS', '-fstack-protector-strong'); > + $flags->append('CXXFLAGS', '-fstack-protector-strong'); > + $flags->append('GCJFLAGS', '-fstack-protector-strong'); > + } else { > + $flags->append('CFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + $flags->append('OBJCFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + $flags->append('OBJCXXFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + $flags->append('FFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + $flags->append('FCFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + $flags->append('CXXFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + $flags->append('GCJFLAGS', '-fstack-protector > --param=ssp-buffer-size=4'); > + } > } > > # Fortify Source

This looks good, thanks!

-Kees

-- 
Kees Cook @debian.org
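Review bot: in the first hunk (`@@ -92,6 +92,7`) `$use_stackprotector_strong` is a bare lexical initialised to 1 instead of an entry in `%use_feature` next to `stackprotector`, so the block that follows ("Adjust features based on Maintainer's desires", which reads `DEB_BUILD_MAINT_OPTIONS`) has no way to switch it off, and the gcc-4.8/clang-3.4 packages listed in the cover text are left filtering the flag out by hand. Suggest adding `stackprotectorstrong => 1,` to the `%use_feature` initialiser (beside `relro => 1,` and `bindnow => 0,`) so the existing maintainer opt-out mechanism applies to it unchanged.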
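Review bot: the `$arch` allowlist in the second hunk (`@@ -129,6 +130,12`) is a compiler-version proxy frozen at "gcc-defaults 1.128", not a hardware property like the neighbouring `$cpu` checks, and nothing will flag it once m68k, or1k, powerpcspe, sh4 and x32 move to GCC 4.9: those ports would keep getting the weaker `-fstack-protector --param=ssp-buffer-size=4` indefinitely. Suggest stating the removal condition in the commit message or changelog so it is revisited when gcc-defaults changes, and keeping the list in one place if dpkg-buildflags later grows a real compiler-selection knob along the lines of the `--compiler` idea above.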
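Review bot: the third hunk (`@@ -161,13 +168,23`) duplicates the seven `$flags->append(...)` calls across the `if`/`else`, so any future flag variable must be added in two places; compute the value once, e.g. `my $ssp = $use_stackprotector_strong ? '-fstack-protector-strong' : '-fstack-protector --param=ssp-buffer-size=4';`, and append it in a loop over `qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS)`. Separately, the mailer has wrapped the long lines in this hunk (`'-fstack-protector > --param=ssp-buffer-size=4'` is split across two quoted lines), so the patch as mailed will not apply with `git am`; please resend it as an attachment or via `git send-email`.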
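A sketch of the compiler-aware flag selection floated above (`dpkg-buildflags --compiler=gcc-4.7`), together with the "filter out the new flag" step the cover text asks affected maintainers to perform, as an added example in POSIX sh. This is not code from the thread or from dpkg: the function names `ssp_flag_for_compiler`, `ssp_probe` and `filter_strong_ssp` are invented here, the version parsing assumes GCC's `gcc-MAJOR.MINOR` package naming, bare `gcc`/`cc` names are taken to mean the archive default (GCC 4.9 per the thread), and non-GCC names are simply given the legacy flag, which is a simplifying assumption rather than a statement about clang.

```shell
#!/bin/sh
# Added example, not dpkg's code: choose the stack-protector flag from a
# compiler name/version, probe a real compiler for support, and strip the
# strong flag from an existing CFLAGS string.

STRONG='-fstack-protector-strong'
LEGACY='-fstack-protector --param=ssp-buffer-size=4'

# ssp_flag_for_compiler NAME  (e.g. gcc-4.7, g++-4.9, gcc)
# Prints the flag to use. Strong protector requires GCC >= 4.9 (assumption:
# bare names mean the archive default, non-GCC names get the legacy flag).
ssp_flag_for_compiler() {
    name=$1
    case "$name" in
        gcc|g++|cc|c++)  echo "$STRONG"; return 0 ;;
        gcc-*|g++-*)     ver=${name#*-} ;;
        *)               echo "$LEGACY"; return 0 ;;
    esac
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    # Non-numeric versions (gcc-snapshot style names) fall back to legacy.
    case "$major$minor" in ''|*[!0-9]*) echo "$LEGACY"; return 0 ;; esac
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }; then
        echo "$STRONG"
    else
        echo "$LEGACY"
    fi
}

# ssp_probe CC
# Empirical check: does CC accept -fstack-protector-strong? Exit 0 if so.
ssp_probe() {
    cc=$1
    tmp=$(mktemp -d) || return 1
    printf 'int main(void){char b[4];b[0]=0;return b[0];}\n' > "$tmp/t.c"
    if "$cc" $STRONG -c "$tmp/t.c" -o "$tmp/t.o" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# filter_strong_ssp FLAGS
# Remove -fstack-protector-strong from a flag string (what a package that
# truly must build with gcc-4.8 would do in debian/rules before adding the
# legacy flag back). Whitespace is normalised to single spaces.
filter_strong_ssp() {
    out=
    for f in $1; do
        [ "$f" = "$STRONG" ] && continue
        out="${out:+$out }$f"
    done
    echo "$out"
}

# Stand-alone usage: probe the local compiler if one is present.
if command -v "${CC:-cc}" >/dev/null 2>&1; then
    if ssp_probe "${CC:-cc}"; then
        echo "${CC:-cc} accepts $STRONG"
    else
        echo "${CC:-cc} rejects $STRONG; use: $LEGACY"
    fi
fi
```

The version parse is what a `--compiler=` option would consume; the probe is the safer check where the build environment is available, since it asks the actual compiler instead of trusting its name.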

