On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
> Hey All,
> I'm interested in getting SafeStack working in FreeBSD base. Below is a
> link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> The patch applies against HardenedBSD's hardened/current/master branch.
> Given how simple the patch is, it'd be extremely easy to port over to
> FreeBSD (just line numbers would change).
> I am running into a bit of a problem, though. When linking
> lib/libcom_err, I get the following error:
> com_err.So: In function `com_err':
> /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined 
> reference to `__safestack_unsafe_stack_ptr'
> cc: error: linker command failed with exit code 1 (use -v to see invocation)
> *** [libcom_err.so.5.full] Error code 1
> llvm's documentation says that SafeStack has been tested on FreeBSD.
> When and how was it tested? Apparently someone has done some work to
> enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> documentation.
> If someone could point me in the right direction, I'd love to help get
> SafeStack working (and committed?) in FreeBSD.
> Link to simplistic patch: http://ix.io/186A
> Link to build log: 
> https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169

Hey Shawn,

The relevant link line is:

> -- libcom_err.so.5.full ---
> building shared library libcom_err.so.5
> cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp 
> -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now 
> -fsanitize=safe-stack 
> -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
>  -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings 
> -Wl,--warn-shared-textrel  -o libcom_err.so.5.full 
> -Wl,-soname,libcom_err.so.5  `NM='nm' NMFLAGS='' lorder com_err.So error.So | 
> tsort -q`

The problem appears to be an upstream limitation of
-fsanitize=safe-stack: "Most programs, static libraries, or individual
files can be compiled with SafeStack as is. … Linking a DSO with
SafeStack is not currently supported." [0]

That probably needs to be addressed upstream before it can be enabled globally.


[0]: http://clang.llvm.org/docs/SafeStack.html
freebsd-current@freebsd.org mailing list
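
The limitation cited in the reply can be checked for across a whole build log. The following is an added example, not part of the original thread or of the FreeBSD or LLVM code: it lists link commands that pass both -shared and -fsanitize=safe-stack. The log excerpt, the set of driver names and the function names are assumptions made for illustration.

```python
import shlex

# Compiler driver names treated as compile/link commands (assumption for this sketch).
DRIVERS = {"cc", "c++", "clang", "clang++"}

# Constructed build-log excerpt, modelled on the link line quoted in the message.
SAMPLE_LOG = """\
--- com_err.So ---
cc -target x86_64-unknown-freebsd12.0 -fpic -DPIC -fsanitize=safe-stack -c com_err.c -o com_err.So
--- libcom_err.so.5.full ---
building shared library libcom_err.so.5
cc -target x86_64-unknown-freebsd12.0 -Wl,--no-undefined -fsanitize=safe-stack -fstack-protector-strong -shared -o libcom_err.so.5.full -Wl,-soname,libcom_err.so.5 com_err.So error.So
--- compile_et.full ---
cc -target x86_64-unknown-freebsd12.0 -fsanitize=safe-stack -o compile_et.full compile_et.o parse.o
--- libexample.so.1.full ---
cc -fsanitize=safe-stack -fno-sanitize=safe-stack -shared -o libexample.so.1.full example.So
"""


def safestack_enabled(args):
    """Return True if safe-stack is on after applying -f[no-]sanitize= flags in order."""
    enabled = False
    for arg in args:
        for prefix, value in (("-fsanitize=", True), ("-fno-sanitize=", False)):
            if arg.startswith(prefix) and "safe-stack" in arg[len(prefix):].split(","):
                enabled = value
    return enabled


def find_safestack_dso_links(log_text):
    """Return output names of link commands that pass both -shared and safe-stack."""
    hits = []
    for line in log_text.splitlines():
        try:
            args = shlex.split(line)
        except ValueError:          # unbalanced quotes in a log line
            args = line.split()
        if not args or args[0].rsplit("/", 1)[-1] not in DRIVERS:
            continue
        if "-c" in args or "-shared" not in args:
            continue                # compile-only step, or not a DSO link
        if safestack_enabled(args):
            out = args[args.index("-o") + 1] if "-o" in args[:-1] else "<unknown>"
            hits.append(out)
    return hits


if __name__ == "__main__":
    for name in find_safestack_dso_links(SAMPLE_LOG):
        print("DSO linked with -fsanitize=safe-stack:", name)
```

Only the libcom_err link is reported for the constructed log: the object compile, the program link and the link where -fno-sanitize=safe-stack comes last are skipped.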