On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb <shawn.w...@hardenedbsd.org> wrote: > Hey All, > > I'm interested in getting SafeStack working in FreeBSD base. Below is a > link to a simplistic (maybe too simplistic?) patch to enable SafeStack. > The patch applies against HardenedBSD's hardened/current/master branch. > Given how simple the patch is, it'd be extremely easy to port over to > FreeBSD (just line numbers would change). > > I am running into a bit of a problem, though. When linking > lib/libcom_err, I get the following error: > > com_err.So: In function `com_err': > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined > reference to `__safestack_unsafe_stack_ptr' > cc: error: linker command failed with exit code 1 (use -v to see invocation) > *** [libcom_err.so.5.full] Error code 1 > > llvm's documentation says that SafeStack has been tested on FreeBSD. > When and how was it tested? Apparently someone has done some work to > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific > documentation. > > If someone could point me in the right direction, I'd love to help get > SafeStack working (and commited?) in FreeBSD. > > Link to simplistic patch: http://ix.io/186A > Link to build log: > https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169
Hey Shawn, The relevant link line is: > -- libcom_err.so.5.full --- > building shared library libcom_err.so.5 > cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp > -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now > -fsanitize=safe-stack > -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map > -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings > -Wl,--warn-shared-textrel -o libcom_err.so.5.full > -Wl,-soname,libcom_err.so.5 `NM='nm' NMFLAGS='' lorder com_err.So error.So | > tsort -q` The problem appears to be an upstream limitation of -fsanitize=safe-stack: "Most programs, static libraries, or individual files can be compiled with SafeStack as is. … Linking a DSO with SafeStack is not currently supported."  That probably needs to be addressed upstream before it can be enabled globally. Best, Conrad : http://clang.llvm.org/docs/SafeStack.html _______________________________________________ firstname.lastname@example.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"