On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
> > Hey All,
> >
> > I'm interested in getting SafeStack working in FreeBSD base. Below is a
> > link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> > The patch applies against HardenedBSD's hardened/current/master branch.
> > Given how simple the patch is, it'd be extremely easy to port over to
> > FreeBSD (just line numbers would change).
> >
> > I am running into a bit of a problem, though. When linking
> > lib/libcom_err, I get the following error:
> >
> > com_err.So: In function `com_err':
> > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined
> > reference to `__safestack_unsafe_stack_ptr'
> > cc: error: linker command failed with exit code 1 (use -v to see invocation)
> > *** [libcom_err.so.5.full] Error code 1
> >
> > llvm's documentation says that SafeStack has been tested on FreeBSD.
> > When and how was it tested? Apparently someone has done some work to
> > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> > documentation.
> >
> > If someone could point me in the right direction, I'd love to help get
> > SafeStack working (and committed?) in FreeBSD.
> >
> > Link to simplistic patch: http://ix.io/186A
> > Link to build log:
> > https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169
>
> Hey Shawn,
>
> The relevant link line is:
>
> > -- libcom_err.so.5.full ---
> > building shared library libcom_err.so.5
> > cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp
> > -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now
> > -fsanitize=safe-stack
> > -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
> > -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings
> > -Wl,--warn-shared-textrel -o libcom_err.so.5.full
> > -Wl,-soname,libcom_err.so.5 `NM='nm' NMFLAGS='' lorder com_err.So error.So
> > | tsort -q`
>
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. ... Linking a DSO with
> SafeStack is not currently supported."
>
> That probably needs to be addressed upstream before it can be enabled
> globally.

Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE