On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb <shawn.w...@hardenedbsd.org> 
> wrote:
> > Hey All,
> >
> > I'm interested in getting SafeStack working in FreeBSD base. Below is a
> > link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> > The patch applies against HardenedBSD's hardened/current/master branch.
> > Given how simple the patch is, it'd be extremely easy to port over to
> > FreeBSD (just line numbers would change).
> >
> > I am running into a bit of a problem, though. When linking
> > lib/libcom_err, I get the following error:
> >
> > com_err.So: In function `com_err':
> > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined 
> > reference to `__safestack_unsafe_stack_ptr'
> > cc: error: linker command failed with exit code 1 (use -v to see invocation)
> > *** [libcom_err.so.5.full] Error code 1
> >
> > llvm's documentation says that SafeStack has been tested on FreeBSD.
> > When and how was it tested? Apparently someone has done some work to
> > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> > documentation.
> >
> > If someone could point me in the right direction, I'd love to help get
> > SafeStack working (and commited?) in FreeBSD.
> >
> > Link to simplistic patch: http://ix.io/186A
> > Link to build log: 
> > https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169
> 
> Hey Shawn,
> 
> The relevant link line is:
> 
> > -- libcom_err.so.5.full ---
> > building shared library libcom_err.so.5
> > cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp 
> > -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now 
> > -fsanitize=safe-stack 
> > -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map
> >  -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings 
> > -Wl,--warn-shared-textrel  -o libcom_err.so.5.full 
> > -Wl,-soname,libcom_err.so.5  `NM='nm' NMFLAGS='' lorder com_err.So error.So 
> > | tsort -q`
> 
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. ??? Linking a DSO with
> SafeStack is not currently supported." [0]
> 
> That probably needs to be addressed upstream before it can be enabled 
> globally.

Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

Attachment: signature.asc
Description: PGP signature

Reply via email to