On 07/15/2011 04:52 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 12:59:59 -0400,
> Anthony G. Basile wrote:
>>> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
>>> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week.  I
>>> didn't encounter any special problems during the transition.
>>>
>> Time for a bug report.  If reproducible, it's a show stopper for
>> hardened gcc-4.6.1
>>
>>>> If you didn't do these, it's possible you have some binaries left that
>>>> will trigger pax violations.
>>>>
>>>> One way to quickly check if you got hardened binaries is to use a script
>>>> called checksec.sh [1] and run it on /bin or /sbin.  You should see that
>>>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>>> I just executed the script for /bin and the result [1] was very mixed.
>>> Nearly all binaries have FULL RELRO and PIE, but most have no STACK CANARY
>>> and NX. I checked whether this could be changed and rebuilt coreutils
>>> twice, but the output was the same every time.
>>>
>>> However this seems not to be a big problem since the system is currently
>>> running normally (Xfce desktop session) with my current list [2] of exceptions
>>> to mprotect which contains only binaries under /usr.
>>>
>> That's not right.  Can you compile the following, run checksec.sh on it
>> and see if you get all the hardening features:
>>
>> int main()
>> {
>>     ;
>>     return 0;
>> }
> I think I've found the issue. I had some rather aggressive CFLAGS
> enabled. Dropping them seems to correct the issue. The evil guy seems to be
> link time optimization. This is reproducible with your minimal example, if
> compiled with 'gcc' it turns out correctly. 'gcc -flto' gives the behaviour
> I've seen (no stack canary and no nx).
>
> I'm currently in the process of remerging @world, but hopefully everything
> will be ok afterwards.
>
>
>       Markus
>
> --
> For instance, on the planet Earth, man had always assumed that he was more
> intelligent than dolphins because he had achieved so much---the wheel, New
> York, wars and so on---while all the dolphins had ever done was muck about
> in the water having a good time. But conversely, the dolphins had always
> believed that they were far more intelligent than man---for precisely the
> same reasons. (Douglas Adams, The Hitchhikers Guide to the Galaxy.)

Markus,

Thanks for discovering this, I was not aware.   However, when I try to
compile with -flto, I get an error:

   cc1: error: LTO support has not been enabled in this configuration

I'm going to have to investigate.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : [email protected]
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
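
The RELRO, STACK CANARY, NX and PIE results discussed in this thread correspond to fields that can be read directly from an ELF file's header, program headers and dynamic section. The following is an added example, not part of the original message and not checksec.sh's own code: `hardening` and `sample_elf` are hypothetical names, the sample images are constructed, and the canary check is a heuristic search for the `__stack_chk_fail` symbol name.

```python
import struct, sys

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
ET_DYN, PF_X = 3, 1

def hardening(elf: bytes) -> dict:
    """Read the little-endian ELF64 fields behind each hardening property."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    phoff = struct.unpack_from("<Q", elf, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)
    nx = relro = bind_now = False      # a missing PT_GNU_STACK counts as no NX
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, p_flags, p_off = struct.unpack_from("<IIQ", elf, base)
        p_filesz = struct.unpack_from("<Q", elf, base + 32)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # an executable stack means no NX
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:     # 16-byte (tag, value) entries
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8) \
                        or (tag == DT_FLAGS_1 and val & 0x1):
                    bind_now = True    # RELRO is only "full" with immediate binding
    return {
        "RELRO": "full" if relro and bind_now else "partial" if relro else "none",
        "CANARY": b"__stack_chk_fail" in elf,  # heuristic: symbol name in file
        "NX": nx,
        "PIE": e_type == ET_DYN,       # ET_DYN is also used by shared libraries
    }

def sample_elf(e_type, stack_flags, canary, dyn_flags):
    """Constructed image: ELF header, 3 program headers, 2 dynamic entries."""
    dyn_off = 64 + 3 * 56
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    phdr = lambda t, f, off=0, sz=0: struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
    dyn = struct.pack("<qQqQ", DT_FLAGS, dyn_flags, 0, 0)
    return (ehdr + phdr(PT_GNU_STACK, stack_flags) + phdr(PT_GNU_RELRO, 4)
            + phdr(PT_DYNAMIC, 6, dyn_off, len(dyn)) + dyn
            + (b"__stack_chk_fail\0" if canary else b""))

if __name__ == "__main__":
    for path in sys.argv[1:]:          # pass paths to real ELF64 binaries
        with open(path, "rb") as f:
            print(path, hardening(f.read()))
```

The second constructed image in the test mirrors the mixed result reported in the thread (FULL RELRO and PIE, but no stack canary and no NX).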

