Re: [OpenWrt-Devel] Hardening Issues / Revert r46146 ?

2015-07-08 Thread Dirk Neukirchen
On 08.07.2015 09:41, Steven Barth wrote:
> The reason for the commit was that supporting hardening such as SSP
> across 3 libcs is a PITA to maintain. I'm fine if someone comes up
> with a patch that would fix it, though.
> 
> In general, you suggest always enabling uClibc's SSP options and getting
> rid of GCC's libssp?
> 

If I read the documents correctly, libssp will be empty because
glibc and uclibc both contain the symbols for SSP in libc.so/ldso
(by default (?) in glibc, if enabled in the uclibc case).
This has been the case since around 2005/2006.

Most normal software should link against/use that glibc/uclibc implementation in
the OpenWrt environment.

Since libssp is empty, the libssp switch should have no effect on building
binaries, because gcc decides what to link against in both cases of
--disable/enable-libssp
(if your libc does not provide SSP, then libssp will be linked automatically).

So we only need libssp when:
- using a libc without SSP that requires libssp from gcc (dietlibc)
- we disable the SSP features that are in uclibc/glibc
- software is not linked against libc (?, example: grub2 upstream disables SSP)

The main issues are probably bad __FLAGS handling when cross-compiling, and
most of these issues are/should be already fixed by upstream, other hardened
distros or variants of these.


> 
> Cheers,
> 
> Steven
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] Hardening Issues / Revert r46146 ?

2015-07-07 Thread Dirk Neukirchen
The r46146 change broke the uclibc compile on x86/x86_64 (target/linux/install) with
the error:
arch/x86/Makefile:114: stack-protector enabled but compiler support broken

Reason in Config-build.in: the options depend on USE_MUSL, which means neither
PKG_CC_STACKPROTECTOR_REGULAR nor PKG_CC_STACKPROTECTOR_STRONG is set.

toolchain/uClibc/common.mk has

-e 's,^.*UCLIBC_HAS_SSP[^_].*,UCLIBC_HAS_SSP=$(if $(or $(CONFIG_PKG_CC_STACKPROTECTOR_REGULAR),$(CONFIG_PKG_CC_STACKPROTECTOR_STRONG)),y,n),g' \

which now will set 

UCLIBC_HAS_SSP=n

This breaks compiler support because kernel SSP is enabled by default;
the kernel runs kernel_dir/scripts/gcc-x86_bits-has-stack-protector.sh
to determine support/breakage.

Reading documentation like [1]
suggests that SSP (Stack Smashing Protection) should work with
a GCC that has --disable-libssp (toolchain/gcc/common.mk), because uclibc and
glibc have provided these since 2005/2006 according to the commits/versions involved.

[2]: GCC does not have to provide libssp; the needed functions are added to
ldso/libc instead.

References:
[1] http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
[2] http://git.buildroot.net/uClibc/tree/extra/Configs/Config.in
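Both messages above come down to two questions a practitioner can answer directly against a toolchain: does `-fstack-protector` still produce a canary check (the property the kernel's gcc-x86_*-has-stack-protector.sh script probes), and when a protected program is linked, does `__stack_chk_fail` come from libc itself or does gcc fall back to its own libssp? The script below is an added example written for this thread; it is not OpenWrt, uClibc or kernel code. It assumes the compiler under test is passed as the first argument (the driver at the bottom) or as `$CC`, that `readelf` from the matching binutils is on PATH, and that `mktemp -d` is available. The `readelf -d` fragments used in its description are constructed, not captured from a real OpenWrt build.

```shell
#!/bin/sh
# ssp-check.sh: probe a (cross) toolchain's stack-smashing protection.
# Added example for this thread, not OpenWrt or kernel code. Assumes the
# compiler under test is given as $1 and that the matching binutils
# (readelf) are on PATH.

# Pure text step: given `readelf -d` output for a linked binary, report
# which DSO is expected to supply __stack_chk_fail. If libssp.so is a
# NEEDED entry the toolchain fell back to gcc's libssp; otherwise the
# symbol comes from libc itself (the uclibc/glibc case discussed above).
ssp_provider_from_readelf() {
    if printf '%s\n' "$1" | grep -q 'NEEDED.*\[libssp\.so'; then
        echo libssp
    else
        echo libc
    fi
}

# Compile-only probe in the spirit of the kernel's
# gcc-x86_*-has-stack-protector.sh: build a function with a local char
# array at -O2 -fstack-protector and check that a canary check (a call to
# __stack_chk_fail) was emitted. Returns 0 if instrumented, 1 otherwise.
ssp_compiler_works() {
    cc="$1"
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/t.c" <<'EOF'
int f(const char *s) { char buf[64]; __builtin_strcpy(buf, s); return buf[0]; }
EOF
    rc=1
    if "$cc" -O2 -fstack-protector -S -o "$tmp/t.s" "$tmp/t.c" 2>/dev/null \
        && grep -q '__stack_chk_fail' "$tmp/t.s"; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Link-time probe: build a protected program and see whether gcc had to
# pull in libssp. Prints "libssp", "libc", or "link-failed" (the latter is
# what a libc without SSP symbols and a gcc built --disable-libssp gives).
ssp_provider() {
    cc="$1"
    tmp=$(mktemp -d) || { echo link-failed; return 1; }
    cat > "$tmp/p.c" <<'EOF'
#include <string.h>
int main(int argc, char **argv) { char buf[64]; strcpy(buf, argv[argc - 1]); return buf[0]; }
EOF
    if "$cc" -O2 -fstack-protector-all -o "$tmp/p" "$tmp/p.c" 2>/dev/null; then
        ssp_provider_from_readelf "$(readelf -d "$tmp/p" 2>/dev/null)"
    else
        echo link-failed
    fi
    rm -rf "$tmp"
}

# Driver, e.g.: sh ssp-check.sh staging_dir/toolchain-*/bin/*-openwrt-linux-gcc
if [ $# -gt 0 ]; then
    if ssp_compiler_works "$1"; then
        echo "compiler: -fstack-protector instruments code"
    else
        echo "compiler: stack-protector broken (kernel check would fail)"
    fi
    echo "__stack_chk_fail expected from: $(ssp_provider "$1")"
fi
```

Run it against the OpenWrt cross compiler after toggling UCLIBC_HAS_SSP: with SSP built into uclibc the link step should report `libc`; with it disabled and gcc built `--disable-libssp` the link fails, which is the same breakage the kernel's configure-time check turns into the "compiler support broken" error.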