compiling ports with SSP

Bryan Drewery bryan at shatow.net
Wed Apr 25 19:30:43 UTC 2012


On 03/15/2012 05:34 PM, Jeremie Le Hen wrote:
> Hi Bryan
> 
> On Sun, Feb 26, 2012 at 09:41:07PM -0600, Bryan Drewery wrote:
>>
>> Thanks for this patch [1]!
>>
>> I've been building my ports tree with -fstack-protector on FreeBSD 6, 7
>> and 8. Once I upgraded to 8, I started running into the issue [2] this
>> patch is fixing.
>>
>> I have a situation where non-ports applications are compiling
>> statically, which ran into this. Specifically, the application is
>> linking in security/openssl statically, which of course was compiled
>> with -fstack-protector. Adding the /usr/lib/libc.ld fixed it without
>> needing to hack at the failing non-port application.
>>
>> Would be nice if this, and PR 138228 were finally committed.
>>
>> Bryan Drewery
>>
>> [1] http://lists.freebsd.org/pipermail/freebsd-hackers/2011-June/035538.html
>> [2] http://gcc.gnu.org/ml/gcc-help/2006-05/msg00092.html
> 
> Wow, the perspective provided by those two posts makes me dizzy.  This
> has been a very long standing project.  The base system is now compiled
> with SSP, but doing so for ports still requires some manual hacking
> unfortunately.  I've proposed a patch to compile ports with SSP a few
> years ago, but some ports with special building strategy suffered the
> problem described in [2].  Then I learned the possibilities of ld
> scripts and provided the patch in [1] last year.
> 
> I think we have all the bits necessary to be able to compile ports with
> SSP painlessly.
> 
> First the patch in [1] has to be committed in the base system.  I think
> this can be done in CURRENT without any problem, I run it myself on my
> own servers without problem.  Unfortunately it will probably never appear
> in RELENG_9 because it may be deemed too dangerous to make such a change
> in a stable branch.  It would be nice to hear what kib@ and kan@ think
> about this.
> 
> Next, the patch to bsd.port.mk in this PR [3] has to be applied to be
> able to compile ports with SSP using a single knob.  (Other patches
> along this one can be thrown away, they were required hacks back when
> the libc ld script didn't exist.)  Then portmgr@ will naturally want to
> make a full port build with this knob turned on to check, but last time
> I was told they had very few resources and that this couldn't be
> scheduled in the next couple of weeks, IIRC.
> 
> I admit the situation is partly my fault, because I did the fun
> technical work but I didn't keep up with the "lobbying" part :).
> I asked once or twice, without success, and then went to other subjects.
> 
> I would be really glad if we could proceed with this.  FreeBSD-9.0 has
> just been released, this is probably a good time to step forward.
> 
> [3] http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138228
> 
> Cheers,

Something to keep an eye on is that some ports may run `file
/usr/lib/libc.so` and find that it is an ASCII text file.

As I've mentioned, I've been running with SSP in my ports for at least a
year now, and with this ld script for several months.

The only issue I've run into is the security/openssl port is looking at
/usr/lib/libc.so to see if it is ELF or not, and due to this is falling
back on a.out binary format and then generating incorrect ASM. I think
this is going to be a pretty rare and specific case though.

Regards,
Bryan Drewery
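The check that trips ports like openssl is deciding whether /usr/lib/libc.so is ELF by looking at `file` output. The following is an added example, not code from this thread or from the FreeBSD tree: it classifies a library path by its ELF magic instead, and when the path turns out to be an ld linker script it follows the GROUP(...)/INPUT(...) member list to the real shared object. The GROUP syntax is GNU ld's; the exact contents of the libc.so script and the sample paths are constructed assumptions.

```shell
# Print elf / ldscript / unknown for the file at $1, judged by the ELF
# magic bytes rather than by `file`, whose "ASCII text" verdict on a
# linker script is what sends a configure check down the a.out path.
classify_lib() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo elf
    elif grep -Eq 'GROUP|INPUT' "$1"; then
        echo ldscript
    else
        echo unknown
    fi
}

# Print the path of the first ELF object that $1 ultimately refers to,
# following nested linker scripts; return 1 if no ELF member is found.
resolve_lib() {
    case $(classify_lib "$1") in
        elf) echo "$1"; return 0 ;;
        ldscript)
            # the member list is whatever sits between the first "(" and ")"
            for m in $(sed -n 's/.*(\([^)]*\)).*/\1/p' "$1"); do
                case $m in *.so*) resolve_lib "$m" && return 0 ;; esac
            done ;;
    esac
    return 1
}

# Constructed sample layout (hypothetical, for demonstration only): a fake
# libc.so.7 holding just an ELF header prefix, an empty static SSP helper
# archive, and a libc.so linker script naming both. Prints the temp dir.
make_samples() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/libc.so.7"
    : > "$d/libssp_nonshared.a"
    printf 'GROUP ( %s/libc.so.7 %s/libssp_nonshared.a )\n' "$d" "$d" > "$d/libc.so"
    echo "$d"
}
```

A port's configure check that wants the real object can call `resolve_lib /usr/lib/libc.so` and inspect the result instead of the script itself.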
