From patchwork Sun Dec 27 11:07:31 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Yann E. MORIN" <yann.morin.1998@free.fr>
X-Patchwork-Id: 561139
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	by ozlabs.org (Postfix) with ESMTP id 17818140CA9
	for <incoming@patchwork.ozlabs.org>;
	Sun, 27 Dec 2015 22:07:50 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com header.b=lvpPNZUO;
	dkim-atps=neutral
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id 5137C93397;
	Sun, 27 Dec 2015 11:07:49 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id rQGb6SW2Lack; Sun, 27 Dec 2015 11:07:45 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by hemlock.osuosl.org (Postfix) with ESMTP id AA1BF933D1;
	Sun, 27 Dec 2015 11:07:45 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
	by ash.osuosl.org (Postfix) with ESMTP id E0BE81C16B8
	for <buildroot@lists.busybox.net>;
	Sun, 27 Dec 2015 11:07:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by fraxinus.osuosl.org (Postfix) with ESMTP id DCD8BA2923
	for <buildroot@lists.busybox.net>;
	Sun, 27 Dec 2015 11:07:43 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id vViIc4wI-j6w for <buildroot@lists.busybox.net>;
	Sun, 27 Dec 2015 11:07:40 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com
	[74.125.82.53])
	by fraxinus.osuosl.org (Postfix) with ESMTPS id 894799793D
	for <buildroot@buildroot.org>; Sun, 27 Dec 2015 11:07:39 +0000 (UTC)
Received: by mail-wm0-f53.google.com with SMTP id p187so240060126wmp.0
	for <buildroot@buildroot.org>; Sun, 27 Dec 2015 03:07:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:from:to:cc:subject:date:message-id;
	bh=IhrHVgLcIV1QGCReLBUMbBAFWRoUN6ATjQ92ZpoofxI=;
	b=lvpPNZUO3ziSMt1N8IowUcpJt38lMiD3PEwAnrc4nlql06bYTCuqDwV8Buowj/WkMg
	KrO8RoZfV3XdsCuLURPhKv45d2SpeIsaqts1xVOCTrVw0HkfLAIwHYfr5wAmMRkrPlCG
	HduFPB87MIG+w3RDnzJmS9uxPZPNFDjxdyy8W0GuYbhvhTIZNENa+SY7XDV3pcgiw4sS
	dNwcjt+D2lQBt4Klev2VD37WmW2Qve6Fvhcj8AUSzQgz8Ah4+/QHgRz0pBD7XhCdOjYf
	u8xHbtobkpO4SnUrGlAn2euB+i9Z9wqU3q3hQCKE5mfS77+/uiRRARcF+HpwQK+pUtuu
	8P/w==
X-Received: by 10.28.85.129 with SMTP id j123mr57479996wmb.77.1451214458152;
	Sun, 27 Dec 2015 03:07:38 -0800 (PST)
Received: from gourin.bzh.lan (ns304657.ip-46-105-103.eu. [46.105.103.66])
	by smtp.gmail.com with ESMTPSA id
	u4sm52147632wjz.4.2015.12.27.03.07.36
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Sun, 27 Dec 2015 03:07:36 -0800 (PST)
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: buildroot@buildroot.org
Date: Sun, 27 Dec 2015 12:07:31 +0100
Message-Id: <1451214451-26133-1-git-send-email-yann.morin.1998@free.fr>
X-Mailer: git-send-email 1.9.1
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
	"Yann E. MORIN" <yann.morin.1998@free.fr>
Subject: [Buildroot] [PATCHv3] toolchain: granular choice for stack protector
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

From: Steven Noonan <steven@uplinklabs.net>

Currently, we only support two levels of stach-smashing protection:
  - entirely disabled,
  - protect _all_ functions with -fstack-protector-all.

-fstack-protector-all tends to be far too aggressive and impacts
performance too much to be worth on a real product.

Add a choice that allows us to select between different levels of
stack-smashing protection:
  - none
  - basic   (NEW)
  - strong  (NEW)
  - all

The differences are documented in the GCC online documentation:
    https://gcc.gnu.org/onlinedocs/gcc-4.9.2/gcc/Optimize-Options.html

Signed-off-by: Steven Noonan <steven@uplinklabs.net>
[yann.morin.1998@free.fr:
  - rebase
  - add legacy handling
  - SSP-strong depends on gcc >= 4.9
  - slightly simple ifeq-block in package/Makefile.in
  - keep the comment in the choice; add a comment shen strong is not
    available
  - drop the defaults (only keep the legacy)
  - update commit log
]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
Changes v2 -> v3:
  - drop the new defaults, only keep legacy  (Thomas)

Changes v1 -> v2:
  - rebase
  - add legacy handling
  - SSP-strong depends on gcc >= 4.9
  - slightly simple ifeq-block in package/Makefile.in
  - keep the comment in the choice; add a comment shen strong is not
    available
  - update commit log

---
Note: I (Yann) have only slightly tested this patch. More testing is in
order before we can apply this. Steven, care to see if it still fits
your need? Thanks! :-)
---
 Config.in           | 48 +++++++++++++++++++++++++++++++++++++++++++-----
 Config.in.legacy    |  8 ++++++++
 package/Makefile.in |  8 +++++++-
 3 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/Config.in b/Config.in
index 0be44d9..e892d6d 100644
--- a/Config.in
+++ b/Config.in
@@ -522,12 +522,12 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES
 
 endif
 
-config BR2_ENABLE_SSP
+choice
 	bool "build code with Stack Smashing Protection"
-	depends on BR2_TOOLCHAIN_HAS_SSP
+	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
 	help
-	  Enable stack smashing protection support using GCCs
-	  -fstack-protector-all option.
+	  Enable stack smashing protection support using GCC's
+	  -fstack-protector option family.
 
 	  See http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
 	  for details.
@@ -536,9 +536,47 @@ config BR2_ENABLE_SSP
 	  support. This is always the case for glibc and eglibc
 	  toolchain, but is optional in uClibc toolchains.
 
-comment "enabling Stack Smashing Protection requires support in the toolchain"
+config BR2_SSP_NONE
+	bool "None"
+	help
+	  Disable stack-smashing protection.
+
+comment "Stack Smashing Protection needs a toolchain w/ SSP"
 	depends on !BR2_TOOLCHAIN_HAS_SSP
 
+config BR2_SSP_REGULAR
+	bool "-fstack-protector"
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	help
+	  Emit extra code to check for buffer overflows, such as stack
+	  smashing attacks. This is done by adding a guard variable to
+	  functions with vulnerable objects. This includes functions
+	  that call alloca, and functions with buffers larger than 8
+	  bytes. The guards are initialized when a function is entered
+	  and then checked when the function exits. If a guard check
+	  fails, an error message is printed and the program exits.
+
+config BR2_SSP_STRONG
+	bool "-fstack-protector-strong"
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	help
+	  Like -fstack-protector but includes additional functions to be
+	  protected - those that have local array definitions, or have
+	  references to local frame addresses.
+
+comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+
+config BR2_SSP_ALL
+	bool "-fstack-protector-all"
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	help
+	  Like -fstack-protector except that all functions are protected.
+
+endchoice
+
 choice
 	bool "libraries"
 	default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
diff --git a/Config.in.legacy b/Config.in.legacy
index 2628796..5d45d04 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,14 @@ endif
 ###############################################################################
 comment "Legacy options removed in 2016.02"
 
+# BR2_ENABLE_SSP is still referenced in Config.in (default in choice)
+config BR2_ENABLE_SSP
+	bool "Stack Smashing protection now has different levels"
+	help
+	  The protection offered by SSP can now be selected from different
+	  protection levels. Be sure to review the SSP level in the build
+	  options menu.
+
 config BR2_PACKAGE_DIRECTFB_CLE266
 	bool "cle266 driver for directfb removed"
 	select BR2_LEGACY
diff --git a/package/Makefile.in b/package/Makefile.in
index 82a66c2..c5652af 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -159,7 +159,13 @@ TARGET_CFLAGS += -msep-data
 TARGET_CXXFLAGS += -msep-data
 endif
 
-ifeq ($(BR2_ENABLE_SSP),y)
+ifeq ($(BR2_SSP_REGULAR),y)
+TARGET_CFLAGS += -fstack-protector
+TARGET_CXXFLAGS += -fstack-protector
+else ifeq ($(BR2_SSP_STRONG),y)
+TARGET_CFLAGS += -fstack-protector-strong
+TARGET_CXXFLAGS += -fstack-protector-strong
+else ifeq ($(BR2_SSP_ALL),y)
 TARGET_CFLAGS += -fstack-protector-all
 TARGET_CXXFLAGS += -fstack-protector-all
 endif