From patchwork Mon Dec 19 11:15:14 2016
X-Patchwork-Submitter: Nix
X-Patchwork-Id: 707054
From: Nix
To: libc-alpha@sourceware.org
Cc: fweimer@redhat.com
Subject: [PATCH 01/15] Configury support for --enable-stack-protector.
Date: Mon, 19 Dec 2016 11:15:14 +0000
Message-Id: <20161219111528.14969-2-nix@esperi.org.uk>
In-Reply-To: <20161219111528.14969-1-nix@esperi.org.uk>
References: <20161219111528.14969-1-nix@esperi.org.uk>

From: Nick Alcock

This adds =all and =strong, with obvious semantics, and with a rather
arbitrarily-chosen default off, which we might well want to change to
something stronger once this patch has been tested by people other than
me.

We don't validate the value of the option yet: that's in a later patch.
Nor do we use it for anything at this stage.

We differentiate between 'the compiler understands -fstack-protector'
and 'the user wanted -fstack-protector' so that we can pass
-fno-stack-protector in appropriate places even if the user didn't want
to turn on -fstack-protector for other parts. (This helps us overcome
another existing limitation, that glibc doesn't work with GCCs hacked
to pass in -fstack-protector by default.)

We also arrange to set the STACK_PROTECTOR_LEVEL #define to a value
appropriate for the stack-protection level in use for each file in
particular.

We might want to add another configuration option to turn on
-fstack-protector for nscd and other network-facing operations by
default, but for now I've stuck with one option to control everything.

v2: documentation in install.texi; better description of the option.
    INSTALL regenerated.
v3: Substitute in no_stack_protector.
v6: Small quoting/spacing revisions following Mike Frysinger's review.
    Add STACK_PROTECTOR_LEVEL.
v7: Quoting changes. Report --enable-stack-protector argument values
    on error.
v10: Only define STACK_PROTECTOR_LEVEL if not already defined.
     Define it to 0 in the no_stack_protector case.

	[BZ #7065]
	* configure.ac (libc_cv_ssp): Move up.
	(libc_cv_ssp_strong): Likewise.
	(libc_cv_ssp_all): New.
	(stack_protector): Augment, adding -fstack-protector-all.
	(no_stack_protector): New.
	(STACK_PROTECTOR_LEVEL): New.
	(AC_ARG_ENABLE(stack-protector)): New configure flag.
	* manual/install.texi (--enable-stack-protector): Document it.
	* config.h.in (STACK_PROTECTOR_LEVEL): New macro.
	* INSTALL: Regenerate.
--- INSTALL | 39 ++++++++++++++++++----------- config.h.in | 6 +++++ configure.ac | 70 ++++++++++++++++++++++++++++++++++++++--------------- manual/install.texi | 12 +++++++++ 4 files changed, 93 insertions(+), 34 deletions(-) diff --git a/INSTALL b/INSTALL index b5acedc..2b0abf9 100644 --- a/INSTALL +++ b/INSTALL 
@@ -135,20 +135,31 @@ will be used, and CFLAGS sets optimization options for the compiler. '--enable-lock-elision=yes' Enable lock elision for pthread mutexes by default. -'--enable-pt_chown' - The file 'pt_chown' is a helper binary for 'grantpt' (*note - Pseudo-Terminals: Allocation.) that is installed setuid root to fix - up pseudo-terminal ownership. It is not built by default because - systems using the Linux kernel are commonly built with the 'devpts' - filesystem enabled and mounted at '/dev/pts', which manages - pseudo-terminal ownership automatically. By using - '--enable-pt_chown', you may build 'pt_chown' and install it setuid - and owned by 'root'. The use of 'pt_chown' introduces additional - security risks to the system and you should enable it only if you - understand and accept those risks. - -'--disable-werror' - By default, the GNU C Library is built with '-Werror'. If you wish +`--enable-stack-protector' +`--enable-stack-protector=strong' +`--enable-stack-protector=all' + Compile the C library and all other parts of the glibc package + (including the threading and math libraries, NSS modules, and + transliteration modules) using the GCC `-fstack-protector', + `-fstack-protector-strong' or `-fstack-protector-all' options to + detect stack overruns. Only the dynamic linker and a small number + of routines called directly from assembler are excluded from this + protection. + +`--enable-pt_chown' + The file `pt_chown' is a helper binary for `grantpt' (*note + Pseudo-Terminals: Allocation.) that is installed setuid root to + fix up pseudo-terminal ownership. It is not built by default + because systems using the Linux kernel are commonly built with the + `devpts' filesystem enabled and mounted at `/dev/pts', which + manages pseudo-terminal ownership automatically. By using + `--enable-pt_chown', you may build `pt_chown' and install it + setuid and owned by `root'. 
The use of `pt_chown' introduces + additional security risks to the system and you should enable it + only if you understand and accept those risks. + +`--disable-werror' + By default, the GNU C Library is built with `-Werror'. If you wish to build without this option (for example, if building with a newer version of GCC than this version of the GNU C Library was tested with, so new warnings cause the build with '-Werror' to fail), you diff --git a/config.h.in b/config.h.in index 33757bd..d96ce0f 100644 --- a/config.h.in +++ b/config.h.in @@ -48,6 +48,12 @@ /* Define if compiler accepts -ftree-loop-distribute-patterns. */ #undef HAVE_CC_INHIBIT_LOOP_TO_LIBCALL +/* The level of stack protection in use for glibc as a whole. + May be overridden on a file-by-file basis. */ +#ifndef STACK_PROTECTOR_LEVEL +#undef STACK_PROTECTOR_LEVEL +#endif + /* Define if the regparm attribute shall be used for local functions (gcc on ix86 only). */ #undef USE_REGPARMS diff --git a/configure.ac b/configure.ac index de0a40f..f131e97 100644 --- a/configure.ac +++ b/configure.ac @@ -235,6 +235,18 @@ if test "x$bindnow" = xyes; then AC_DEFINE(BIND_NOW) fi +dnl Build glibc with -fstack-protector, -fstack-protector-all, or +dnl -fstack-protector-strong. +AC_ARG_ENABLE([stack-protector], + AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@], + [Use -fstack-protector[-all|-strong] to detect glibc buffer overflows]), + [enable_stack_protector=$enableval], + [enable_stack_protector=no]) +case "$enable_stack_protector" in +all|yes|no|strong) ;; +*) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector: \"$enable_stack_protector\"]);; +esac + dnl On some platforms we cannot use dynamic loading. We must provide dnl static NSS modules. AC_ARG_ENABLE([static-nss], 
@@ -605,6 +617,44 @@ fi test -n "$base_machine" || base_machine=$machine AC_SUBST(base_machine) +AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl +LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector], + [libc_cv_ssp=yes], + [libc_cv_ssp=no]) +]) + +AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl +LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong], + [libc_cv_ssp_strong=yes], + [libc_cv_ssp_strong=no]) +]) + +AC_CACHE_CHECK(for -fstack-protector-all, libc_cv_ssp_all, [dnl +LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all], + [libc_cv_ssp_all=yes], + [libc_cv_ssp_all=no]) +]) + +stack_protector= +no_stack_protector= +if test "$libc_cv_ssp" = yes; then + no_stack_protector="-fno-stack-protector -DSTACK_PROTECTOR_LEVEL=0" +fi + +if test "$enable_stack_protector" = yes && test "$libc_cv_ssp" = yes; then + stack_protector="-fstack-protector" + AC_DEFINE(STACK_PROTECTOR_LEVEL, 1) +elif test "$enable_stack_protector" = all && test "$libc_cv_ssp_all" = yes; then + stack_protector="-fstack-protector-all" + AC_DEFINE(STACK_PROTECTOR_LEVEL, 2) +elif test "$enable_stack_protector" = strong && test "$libc_cv_ssp_strong" = yes; then + stack_protector="-fstack-protector-strong" + AC_DEFINE(STACK_PROTECTOR_LEVEL, 3) +fi +AC_SUBST(libc_cv_ssp) +AC_SUBST(stack_protector) +AC_SUBST(no_stack_protector) + # For the multi-arch option we need support in the assembler & linker. AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support], libc_cv_ld_gnu_indirect_function, [dnl 
@@ -1433,26 +1483,6 @@ else fi AC_SUBST(fno_unit_at_a_time) -AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl -LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector], - [libc_cv_ssp=yes], - [libc_cv_ssp=no]) -]) - -AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl -LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong], - [libc_cv_ssp_strong=yes], - [libc_cv_ssp_strong=no]) -]) - -stack_protector= -if test "$libc_cv_ssp_strong" = "yes"; then - stack_protector="-fstack-protector-strong" -elif test "$libc_cv_ssp" = "yes"; then - stack_protector="-fstack-protector" -fi -AC_SUBST(stack_protector) - AC_CACHE_CHECK([for -mtls-dialect=gnu2], libc_cv_mtls_dialect_gnu2, [dnl cat > conftest.c <
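
Review bot: In the INSTALL hunk, the regenerated text changes the quoting of the untouched --enable-pt_chown and --disable-werror entries from '...' to `...', while the trailing context still reads "with '-Werror' to fail", so the file ends up with two quoting styles and most of the hunk is churn unrelated to the new option. This suggests INSTALL was regenerated with a different makeinfo version than the one that produced the existing file; regenerating with a matching version would reduce the hunk to the new --enable-stack-protector entry. The new entry should also say that the default is off and that the bare form selects -fstack-protector, since a reader deciding on hardening needs both facts.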
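
Review bot: In the config.h.in hunk, the comment on STACK_PROTECTOR_LEVEL does not say what the numeric values mean, and the values assigned in configure.ac (0 for none, 1 for -fstack-protector, 2 for -fstack-protector-all, 3 for -fstack-protector-strong) are not ordered by coverage, because -fstack-protector-all instruments every function while -fstack-protector-strong instruments only a subset. Please document the four values in this comment so that later code does not compare the level numerically as if a higher number meant more protection.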
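
Review bot: In the configure.ac hunk at @@ -235,6 +235,18 @@, the AC_MSG_ERROR text reports the rejected value but not the accepted ones; naming yes, no, all and strong in the message would let the user correct the command line without consulting --help. The case statement also contradicts the commit message, which still says "We don't validate the value of the option yet: that's in a later patch", so the description needs updating to match what this hunk does.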
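
Review bot: In the configure.ac hunk at @@ -605,6 +617,44 @@, a hardening request the compiler cannot satisfy is dropped silently: with --enable-stack-protector=strong and libc_cv_ssp_strong=no, no branch of the if/elif chain matches, stack_protector stays empty and the build proceeds unprotected with no diagnostic. A final else that calls AC_MSG_ERROR (or at least AC_MSG_WARN) whenever enable_stack_protector is not no would make the failure visible. The same chain never defines STACK_PROTECTOR_LEVEL when the option is no, so config.h leaves the macro undefined rather than 0; an explicit AC_DEFINE(STACK_PROTECTOR_LEVEL, 0) in that case would match the -DSTACK_PROTECTOR_LEVEL=0 already placed in no_stack_protector.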
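
Review bot: Existing users of the stack_protector substitution lose their flag in a default build once the block at @@ -1433,26 +1483,6 @@ is removed. The old code set stack_protector to -fstack-protector-strong or -fstack-protector whenever the compiler accepted it, with no configure option involved, whereas the replacement leaves it empty unless --enable-stack-protector is given, and the default is no. The ChangeLog entry "(stack_protector): Augment, adding -fstack-protector-all" does not mention this change. Either keep the automatic selection for those consumers under a separate variable, or call out the behaviour change in the ChangeLog and in install.texi.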