Opened 11 years ago
Last modified 8 years ago
#13879 new patch
Add gcc and linker hardening options to configure.ac
| Reported by: | | Owned by: | EionRobb |
|---|---|---|---|
| Milestone: | Patches Needing Review | Component: | unclassified |
| Version: | | Keywords: | security |
| Cc: | MarkDoliner | | |
Description
I've added two new (off by default) flags to configure.ac:
--enable-gcc-hardening
+ CFLAGS="$CFLAGS -fstack-protector-all" + CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector" + CFLAGS="$CFLAGS --param ssp-buffer-size=1" + LDFLAGS="$LDFLAGS -pie -fPIC"
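Review bot: `-pie` in the global LDFLAGS reaches every link, including the `cc -shared` links of plugins, and that is exactly the failure comment:4 shows (`-shared ... -pie ... -o blib/arch/auto/Purple/Purple.so` followed by Scrt1.o's `undefined reference to `main'`); keep `-pie` in a per-program variable that only the executables' `*_LDFLAGS` pick up. Two of the other flags are inert as written: `-fPIC` in LDFLAGS is a compile-time option and does nothing at link time, and `--param ssp-buffer-size=1` only tunes which functions `-fstack-protector` instruments, so it has no effect once `-fstack-protector-all` is in CFLAGS. `-Wstack-protector` is a diagnostic, not a hardening flag, and belongs with the warning options rather than here.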
--enable-linker-hardening
+ LDFLAGS="$LDFLAGS -z relro -z now"
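Review bot: the flags are appended with no configure-time check that the linker accepts them, so enabling the option on a toolchain whose ld lacks GNU ld's `-z relro`/`-z now` turns every link into a hard failure; wrap the assignment in an AC_LINK_IFELSE probe that drops the flags with a warning when the test program does not link. Spelling them `-Wl,-z,relro -Wl,-z,now` also makes it explicit that they are linker options passed through the compiler driver.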
I suspect these should be enabled by default.
I also added a small bit of feedback to the configure status message:
+echo Build with FORTIFY............ : $enable_fortify +echo Build with GCC hardening...... : $enable_gcchardening +echo Build with linker hardening... : $enable_linkerhardening
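Review bot: the variable names in the status message do not match what AC_ARG_ENABLE derives from the option names: `--enable-gcc-hardening` and `--enable-linker-hardening` set `$enable_gcc_hardening` and `$enable_linker_hardening` (hyphens become underscores), so `$enable_gcchardening` and `$enable_linkerhardening` print empty unless the AC_ARG_ENABLE actions assign them explicitly; either use the derived names in the echo lines or set the shorter names in the actions. The option is also called "GCC hardening" but nothing gates the flags on `$GCC = yes`, so a non-gcc compiler that rejects them breaks the build instead of skipping them.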
Attachments (1)
Change History (16)
Changed 11 years ago by
| Attachment: | configure.ac-hardening.patch added |
|---|
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
How does it break? Ubuntu already uses most of the hardening flags at build time with the debhardening wrapper.
comment:3 Changed 10 years ago by
I suspect you need to:
sudo apt-get build-dep pidgin
And then:
./configure --enable-gcc-hardening --enable-linker-hardening --disable-perl
It turns out that my patch breaks the perl build support. How utterly annoying. Everything else works with the above on Ubuntu 11.04 - does that work for you?
comment:4 Changed 10 years ago by
Ok, I wanted to attach a compile log that includes all of the perl plugin errors but it was 9MB.
Here's a sample:
```
cc -shared -O2 -g -L/usr/local/lib -fstack-protector Account.o AccountOpts.o BuddyIcon.o BuddyList.o Certificate.o Cipher.o Cmds.o Connection.o Conversation.o Core.o Debug.o FT.o Idle.o ImgStore.o Log.o Network.o Notify.o Plugin.o PluginPref.o Pounce.o Prefs.o Privacy.o Proxy.o Prpl.o Purple.o Request.o Roomlist.o SSLConn.o SavedStatuses.o Server.o Signal.o Smiley.o Sound.o Status.o Stringref.o Util.o Whiteboard.o XMLNode.o -pie -fPIC -z relro -z now -o blib/arch/auto/Purple/Purple.so \
  \

/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 0 has invalid symbol index 11
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 1 has invalid symbol index 12
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 2 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 3 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 4 has invalid symbol index 11
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 5 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 6 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 7 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 8 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 9 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 10 has invalid symbol index 12
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 11 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 12 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 13 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 14 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 15 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 16 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 17 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 18 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 19 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 20 has invalid symbol index 21
/usr/lib/gcc/x86_64-linux-gnu/4.4.3/../../../../lib/Scrt1.o: In function `_start':
(.text+0x20): undefined reference to `main'
Account.o: In function `boot_Purple__Account':
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:1261: undefined reference to `Perl_Gthr_key_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:1261: undefined reference to `pthread_getspecific'
```
And more like this:
```
Account.o: In function `XS_Purple__Account_add_buddies':
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:927: undefined reference to `Perl_Gthr_key_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:927: undefined reference to `pthread_getspecific'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:927: undefined reference to `Perl_Istack_sp_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:907: undefined reference to `Perl_Gthr_key_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:907: undefined reference to `pthread_getspecific'
```
comment:5 Changed 10 years ago by
| Cc: | MarkDoliner added |
|---|---|
| Milestone: | → Patches Needing Review |
| Type: | enhancement → patch |
comment:6 Changed 9 years ago by
Hi, you may be interested in my recent article about automatic binary hardening with Autoconf:
http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html
comment:8 Changed 9 years ago by
I haven't worked on this in a while - I guess I'll re-factor the patch and try again.
comment:9 Changed 9 years ago by
I'm wondering if an approach to take would be to simply not have the perl plugin build if the hardening is enabled. Although it was a few years ago, last time I checked that plugin it wasn't ... that pretty. I'd even go as far as to say it should be (if not already) disabled by default. But that's no doubt a different ticket ;)
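An alternative to skipping the perl plugin is to structure the options so that `-pie` never reaches a `-shared` link and every flag is probed before use. This is an added configure.ac example written for this ticket, not the attached patch or Pidgin's own code; the macro PURPLE_CHECK_CFLAG and the variables HARDEN_CFLAGS and PROGRAM_LDFLAGS are names chosen here.

```m4
dnl Added example, not the ticket's patch. PURPLE_CHECK_CFLAG,
dnl HARDEN_CFLAGS and PROGRAM_LDFLAGS are names invented for it.
AC_ARG_ENABLE([gcc-hardening],
  [AS_HELP_STRING([--enable-gcc-hardening],
                  [compile with stack protector and PIE (default: no)])],
  [enable_gcc_hardening=$enableval], [enable_gcc_hardening=no])
AC_ARG_ENABLE([linker-hardening],
  [AS_HELP_STRING([--enable-linker-hardening],
                  [link with -z relro -z now (default: no)])],
  [enable_linker_hardening=$enableval], [enable_linker_hardening=no])

dnl PURPLE_CHECK_CFLAG(FLAG, VAR): append FLAG to shell variable VAR only
dnl if the compiler accepts it. -Werror turns an unrecognized option
dnl into a hard failure, so an older compiler simply skips that flag.
AC_DEFUN([PURPLE_CHECK_CFLAG], [
  AC_MSG_CHECKING([whether $CC accepts $1])
  purple_save_CFLAGS="$CFLAGS"
  CFLAGS="$CFLAGS -Werror $1"
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [])],
    [AC_MSG_RESULT([yes]); $2="[$]$2 $1"],
    [AC_MSG_RESULT([no])])
  CFLAGS="$purple_save_CFLAGS"
])

HARDEN_CFLAGS=
PROGRAM_LDFLAGS=
AS_IF([test "x$enable_gcc_hardening" = xyes], [
  PURPLE_CHECK_CFLAG([-fstack-protector-all], [HARDEN_CFLAGS])
  PURPLE_CHECK_CFLAG([-fwrapv], [HARDEN_CFLAGS])
  dnl -fPIE is safe in the shared CFLAGS: libtool appends -fPIC for
  dnl plugin objects and the later of -fPIE/-fPIC wins.
  PURPLE_CHECK_CFLAG([-fPIE], [HARDEN_CFLAGS])
  dnl -pie is executable-only. In LDFLAGS it also reaches "cc -shared"
  dnl plugin links, which is the Purple.so failure in comment:4 (Scrt1.o
  dnl pulled in, "undefined reference to main"). Keep it in a variable
  dnl that only the programs' *_LDFLAGS use.
  PROGRAM_LDFLAGS="$PROGRAM_LDFLAGS -pie"
])
AS_IF([test "x$enable_linker_hardening" = xyes], [
  dnl Probe the linker as well: not every ld knows -z relro / -z now.
  purple_save_LDFLAGS="$LDFLAGS"
  LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now"
  AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [],
    [AC_MSG_WARN([linker rejects -z relro/-z now, not using them])
     LDFLAGS="$purple_save_LDFLAGS"])
])
AC_SUBST([HARDEN_CFLAGS])
AC_SUBST([PROGRAM_LDFLAGS])
```

The executables' Makefile.am then add `$(PROGRAM_LDFLAGS)` to their `*_LDFLAGS` and `$(HARDEN_CFLAGS)` to `AM_CFLAGS`, while plugin targets such as the perl module take only the CFLAGS.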
comment:10 follow-up: 12 Changed 9 years ago by
It appears that Pidgin has added some of these options since I started. It should be pretty easy to compare my suggestions with the current list. Just add the differences, I think.
comment:11 Changed 9 years ago by
There's a suggestion on IRC that the perl problem may be due to AppArmor.
comment:12 follow-up: 13 Changed 9 years ago by
comment:13 Changed 9 years ago by
Replying to bleeter:
> Replying to ioerror:
> > It appears that Pidgin has added some of these options since I started. It should be pretty easy to compare my suggestions with the current list. Just add the differences, I think.
> Do you still get the horrible perl-plugin problems?

I haven't hacked up a diff for the options that are missing. When I do, I'll try this build again and post the results.

> Is this on an AppArmor'd box?

There is no AppArmor profile for gcc on this machine. I'm not sure why AppArmor would be at fault here...
comment:15 Changed 8 years ago by
| Owner: | changed from John Bailey to Eion Robb |
|---|
I think this patch is very important to incorporate and that these options should be turned on by default. However, unfortunately as it stands this breaks the build on my system (Ubuntu 10.04: Linux ubuntu 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011 x86_64 GNU/Linux). Pushing for this change is in keeping with a larger effort to improve security within the pidgin code base. There will be a separate email introducing the project sent to the pidgin development team, but in the meantime, I wanted to comment on this patch as a one-off.