Opened 8 years ago

Last modified 5 years ago

#13879 new patch

Add gcc and linker hardening options to configure.ac

Reported by: ioerror
Owned by: EionRobb
Milestone: Patches Needing Review
Component: unclassified
Version: 2.7.11
Keywords: security
Cc: MarkDoliner

Description

I've added two new (off by default) flags to configure.ac:

--enable-gcc-hardening

+ CFLAGS="$CFLAGS -fstack-protector-all" + CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector" + CFLAGS="$CFLAGS --param ssp-buffer-size=1" + LDFLAGS="$LDFLAGS -pie -fPIC"
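Review bot: `-fPIC` in the LDFLAGS line is a compile-time flag and has no effect on a link-only command; the pair that yields a position-independent executable is `-fPIE` in CFLAGS (already present) with `-pie` in LDFLAGS, so the `-fPIC` can be dropped. `--param ssp-buffer-size=1` is redundant next to `-fstack-protector-all`, which instruments every function regardless of buffer size; it only matters if this is later relaxed to plain `-fstack-protector`. `-fwrapv` defines signed-overflow semantics rather than adding a mitigation, so a short comment in configure.ac explaining why it sits in a hardening option would help the next reader.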

--enable-linker-hardening

+ LDFLAGS="$LDFLAGS -z relro -z now"
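Review bot: appending `-pie` to the global LDFLAGS applies it to every link, not only to executables. The Perl module link line in comment:4 (`cc -shared ... -pie -fPIC -z relro -z now -o blib/arch/auto/Purple/Purple.so`) picks it up, the link pulls in the executable startup file Scrt1.o, and its `_start` then fails with `undefined reference to `main'`. `-pie` should be confined to program links (for instance a separate variable used only for executables), while shared objects get `-fPIC` at compile time and `-z relro -z now` at link time; the `-z relro -z now` pair itself is safe for both.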

I suspect these should be enabled by default.

I also added a small bit of feedback to the configure status message:

+echo Build with FORTIFY............ : $enable_fortify +echo Build with GCC hardening...... : $enable_gcchardening +echo Build with linker hardening... : $enable_linkerhardening

Attachments (1)

configure.ac-hardening.patch (1.7 KB) - added by ioerror 8 years ago.


Change History (16)

Changed 8 years ago by ioerror

comment:1 Changed 8 years ago by dtauerbach

I think this patch is very important to incorporate and that these options should be turned on by default. However, unfortunately, as it stands this breaks the build on my system (Ubuntu 10.04: Linux ubuntu 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011 x86_64 GNU/Linux). Pushing for this change is in keeping with a larger effort to improve security within the Pidgin code base. There will be a separate email introducing the project sent to the Pidgin development team, but in the meantime I wanted to comment on this patch as a one-off.

comment:2 Changed 8 years ago by ioerror

How does it break? Ubuntu already uses most of the hardening flags at build time with the debhardening wrapper.

comment:3 Changed 8 years ago by ioerror

I suspect you need to:

sudo apt-get build-dep pidgin

And then:

./configure --enable-gcc-hardening --enable-linker-hardening --disable-perl

It turns out that my patch breaks the perl build support. How utterly annoying. Everything else works with the above on Ubuntu 11.04 - does that work for you?

comment:4 Changed 8 years ago by ioerror

Ok, I wanted to attach a compile log that includes all of the perl plugin errors but it was 9MB.

Here's a sample:

cc  -shared -O2 -g -L/usr/local/lib -fstack-protector Account.o AccountOpts.o BuddyIcon.o BuddyList.o Certificate.o Cipher.o Cmds.o Connection.o Conversation.o Core.o Debug.o FT.o Idle.o ImgStore.o Log.o Network.o Notify.o Plugin.o PluginPref.o Pounce.o Prefs.o Privacy.o Proxy.o Prpl.o Purple.o Request.o Roomlist.o SSLConn.o SavedStatuses.o Server.o Signal.o Smiley.o Sound.o Status.o Stringref.o Util.o Whiteboard.o XMLNode.o -pie -fPIC -z relro -z now -o blib/arch/auto/Purple/Purple.so
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 0 has invalid symbol index 11
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 1 has invalid symbol index 12
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 2 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 3 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 4 has invalid symbol index 11
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 5 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 6 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 7 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 8 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 9 has invalid symbol index 2
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 10 has invalid symbol index 12
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 11 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 12 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 13 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 14 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 15 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 16 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 17 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 18 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 19 has invalid symbol index 13
/usr/bin/ld: /usr/lib/debug/usr/lib/Scrt1.o(.debug_info): relocation 20 has invalid symbol index 21
/usr/lib/gcc/x86_64-linux-gnu/4.4.3/../../../../lib/Scrt1.o: In function `_start':
(.text+0x20): undefined reference to `main'
Account.o: In function `boot_Purple__Account':
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:1261: undefined reference to `Perl_Gthr_key_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:1261: undefined reference to `pthread_getspecific'

And more like this:

Account.o: In function `XS_Purple__Account_add_buddies':
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:927: undefined reference to `Perl_Gthr_key_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:927: undefined reference to `pthread_getspecific'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:927: undefined reference to `Perl_Istack_sp_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:907: undefined reference to `Perl_Gthr_key_ptr'
/tmp/pidgin-2.8.0/libpurple/plugins/perl/common/Account.c:907: undefined reference to `pthread_getspecific'
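As an added example (not code from the ticket or from Pidgin's build system), a small Python lint that encodes the flag pitfalls in the description's `--enable-gcc-hardening` / `--enable-linker-hardening` sets and the `-shared` plus `-pie` combination behind the Perl module failure above; the function names are mine and the sample strings in the `__main__` block are constructed from the ticket.

```python
import shlex


def _z_keywords(argv):
    """Collect the keyword of every `-z <keyword>` pair (relro, now, ...)."""
    return {argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-z"}


def lint_flags(cflags, ldflags):
    """Lint a CFLAGS/LDFLAGS pair such as the one --enable-gcc-hardening appends."""
    c, ld = shlex.split(cflags), shlex.split(ldflags)
    z = _z_keywords(ld)
    out = []
    if "-fstack-protector-all" in c and any(a.startswith("ssp-buffer-size=") for a in c):
        out.append("redundant: ssp-buffer-size has no effect once -fstack-protector-all "
                   "instruments every function")
    if "-fPIC" in ld or "-fPIE" in ld:
        out.append("misplaced: -fPIC/-fPIE are compile-time flags; on a link-only line "
                   "they change nothing, put them in CFLAGS")
    if "-fPIE" in c and "-pie" not in ld:
        out.append("incomplete: objects are -fPIE but the executable is not linked -pie")
    if "relro" in z and "now" not in z:
        out.append("partial: -z relro without -z now leaves the GOT writable after startup")
    if "-pie" in ld:
        out.append("risk: -pie in a global LDFLAGS reaches every link, including -shared ones")
    return out


def lint_link_line(cmdline):
    """Lint one link command as make ran it (e.g. the Perl module line in comment:4)."""
    argv = shlex.split(cmdline)
    out = []
    if "-shared" in argv and "-pie" in argv:
        # The link is driven as a PIE executable: the startup file Scrt1.o is pulled in
        # and its _start needs main, hence "undefined reference to `main'" for a .so.
        out.append("error: -shared and -pie on one link line; drop -pie for shared objects")
    if "-shared" in argv and not {"relro", "now"} <= _z_keywords(argv):
        out.append("partial: shared object linked without full RELRO (-z relro -z now)")
    return out


if __name__ == "__main__":
    # Constructed from the ticket: the description's flag sets and a shortened copy
    # of the Perl module link line from comment:4.
    findings = lint_flags("-fstack-protector-all -fwrapv -fPIE -Wstack-protector "
                          "--param ssp-buffer-size=1", "-pie -fPIC -z relro -z now")
    findings += lint_link_line("cc -shared -O2 -g -fstack-protector Account.o -pie -fPIC "
                               "-z relro -z now -o blib/arch/auto/Purple/Purple.so")
    print("\n".join(findings))
```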

comment:5 Changed 8 years ago by MarkDoliner

  • Cc MarkDoliner added
  • Milestone set to Patches Needing Review
  • Type changed from enhancement to patch

comment:6 Changed 7 years ago by kmcallister

Hi, you may be interested in my recent article about automatic binary hardening with Autoconf:

http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html

comment:7 Changed 7 years ago by bleeter

I presume this is still breaking Perl plugin builds.

comment:8 Changed 7 years ago by ioerror

I haven't worked on this in a while - I guess I'll re-factor the patch and try again.

comment:9 Changed 7 years ago by bleeter

I'm wondering if an approach to take would be to simply not have the perl plugin build if the hardening is enabled. Although it was a few years ago, last time I checked that plugin it wasn't ... that pretty. I'd even go as far as to say it should be (if not already) disabled by default. But that's no doubt a different ticket ;)

comment:10 follow-up: Changed 7 years ago by ioerror

It appears that Pidgin has added some of these options since I started. It should be pretty easy to compare my suggestions with the current list. Just add the differences, I think.

comment:11 Changed 7 years ago by bleeter

There's a suggestion on IRC that the perl problem may be due to AppArmor.

comment:12 in reply to: ↑ 10 ; follow-up: Changed 7 years ago by bleeter

Replying to ioerror:

It appears that Pidgin has added some of these options since I started. It should be pretty easy to compare my suggestions with the current list. Just add the differences, I think.

Do you still get the horrible perl-plugin problems? Is this on an AppArmor'd box?

comment:13 in reply to: ↑ 12 Changed 7 years ago by ioerror

Replying to bleeter:

Replying to ioerror:

It appears that Pidgin has added some of these options since I started. It should be pretty easy to compare my suggestions with the current list. Just add the differences, I think.

Do you still get the horrible perl-plugin problems?

I haven't hacked up a diff for the options that are missing. When I do, I'll try this build again and post the results.

Is this on an AppArmor'd box?

There is no AppArmor profile for gcc on this machine. I'm not sure why AppArmor would be at fault here...

comment:14 Changed 6 years ago by DrWhax

Any update on this?

comment:15 Changed 5 years ago by rekkanoryo

  • Owner changed from rekkanoryo to EionRobb