Hardening flags

Julien ÉLIE julien at trigofacile.com
Tue Jan 5 15:49:23 UTC 2021


Hi Russ,

>> INN_PROG_CC_FLAG([-fstack-protector-strong],
>>                   [CFLAGS="${CFLAGS} -fstack-protector-strong"], [])
> 
> This looks fine for the stack protector flag.  I'm not sure about PIE; it
> seems to be rather complicated.

It appears to be trickier than expected for -fstack-protector-strong.
Only adding it to CFLAGS seems to work well almost everywhere.

But Solaris also needs it in LDFLAGS.  Otherwise the build fails when 
linking executables:

Undefined                       first referenced
  symbol                             in file
__stack_chk_fail                    art.o
__stack_chk_guard                   art.o
ld: fatal: symbol referencing errors



... and regarding AIX, though the compiler supports it, the linker does 
not...
configure saw that, and therefore does not add -fstack-protector-strong 
when linking:

libtool: link: gcc -pie -o .libs/innd art.o cc.o chan.o icd.o innd.o 
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o 
status.o util.o wip.o /home/iulius/autobuild/inn-gcc119/lib/perl.o 
-L/home/iulius/autobuild/inn-gcc119/storage/.libs 
-L/home/iulius/autobuild/inn-gcc119/history/.libs 
-L/home/iulius/autobuild/inn-gcc119/lib/.libs -linnhist -lstorage -linn 
-ldb -lz 
-Wl,-blibpath:/usr/local/news/lib:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0/../../..:/usr/lib:/lib
ld: 0711-317 ERROR: Undefined symbol: __stack_chk_guard
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more 
information.
collect2: error: ld returned 8 exit status
make: 1254-004 The error code from the last command is 1.


Stop.



If I add it manually:

libtool: link: gcc -pie -o .libs/innd art.o cc.o chan.o icd.o innd.o 
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o 
status.o util.o wip.o /home/iulius/autobuild/inn-gcc119/lib/perl.o 
-fstack-protector-strong 
-L/home/iulius/autobuild/inn-gcc119/storage/.libs 
-L/home/iulius/autobuild/inn-gcc119/history/.libs 
-L/home/iulius/autobuild/inn-gcc119/lib/.libs -linnhist -lstorage -linn 
-ldb -lz 
-Wl,-blibpath:/usr/local/news/lib:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0/../../..:/usr/lib:/lib
collect2: fatal error: library libssp_nonshared not found
compilation terminated.



So there are cases where the compiler needs -fstack-protector-strong for 
linking and also where the compiler accepts -fstack-protector-strong but 
the build will nevertheless fail...

I've tried a patch for configure.ac.  Hopefully we now get it right for 
that flag.

-- 
Julien ÉLIE

"I have a buddy who is a test pilot… Well, he isn't one yet;
   for now, he's trying to be a pilot!" (Raymond Devos)
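
The outcomes reported in this message (flag needed only in CFLAGS, flag also needed in LDFLAGS as on Solaris, flag accepted by the compiler but failing at link time as on AIX) can be told apart by probing the compile and link steps separately. This is an added example, not part of the original message and not the configure.ac patch it mentions; probe_flag and its result words are hypothetical names.

```sh
#!/bin/sh
# Added example; probe_flag and its result words are hypothetical names.
# Usage: probe_flag CC FLAG   prints one of:
#   unsupported     the compiler rejects FLAG
#   cflags          FLAG is only needed when compiling
#   cflags+ldflags  the link succeeds only if FLAG is repeated (Solaris case)
#   link-fails      FLAG compiles but cannot be linked at all (AIX case)
probe_flag() {
    cc=$1 flag=$2
    dir=$(mktemp -d) || return 2
    # A local char array makes -fstack-protector-strong instrument main(),
    # so t.o really references the stack-protector runtime symbols.
    cat > "$dir/t.c" <<'EOF'
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    (void) argc;
    strncpy(buf, argv[0], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf[0] == '\0';
}
EOF
    # $cc and $flag stay unquoted on purpose so values like "gcc -m64" split.
    if ! $cc -Werror $flag -c -o "$dir/t.o" "$dir/t.c" >/dev/null 2>&1; then
        result=unsupported
    elif $cc -o "$dir/t" "$dir/t.o" >/dev/null 2>&1; then
        result=cflags
    elif $cc $flag -o "$dir/t" "$dir/t.o" >/dev/null 2>&1; then
        result=cflags+ldflags
    else
        result=link-fails
    fi
    rm -rf "$dir"
    echo "$result"
}

# Stand-alone use: sh probe.sh gcc -fstack-protector-strong
if [ $# -eq 2 ]; then
    probe_flag "$1" "$2"
fi
```

A build script would add the flag to CFLAGS for "cflags", to both CFLAGS and LDFLAGS for "cflags+ldflags", and leave it out for the other two results.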

