Hardening flags
Julien ÉLIE
julien at trigofacile.com
Tue Jan 5 15:49:23 UTC 2021
Hi Russ,
>> INN_PROG_CC_FLAG([-fstack-protector-strong],
>> [CFLAGS="${CFLAGS} -fstack-protector-strong"], [])
>
> This looks fine for the stack protector flag. I'm not sure about PIE; it
> seems to be rather complicated.
It appears to be trickier than expected for -fstack-protector-strong.
Only adding it to CFLAGS seems to work well almost everywhere.
But Solaris also needs it in LDFLAGS. Otherwise the build fails when
linking executables:
    Undefined                       first referenced
     symbol                             in file
    __stack_chk_fail                    art.o
    __stack_chk_guard                   art.o
    ld: fatal: symbol referencing errors
... and regarding AIX, though the compiler supports it, the linker does
not...
configure saw that, and therefore does not add -fstack-protector-strong
when linking:
libtool: link: gcc -pie -o .libs/innd art.o cc.o chan.o icd.o innd.o
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o
status.o util.o wip.o /home/iulius/autobuild/inn-gcc119/lib/perl.o
-L/home/iulius/autobuild/inn-gcc119/storage/.libs
-L/home/iulius/autobuild/inn-gcc119/history/.libs
-L/home/iulius/autobuild/inn-gcc119/lib/.libs -linnhist -lstorage -linn
-ldb -lz
-Wl,-blibpath:/usr/local/news/lib:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0/../../..:/usr/lib:/lib
ld: 0711-317 ERROR: Undefined symbol: __stack_chk_guard
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
information.
collect2: error: ld returned 8 exit status
make: 1254-004 The error code from the last command is 1.
Stop.
If I add it manually:
libtool: link: gcc -pie -o .libs/innd art.o cc.o chan.o icd.o innd.o
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o
status.o util.o wip.o /home/iulius/autobuild/inn-gcc119/lib/perl.o
-fstack-protector-strong
-L/home/iulius/autobuild/inn-gcc119/storage/.libs
-L/home/iulius/autobuild/inn-gcc119/history/.libs
-L/home/iulius/autobuild/inn-gcc119/lib/.libs -linnhist -lstorage -linn
-ldb -lz
-Wl,-blibpath:/usr/local/news/lib:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/7.2.0/../../..:/usr/lib:/lib
collect2: fatal error: library libssp_nonshared not found
compilation terminated.
So there are cases where the compiler needs -fstack-protector-strong for
linking and also where the compiler accepts -fstack-protector-strong but
the build will nevertheless fail...
I've tried a patch for configure.ac. Hopefully we now get it right for
that flag.
--
Julien ÉLIE
"I have a friend who is a test pilot… Well, he isn't one yet;
for now, he is trying to be a pilot!" (Raymond Devos)
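
Added example, not part of the original message and not the configure.ac patch it mentions: a shell probe that tests a hardening flag at both the compile and the link step, so that a compiler which accepts -fstack-protector-strong but cannot link with it (the AIX case above) is told apart from one where the flag is usable. The function names probe_flag and usable_flag are hypothetical, and adding the flag to both CFLAGS and LDFLAGS only after a successful link is an assumed policy.

```shell
#!/bin/sh
# probe_flag CC FLAG -> prints "link", "compile-only" or "unsupported".
# (Hypothetical helper.) The test program keeps a local buffer so that an
# active stack protector really emits references to __stack_chk_fail and
# __stack_chk_guard, the symbols missing in the linker errors above.
probe_flag() {
    cc=$1
    flag=$2
    dir=$(mktemp -d) || return 2
    cat > "$dir/conftest.c" <<'EOF'
#include <string.h>
int main(int argc, char **argv)
{
    char buf[64];
    strncpy(buf, argv[0], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return (int) strlen(buf) == argc;
}
EOF
    result=unsupported
    # Step 1: compile only. A check that stops here accepts the flag on AIX.
    if "$cc" "$flag" -c -o "$dir/conftest.o" "$dir/conftest.c" >/dev/null 2>&1
    then
        result=compile-only
        # Step 2: link with the flag on the link line as well, which is
        # what Solaris needs and what AIX cannot do.
        if "$cc" "$flag" -o "$dir/conftest" "$dir/conftest.o" >/dev/null 2>&1
        then
            result=link
        fi
    fi
    rm -rf "$dir"
    echo "$result"
}

# usable_flag CC FLAG -> prints FLAG only when compile and link both work.
# Assumed policy: the caller then appends it to CFLAGS and LDFLAGS alike.
usable_flag() {
    if [ "$(probe_flag "$1" "$2")" = link ]; then
        echo "$2"
    fi
}

# Usage: f=$(usable_flag "${CC:-cc}" -fstack-protector-strong)
#        [ -n "$f" ] && CFLAGS="$CFLAGS $f" LDFLAGS="$LDFLAGS $f"
```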