Mailing List Archive

how to turn off hardened gcc flags reliably?
All,

I'm hoping for some suggestions particularly from the toolchain and
hardened profile folk.

We have a compiler that goes via C and uses gcc as its backend. This
compiler does some pretty unpleasant things with the assembler output of
gcc. For one thing it doesn't use the C stack. It strips off the prelude
and epilogue of each function. Anyway, suffice it to say that it doesn't
work with hardened gcc; that is both PIE and the stack protector.

However, turning these features off (by passing -nopie
-fno-stack-protector to gcc) is not so easy when we consider that people
can upgrade their gcc or change from a vanilla to a hardened profile
*after* emerging ghc.

gcc-3 supports both -nopie and -fno-stack-protector. So always using
these would be ok if it were not for gcc-4 which doesn't grok
-fno-stack-protector.

If we don't use -fno-stack-protector then if someone changes from a
vanilla gcc profile to a hardened one then the users will get breakage
when they start using ghc again.

We could have the ghc driver script work out dynamically which flags to
pass to gcc to suppress the hardened stuff but I think we can all see
the downside to that.

We could say "don't switch to a hardened gcc profile - it doesn't work".

We could say "don't use gcc 4 - it's not supported". However this will
not last forever.

We could ask the gcc-config people for some assistance. Perhaps by
adding an extra env var GHC_CFLAGS that gives us the right flags. Or
perhaps by hooking into gcc-config to have our flags updated whenever
the user changes profile.

Does anyone have any other suggestions?

--
Duncan Coutts : Gentoo Developer (Haskell herd team lead)
email : dcoutts at gentoo dot org

--
gentoo-dev@gentoo.org mailing list
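The dynamic probing Duncan mentions (having the driver script work out at run time
which flags this particular gcc accepts) comes down to a handful of throwaway
compiles. What follows is an added example written for this archive page, not code
from the thread, from the ghc driver or from the ebuild. It assumes a gcc-style
driver in $CC (default cc) that can link a trivial program; it uses the thread's
-nopie and -fno-stack-protector spellings plus the later upstream -no-pie and
-fno-PIE as candidates (those two are my assumption, harmlessly dropped when a
compiler rejects them); and it confirms the protector is really off by looking
for a reference to __stack_chk_fail in the binary it just built.

```sh
#!/bin/sh
# Added example, not from the thread: a driver-script fragment that asks the
# installed compiler which hardening-off flags it accepts, instead of
# hard-coding a list that goes stale when the user switches gcc version or
# gcc-config profile. Assumes $CC (default: cc) is a gcc-style driver that
# can link a trivial program, and that grep can search the produced binary.
set -u
CC=${CC:-cc}
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# A minimal program with a local array, so a stack-protector pass has
# something to instrument; every probe compiles and links this one file.
printf 'int main(void) { char buf[64]; buf[0] = 0; return buf[0]; }\n' \
    > "$tmp/probe.c"

# cc_accepts FLAG...: succeed only if the compiler builds probe.c with FLAG.
# gcc and clang both exit non-zero on an unrecognised option, so a failed
# build is the signal that this compiler does not support the flag.
cc_accepts() {
    "$CC" "$@" "$tmp/probe.c" -o "$tmp/probe" >/dev/null 2>&1
}

# hardening_off_flags: print the subset of candidate flags this compiler
# accepts. -nopie and -fno-stack-protector(-all) are the spellings discussed
# in the thread; -no-pie and -fno-PIE are the upstream gcc spellings, added
# here as assumed candidates so the same probe works on later compilers.
hardening_off_flags() {
    out=
    for flag in -fno-stack-protector -fno-stack-protector-all \
                -nopie -no-pie -fno-PIE; do
        if cc_accepts "$flag"; then
            out="$out${out:+ }$flag"
        fi
    done
    printf '%s\n' "$out"
}

# ssp_instrumented FLAG...: build probe.c with FLAG... and succeed if the
# result still references the SSP runtime. A hardened gcc turns the protector
# on through its specs with nothing on the command line, so this is the check
# that tells the driver whether its "off" flags actually took effect.
# Exit status 2 means the build itself failed (flag rejected).
ssp_instrumented() {
    cc_accepts "$@" || return 2
    grep -aq '__stack_chk_fail' "$tmp/probe"
}
```

Running hardening_off_flags after each gcc-config profile change (or on every ghc
invocation, at the cost of a few tiny compiles) gives the driver a flag list that
matches whatever compiler is installed at that moment, which is the upgrade-after-
emerge case the first message worries about. ssp_instrumented is the part worth
keeping even if the flag list is hard-coded: on a hardened profile it is the only
way to see from the outside that the protector has been disabled.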
Re: how to turn off hardened gcc flags reliably?
On Wednesday 01 March 2006 10:35, Duncan Coutts wrote:
> gcc-3 supports both -nopie and -fno-stack-protector. So always using
> these would be ok if it were not for gcc-4 which doesn't grok
> -fno-stack-protector.

yes it does

every gcc in portage by default supports -fno-stack-protector
-mike
Re: how to turn off hardened gcc flags reliably?
On Wed, 2006-03-01 at 11:39 -0500, Mike Frysinger wrote:
> On Wednesday 01 March 2006 10:35, Duncan Coutts wrote:
> > gcc-3 supports both -nopie and -fno-stack-protector. So always using
> > these would be ok if it were not for gcc-4 which doesn't grok
> > -fno-stack-protector.
>
> yes it does

Oh. I had reports from ppc devs who said that gcc-4 didn't recognise
that flag.

I also heard that gcc-4 contains a re-written stack protector
implementation with different semantics and that was why it didn't
recognise the flag anymore.

> every gcc in portage by default supports -fno-stack-protector

So that includes gcc 4 then. Well that makes life easier. :-)

I presume it's a gentoo patch to gcc-4 to add back in
-fno-stack-protector?

--
Duncan Coutts : Gentoo Developer (Haskell herd team lead)
email : dcoutts at gentoo dot org

Re: how to turn off hardened gcc flags reliably?
On Wed, 2006-03-01 at 17:17 +0000, Duncan Coutts wrote:
> On Wed, 2006-03-01 at 11:39 -0500, Mike Frysinger wrote:
> > On Wednesday 01 March 2006 10:35, Duncan Coutts wrote:
> > > gcc-3 supports both -nopie and -fno-stack-protector. So always using
> > > these would be ok if it were not for gcc-4 which doesn't grok
> > > -fno-stack-protector.
> >
> > yes it does
>
> Oh. I had reports from ppc devs who said that gcc-4 didn't recognise
> that flag.
>
> I also heard that gcc-4 contains a re-written stack protector
> implementation with different semantics and that was why it didn't
> recognise the flag anymore.
>
> > every gcc in portage by default supports -fno-stack-protector
>
> So that includes gcc 4 then. Well that makes life easier. :-)
>
> I presume it's a gentoo patch to gcc-4 to add back in
> -fno-stack-protector?

For the 4.0.x it should be just a dummy call.
For 4.1 it is included. What does change and is really uncool with 4.1
is that -fno-stack-protector-all is missing and won't be added
back without several somebodies making a case for it upstream.

--
solar <solar@gentoo.org>
Gentoo Linux

Re: how to turn off hardened gcc flags reliably?
On Wednesday 01 March 2006 12:17, Duncan Coutts wrote:
> On Wed, 2006-03-01 at 11:39 -0500, Mike Frysinger wrote:
> > On Wednesday 01 March 2006 10:35, Duncan Coutts wrote:
> > > gcc-3 supports both -nopie and -fno-stack-protector. So always using
> > > these would be ok if it were not for gcc-4 which doesn't grok
> > > -fno-stack-protector.
> >
> > yes it does
>
> Oh. I had reports from ppc devs who said that gcc-4 didn't recognise
> that flag.

it does and it doesn't ... official gcc-4.0.x lacks ssp support, but official
gcc-4.1.x has it

> I presume it's a gentoo patch to gcc-4 to add back in
> -fno-stack-protector?

yes
-mike
Re: how to turn off hardened gcc flags reliably?
On Wednesday 01 March 2006 17:41, solar wrote:
> On Wed, 2006-03-01 at 17:17 +0000, Duncan Coutts wrote:
> > I presume it's a gentoo patch to gcc-4 to add back in
> > -fno-stack-protector?
>
> For the 4.0.x it should be just a dummy call.
> For 4.1 it is included. What does change and is really uncool with 4.1
> is that -fno-stack-protector-all is missing and wont be added
> back without several somebodies making a case for it upstream.
>

For the non-technically-minded folks, what's the difference between
-fno-stack-protector and -fno-stack-protector-all?

Thanks

Roy
Re: how to turn off hardened gcc flags reliably?
On Thu, 2006-03-02 at 00:41 +0000, Roy Marples wrote:
> On Wednesday 01 March 2006 17:41, solar wrote:
> > On Wed, 2006-03-01 at 17:17 +0000, Duncan Coutts wrote:
> > > I presume it's a gentoo patch to gcc-4 to add back in
> > > -fno-stack-protector?
> >
> > For the 4.0.x it should be just a dummy call.
> > For 4.1 it is included. What does change and is really uncool with 4.1
> > is that -fno-stack-protector-all is missing and wont be added
> > back without several somebodies making a case for it upstream.
> >
>
> For the non technically minded folks whats the difference between
> -fno-stack-protector and -fno-stack-protector-all?

It was explained to me like this:

-fno-stack-protector makes gcc use a heuristic to decide whether or not
to change a function to use stack-smashing protection.

-fno-stack-protector-all makes gcc just do it for every function.

there is also:

-fno-stack-protector-to-all which if supplied makes -fno-stack-protector
get promoted to -fno-stack-protector-all. Apparently
-fno-stack-protector-to-all is on by default in all current gcc profiles
so that means that at the moment if you specify -fno-stack-protector you
really get -fno-stack-protector-all.

Hope that's clear! :-)

--
Duncan Coutts : Gentoo Developer (Haskell herd team lead)
email : dcoutts at gentoo dot org

Re: how to turn off hardened gcc flags reliably?
On Wednesday 01 March 2006 10:35, Duncan Coutts wrote:
> Does anyone have any other suggestions?

I don't know exactly what you're trying to accomplish, but the way wine does it
is by faking out the ssp symbols

in their loader, they add (for gcc-4.1+):
/* canary that the SSP prologue/epilogue reads; any value will do for a shim */
void *__stack_chk_guard = 0;
/* called on a canary mismatch; stubbed out as a no-op so the link succeeds
   without libssp and nothing aborts at run time */
void __stack_chk_fail(void) { return; }

older versions of ssp used diff symbols, so I patch in these for wine:
/* the same pair under the pre-4.1 (ProPolice) names */
void *__guard = 0;
void __stack_smash_handler(void) { return; }
-mike
Re: how to turn off hardened gcc flags reliably?
On Thu, 02 Mar 2006 00:54:25 +0000
Duncan Coutts <dcoutts@gentoo.org> wrote:

> On Thu, 2006-03-02 at 00:41 +0000, Roy Marples wrote:
> > For the non technically minded folks whats the difference between
> > -fno-stack-protector and -fno-stack-protector-all?
> [...]
> It was explained to me like this:
>
> -fno-stack-protector makes gcc use a heuristic to decide whether or
> not change a function to use stack-smashing protection.
>
> -fno-stack-protector-all makes gcc just do it for every function.

not quite (note the 'no-'!):

In gcc-3:

-fstack-protector switches on stack protection for functions that gcc
decides heuristically to be most vulnerable according to their
parameters and local data.

-fstack-protector-all switches on stack protection for (almost) all
functions

-fno-stack-protector switches off -fstack-protector

-fno-stack-protector-all switches off -fstack-protector-all

Of note is that:
... -fstack-protector -fstack-protector-all -fno-stack-protector
results in no ssp at all

... -fstack-protector -fstack-protector-all -fno-stack-protector-all
results in heuristic ssp switched on


For gcc-4.1, the semantics have changed as RedHat Did Their Own Thing
and broke backwards compatibility:
1) -fno-stack-protector-all does not exist
2) stack protection is viewed as a three-state setting configured by
the last occurring switch from the set

-fno-stack-protector - no stack protection
-fstack-protector - heuristic stack protection
-fstack-protector-all - stack protection on all functions

(imo they should have done something like -fstack-protect[N] for
N=0,1,2 which would have been clearer, but I got ignored when I
suggested it)

Since 'last option wins' in the RedHat version,

'-fstack-protector-all -fstack-protector' gives heuristic ssp, whereas
on gcc-3 it gives full ssp.


Upshot - managing ssp has become a bit of a pita :/ (gcc-4 is
currently masked in the hardened profile, primarily because gcc-4.0 has
no ssp, but going forward also until we decide what to do with the
hardened specs on gcc-4.1).

> there is also:
>
> -fno-stack-protector-to-all which if supplied makes
> -fno-stack-protector get promoted to -fno-stack-protector-all.
> Apparently -fno-stack-protector-to-all is on by default in all
> current gcc profiles so that means that at the moment if you specify
> -fno-stack-protector you really get -fno-stack-protector-all.

there is no '-fno-stack-protector-to-all' as such. the gcc specs we
change (in gcc-3) currently switch -fstack-protector-all on if
-fstack-protector is set (either on the command line or automatically
in the case of the hardened compiler). This occurs also with the
vanilla compiler - which is a bug although very few people
(if any) come across it as the only supported way to use the
stack protector at the moment is by using the hardened compiler.

--
Kevin F. Quinn
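For the gcc-3 versus gcc-4.1 semantics Kevin lays out above, here is an added
example (not from the thread, not from gcc's or Gentoo's own code) that models
both rules as small shell functions, so a build script can predict what a given
flag order will produce before it reaches the compiler. The function names are
my own. ssp_level_gcc3 treats the two switches as independent booleans where
-fno-stack-protector clears both and -fno-stack-protector-all clears only the
"all" one (my reading of Kevin's two "of note" cases); ssp_level_gcc41 applies
last-option-wins over a single three-state setting and rejects
-fno-stack-protector-all outright; gentoo_gcc3_specs adds the spec promotion
Kevin describes, where heuristic protection is bumped to all.

```sh
#!/bin/sh
# Added example, not from the thread: a model of the two stack-protector flag
# semantics described on this page, for predicting the effect of a flag list.
#   gcc-3 (Gentoo ssp patch): two independent on/off switches.
#   gcc-4.1: one three-state setting, last switch on the command line wins.
# Assumption: in the gcc-3 model, -fno-stack-protector clears both switches
# and -fno-stack-protector-all clears only the "all" switch.

# ssp_level_gcc3 FLAG...: print none, heuristic or all.
ssp_level_gcc3() {
    sp=0; all=0
    for f in "$@"; do
        case $f in
            -fstack-protector)        sp=1 ;;
            -fstack-protector-all)    sp=1; all=1 ;;
            -fno-stack-protector)     sp=0; all=0 ;;
            -fno-stack-protector-all) all=0 ;;
        esac
    done
    if [ "$all" = 1 ]; then
        echo all
    elif [ "$sp" = 1 ]; then
        echo heuristic
    else
        echo none
    fi
}

# ssp_level_gcc41 FLAG...: print none, heuristic or all; the last recognised
# switch wins. -fno-stack-protector-all is not an option in this compiler at
# all, so it is reported on stderr and the function returns 2 instead of
# silently ignoring it (which is what a real gcc-4.1 driver would also do:
# fail the compile rather than guess).
ssp_level_gcc41() {
    level=none
    for f in "$@"; do
        case $f in
            -fno-stack-protector)     level=none ;;
            -fstack-protector)        level=heuristic ;;
            -fstack-protector-all)    level=all ;;
            -fno-stack-protector-all)
                echo "unrecognised option: $f" >&2
                return 2 ;;
        esac
    done
    echo "$level"
}

# gentoo_gcc3_specs FLAG...: the gcc-3 result after the Gentoo specs, which
# turn -fstack-protector-all on whenever -fstack-protector is in effect.
gentoo_gcc3_specs() {
    level=$(ssp_level_gcc3 "$@")
    if [ "$level" = heuristic ]; then
        level=all
    fi
    echo "$level"
}
```

The pair of functions makes the breakage concrete: the same string
"-fstack-protector-all -fstack-protector", which hardened CFLAGS plus a
user's own flags can easily produce, yields all under gcc-3 and heuristic under
gcc-4.1, and a script that appends -fno-stack-protector-all to turn the
protector down on gcc-3 does not compile at all on gcc-4.1.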