(no subject)

Kevin Day drealin01 at cox.net
Fri Jun 16 10:49:51 PDT 2006


On Thu, 15 Jun 2006 23:21:24 -0400
Robert Connolly <robert at linuxfromscratch.org> wrote:

> Hi. I'm having problems getting ssp working with uclibc-20060613 and 
> gcc-4.1.1. Anything I build with -fstack-protector-all does a
> Segmentation fault, but -fstack-protector seems to be okay. This
> happens after the second gcc is installed. I have tried everything I
> can think of, and I'm out of ideas.
> 
> In the second gcc I'm using 'make gcc_cv_libc_provides_ssp=yes', with

I am unfamiliar with gcc_cv_libc_provides_ssp=yes, I might try that
sometime and return results.

> and without --disable-libssp. When I rebuild uClibc with the second
> gcc then everything in /tools segfaults, so it looks like the
> segfault is coming from libuClibc.so (because our uClibc config file
> builds uClibc with -fstack-protector*).
> 
> I have my non-working uclibc differences here:
> http://www.linuxfromscratch.org/~robert/new/uclibc_gcc-4.1.1-HLFS.txt
> 
> P.S.
> I have had the same results with binutils-2.16.93 and 2.16.94.
> 2.16.93 is known to be working with uClibc, 2.16.94 was released this
> week but seems to be okay.

I'll look into 2.16.94 as well.

> 
> robert

Okay, I have been finally getting around to re-enabling SSP into my
systems, so it is helping me identify SSP problems.

My system is currently compiled with (in this order):

uClibc pass_1 0.9.28
gcc pass_1 4.1.1 
uClibc pass_2 0.9.28 (problems with -fstack-protector)
gcc pass_2 4.1.1 (can we build ssp safely into this?)
binutils pass_1 2.16.1 (problems with -fstack-protector)
zlib pass_1 1.2.3 (ssp enabled)
ncurses turtle-kevux-core_pass_1 5.5 (problems with -fstack-protector)

My -fstack-protector problems:
  undefined reference to `__stack_chk_guard'
  undefined reference to `__stack_chk_fail'
  These problems have something to do with gcc/targhooks.c and
  get_identifier(..). The only things that will not work are dealing
  with the get_identifier calls. I do not know enough about
  get_identifier to safely touch anything with it.

The following patches were applied on all passes mentioned:
(NOTE: my previous gcc-4.1.0 system, I used my own patches, but
overall, Robert's was much better than mine, so I switched over to
his, where possible)
uClibc-0.9.28-add_round-2
uClibc-0.9.28-libc_stack_end-1
gcc-4.1.0-uClibc_conf-1
gcc-4.1.0-specs_x86-1
gcc-4.1.1-no_locale-1
gcc-4.1.0-index_macro-1
gcc-4.1.0-uClibc_libstdc++-1
gcc-4.1.1-no_static_ssp-1
binutils-2.16.1-uClibc_conf-1

Notes on patches:
  - gcc-4.1.1-no_locale-1, does not disable locale, it instead applies
a fix so that a system compiled with --disable-locale will properly
compile.
  - gcc-4.1.1-no_static_ssp-1, this needs to be cleaned up, but it is
the result of fixing some problems with hardened flags on things like
binutils.  It contains three fixes (one hack, one tweak, and one actual
fix)
    - The hack: __stack_chk_fail_local causes problems with binutils,
not being able to leak. I suspect this is not gcc itself, but the fact
that I may be using a binutils-2.16.1, but I cannot confirm exactly
what's wrong.  zlib is another of the three to six packages I've tested
thus far.
    - The fix: somebody screwed up big time in the libssp coding.  In
the file gcc/targhooks.c, __stack_chk_fail_local is called, only when
HAVE_HIDDEN_VISIBILITY is NOT defined.  However, the only time
HAVE_HIDDEN_VISIBILITY is defined in libssp/ssp.c and libssp/ssp-local.c
is when HAVE_HIDDEN_VISIBILITY is defined. WTF!? So I changed the
__stack_chk_fail_local to __stack_chk_fail inside of gcc/targhooks.c
file. (The __stack_chk_fail_local is just a wrapper function to
__stack_chk_fail, but this may be some method of security I am unaware
of; nevertheless, I cannot get things to compile properly without this
fix.)  Hopefully this may fix your segfaulting problems.
  - uClibc-0.9.28-add_round-2, is the second pass of my patch to add
round and trunc support to uClibc.  Unlike the previous one, this patch
provides everything needed, so only the patch is needed. (works
flawlessly for me)

How everything was compiled:
  (NOTE: I am doing numerous experiments on file-system structure and
security thereof by moving away from the insecurely designed FHS
standard, and these are the EXACT commands I used, but you can safely
ignore the --prefix, --bindir, and friends)
  (NOTE: I supplied in this mail, my linux-2.6.16.20 headers, that have
had one or two fixes to them. I do not remember if I applied the
arc4random patches.., but these headers work flawlessly for me on an
i686)
  (NOTE: $PR = path to my pre-made files, such as the uClibc
configuration files, TA=target system path (say../mnt/hda/3/), TO =
path to the /tools directory, $WO = path to where all extraction and
compilation is done)
  (NOTE: /toolchain is my path for all compilation stuff for my target
system, so that when I need to squeeze things on an embedded device I
can easily safely add/remove the compilation tools.  I can even mount
them back on using a cd without changing any other files and not
having the toolchain files on a system will probably make it even more
secure)

uClibc_pass1:
  cp -v $PR/uc-1.conf .config
  sed -i -e 's|check_gcc,-Os|check_gcc|' test/Rules.mak Rules.mak
  sed -i -e 's|-Os ||' ldso/ldso/Makefile
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s all
  rm include/asm include/asm-generic include/linux
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s install
  mv -v /usr/lib/* /lib
  rm -Rf /usr/lib /lib/*.a

(NOTE: LIBGCC=-lgcc_s was added on later in the install, as I was
removing all static files, even in the lib/gcc/$target/*.a
It looks like libgcc.a and libgcc_s.so are the same, except gcc
continues the bad practice of naming their static libraries and their
identical shared twin file with separate name, thus screwing up the
linker when you want either ONLY static or ONLY shared systems.  The
original value for LIBGCC=-lgcc.
 IMPORTANT NOTE: it may be better to just symlink libgcc.a to
libgcc_s.so, once this is done libgcc.a can be removed and no other
projects have to have libgcc tests changed to libgcc_s tests: "ln -vs
libgcc_s.so /lib/libgcc.a", assuming that libgcc_s.so is in /lib )

gcc_pass1:
  sed -i -e 's|\(^CROSS_SYSTEM_HEADER_DIR=\).*|\1 /toolchain/include|g' \
gcc/Makefile.in
  echo -e "\n#undef STARTFILE_PREFIX_SPEC\n#define \
STARTFILE_PREFIX_SPEC \"/lib/\"" >> gcc/config/linux.h
  touch $ldso
  mkdir -vp $WO/build-gcc
  cd $WO/build-gcc
  ../gcc-$VERSION/configure --prefix=/toolchain --disable-static \
--enable-shared --disable-nls --with-local-prefix=/toolchain \
--with-nostdinc --enable-languages=c --with-dynamic-linker=$ldso \
--libexecdir=/toolchain/lib --with-pic --enable-long-long \
--target=$target --build=$target --host=$target --enable-libssp
  make
  make install
  cd $WO
  rm -Rf build-gcc
  ln -vsf gcc /toolchain/bin/cc
  mv -v /toolchain/lib/*.so* /lib
  rm -Rf /toolchain/{info,man} /toolchain/bin/${target}* \
/toolchain/lib/libiberty.a /toolchain/lib/$target/*/*.a
  chmod +x /lib/*.so

  It turns out to be safer to NOT install binutils until uClibc and gcc
BOTH get bootstrapped, to work around the hardcoded specs file issues.
  Also, here is a warning: I am not using locale/NLS, so my
uc-{1,2}.conf do not have locale supported, don't forget to add those as
most other people need them

uClibc_pass2:
 cp -v $PR/uc-2.conf .config
  sed -i -e 's|check_gcc,-Os|check_gcc|' test/Rules.mak Rules.mak
  sed -i -e 's|-Os ||' ldso/ldso/Makefile
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s all
  rm include/asm include/asm-generic include/linux
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s install
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s headers
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s CC="gcc \
-Wl,--dynamic-linker,/lib/ld-uClibc.so.0 /lib/ld-uClibc.so.0" -C utils
  make DEVEL_PREFIX=/usr/ SHARED_LIB_LOADER_PREFIX=/lib \
RUNTIME_PREFIX=/ KERNEL_SOURCE=/toolchain LIBGCC=-lgcc_s -C utils \
install
  ldconfig
  mkdir -vp /etc/sysconfig
  echo "CST6CDT" > /etc/sysconfig/timezone
  rm -Rf /lib/*.a /usr/lib/*.{a,so,0}
  chmod +x /lib/*.so*
  ln -vsf libc.so.0 /lib/libc.so
  ln -vsf libcrypt.so.0 /lib/libcrypt.so
  ln -vsf libdl.so.0 /lib/libdl.so
  ln -vsf libm.so.0 /lib/libm.so
  ln -vsf libnsl.so.0 /lib/libnsl.so
  ln -vsf libpthread.so.0 /lib/libpthread.so
  ln -vsf libresolv.so.0 /lib/libresolv.so
  ln -vsf librt.so.0 /lib/librt.so

gcc_pass2:
  sed -i -e 's|\(^CROSS_SYSTEM_HEADER_DIR=\).*|\1 /toolchain/include|g' \
gcc/Makefile.in
  sed -i -e 's|\(^NATIVE_SYSTEM_HEADER_DIR=\).*|\1 /toolchain/include|g' \
gcc/Makefile.in
  echo -e "\n#undef STARTFILE_PREFIX_SPEC\n#define \
STARTFILE_PREFIX_SPEC \"/lib/\"" >> gcc/config/linux.h
  mkdir -vp $WO/build-gcc
  cd $WO/build-gcc
  ../gcc-$VERSION/configure --prefix=/toolchain --disable-static \
--enable-shared --disable-nls --with-local-prefix=/toolchain \
--with-nostdinc --enable-languages=c,c++ --with-dynamic-linker=$ldso \
--libexecdir=/toolchain/lib --with-pic --enable-long-long \
--target=$target --build=$target --host=$target --enable-libs
  make
  make install
  cd $WO
  rm -Rf build-gcc
  mv -v /toolchain/lib/*.so* /lib
  rm -Rf /toolchain/{info,man} /toolchain/bin/${target}* \
/toolchain/lib/lib{iberty,stdc++_pic,supc++,ssp_nonshared}.a \
/toolchain/lib/lib{supc++,ssp_nonshared}.la /toolchain/lib/$target/*/*.a

binutils_pass1:
  $MD $WO/build-binutils
  cd $WO/build-binutils
  ../binutils-$VERSION/configure --prefix=/ \
--includedir=/toolchain/include --bindir=/bin --sbindir=/sbin \
--localstatedir=/var --datadir=/share --sysconfdir=/etc \
--libexecdir=/lib --disable-static --enable-shared --disable-nls \
--with-pic --target=$target --host=$target --build=$target \
--with-lib-path=/lib
  make
  make install
  rm -Rf /lib/ldscripts
  mv -v /$target/bin/* /toolchain/bin
  mv -v /$target/lib/* /lib
  mv -v /bin/{addr2line,c++filt,gprof,nm,objcopy,size,strings} \
/toolchain/bin
 cd $WO
 rm -Rf build-binutils /$target /lib/*.{a,la} /info /man \
/bin/{ar,as,ld,nm,objdump,ranlib,strip}

zlib_pass1
  old_CFLAGS="$CFLAGS"
  export CFLAGS="-fstack-protector $CFLAGS" 
  ./configure --prefix=/ --includedir=/toolchain/include --libdir=/lib \
--sharedir=/share --enable-shared --disable-nls --shared
  make
  make install
  rm -Rf /share/man
  export CFLAGS="$old_CFLAGS"
  unset old_CFLAGS

ncurses_pass1
./configure --prefix=/ --includedir=/toolchain/include --bindir=/bin \
--sbindir=/sbin --localstatedir=/var --datadir=/share --sysconfdir=/etc\
 --libexecdir=/lib --disable-static --enable-shared --disable-nls \
--with-pic --without-normal --without-debug --without-ada \
--enable-overwrite --with-shared --enable-colorfgbg --enable-symlinks \
--enable-ext-mouse --with-termlib --without-gpm --enable-termcap \
--with-termpath=/etc/termcap --enable-getcap --enable-const \
--enable-sigwinch --enable-tcap-names
  make
  make install
  rm -Rf /lib/*.a /man
  chmod +x /lib/*.so

-- 
Kevin Day


-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uc-2.conf
Type: application/octet-stream
Size: 4326 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060616/6736bfa4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uClibc-0.9.28-add_round-2.patch
Type: text/x-patch
Size: 22639 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060616/6736bfa4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcc-4.1.1-no_static_ssp-1.patch
Type: text/x-patch
Size: 2456 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060616/6736bfa4/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcc-4.1.1-no_locale-1.patch
Type: text/x-patch
Size: 1417 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060616/6736bfa4/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uc-1.conf
Type: application/octet-stream
Size: 4348 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20060616/6736bfa4/attachment-0001.obj>
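
The "undefined reference to `__stack_chk_guard'" and "`__stack_chk_fail'" errors in the message above mean that no library on the link line defines the symbols the SSP-instrumented objects import. The following script is an added example, not part of the original mail or its attachments: it takes `nm` output for an object and for each candidate library and lists the SSP symbols left unresolved. The function names and the sample `nm` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict SSP "undefined reference" link errors from nm output.

# Read nm output on stdin; print "<symbol> defined|undefined|absent" per SSP symbol.
ssp_symbol_status() {
    awk '
    BEGIN {
        n = split("__stack_chk_guard __stack_chk_fail __stack_chk_fail_local", want, " ")
        for (i = 1; i <= n; i++) state[want[i]] = "absent"
    }
    NF < 2 { next }
    {
        name = $NF
        sub(/@.*/, "", name)            # drop a symbol-version suffix if present
        if (!(name in state)) next
        # nm prints no address column for an undefined symbol: "TYPE NAME"
        if (NF == 2) { if (state[name] == "absent") state[name] = "undefined" }
        else state[name] = "defined"
    }
    END { for (i = 1; i <= n; i++) print want[i], state[want[i]] }'
}

# usage: ssp_unresolved "$(nm obj.o)" "$(nm -D lib1.so)" ["$(nm -D lib2.so)" ...]
# Prints each SSP symbol the object imports that none of the libraries defines.
ssp_unresolved() {
    obj=$1; shift
    needed=$(printf '%s\n' "$obj" | ssp_symbol_status | awk '$2 == "undefined" { print $1 }')
    for sym in $needed; do
        found=no
        for lib in "$@"; do
            if printf '%s\n' "$lib" | ssp_symbol_status | grep -q "^$sym defined\$"; then
                found=yes; break
            fi
        done
        [ "$found" = yes ] || echo "$sym"
    done
}

# Constructed sample nm listings (illustrative, not from the original post).
SAMPLE_OBJ='00000000 T main
         U __stack_chk_fail
         U __stack_chk_guard
         U puts'
SAMPLE_LIBC='0001a2b0 T puts
0001f000 T abort'
SAMPLE_LIBSSP='00000710 T __stack_chk_fail
00001a04 B __stack_chk_guard'

echo "libc only:     $(ssp_unresolved "$SAMPLE_OBJ" "$SAMPLE_LIBC" | tr '\n' ' ')"
echo "libc + libssp: $(ssp_unresolved "$SAMPLE_OBJ" "$SAMPLE_LIBC" "$SAMPLE_LIBSSP" | tr '\n' ' ')"
```

On a real toolchain, pass the output of `nm` on a failing object and `nm -D` on each shared library that is actually on the link line.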

