toolchain stuff

Robert Connolly robert at
Mon May 28 17:59:47 PDT 2007

I made a new gcc-specs patch that seems to be working. I used gcc/ from 
NetBSD... it checks:
nm $(gcc -print-file-name=libc.a) | grep __stack_chk_fail
for libc_provides_ssp, so it works with uClibc, with glibc, and in /tools. It 
doesn't work if you don't have a libc.a, though.

The new patch does nothing by default; we need to:
echo '#define DEFAULT_SSP' >> gcc/hardened-config.h
and so on, to turn things on. It appends to cpp_spec, cc1_spec, and 
cc1plus_spec, so it's a little more portable to non-x86, except that I 
couldn't do that with the startfile and endfile specs; they have to be 
completely replaced.

I removed -fpic completely. Libraries use -fpic anyway, and packages like 
mesa-lib that don't use -fpic need patches whether the gcc specs use -fpic or 
not, so just add -fpic to the patch.

I've also been experimenting with glibc builds:
echo 'build-programs=no
CFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0
CXXFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0' > configparms &&
make &&
echo 'CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2
CXXFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2' > configparms &&
make &&
echo 'CFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0
CXXFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0' > configparms
make check

Glibc has some serious issues when building with SSP or FORTIFY_SOURCE, and 
there isn't really a way around it. The above commands will leave the 
libraries alone but harden the programs. It's probably as good as it'll get, 
except that minor libraries like libresolv could probably also be hardened. 
It also means the libc workarounds can come out of the gcc specs. I didn't 
get the above working with -pie, though, but eventually it should.

More information about the hlfs-dev mailing list