pennedinil (Tux's lil' helper)
Joined: 08 Aug 2003, Posts: 95
Posted: Tue Apr 13, 2004 5:58 am    Post subject: hardened xorg-x11
I was able to get xorg to compile with
USE+="hardened pic"
and
CFLAGS+="-fstack-protector"
But I couldn't get the X server to start. I'm using binary nvidia drivers and I was getting a bunch of messages about missing symbols in nvidia.o. I tried downgrading/upgrading nvidia-kernel & nvidia-glx, but that didn't help.
I also re-emerged xorg with and without -fstack-protector but couldn't get X to load my nvidia driver.
I finally compiled xorg with
USE="-hardened -pic"
and no -fstack-protector in CCFLAGS. I have X server up and running now, but I was wondering if anyone else had experienced similar problems, or if I was just doing something wrong.
My CCFLAGS settings are quite conservative -
CFLAGS="-pipe -O2 -march=pentium4 -fomit-frame-pointers -ftracer"
Anyone else with similar experiences?
EDIT:
Fixed issue with Xorg-x11, but I don't think it's the right approach. Only consolation is that now Xorg-x11 works.
I had to change -
1. USE="-hardened -pie -pic"
2. CFLAGS="... -fno-stack-protector -fno-PIE -fno-PIC"
3. Edit ebuild so it would not strip out the above options from CFLAGS
Means Xorg-x11 has none of the SSP or PIE security built into it. But it now works!
I know some claims have been made that -fstack-protector will not break xorg-x11, but I tried comparing the logs/stderrs generated with and without the above flags, and I feel much more comfortable just removing all of the security flags.
EDIT: (on 19-10-2004)
More an update for latest Xorg.
With the hardened toolchain, CFLAGS need to be stripped of -fPIE (or -fpie) and replaced with -fno-pie. I also added -DPIC because supposedly this makes the builds more robust. Seems to be working fine thus far.
And yes, -fstack-protector can be left in CFLAGS.
Last edited by pennedinil on Tue Oct 19, 2004 6:53 pm; edited 2 times in total
revo (n00b)
Joined: 02 Feb 2003, Posts: 57
Posted: Thu May 13, 2004 9:26 am
Well, for me it seems compiling with -fstack-protector is _not_ fine, because I am unable to start the X server when compiled with this.
The last output was:
Symbol __guard from module /usr/X11R6/lib/modules/fonts/libbitmap.a is unresolved!
Symbol __stack_smash_handler from module /usr/X11R6/lib/modules/fonts/libbitmap.a is unresolved!
Symbol __guard from module /usr/X11R6/lib/modules/fonts/libbitmap.a is unresolved!
Symbol __guard from module /usr/X11R6/lib/modules/fonts/libbitmap.a is unresolved!
By the way, I don't use any binary nvidia-drivers, just the plain nv driver.
_________________
3 wang-tan soup, 3 garlic chicken and 3 orders of fortune cookies, that's it. - and then?
Target (Apprentice)
Joined: 25 Apr 2002, Posts: 200
Posted: Wed Jul 21, 2004 5:58 pm
Exact same errors as revo, using either nvidia or nv driver.
reeder (n00b)
Joined: 02 Apr 2003, Posts: 45, Location: Plano, TX
Posted: Wed Sep 29, 2004 8:45 pm
After reading this week's newsletter about -fstack-protector I added it to my CFLAGS and did my normal weekly update. xorg-x11-6.7.0-r2 was new and got emerged. But restarting X failed with the errors about the symbols __guard and __stack_smash_handler being unresolved in libbitmap.a.
Removing -fstack-protector and re-emerging xorg-x11 solved the problem.
My CFLAGS are "-O2 -march=athlon-xp -fomit-frame-pointer"
I suspect that the problem is that some other thing that depends on libbitmap wasn't compiled with -fstack-protector and that recompiling it would solve the problem. But how do you find out what that is?
I like the idea of protecting myself from common programming errors and would like to be able to use -fstack-protector.
-- William
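One way to answer the "how do you find out what that is?" question above, as an added example that is not from this thread: feed `nm` output for a module and for the server binary to a small script that reports which stack-protector runtime symbols the module references but the server does not define. It assumes the standard `nm` column layout; the `/usr/X11R6/bin/Xorg` path and the sample symbol listings are constructed for illustration, and the `__stack_chk_*` names are the ones current GCC emits alongside the older ProPolice names seen in the error messages.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: given `nm` output for an X server module
# and for the Xorg binary, list the stack-protector runtime symbols the module
# needs but the server does not define. __guard and __stack_smash_handler are
# the gcc 3.x ProPolice names shown in the thread; __stack_chk_guard and
# __stack_chk_fail are the names current GCC emits.
SSP_SYMS='__guard __stack_smash_handler __stack_chk_guard __stack_chk_fail'

# ssp_refs: read nm output on stdin, print SSP symbols left undefined (type U).
ssp_refs() {
    awk -v syms="$SSP_SYMS" '
        BEGIN { n = split(syms, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF >= 2 && $(NF-1) == "U" && ($NF in want) { print $NF }' | sort -u
}

# defined_syms: read nm output on stdin, print every symbol it defines.
defined_syms() {
    awk 'NF >= 3 && $(NF-1) ~ /^[TDBRVWtdbr]$/ { print $NF }' | sort -u
}

# unresolved_ssp MODULE_NM SERVER_NM: print each SSP symbol the module references
# that the server binary lacks; empty output means the loader can resolve them.
unresolved_ssp() {
    printf '%s\n' "$1" | ssp_refs | while read -r sym; do
        printf '%s\n' "$2" | defined_syms | grep -qx -- "$sym" || echo "$sym"
    done
}

# Constructed sample nm output (not captured from a real system): libbitmap.a
# built with -fstack-protector, and an Xorg server built without it.
MODULE_NM='libbitmap.a:bitmap.o:                  U __guard
libbitmap.a:bitmap.o:                  U __stack_smash_handler
libbitmap.a:bitmap.o: 0000000000000000 T bitmapGetFonts
libbitmap.a:bitmap.o:                  U xf86malloc'
SERVER_NM='0000000000401000 T main
0000000000402000 T xf86malloc'

# Real use (server path is hypothetical, module path is the one from the errors):
#   unresolved_ssp "$(nm -A /usr/X11R6/lib/modules/fonts/libbitmap.a)" "$(nm /usr/X11R6/bin/Xorg)"
unresolved_ssp "$MODULE_NM" "$SERVER_NM"
```

If the server binary is stripped, `nm` reports no symbols and every SSP symbol shows as unresolved; the check approximates what the X module loader does rather than reading its exact internal symbol table.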
didl (Retired Dev)
Joined: 09 Sep 2003, Posts: 1106, Location: Pittsburgh, PA
Posted: Wed Sep 29, 2004 8:50 pm
Have a look at
http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml
Pretty much, if you use the hardened toolchain you either have to compile X statically (which works) or use the dlloader and fiddle with the modules section in your xorg.conf (which might or might not work).
reeder (n00b)
Joined: 02 Apr 2003, Posts: 45, Location: Plano, TX
Posted: Wed Sep 29, 2004 10:33 pm
Thanks! I'm not using the hardened toolchain, just the -fstack-protector flag. But I'll try the static linking and see if that helps. I'll post the results when I'm done.
-- William
reeder (n00b)
Joined: 02 Apr 2003, Posts: 45, Location: Plano, TX
Posted: Thu Sep 30, 2004 3:46 am
didl, I put -fstack-protector back in my CFLAGS and recompiled xorg-x11 statically (directions in the link you referenced) and it seems to have worked.
THANKS!
Just in case anyone is wondering, my kernel is 2.6.7-gentoo-r11 (from gentoo-dev-sources) and I'm still using the nv driver for my ancient nvidia card.
Thanks again,
-- William