How long until hardened and toolchain will produce a hardene

Xake · Posted: Thu Apr 17, 2008 2:54 pm Post subject:

Should we really ditch eselect compiler support? They have left it inside gentoo, and currently it does not break anything. I tend to have things as close to gentoo as possible.

zorry · Posted: Thu Apr 17, 2008 10:22 pm Post subject:

zorry · Posted: Thu Apr 17, 2008 10:38 pm Post subject:

Xake · Posted: Fri Apr 18, 2008 6:54 am Post subject:

Xake · Posted: Fri Apr 18, 2008 6:56 am Post subject:

zorry · Posted: Fri Apr 18, 2008 10:01 am Post subject:

zorry · Posted: Fri Apr 18, 2008 3:17 pm Post subject:

zorry · Posted: Sat Apr 19, 2008 2:09 pm Post subject:

gcc vanilla
sandra / # gcc -v
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/specs
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/vanilla.specs
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/nopie.specs
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/nossp.specs
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/nosspall.specs
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/nozrelro.specs
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/noznow.specs
Mål: x86_64-pc-linux-gnu
Konfigurerad med: /var/tmp/portage/sys-devel/gcc-4.2.3-r1/work/gcc-4.2.3/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.2.3 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-libunwind-exceptions --enable-multilib --enable-libmudflap --disable-libssp --disable-libgcj --enable-languages=c,c++,treelang --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion=Gentoo Hardened 4.2.3-r1, ssp-builtin, pie-9.0.7
Trådmodell: posix
gcc version 4.2.3 (Gentoo Hardened 4.2.3-r1, ssp-builtin, pie-9.0.7)
sandra / #
Still som bugs with minispaces

zorry · Posted: Sat Apr 19, 2008 10:55 pm Post subject:

#include<stdio.h>
#include<stdlib.h>

void buffer_overflow() {
long int val = 0;
char str[29];
for (val = 0; val < 50; val++) {
str[val] = 'a';
}
printf("%s\n", str);
}

int main ()
{
buffer_overflow();
exit (0);
}

sandra / # gcc -o test test.c
sandra / # ./test
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa▒▒
*** stack smashing detected ***: test - terminated
test: stack smashing attack in function <unknown> - terminated
Report to https://bugs.gentoo.org/
Killed
sandra / # gcc -v
Läser specifikationer från /usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/specs
Mål: x86_64-pc-linux-gnu
Konfigurerad med: /var/tmp/portage/sys-devel/gcc-4.2.3-r1/work/gcc-4.2.3/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.2.3 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-libunwind-exceptions --enable-multilib --enable-libmudflap --disable-libssp --disable-libgcj --enable-languages=c,c++,treelang --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion=Gentoo Hardened 4.2.3-r1, ssp-builtin, pie-9.0.7
Trådmodell: posix
gcc version 4.2.3 (Gentoo Hardened 4.2.3-r1, ssp-builtin, pie-9.0.7)
sandra / #

steveL · Posted: Sun Apr 20, 2008 11:46 pm Post subject:

YAY! Well done zorry!

zorry · Posted: Mon Apr 21, 2008 9:06 pm Post subject:

How are we going to add -D_FORTIFY_SOURCE=2 to the specs file?
Somthing like this?
File: gcc.c
#define CC1_HARDENED_SPEC " %{!D__KERNEL__: %(cc1_pie) %(cc1_ssp) %(cc1_fofy) }"

File: fortify.specs
*cc1_fofy:
%{!U_FORTIFY_SOURCE:-D_FORTIFY_SOURCE=2}

File: nofortify.specs
*cc1_fofy:

Will it work?
Need som help with this.
Edit: minispece i working now for me.

zorry · Posted: Tue Apr 22, 2008 11:01 pm Post subject:

toolchain.eclass
http://www.ume.nu/~zorry/filer/Gentoo-hardened/portage/eclass/toolchain.eclass
Only for testing.
Need GCC 4.2, Glibc 2.7, kevquinn overlay pie-patch, spece files and ebuild from https://forums.gentoo.org/viewtopic-t-657209.html

EDIT: link's
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)

zorry · Posted: Wed Apr 23, 2008 3:53 pm Post subject:

zorry · Posted: Wed Apr 23, 2008 10:39 pm Post subject:

Working on getting -D_FORTIFY_SOURCE=2 to work and updating pie-patch.
Any one have test code to test it?

zorry · Posted: Thu Apr 24, 2008 10:10 pm Post subject:

Playing with spece file for FORTIFY_SOUCE.
sandra / # paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
*** buffer overflow detected ***: /usr/lib64/paxtest/rettofunc1 terminated
...
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed

Need to update toolchain-funcs.eclass and flag-o-matic.eclass to support flitring of FORTIFY.
spece filehttp://www.ume.nu/~zorry/filer/specs

Xake · Posted: Thu Apr 24, 2008 10:33 pm Post subject:

zorry · Posted: Thu Apr 24, 2008 10:53 pm Post subject:

zorry · Posted: Fri Apr 25, 2008 11:33 pm Post subject:

Any code to test flitring in the toolchain ?
Are we only going to support fortify_source=2 or even 0 and 1?

Xake · Posted: Fri Apr 25, 2008 11:51 pm Post subject:

zorry · Posted: Sat Apr 26, 2008 12:42 am Post subject:

zorry · Posted: Sat Apr 26, 2008 9:44 pm Post subject:

Have gott fliter flags working for fortify.
Uppdated glibc to filter-flags -D_FORTIFY_SOURCE=2
ebuild
Unpack: OK
Compile: OK
Install: OK

Will try to sort out the fortify bug in glibc so it can be built with fortify.

http://www.ume.nu/~zorry/filer/Gentoo-hardened/ for files.
Only tested on x86_64 (amd64)
Any one try to fix toolchain.eclass so it work for 3.x without minispaces.

Next step to do? build toolchain and se if it don't brek anyting and try emerge -e system?

zorry · Posted: Sun Apr 27, 2008 1:17 am Post subject:

Bug glibc-2.7-r2 fortify
build-x86-x86_64-pc-linux-gnu-nptl/debug/getwd_chk.o -MD -MP -MF /var/tmp/portage/sys-libs/glibc-2.7-r3/work/build-x86-x86_64-pc-linux-gnu-nptl/debug/getwd_chk.o.dt -MT /var/tmp/portage/sys-libs/glibc-2.7-r3/work/build-x86-x86_64-pc-linux-gnu-nptl/debug/getwd_chk.o
readlinkat_chk.c:26: error: conflicting types for '__readlinkat_chk'
../posix/bits/unistd.h:159: error: previous declaration of '__readlinkat_chk' was here
readlink_chk.c:29: error: conflicting types for '__readlink_chk'
../posix/bits/unistd.h:127: error: previous declaration of '__readlink_chk' was here
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.7-r3/work/build-x86-x86_64-pc-linux-gnu-nptl/debug/readlinkat_chk.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.7-r3/work/build-x86-x86_64-pc-linux-gnu-nptl/debug/readlink_chk.o] Error 1
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.7-r3/work/glibc-2.7/debug'
make[1]: *** [debug/subdir_lib] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.7-r3/work/glibc-2.7'
make: *** [all] Error 2
*
* ERROR: sys-libs/glibc-2.7-r3 failed.
* Call stack:
* ebuild.sh, line 49: Called src_compile
* environment, line 3343: Called eblit-run 'src_compile'
* environment, line 1077: Called eblit-glibc-src_compile
* src_compile.eblit, line 168: Called src_compile
* environment, line 3343: Called eblit-run 'src_compile'
* environment, line 1077: Called eblit-glibc-src_compile
* src_compile.eblit, line 179: Called toolchain-glibc_src_compile
* src_compile.eblit, line 122: Called die
* The specific snippet of code:
* make PARALLELMFLAGS="${MAKEOPTS}" || die "make for ${ABI} failed"
* The die message:
* make for x86 failed
*
* If you need support, post the topmost build error, and the call stack if relevant.
* A complete build log is located at '/var/log/portage/sys-libs:glibc-2.7-r3:20080427-004446.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-libs/glibc-2.7-r3/temp/environment'.
* This ebuild used the following eclasses from overlays:
* /usr/local/portage/eclass/toolchain-funcs.eclass
* /usr/local/portage/eclass/flag-o-matic.eclass
* This ebuild is from an overlay: '/usr/local/portage/'
*
sandra ~ #
Any on vanilla gcc-4.2.3 and glibc-2.7 thet can test to add -D_FORTIFY_SOURCE=2 to CFLAGS
if it hit the bug to?