From owner-freebsd-current@freebsd.org Thu Jul 28 00:05:34 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B8021BA77C9 for ; Thu, 28 Jul 2016 00:05:34 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6D67E1810 for ; Thu, 28 Jul 2016 00:05:34 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-qk0-x22f.google.com with SMTP id p74so49269788qka.0 for ; Wed, 27 Jul 2016 17:05:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=odV5tY7WfGgpBYMaRq9jfNs8rpE07E/8rH5z7Sa+Ybg=; b=BpK9ofOn8DWrBAstFrvdVW/7AJCHsxZ9ozGUTEVFSLt6BBn6n2YPwOmBo5ZvIzAHcH RYPipPvVTXK/LW2pNZISk8FqYQItocJiFTxqkukTmBG0veUfeBIKpzBTv0T9bUVKeQC3 AlRFWMXutmHTtWj98Zr650v2UWRn7NIikFOz2N3agMpvYFWklYIbGdsPZbvu8SUfMsJe og6bVim4rh7ek6YdyjNdGRcA5tYtIn/hXRKS1Pcdub3YIi3apbbWTrmmyPdy9hIaa7u2 AMzACE7VKV3dF3uWo2ShM1xzIEfKwRWDVu9hm9CNAx4EJLhw3UX848a9RRhLW/dc799W Id9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=odV5tY7WfGgpBYMaRq9jfNs8rpE07E/8rH5z7Sa+Ybg=; b=fXz/sJGOOYImcvdFDBVxQHktX21WSejFNAdlznQ5Z42VinYyZAMRZgYuzz6YfoqGBQ irE0Vw+aVmx3H5t84yRawRW9SlwM/ixpCdVeU8YhqDP7TA9nP+GmxTolCXiaHTsz0Tq9 Z2Gs5CR6qS3F3iaWQ+UpvqRx5PYuwFPwYz05Zt+xWaqhFLgkiRg4p8eeRFLd0RswokXj p/gThxmvXcNWWBnzttPcjLnbanG5oruIXhvKNGjD4Q+S6oh46gxVLOqQNGxNq/FGU0+E qqMxrD/uR87QhM+CpDSW/XJFsdZsxZ1nrqbeO7q0zDdSVrZHOQ3fs7+Ao7h+1YTRpUWh Tj+g== X-Gm-Message-State: AEkoouvnZ7lgtYgdfiPd2tLYi3UNqu3UYDRRQw19UMOEEhx1kA48FSnkm7tLFonaZVbmOV4d X-Received: by 10.55.64.140 with SMTP id n134mr37742342qka.201.1469664333539; Wed, 27 Jul 2016 17:05:33 -0700 (PDT) Received: from mutt-hardenedbsd (pool-100-16-217-171.bltmmd.fios.verizon.net. [100.16.217.171]) by smtp.gmail.com with ESMTPSA id q13sm5739294qkq.6.2016.07.27.17.05.31 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 27 Jul 2016 17:05:32 -0700 (PDT) Date: Wed, 27 Jul 2016 20:05:30 -0400 From: Shawn Webb To: Conrad Meyer Cc: freebsd-current , Ed Maste Subject: Re: SafeStack in base Message-ID: <20160728000530.GH13428@mutt-hardenedbsd> References: <20160727225527.GG13428@mutt-hardenedbsd> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Q59ABw34pTSIagmi" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD mutt-hardenedbsd 12.0-CURRENT-HBSD FreeBSD 12.0-CURRENT-HBSD X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: Mutt/1.6.1 (2016-04-27) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2016 00:05:34 -0000 --Q59ABw34pTSIagmi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote: > On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb = wrote: > > Hey All, > > > > I'm interested in getting SafeStack working in FreeBSD base. Below is a > > link to a simplistic (maybe too simplistic?) patch to enable SafeStack. > > The patch applies against HardenedBSD's hardened/current/master branch. > > Given how simple the patch is, it'd be extremely easy to port over to > > FreeBSD (just line numbers would change). > > > > I am running into a bit of a problem, though. When linking > > lib/libcom_err, I get the following error: > > > > com_err.So: In function `com_err': > > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined = reference to `__safestack_unsafe_stack_ptr' > > cc: error: linker command failed with exit code 1 (use -v to see invoca= tion) > > *** [libcom_err.so.5.full] Error code 1 > > > > llvm's documentation says that SafeStack has been tested on FreeBSD. > > When and how was it tested? Apparently someone has done some work to > > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific > > documentation. > > > > If someone could point me in the right direction, I'd love to help get > > SafeStack working (and commited?) in FreeBSD. > > > > Link to simplistic patch: http://ix.io/186A > > Link to build log: https://gist.github.com/lattera/5d94f44a5f3e10a28425= cd59104dd169 >=20 > Hey Shawn, >=20 > The relevant link line is: >=20 > > -- libcom_err.so.5.full --- > > building shared library libcom_err.so.5 > > cc -target x86_64-unknown-freebsd12.0 --sysroot=3D/usr/obj/usr/src/tmp = -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now -= fsanitize=3Dsafe-stack -Wl,--version-script=3D/usr/src/lib/libcom_err/../..= /contrib/com_err/version-script.map -fstack-protector-strong -shared -Wl,-x= -Wl,--fatal-warnings -Wl,--warn-shared-textrel -o libcom_err.so.5.full -W= l,-soname,libcom_err.so.5 `NM=3D'nm' NMFLAGS=3D'' lorder com_err.So error.= So | tsort -q` >=20 > The problem appears to be an upstream limitation of > -fsanitize=3Dsafe-stack: "Most programs, static libraries, or individual > files can be compiled with SafeStack as is. ??? Linking a DSO with > SafeStack is not currently supported." [0] >=20 > That probably needs to be addressed upstream before it can be enabled glo= bally. Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct? Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --Q59ABw34pTSIagmi Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXmUxHAAoJEGqEZY9SRW7uVmcQAMk2DRvYMSyRPNj01IxwW3BP BYPPgkdAEXLUOba81rpZ9+3PW8zpdNacAp2zlseU+uqlh/XCHDpP3A3MTpPPegXD 9JOZI5xmXcaAJxPlOGxeMIfm0H9l9UKMIUYrr5UJnW4XHyAo6Be1jqIiXVFM8+Td plXnUA1O1Dyv/LKK6DTPlv035duSV0MG6zJYFfa2vnFiDN/lPxPFpC8gqz7BBrap awYDEnwl7Gkeh2P/wMrYIkw24vuDsDy56k3nR/Ez1VTVr0IejwRbQOK8L1pAqBho 5ScUu4HknxjwKwfxlW8xA3jme9MWPwKqqznmZsSTPNIviK+gSK5qLACzzrvyG5MC 86GNfNm7kffvb7Jkz345Vrl9Ihimu1jL47VWgJLqdK2wdm6EpJTMvu7vzVvprijx 1A7kllUCeuhvkQ3/RQ8KO7UKimXKE2hStE0ixWmg1pN7r4Pdr+yo8sB5Amv2fHnX Du/DOf3Wvq/Qzpem5oFqzqHePuntRuHWwN0CLkxSLJazxywrC6meDqes5+YZZABo dCRFXoQxT21t3xJph+/dYWvljR3SMr05BgWzjUA2WKCZVR0bNOsq3nxQt0aNpZrh mySsVB1eORpMjkYJ+HjbASVr+HGw5pRlM3Hp1JeK1ONIEDPPXrdfaXIJcNFI9pZu LvsNb1CyQkDKZNO4dMEC =TV7+ -----END PGP SIGNATURE----- --Q59ABw34pTSIagmi--