Date: Thu, 7 Feb 2013 23:52:42 +0100
From: Jeremie Le Hen <jlh@FreeBSD.org>
To: Dimitry Andric <dim@FreeBSD.org>
Cc: Kimmo Paasiala <kpaasial@gmail.com>, FreeBSD current <freebsd-current@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: CLANG and -fstack-protector
Message-ID: <20130207225242.GA5900@felucia.tataz.chchile.org>
In-Reply-To: <51141769.5060905@FreeBSD.org>
References: <CA+7WWSeFh9sJyo3kKD5wTEHoyTSjR6TuDDgDCV5Nhc_wMzVUkg@mail.gmail.com> <51141769.5060905@FreeBSD.org>

Hi Kimmo,

On Thu, Feb 07, 2013 at 10:06:49PM +0100, Dimitry Andric wrote:
> On 2013-02-07 20:42, Kimmo Paasiala wrote:
> > Does the -fstack-protector option work on CLANG 3.1 and 3.2?
>
> Yes, it works with both clang and gcc.
>
> > There is thread on FreeBSD forums about the stack protector and ports
> > and I'm wondering if it's possible to use the -fstack-protector option
> > with CLANG.
> >
> > http://forums.freebsd.org/showthread.php?t=36927
>
> That thread seems to be full of confusion. :-) The base system is mostly
> built with -fstack-protector, except for the ia64, arm and mips arches,
> and for some specific cases where it is not necessary, or unwanted.
>
> Ports are largely independent of the base system, and their compilation
> flags are different from port to port. You could set -fstack-protector
> for your ports in either make.conf or ports.conf, if you wanted.

You can do this, it will work for most of the ports but some ports do
not honor CFLAGS. If those ports happen to be linked against libraries
that were compiled with -fstack-protector, you will get a missing symbol
error. Well, to be honest, I don't remember enough details, they faded
from my memory, I need to check this.

So if you care about security enough, go for it! If you meet a weird
error like a missing "stack_chk_fail" symbol for some ports (lang/perl
might be a candidate in my memory), then look at the PR below, it will
probably solve your problem. Time has passed and I am interested in
your feedback without the patch (and then with, if relevant).

Basically the following PR contains a patch that waits for an exp run to
be committed into the base system. This just turns libc.so into an ld
script that pulls in libssp_nonshared.a. You just have to run "make all
install" in src/lib/libc after applying it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/168010

I run it on my servers with -fstack-protector enabled for ports without
any problem.

Cheers!
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
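
Added example (not part of the original message or of the FreeBSD sources): since some ports do not honor CFLAGS, this sh helper reports which installed ELF files actually reference the stack-protector failure handler. The function names and the sample `nm` lines are constructed for illustration, and the symbol names `__stack_chk_fail` / `__stack_chk_fail_local` are an assumption about what the message calls "stack_chk_fail"; a result of "none" can also mean the object has no function the compiler chose to instrument.

```sh
#!/bin/sh
# Added example: audit ELF files for stack-protector references.

# Constructed samples of `nm -D` output (not taken from real binaries).
SAMPLE_INSTRUMENTED='                 U __stack_chk_fail@FBSD_1.0
                 U printf@FBSD_1.0
0000000000001a40 T main'
SAMPLE_PLAIN='                 U printf@FBSD_1.0
0000000000001a40 T main'
SAMPLE_PROVIDER='0000000000051c10 T __stack_chk_fail
0000000000203a80 B __stack_chk_guard'

# Read nm-style lines on stdin and print one word:
#   ssp      - undefined reference to the canary-failure handler
#   provider - the object defines the handler itself (e.g. a libc)
#   none     - no handler symbol seen
ssp_classify() {
    awk '
        {
            # nm prints "addr type name" for defined symbols
            # and "type name" for undefined ones
            type = (NF >= 3) ? $2 : $1
            name = $NF
            sub(/@.*/, "", name)   # drop a symbol-version suffix
            if (name != "__stack_chk_fail" &&
                name != "__stack_chk_fail_local") next
            if (type == "U") ref = 1; else def = 1
        }
        END {
            if (ref) print "ssp"
            else if (def) print "provider"
            else print "none"
        }'
}

# Run nm on each file argument and print "<file><TAB><status>".
ssp_audit() {
    for f in "$@"; do
        out=$(nm -D "$f" 2>/dev/null) || {
            printf '%s\tunreadable\n' "$f"; continue; }
        printf '%s\t%s\n' "$f" "$(printf '%s\n' "$out" | ssp_classify)"
    done
}

# Assumed usage on a ports install: sh ssp_audit.sh /usr/local/bin/*
if [ $# -gt 0 ]; then ssp_audit "$@"; fi
```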