Date:      Wed, 27 Jul 2016 20:05:30 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Conrad Meyer <cem@freebsd.org>
Cc:        freebsd-current <freebsd-current@freebsd.org>, Ed Maste <emaste@freebsd.org>
Subject:   Re: SafeStack in base
Message-ID:  <20160728000530.GH13428@mutt-hardenedbsd>
In-Reply-To: <CAG6CVpWgXMNHsdo0doL0FDygykZY3vYm9w8897p4nyetTmGfew@mail.gmail.com>
References:  <20160727225527.GG13428@mutt-hardenedbsd> <CAG6CVpWgXMNHsdo0doL0FDygykZY3vYm9w8897p4nyetTmGfew@mail.gmail.com>



On Wed, Jul 27, 2016 at 05:02:07PM -0700, Conrad Meyer wrote:
> On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> > Hey All,
> >
> > I'm interested in getting SafeStack working in FreeBSD base. Below is a
> > link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> > The patch applies against HardenedBSD's hardened/current/master branch.
> > Given how simple the patch is, it'd be extremely easy to port over to
> > FreeBSD (just line numbers would change).
> >
> > I am running into a bit of a problem, though. When linking
> > lib/libcom_err, I get the following error:
> >
> > com_err.So: In function `com_err':
> > /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined reference to `__safestack_unsafe_stack_ptr'
> > cc: error: linker command failed with exit code 1 (use -v to see invocation)
> > *** [libcom_err.so.5.full] Error code 1
> >
> > llvm's documentation says that SafeStack has been tested on FreeBSD.
> > When and how was it tested? Apparently someone has done some work to
> > enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> > documentation.
> >
> > If someone could point me in the right direction, I'd love to help get
> > SafeStack working (and committed?) in FreeBSD.
> >
> > Link to simplistic patch: http://ix.io/186A
> > Link to build log: https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169
>
> Hey Shawn,
>
> The relevant link line is:
>
> > -- libcom_err.so.5.full ---
> > building shared library libcom_err.so.5
> > cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now -fsanitize=safe-stack -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings -Wl,--warn-shared-textrel  -o libcom_err.so.5.full -Wl,-soname,libcom_err.so.5  `NM='nm' NMFLAGS='' lorder com_err.So error.So | tsort -q`
>
> The problem appears to be an upstream limitation of
> -fsanitize=safe-stack: "Most programs, static libraries, or individual
> files can be compiled with SafeStack as is. ... Linking a DSO with
> SafeStack is not currently supported." [0]
>
> That probably needs to be addressed upstream before it can be enabled globally.

Gotcha. If I'm reading correctly, then, SafeStack can only be enabled in
bsd.prog.mk (and _not_ bsd.lib.mk). Is that correct?

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
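
The following is an added example, not part of the original messages or of the FreeBSD build system. It scans link commands from a build log for the combination seen in the quoted link line, `-shared` together with `-fsanitize=safe-stack`, which the quoted LLVM text says is not supported, and notes whether `-Wl,--no-undefined` is also present. The function names, verdict strings and the last sample line are constructed for illustration; the middle sample line is the link command quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. classify_link prints "<output> <verdict>"
# for one compiler-driver link command.
classify_link() {
    shared=0; safestack=0; strict=0; out='?'; prev=''
    set -f                          # no globbing while word-splitting $1
    for tok in $1; do
        if [ "$prev" = "-o" ]; then out=$tok; fi
        case $tok in
            -shared) shared=1 ;;
            -fsanitize=*)           # value is a comma-separated list
                case ",${tok#-fsanitize=}," in *,safe-stack,*) safestack=1 ;; esac ;;
            -fno-sanitize=*)
                case ",${tok#-fno-sanitize=}," in *,safe-stack,*) safestack=0 ;; esac ;;
            -Wl,*)                  # --no-undefined makes unresolved symbols fatal
                case ",${tok#-Wl,}," in *,--no-undefined,*) strict=1 ;; esac ;;
        esac
        prev=$tok
    done
    set +f
    if [ "$safestack" -eq 0 ]; then verdict=no-safestack
    elif [ "$shared" -eq 0 ]; then verdict=safestack-program
    elif [ "$strict" -eq 1 ]; then verdict=safestack-dso-no-undefined
    else verdict=safestack-dso
    fi
    echo "$out $verdict"
}

# scan_log reads a build log on stdin and classifies lines starting with cc/clang.
scan_log() {
    while IFS= read -r line; do
        case $line in
            cc\ *|clang\ *) classify_link "$line" ;;
        esac
    done
}

# Line 2 is the link command quoted in the thread; line 3 is constructed.
sample_log() {
cat <<'EOF'
building shared library libcom_err.so.5
cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now -fsanitize=safe-stack -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings -Wl,--warn-shared-textrel  -o libcom_err.so.5.full -Wl,-soname,libcom_err.so.5  `NM='nm' NMFLAGS='' lorder com_err.So error.So | tsort -q`
cc -fsanitize=safe-stack -o hello hello.o
EOF
}

sample_log | scan_log
```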




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160728000530.GH13428>