Date: Wed, 27 Jul 2016 17:02:07 -0700
From: Conrad Meyer <cem@freebsd.org>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: freebsd-current <freebsd-current@freebsd.org>, Ed Maste <emaste@freebsd.org>
Subject: Re: SafeStack in base
Message-ID: <CAG6CVpWgXMNHsdo0doL0FDygykZY3vYm9w8897p4nyetTmGfew@mail.gmail.com>
In-Reply-To: <20160727225527.GG13428@mutt-hardenedbsd>
References: <20160727225527.GG13428@mutt-hardenedbsd>

On Wed, Jul 27, 2016 at 3:55 PM, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> Hey All,
>
> I'm interested in getting SafeStack working in FreeBSD base. Below is a
> link to a simplistic (maybe too simplistic?) patch to enable SafeStack.
> The patch applies against HardenedBSD's hardened/current/master branch.
> Given how simple the patch is, it'd be extremely easy to port over to
> FreeBSD (just line numbers would change).
>
> I am running into a bit of a problem, though. When linking
> lib/libcom_err, I get the following error:
>
> com_err.So: In function `com_err':
> /usr/src/lib/libcom_err/../../contrib/com_err/com_err.c:100: undefined reference to `__safestack_unsafe_stack_ptr'
> cc: error: linker command failed with exit code 1 (use -v to see invocation)
> *** [libcom_err.so.5.full] Error code 1
>
> llvm's documentation says that SafeStack has been tested on FreeBSD.
> When and how was it tested? Apparently someone has done some work to
> enable it on FreeBSD, but I can't find any relevant FreeBSD-specific
> documentation.
>
> If someone could point me in the right direction, I'd love to help get
> SafeStack working (and committed?) in FreeBSD.
>
> Link to simplistic patch: http://ix.io/186A
> Link to build log: https://gist.github.com/lattera/5d94f44a5f3e10a28425cd59104dd169

Hey Shawn,

The relevant link line is:

> -- libcom_err.so.5.full ---
> building shared library libcom_err.so.5
> cc -target x86_64-unknown-freebsd12.0 --sysroot=/usr/obj/usr/src/tmp -B/usr/obj/usr/src/tmp/usr/bin -Wl,--no-undefined -Wl,-z,relro -Wl,-z,now -fsanitize=safe-stack -Wl,--version-script=/usr/src/lib/libcom_err/../../contrib/com_err/version-script.map -fstack-protector-strong -shared -Wl,-x -Wl,--fatal-warnings -Wl,--warn-shared-textrel -o libcom_err.so.5.full -Wl,-soname,libcom_err.so.5 `NM='nm' NMFLAGS='' lorder com_err.So error.So | tsort -q`

The problem appears to be an upstream limitation of
-fsanitize=safe-stack:

"Most programs, static libraries, or individual files can be compiled
with SafeStack as is. … Linking a DSO with SafeStack is not currently
supported." [0]

That probably needs to be addressed upstream before it can be enabled globally.

Best,
Conrad

[0]: http://clang.llvm.org/docs/SafeStack.html
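
Added example (not part of the message above and not FreeBSD build-system code): a Python check that scans a build log for the case the reply identifies, a shared-library link step that still has -fsanitize=safe-stack in effect. The driver names and the sample log are constructed assumptions, modelled on the quoted link line.

```python
import shlex

DRIVERS = {"cc", "c++", "clang", "clang++"}  # assumption: driver names seen in the log

def enabled_sanitizers(tokens):
    """Apply -fsanitize= / -fno-sanitize= in command-line order; later flags win."""
    enabled = set()
    for tok in tokens:
        flag, _, value = tok.partition("=")
        names = set(value.split(","))
        if flag == "-fsanitize":
            enabled |= names
        elif flag == "-fno-sanitize":
            enabled = set() if "all" in names else enabled - names
    return enabled

def unsupported_safestack_links(log_text):
    """Return (line_number, output) for each shared-library link with SafeStack on."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            tokens = shlex.split(line)
        except ValueError:          # unbalanced quotes in a log line
            tokens = line.split()
        if not tokens or tokens[0].rsplit("/", 1)[-1] not in DRIVERS:
            continue
        if "-shared" not in tokens or "-c" in tokens:
            continue                # compile step or executable link, not a DSO link
        if "safe-stack" in enabled_sanitizers(tokens):
            out = tokens[tokens.index("-o") + 1] if "-o" in tokens[:-1] else "?"
            hits.append((lineno, out))
    return hits

# Constructed sample log, modelled on the link line quoted in the message.
SAMPLE_LOG = """\
cc -fPIC -fsanitize=safe-stack -c com_err.c -o com_err.So
cc -Wl,--no-undefined -fsanitize=safe-stack -shared -o libcom_err.so.5.full -Wl,-soname,libcom_err.so.5 com_err.So error.So
cc -fsanitize=safe-stack -o compile_et compile_et.o parse.o
cc -fsanitize=safe-stack -fno-sanitize=safe-stack -shared -o libfoo.so.1 foo.So
"""

if __name__ == "__main__":
    for lineno, out in unsupported_safestack_links(SAMPLE_LOG):
        print(f"line {lineno}: {out} links a DSO with -fsanitize=safe-stack")
```

Only the second sample line is reported: the compile step and the executable link are supported uses, and the last line turns SafeStack back off before linking.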