Attached is a patch for uClibc-svn for gcc41's ssp. I'm not sure exactly what was causing the ssp segfaults, but they're fixed in the patch. The uClibc-svn branch is causing segfaults for anything statically linked, but it has nothing to do with any of the security options. The statically-linked segfaults go away if I enable uClibc's debugging.
I backported the attached patch to 0.9.28.3 and the static linking was fine. I haven't done the gcc3 parts yet, so I haven't submitted this patch to uClibc's bugs site yet. I'm pretty sure gcc2/3 and gcc41 can both use the same library at the same time. The attached patch also adds _dl__sysctl to ld.so. The sysctl erandom now works with a single system call, so it should perform better than reading /dev/*random. Adding the fortify_source stuff is complicated. GCC did it in libssp, even though it has nothing to do with ssp. I think its best added to uClibc integrated with libc like Glibc did, but with uClibc it has to be optional and that makes the installed headers complicated to patch. I plan to add it under the debugging options instead of security options. I'm taking a break from libssp/fortify_source and adding the sysctl erandom back to arc4random.c, with a small gcc4 warning fix, and arc4random back to mktemp to see if it'll be accepted this time. Glibc recently added hp-timing.h (high precision timing) to ssp, which gets entropy from the clock on modern hardware, and random mmap on 2.6 kernels. uClibc isn't supporting it currently, but I want to look into it. robert
diff -Naur uClibc-20070404.orig/extra/Configs/Config.in uClibc-20070404/extra/Configs/Config.in --- uClibc-20070404.orig/extra/Configs/Config.in 2007-04-04 03:10:08.000000000 -0400 +++ uClibc-20070404/extra/Configs/Config.in 2007-04-11 04:59:40.000000000 -0400 @@ -1296,19 +1296,48 @@ It requires gcc-3.4 and binutils-2.15 (for arm 2.16) or later. More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> . WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all - libraries have to be built with -fPIC or -fpic, and all assembler - functions must be written as position independent code (PIC). + libraries have to be built with the -fPIC or -fpic compiler + options, and all assembler functions must be written as + Position Independent Code (PIC). + +config UCLIBC_BUILD_RELRO + bool "Build uClibc with PT_GNU_RELRO segment headers" + depends on HAVE_SHARED + default y + help + Build all libraries and executables with the '-z relro' linker option. + This option tells the dynamic linker to mark the memory region as + read-only after it has completed the relocations. + +config UCLIBC_BUILD_NOW + bool "Build uClibc to resolve all symbols at run time" + depends on HAVE_SHARED + default n + help + Build all libraries and executables with the '-z now' linker option. + This marking tells the dynamic linker to resolve all symbols when + the program or library is first loaded, instead of when the when + when the function is called. This is more secure but causes a + slight load time performance overhead. + +config UCLIBC_BUILD_NOEXECSTACK + bool "Build uClibc with noexecstack marking" + default y + help + Mark all assembler files as noexecstack. This will result in marking + all programs and libraries built against uClibc to not require + an executable stack. config UCLIBC_HAS_ARC4RANDOM bool "Include the arc4random() function" default n help - Answer Y to support the OpenBSD-like arc4random() function. This + Answer Y to support the OpenBSD-like arc4random(3) function. This function picks a random number between 0 and N, and will always return something even if the random driver is dead. If urandom fails then gettimeofday(2) will be used as the random seed. This function is designed to be more dependable than invoking /dev/urandom directly. - OpenSSL and OpenNTPD currently support this function. + OpenSSL, OpenNTPD, and ICS-Bind currently support this function. Most people will answer N. @@ -1317,46 +1346,106 @@ default n config UCLIBC_HAS_SSP - bool "Support for propolice smashing stack protector" + bool "Support for Stack Smashing Protector (SSP). a.k.a. ProPolice" depends on !HAVE_NO_SSP default n help - Add propolice smashing stack protector to the library. - This requires GCC 4.1, supporting the -fstack-protector[-all] - options. GCC does not have to provide libssp, the needed - functions are added to ldso/libc instead. + This option requires the GCC -fstack-protector[-all] feature to + utilize. This option replaces "libssp", from GCC 4.1+, and is ideal + if you build all or most of your system with -fstack-protector[-all]. + If you only build a small number of applications with this protection + then linking to "libssp" may be more appropriate. Build GCC 4.1+ with + 'make gcc_cv_libc_provides_ssp=yes' to force GCC 4.1+ to use SSP from + ldso/libc. + Third-party patches for older GCC versions are available, and will + require you to enable the UCLIBC_HAS_SSP_LEGACY option to use. + For more information see: + <http://www.research.ibm.com/trl/projects/security/ssp/> + Note about entropy: + By default Stack Smashing Protector uses /dev/urandom as a source of + entropy each time a protected program is run. This can lead to the + /dev/random device running out of entropy, causing cryptographic + software to block and wait for more entropy. There are alternatives + for SSP. The /dev/erandom device is ideal for non-cryptographic + applications like SSP. It is also possible to use High Precision + Timing (hp-timing), kernel stack, and memory-map (mmap) XOR values, + and finally gettimeofday(2) XOR values. Each in turn is higher + performance and less secure. The sysctl interface for erandom, + hp-timing, and gettimeofday(2) have the advantage of working + from inside a chroot without /dev/*random devices. Most people will answer N. -config UCLIBC_HAS_SSP_COMPAT - bool "Support for gcc-3.x propolice smashing stack protector" +config UCLIBC_HAS_SSP_LEGACY + bool "Support for legacy Stack Smashing Protector" depends on UCLIBC_HAS_SSP default n help - Add gcc-3.x propolice smashing stack protector to the library. - This requires a patched version of GCC, supporting the - -fstack-protector[-all] options, with the __guard and - __stack_smash_handler functions removed from libgcc. - These functions are added to ldso/libc instead. - More information at: - <http://www.research.ibm.com/trl/projects/security/ssp/> + This option enables support for GCC 2.95.3 and 3.x Stack + Smashing Protector to the library. This requires a modified + GCC supporting the -fstack-protector[-all] options, with + the __guard and __stack_smash_handler functions removed from + libgcc. Most people will answer N. -config SSP_QUICK_CANARY - bool "Use simple guard values without accessing /dev/urandom" +config SSP_STATIC_CANARY + bool "Only use the 'terminator canary' for the SSP guard value" depends on UCLIBC_HAS_SSP default n help - Use gettimeofday(2) to define the __guard without accessing - /dev/urandom. - WARNING: This makes smashing stack protector vulnerable to timing - attacks. + Use a static (never changing) value for the SSP guard value. + This option has the least security and highest performance. + This option should only be used for debugging, or very low security + environments. + WARNING: This makes Stack Smashing Protector vulnerable to attack. + Most people will answer N. + +config SSP_QUICK_CANARY + bool "Use simple SSP guard values without accessing a random device" + depends on UCLIBC_HAS_SSP && !SSP_STATIC_CANARY + default n + help + Use gettimeofday(2) to define the SSP guard value without accessing + /dev/urandom. If gettimeofday(2) fails then a static canary will be + used. + WARNING: This makes Stack Smashing Protector vulnerable to timing + attacks. + Most people will answer N. + +config SSP_USES_ERND + bool "Use the erandom (economical random) device for SSP guard values" + depends on UCLIBC_HAS_SSP && !SSP_STATIC_CANARY && !SSP_QUICK_CANARY + default n + help + This option tells uClibc to use /dev/erandom instead of /dev/urandom + for Stack Smashing Protector guard values. The 'erandom' device + does not consume the kernel's random pool entropy, but instead uses + the state of the kernel entropy pool (which is constantly changing). + There is no performance or security loss with this option. This + feature requires a modified kernel. + For more information see: + <http://frandom.sourceforge.net/> + Most people will answer N. + +config SSP_USES_SYSCTL_ERND + bool "Use the sysctl(3) erandom interface for SSP guard values" + depends on SSP_USES_ERND + default n + help + This option tells uClibc to use sysctl(3), instead of opening + /dev/erandom. This has the advantage of working from inside a + chroot. If this option is enabled then it will be the priority + way of fetching entropy, /dev/erandom will be used only if + sysctl(3) fails. Additionally to requiring a modified kernel, + this option requires a modified <linux/sysctl.h> header file. + This option only uses one system call to perform, while opening, + reading, and closing a device file uses three. Most people will answer N. choice - prompt "Propolice protection blocking signal" + prompt "Stack Smashing Protector kill signal" depends on UCLIBC_HAS_SSP - default PROPOLICE_BLOCK_ABRT if ! DODEBUG - default PROPOLICE_BLOCK_SEGV if DODEBUG + default SSP_BLOCK_ABRT if ! DODEBUG + default SSP_BLOCK_SEGV if DODEBUG help "abort" use SIGABRT to block offending programs. This is the default implementation. @@ -1366,42 +1455,22 @@ If unsure, answer "abort". -config PROPOLICE_BLOCK_ABRT +config SSP_BLOCK_ABRT bool "abort" -config PROPOLICE_BLOCK_SEGV +config SSP_BLOCK_SEGV bool "segfault" endchoice config UCLIBC_BUILD_SSP - bool "Build uClibc with propolice protection" + bool "Build uClibc with stack protection" depends on UCLIBC_HAS_SSP default n help - Build all libraries and executables with propolice protection enabled. - -config UCLIBC_BUILD_RELRO - bool "Build uClibc with RELRO" - depends on HAVE_SHARED - default y - help - Build all libraries and executables with -z relro. - -config UCLIBC_BUILD_NOW - bool "Build uClibc with NOW" - depends on HAVE_SHARED - default n - help - Build all libraries and executables with -z now. - -config UCLIBC_BUILD_NOEXECSTACK - bool "Build uClibc with noexecstack marking" - default y - help - Mark all assembler files as noexecstack. This will result in marking - all libraries and executables built against uClibc not requiring - executable stack. + Build all programs and libraries with -fstack-protector[-all]. + This adds approximately 4-8% performance overhead, and increases + the size of the uClibc library by about 1.5%. endmenu diff -Naur uClibc-20070404.orig/ldso/include/dl-syscall.h uClibc-20070404/ldso/include/dl-syscall.h --- uClibc-20070404.orig/ldso/include/dl-syscall.h 2007-04-04 03:10:11.000000000 -0400 +++ uClibc-20070404/ldso/include/dl-syscall.h 2007-04-11 03:39:41.000000000 -0400 @@ -129,9 +129,20 @@ # else void *, tz); # endif +# ifdef SSP_USES_SYSCTL_ERND +# include <sys/sysctl.h> +# define __NR__dl__sysctl __NR__sysctl + + _syscall1(int, _dl__sysctl, struct __sysctl_args *, args); + int _dl_sysctl(int *name, int nlen, void *oldval, size_t *oldlenp, + void *newval, size_t newlen) + { + struct __sysctl_args args={name,nlen,oldval,oldlenp,newval,newlen}; + return _dl__sysctl(&args); + } +# endif #endif - /* handle all the fun mmap intricacies */ #if (defined(__UCLIBC_MMAP_HAS_6_ARGS__) && defined(__NR_mmap)) || !defined(__NR_mmap2) # define _dl_MAX_ERRNO 4096 diff -Naur uClibc-20070404.orig/ldso/ldso/ldso.c uClibc-20070404/ldso/ldso/ldso.c --- uClibc-20070404.orig/ldso/ldso/ldso.c 2007-04-04 03:10:11.000000000 -0400 +++ uClibc-20070404/ldso/ldso/ldso.c 2007-04-11 03:28:39.000000000 -0400 @@ -100,10 +100,10 @@ /* Only exported for architectures that don't store the stack guard canary * in local thread area. */ uintptr_t __stack_chk_guard attribute_relro; -# ifdef __UCLIBC_HAS_SSP_COMPAT__ +# ifdef __UCLIBC_HAS_SSP_LEGACY__ strong_alias(__stack_chk_guard,__guard) # endif -# elif __UCLIBC_HAS_SSP_COMPAT__ +# elif __UCLIBC_HAS_SSP_LEGACY__ uintptr_t __guard attribute_relro; # endif #endif @@ -229,7 +229,7 @@ stack_chk_guard = _dl_setup_stack_chk_guard (); # ifdef THREAD_SET_STACK_GUARD THREAD_SET_STACK_GUARD (stack_chk_guard); -# ifdef __UCLIBC_HAS_SSP_COMPAT__ +# ifdef __UCLIBC_HAS_SSP_LEGACY__ __guard = stack_chk_guard; # endif # else diff -Naur uClibc-20070404.orig/libc/misc/internals/__uClibc_main.c uClibc-20070404/libc/misc/internals/__uClibc_main.c --- uClibc-20070404.orig/libc/misc/internals/__uClibc_main.c 2007-04-04 03:10:29.000000000 -0400 +++ uClibc-20070404/libc/misc/internals/__uClibc_main.c 2007-04-11 03:28:39.000000000 -0400 @@ -61,14 +61,14 @@ /* for gcc-4.1 non-TLS */ uintptr_t __stack_chk_guard attribute_relro; /* for gcc-3.x + Etoh ssp */ -# ifdef __UCLIBC_HAS_SSP_COMPAT__ +# ifdef __UCLIBC_HAS_SSP_LEGACY__ # ifdef __HAVE_SHARED__ strong_alias(__stack_chk_guard,__guard) # else uintptr_t __guard attribute_relro; # endif # endif -# elif defined __UCLIBC_HAS_SSP_COMPAT__ +# elif defined __UCLIBC_HAS_SSP_LEGACY__ uintptr_t __guard attribute_relro; # endif # endif @@ -208,12 +208,12 @@ stack_chk_guard = _dl_setup_stack_chk_guard(); # ifdef THREAD_SET_STACK_GUARD THREAD_SET_STACK_GUARD (stack_chk_guard); -# ifdef __UCLIBC_HAS_SSP_COMPAT__ +# ifdef __UCLIBC_HAS_SSP_LEGACY__ __guard = stack_chk_guard; # endif # else __stack_chk_guard = stack_chk_guard; -# if !defined __HAVE_SHARED__ && defined __UCLIBC_HAS_SSP_COMPAT__ +# if !defined __HAVE_SHARED__ && defined __UCLIBC_HAS_SSP_LEGACY__ __guard = stack_chk_guard; # endif # endif diff -Naur uClibc-20070404.orig/libc/sysdeps/linux/common/dl-osinfo.h uClibc-20070404/libc/sysdeps/linux/common/dl-osinfo.h --- uClibc-20070404.orig/libc/sysdeps/linux/common/dl-osinfo.h 2007-04-04 03:10:23.000000000 -0400 +++ uClibc-20070404/libc/sysdeps/linux/common/dl-osinfo.h 2007-04-11 04:41:00.000000000 -0400 @@ -13,56 +13,94 @@ # if defined IS_IN_libc || defined IS_IN_rtld # if defined __SSP__ || defined __SSP_ALL__ -# error "file must not be compiled with stack protection enabled on it. Use -fno-stack-protector" +# error "This file must not be compiled with stack protection. Use -fno-stack-protector" # endif # include <stdint.h> -# include <sys/time.h> -# ifdef IS_IN_libc -#include <fcntl.h> +# ifndef __SSP_STATIC_CANARY__ +# include <sys/time.h> +# ifdef IS_IN_libc +libc_hidden_proto(gettimeofday) +# define GETTIMEOFDAY gettimeofday +# else +# define GETTIMEOFDAY _dl_gettimeofday +# endif + +# if !defined(__SSP_QUICK_CANARY__) && !defined(__SSP_STATIC_CANARY__) +# ifdef IS_IN_libc +# include <fcntl.h> libc_hidden_proto(open) libc_hidden_proto(read) libc_hidden_proto(close) -libc_hidden_proto(gettimeofday) -# define OPEN open -# define READ read -# define CLOSE close -# define GETTIMEOFDAY gettimeofday -# else -# define OPEN _dl_open -# define READ _dl_read -# define CLOSE _dl_close -# define GETTIMEOFDAY _dl_gettimeofday +# define OPEN open +# define READ read +# define CLOSE close +# else +# define OPEN _dl_open +# define READ _dl_read +# define CLOSE _dl_close +# endif +# endif +# endif + +# ifdef __SSP_USES_SYSCTL_ERND__ +# include <sys/sysctl.h> +# ifdef IS_IN_libc +libc_hidden_proto(sysctl) +# define SYSCTL sysctl +# else +# define SYSCTL _dl_sysctl +# endif # endif static __always_inline uintptr_t _dl_setup_stack_chk_guard(void) { uintptr_t ret; -# ifndef __SSP_QUICK_CANARY__ - { - int fd = OPEN("/dev/urandom", O_RDONLY, 0); - if (fd >= 0) { - size_t size = READ(fd, &ret, sizeof(ret)); - CLOSE(fd); - if (size == (size_t) sizeof(ret)) - return ret; - } - } -# endif /* !__SSP_QUICK_CANARY__ */ - - /* Start with the "terminator canary". */ - ret = 0xFF0A0D00UL; - - /* Everything failed? Or we are using a weakened model of the - * terminator canary */ - { - struct timeval tv; - if (GETTIMEOFDAY(&tv, NULL) != (-1)) - ret ^= tv.tv_usec ^ tv.tv_sec; - } + +# ifdef __SSP_USES_SYSCTL_ERND__ + int mib[3]={CTL_KERN, KERN_RANDOM, RANDOM_ERANDOM}; + size_t len; + + len = sizeof(ret); + if (SYSCTL(mib, 3, &ret, &len, NULL, 0) != (-1) && + len == sizeof(ret)) + { + return ret; + } +# endif + +# if !defined(__SSP_QUICK_CANARY__) && !defined(__SSP_STATIC_CANARY__) +# ifdef __SSP_USES_ERND__ + if ((int fd = OPEN("/dev/erandom", O_RDONLY)) == (-1)) +# endif + int fd = OPEN ("/dev/urandom", O_RDONLY, 0); + if (fd >= 0) + { + ssize_t reslen = READ (fd, &ret, sizeof (ret)); + CLOSE (fd); + if (reslen == (ssize_t) sizeof (ret)) + return ret; + } +# endif + +# ifndef __SSP_STATIC_CANARY__ + struct timeval tv; + if (GETTIMEOFDAY(&tv, NULL) != (-1)) + { + ret ^= tv.tv_usec ^ tv.tv_sec; + return ret; + } +# endif + + /* __SSP_STATIC_CANARY__ */ + ret = 0; + unsigned char *p = (unsigned char *) &ret; + p[sizeof (ret) - 1] = 255; + p[sizeof (ret) - 2] = '\n'; return ret; } + # endif /* libc || rtld */ #endif /* __UCLIBC_HAS_SSP__ */ diff -Naur uClibc-20070404.orig/libc/sysdeps/linux/common/ssp.c uClibc-20070404/libc/sysdeps/linux/common/ssp.c --- uClibc-20070404.orig/libc/sysdeps/linux/common/ssp.c 2007-04-04 03:10:23.000000000 -0400 +++ uClibc-20070404/libc/sysdeps/linux/common/ssp.c 2007-04-11 04:42:19.000000000 -0400 @@ -3,7 +3,7 @@ * $Header: $ * * This is a modified version of Hiroaki Etoh's stack smashing routines - * implemented for glibc. + * implemented for uClibc. * * The following people have contributed input to this code. * Ned Ludd - <[EMAIL PROTECTED]> @@ -17,10 +17,10 @@ */ #if defined __SSP__ || defined __SSP_ALL__ -#error "file must not be compiled with stack protection enabled on it. Use -fno-stack-protector" +#error "This file must not be compiled with stack protection. Use -fno-stack-protector" #endif -#ifdef __PROPOLICE_BLOCK_SEGV__ +#ifdef __SSP_BLOCK_SEGV__ # define SSP_SIGTYPE SIGSEGV #else # define SSP_SIGTYPE SIGABRT @@ -50,20 +50,18 @@ struct sigaction sa; sigset_t mask; - sigfillset(&mask); + (void)sigfillset(&mask); + (void)sigdelset(&mask, SSP_SIGTYPE); /* Block signals. */ + (void)sigprocmask(SIG_BLOCK, &mask, NULL); /* except SIGABRT */ - sigdelset(&mask, SSP_SIGTYPE); /* Block all signal handlers */ - sigprocmask(SIG_BLOCK, &mask, NULL); /* except SSP_SIGTYPE */ - - /* Make the default handler associated with the signal handler */ - memset(&sa, 0, sizeof(struct sigaction)); - sigfillset(&sa.sa_mask); /* Block all signals */ + (void)memset(&sa, 0, sizeof(sa)); sa.sa_flags = 0; sa.sa_handler = SIG_DFL; - sigaction(SSP_SIGTYPE, &sa, NULL); + (void)sigaction(SSP_SIGTYPE, &sa, NULL); } -static void ssp_write(int fd, const char *msg1, const char *msg2, const char *msg3) +static void ssp_write(int fd, const char *msg1, + const char *msg2, const char *msg3) { write(fd, msg1, strlen(msg1)); write(fd, msg2, strlen(msg2)); @@ -74,28 +72,9 @@ closelog(); } -static attribute_noreturn void terminate(void) -{ - (void) kill(getpid(), SSP_SIGTYPE); - _exit(127); -} - -void __stack_smash_handler(char func[], int damaged __attribute__ ((unused))) attribute_noreturn; -void __stack_smash_handler(char func[], int damaged) -{ - static const char message[] = ": stack smashing attack in function "; - - block_signals(); - - ssp_write(STDERR_FILENO, __uclibc_progname, message, func); - - /* The loop is added only to keep gcc happy. */ - while(1) - terminate(); -} - -void __stack_chk_fail(void) attribute_noreturn; -void __stack_chk_fail(void) +void __stack_chk_fail(void) __attribute__((__noreturn__)); +void +__stack_chk_fail(void) { static const char msg1[] = "stack smashing detected: "; static const char msg3[] = " terminated"; @@ -104,24 +83,9 @@ ssp_write(STDERR_FILENO, msg1, __uclibc_progname, msg3); - /* The loop is added only to keep gcc happy. */ - while(1) - terminate(); + while(1) /* Make GCC happy with __attribute__((__noreturn__)). */ + { + (void)kill(getpid(), SSP_SIGTYPE); + _exit(127); + } } - -#if 0 -void __chk_fail(void) attribute_noreturn; -void __chk_fail(void) -{ - static const char msg1[] = "buffer overflow detected: "; - static const char msg3[] = " terminated"; - - block_signals(); - - ssp_write(STDERR_FILENO, msg1, __uclibc_progname, msg3); - - /* The loop is added only to keep gcc happy. */ - while(1) - terminate(); -} -#endif diff -Naur uClibc-20070404.orig/libc/sysdeps/linux/common/sysctl.c uClibc-20070404/libc/sysdeps/linux/common/sysctl.c --- uClibc-20070404.orig/libc/sysdeps/linux/common/sysctl.c 2007-04-04 03:10:23.000000000 -0400 +++ uClibc-20070404/libc/sysdeps/linux/common/sysctl.c 2007-04-11 03:36:00.000000000 -0400 @@ -39,3 +39,4 @@ return _sysctl(&args); } +libc_hidden_def(sysctl)
pgpuomE2Cpzlr.pgp
Description: PGP signature
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
