[CFT] SSP Package Repository available
On 9/21/2013 5:49 AM, Bryan Drewery wrote:
> Ports now support enabling Stack Protector [1] support on FreeBSD 10
> i386 and amd64, and older releases on amd64 only currently.
>
> Support may be added for earlier i386 releases once all ports properly
> respect LDFLAGS.
>
> To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports.
>
> The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all
> may optionally be set instead.
>
> Please help test this on your system. We would like to eventually enable
> this by default, but need to identify any major ports that have run-time
> issues due to it.
>
> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>
We have not had any feedback on this yet and want to get it enabled by
default for ports and packages.
We now have a repository that you can use rather than the default to
help test. We need your help to identify any issues before switching the
default.
This repository is available for:
head
10.0
9.1,9.2,9.3
It is not available for 8.4. If someone is willing to test on 8.4 I will
build a repository for it.
Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:
FreeBSD: { enabled: no }
FreeBSD_ssp: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp";,
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
Once that is done you should force reinstall packages from this repository:
pkg update
pkg upgrade -f
Thanks for your help!
Bryan Drewery
On behalf of portmgr.
signature.asc
Description: OpenPGP digital signature
Re: [CFT] SSP Package Repository available
Bryan Drewery wrote: Ports now support enabling Stack Protector [1] support on FreeBSD 10 i386 and amd64, and older releases on amd64 only currently. Support may be added for earlier i386 releases once all ports properly respect LDFLAGS. To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports. The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all may optionally be set instead. That's probably SSP_CFLAGS, not SSP_CLFAGS. Does clang (in 10-STABLE or CURRENT) support also the option -fstack-protector-strong ? Is 'world' by default compiled with -fstack-protector (and if not, why not). Mark ___ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: [CFT] SSP Package Repository available
On 8/21/2014 5:34 AM, Mark Martinec wrote: > Bryan Drewery wrote: >> Ports now support enabling Stack Protector [1] support on FreeBSD 10 >> i386 and amd64, and older releases on amd64 only currently. >> >> Support may be added for earlier i386 releases once all ports properly >> respect LDFLAGS. >> >> To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports. >> >> The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all >> may optionally be set instead. > > That's probably SSP_CFLAGS, not SSP_CLFAGS. Nice find. > > > Does clang (in 10-STABLE or CURRENT) support also the > option -fstack-protector-strong ? Not sure if clang 3.4 has it, but I found a patch for it here: https://github.com/archlinuxarm/PKGBUILDs/blob/master/extra/llvm/clang-3.4-fstack-protector-strong.patch > > Is 'world' by default compiled with -fstack-protector > (and if not, why not). World has been built with -fstack-protector by default since 2008. At least in 8.0+. > > Mark > ___ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org" -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: [CFT] SSP Package Repository available
On 8/21/2014 10:53 AM, Bryan Drewery wrote: > On 8/21/2014 5:34 AM, Mark Martinec wrote: >> Bryan Drewery wrote: >>> Ports now support enabling Stack Protector [1] support on FreeBSD 10 >>> i386 and amd64, and older releases on amd64 only currently. >>> >>> Support may be added for earlier i386 releases once all ports properly >>> respect LDFLAGS. >>> >>> To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports. >>> >>> The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all >>> may optionally be set instead. >> >> That's probably SSP_CFLAGS, not SSP_CLFAGS. > > Nice find. > >> >> >> Does clang (in 10-STABLE or CURRENT) support also the >> option -fstack-protector-strong ? > > Not sure if clang 3.4 has it, but I found a patch for it here: I'm told that clang 3.5 has support for it. We do not (yet) have 3.5 in CURRENT. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: [CFT] SSP Package Repository available
On 21 Aug 2014, at 18:07, Bryan Drewery wrote: > On 8/21/2014 10:53 AM, Bryan Drewery wrote: >> On 8/21/2014 5:34 AM, Mark Martinec wrote: >>> Bryan Drewery wrote: Ports now support enabling Stack Protector [1] support on FreeBSD 10 i386 and amd64, and older releases on amd64 only currently. Support may be added for earlier i386 releases once all ports properly respect LDFLAGS. To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports. The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all may optionally be set instead. >>> >>> That's probably SSP_CFLAGS, not SSP_CLFAGS. >> >> Nice find. >> >>> >>> >>> Does clang (in 10-STABLE or CURRENT) support also the >>> option -fstack-protector-strong ? >> >> Not sure if clang 3.4 has it, but I found a patch for it here: > > I'm told that clang 3.5 has support for it. We do not (yet) have 3.5 in > CURRENT. Indeed, support for -fstack-protector-strong was added after clang 3.4. Upstream is in the process of releasing clang 3.5; they're currently at -rc3, and unless something weird happens, the actual release should be soonish. That said, it might take a while to get this version into the base system, because there are some problems to overcome. The major one being, after 3.4 llvm and clang require a C++11-compatible compiler and standard library to build. :-) If there is a great demand for -fstack-protector-strong support, I can see if it can be backported to our 3.4 version. -Dimitry signature.asc Description: Message signed with OpenPGP using GPGMail
Re: [CFT] SSP Package Repository available
2014-08-22 18:07, Dimitry Andric wrote: On 21 Aug 2014, at 18:07, Bryan Drewery wrote: On 8/21/2014 10:53 AM, Bryan Drewery wrote: On 8/21/2014 5:34 AM, Mark Martinec wrote: Does clang (in 10-STABLE or CURRENT) support also the option -fstack-protector-strong ? Not sure if clang 3.4 has it, but I found a patch for it here: I'm told that clang 3.5 has support for it. We do not (yet) have 3.5 in CURRENT. Indeed, support for -fstack-protector-strong was added after clang 3.4. Upstream is in the process of releasing clang 3.5; they're currently at -rc3, and unless something weird happens, the actual release should be soonish. That said, it might take a while to get this version into the base system, because there are some problems to overcome. The major one being, after 3.4 llvm and clang require a C++11-compatible compiler and standard library to build. :-) If there is a great demand for -fstack-protector-strong support, I can see if it can be backported to our 3.4 version. Don't know how much demand there is. Just these days I was investigating what looks like a memory corruption in perl under FreeBSD 10, and realized the -fstack-protector-strong would be just the right thing to try first. (I ended up recompiling perl with gcc48). Just some random references I came across: https://en.wikipedia.org/wiki/Buffer_overflow_protection All Fedora packages are compiled with -fstack-protector since Fedora Core 5, and -fstack-protector-strong since Fedora 20. [...] All Arch Linux packages built since 4 May 2014 use -fstack-protector-strong. https://fedorahosted.org/fesco/ticket/1128 Benefit over the current default "-fstack-protector" => "-fstack-protector" is regarded as "not secure enough" (only "protects" < 2% functions in Chromium project). "-fstack-protector-strong" hits the balance between the over-simplified "-fstack-protector" and over-killing "-fstack-protector-all". [...] The stack-protector option is over-simplified, which ignores pointer cast, address computation, while the stack-protector-all is over-killing, using this option results in too much performance overhead. http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/ A normal x86_64 “defconfig” build, without stack protector had a kernel text size of 11430641 bytes with 36110 function bodies. Adding CONFIG_CC_STACKPROTECTOR_REGULAR increased the kernel text size to 11468490 (a +0.33% change), with 1015 of 36110 functions stack-protected (2.81%). Using CONFIG_CC_STACKPROTECTOR_STRONG increased the kernel text size to 11692790 (+2.24%), with 7401 of 36110 functions stack-protected (20.5%). And 20% is a far-cry from 100% if support for -fstack-protector-all was added back to the kernel. If there is a great demand for -fstack-protector-strong support, I can see if it can be backported to our 3.4 version. I guess the answer to that question is whether the goal/wish of a default WITH_SSP_PORTS / SSP_CFLAGS would be to switch to the -fstack-protector-strong before clang 3.5 comes into base. Mark ___ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
