subject:"Re\: \[gentoo\-user\] Stack Clash and \-fstack\-check"

Re: [gentoo-user] Stack Clash and -fstack-check

2017-06-20 Thread Adam Carter

Hmm, emerge --info from before and after (with added -fstack-check) looks
dodgy

# tail bind.info
=
Package Settings
=

net-dns/bind-9.11.1_p1::gentoo was built with the following:
USE="berkdb caps dlz filter- ipv6 ssl threads xml zlib -dnstap -doc
-fixed-rrset -geoip -gost -gssapi -idn -json -ldap -libressl -lmdb -mysql
-nslint -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs
-urandom" ABI_X86="(64)" PYTHON_TARGETS="python2_7 python3_4 -python3_5
-python3_6"
CFLAGS="-O2 -march=amdfam10 -mcx16 -mpopcnt -pipe -msahf -mabm
-fomit-frame-pointer -I/usr/include/db5.3"
CXXFLAGS="-O2 -march=amdfam10 -mcx16 -mpopcnt -pipe -msahf -mabm
-fomit-frame-pointer -I/usr/include/db5.3"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O2 -march=amdfam10 -mcx16 -mpopcnt -pipe
-msahf -mabm -fomit-frame-pointer"

# tail bind.info2

=
Package Settings
=

net-dns/bind-9.11.1_p1::gentoo was built with the following:
USE="berkdb caps dlz filter- ipv6 ssl threads xml zlib -dnstap -doc
-fixed-rrset -geoip -gost -gssapi -idn -json -ldap -libressl -lmdb -mysql
-nslint -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs
-urandom" ABI_X86="(64)" PYTHON_TARGETS="python2_7 python3_4 -python3_5
-python3_6"
CFLAGS="-O2 -march=amdfam10 -mcx16 -mpopcnt -pipe -msahf -mabm
-fomit-frame-pointer -fstack-check -I/usr/include/db5.3"
CXXFLAGS="-O2 -march=amdfam10 -mcx16 -mpopcnt -pipe -msahf -mabm
-fomit-frame-pointer -fstack-check -I/usr/include/db5.3"

===> LDFLAGS has been clobbered



# tail apache.info
=
Package Settings
=

www-servers/apache-2.4.25::gentoo was built with the following:
USE="ssl threads -debug -doc -ldap (-libressl) (-selinux) -static -suexec"
ABI_X86="(64)" APACHE2_MODULES="actions alias auth_basic auth_digest
authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid
dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter
headers http2 include info log_config logio mime mime_magic negotiation
proxy proxy_connect proxy_http rewrite setenvif socache_shmcb speling
status unique_id unixd userdir usertrack vhost_alias -access_compat -asis
-authn_dbd -authz_dbd -cache_disk -cache_socache -cern_meta -charset_lite
-dbd -dumpio -ident -imagemap -lbmethod_bybusyness -lbmethod_byrequests
-lbmethod_bytraffic -lbmethod_heartbeat -log_forensic -macro -proxy_ajp
-proxy_balancer -proxy_fcgi -proxy_ftp -proxy_html -proxy_scgi
-proxy_wstunnel -ratelimit -remoteip -reqtimeout -slotmem_shm -substitute
-version" APACHE2_MPMS="-event -prefork -worker"
CFLAGS="-O2 -march=amdfam10 -mcx16 -mpopcnt -pipe -msahf -mabm
-fomit-frame-pointer -fPIC"
CXXFLAGS="-O2 -march=amdfam10 -mcx16 -mpopcnt -pipe -msahf -mabm
-fomit-frame-pointer -fPIC"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O2 -march=amdfam10 -mcx16 -mpopcnt -pipe
-msahf -mabm -fomit-frame-pointer -fPIC -Wl,--no-as-needed"

# tail apache.info2
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL,
PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=
Package Settings
=

www-servers/apache-2.4.25::gentoo was built with the following:
USE="ssl threads -debug -doc -ldap (-libressl) (-selinux) -static -suexec"
ABI_X86="(64)" APACHE2_MODULES="actions alias auth_basic auth_digest
authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid
dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter
headers http2 include info log_config logio mime mime_magic negotiation
proxy proxy_connect proxy_http rewrite setenvif socache_shmcb speling
status unique_id unixd userdir usertrack vhost_alias -access_compat -asis
-authn_dbd -authz_dbd -cache_disk -cache_socache -cern_meta -charset_lite
-dbd -dumpio -ident -imagemap -lbmethod_bybusyness -lbmethod_byrequests
-lbmethod_bytraffic -lbmethod_heartbeat -log_forensic -macro -proxy_ajp
-proxy_balancer -proxy_fcgi -proxy_ftp -proxy_html -proxy_scgi
-proxy_wstunnel -ratelimit -remoteip -reqtimeout -slotmem_shm -substitute
-version" APACHE2_MPMS="-event -prefork -worker"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O2 -march=amdfam10 -mcx16 -mpopcnt -pipe
-msahf -mabm -fomit-frame-pointer -fstack-check -Wl,--no-as-needed"

> CFLAGS and CXXFLAGS clobbered

I assume this behaviour in unintentional

Re: [gentoo-user] Stack Clash and -fstack-check

2017-06-20 Thread Adam Carter

On Tue, Jun 20, 2017 at 4:01 PM, Rasmus Thomsen <
rasmus.thom...@protonmail.com> wrote:

> Hi,
>
> -fstack-check seems to be kind of broken on gcc right now:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66479
>

Ok, i'll quickpkg first just in case.

Re: [gentoo-user] Stack Clash and -fstack-check

2017-06-20 Thread Rasmus Thomsen

Hi,

-fstack-check seems to be kind of broken on gcc right now:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66479

it's a no-op for clang IIRC

Regards,
Rasmus
 Original Message 
On 20 Jun 2017, 07:50, Adam Carter wrote:

Given;
https://www.theregister.co.uk/2017/06/20/stack_clash_linux_local_root_holes/

would it make sense to add -fstack-check to CFLAGS and rebuild everything, 
starting with packages that install suid root binary(ies)?

Re: [gentoo-user] Stack Clash and -fstack-check

Re: [gentoo-user] Stack Clash and -fstack-check

Re: [gentoo-user] Stack Clash and -fstack-check

3 matches

Site Navigation

Mail list logo

Footer information