Hi,

GCC 4.9 supports a new stack protector implementation, enabled via the -fstack-protector-strong flag, which provides a better balance between security and performance than the default implementation that we're currently using. This new flag is already used by Fedora 20 and ChromeOS. See the following for more information:

https://lwn.net/Articles/584225/
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
https://fedorahosted.org/fesco/ticket/1128

The Security Team has expressed interest in switching dpkg-buildflags over to this new flag in Debian for jessie, now that GCC 4.9 is the default compiler on all release architectures. In order to see the impact on the archive, David Suárez did a full rebuild on EC2 with a patched dpkg-dev which emits the new flag. There are only 16 new failures, which can be categorized as follows:

* explicitly build-depends on and uses gcc/g++ 4.8, which doesn't understand -fstack-protector-strong:
  - ccbuild 2.0.6-2.1
  - chromium-browser 35.0.1916.153-2
  - contextfree 3.0.5+dfsg1-2.1
  - flexc++ 2.01.00-1
  - gpg-remailer 3.00.02-1
  - higan 094-4
  - llvm-toolchain-snapshot 1:3.5~svn209039-2
  - openimageio 1.4.9~dfsg0-1 (already fixed in -2)
  - oxref 1.00.01-1
  - spek 0.8.2-3.1
  - webkitgtk 2.4.3-2

* explicitly build-depends on and uses gcc 4.6:
  - estic 1.61-20.1 (#747980)

* explicitly build-depends on and uses Clang 3.4:
  - feel++ 1:0.98.0-final-1

* false positives:
  - gcc-4.7 4.7.4-1 (checks that dpkg-dev is 'ii')
  - seqan 1.4.1-3 (attempts to disable the stack protector using sed)

* needs test suite upgrade for -fstack-protector-strong:
  - hardening-wrapper 2.5

See http://aws-logs.debian.net/ftbfs-logs/buildflags/ for the full results and build logs.

As the number of build failures is low, I think it's safe to simply switch the default flag emitted by dpkg-buildflags and file bugs against the above packages to ask the maintainers to disable the stack protector or filter out/replace the new flag if they really can't upgrade to GCC 4.9.

So here is a prospective patch which changes dpkg-buildflags to emit the new flag for all architectures known to use GCC 4.9 as of today. Let me know if this looks workable for you.

diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index c5020dc..4e19752 100644
--- a/scripts/Dpkg/Vendor/Debian.pm +++ b/scripts/Dpkg/Vendor/Debian.pm @@ -92,6 +92,7 @@ sub add_hardening_flags { relro => 1, bindnow => 0, ); + my $use_stackprotector_strong = 1; # Adjust features based on Maintainer's desires. my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS'); @@ -129,6 +130,12 @@ sub add_hardening_flags { # compiler supports it incorrectly (leads to SEGV) $use_feature{stackprotector} = 0; } + if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) { + # "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32. + # It requires GCC 4.9 and these archs are still using 4.8 as of + # gcc-defaults 1.128. + $use_stackprotector_strong = 0; + } if ($cpu =~ /^(?:ia64|hppa|avr32)$/) { # relro not implemented on ia64, hppa, avr32. $use_feature{relro} = 0; 
@@ -161,13 +168,23 @@ sub add_hardening_flags { # Stack protector if ($use_feature{stackprotector}) { - $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + if ($use_stackprotector_strong) { + $flags->append('CFLAGS', '-fstack-protector-strong'); + $flags->append('OBJCFLAGS', '-fstack-protector-strong'); + $flags->append('OBJCXXFLAGS', '-fstack-protector-strong'); + $flags->append('FFLAGS', '-fstack-protector-strong'); + $flags->append('FCFLAGS', '-fstack-protector-strong'); + $flags->append('CXXFLAGS', '-fstack-protector-strong'); + $flags->append('GCJFLAGS', '-fstack-protector-strong'); + } else { + $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + } } # Fortify Source

Archive: https://lists.debian.org/87a9927j0k....@kima.orebokech.com
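Review bot: in the first hunk (@@ -92,6 +92,7 @@), `my $use_stackprotector_strong = 1;` is a bare scalar sitting next to the `%use_feature` hash instead of an entry in it, so the per-package adjustment done right below it ("Adjust features based on Maintainer's desires" via DEB_BUILD_MAINT_OPTIONS) never sees it. That leaves the maintainers of the gcc-4.8 packages listed above with only two options, turning the stack protector off altogether (the existing `stackprotector` feature) or filtering the flag out of every *FLAGS by hand, with no supported way to ask for the old `-fstack-protector --param=ssp-buffer-size=4` instead. Suggest making it a feature, e.g. `stackprotectorstrong => 1,` in the hash and `if ($use_feature{stackprotectorstrong})` at the use site, so the existing option parsing handles it for free.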
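Review bot: the second hunk (@@ -129,6 +130,12 @@) bakes a snapshot of gcc-defaults 1.128 into dpkg: a port that moves to GCC 4.9 keeps getting the weaker flag until someone remembers to edit this regex, and the comment lists the same five names as the regex, so the two will drift the first time one is added or removed. Suggest stating the rule once in the comment ("ports still on gcc 4.8, drop when gcc-defaults moves them to 4.9") and letting the regex carry the list. The check also matches on `$arch` while the neighbouring checks in this function match on `$cpu` (`/^(?:ia64|hppa|avr32)$/`); if that is deliberate because x32 and powerpcspe are Debian architecture names rather than CPU names, a few words in the comment would save the next reader from "fixing" it.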
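Review bot: the third hunk (@@ -161,13 +168,23 @@) copies the seven `append` calls into both branches of the new `if`, so the two lists of flag variables now have to be kept in sync by hand (and the set already differs from what the compiler actually needs per language only by the string). Choosing the string once and looping keeps a single list, e.g. `my $spflag = $use_stackprotector_strong ? '-fstack-protector-strong' : '-fstack-protector --param=ssp-buffer-size=4';` followed by `$flags->append($_, $spflag) for qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS);`, which also makes the diff against the current code a handful of lines instead of twenty.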
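The mail above takes for granted what the new flag changes in the emitted code. The script below is an added example, not part of the mail and not dpkg code: it compiles five small constructed C functions once with the flag set dpkg-buildflags emitted before the patch and once with the one it emits after, and reports which object files reference the stack-protector failure handler (a `U __stack_chk_fail` in nm output means GCC inserted a canary for that function). The functions exercise GCC's documented heuristics: plain `-fstack-protector` only guards functions with char arrays of at least `ssp-buffer-size` bytes or calls to alloca, while `-fstack-protector-strong` also guards any local array of any type and any function whose local's address escapes. It assumes gcc and nm (binutils) are on PATH and compiles at `-O0` so the result reflects the heuristic rather than the optimizer.

```shell
#!/bin/sh
# Added example (not from the mail above, not dpkg code): compile one small
# constructed function per object file under the old and the new Debian flag
# sets and report which objects reference the stack-protector failure handler.
# A reference to __stack_chk_fail (or __stack_chk_fail_local) means a canary
# was inserted. Assumptions: gcc and nm are on PATH; mktemp -d works.
set -eu

OLD_FLAGS='-fstack-protector --param=ssp-buffer-size=4'   # pre-patch dpkg-buildflags
NEW_FLAGS='-fstack-protector-strong'                        # post-patch dpkg-buildflags
CASES='small_char_array addr_taken int_array large_char_array no_locals'

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test functions, one per file so nm can be asked per function.
write_cases() {
  # char array below ssp-buffer-size (4): plain SSP ignores it, -strong guards it
  cat >"$WORK/small_char_array.c" <<'EOF'
int small_char_array(const char *s) { char b[2]; b[0] = s[0]; b[1] = s[1]; return b[0] + b[1]; }
EOF
  # address of a scalar local handed to another function: only -strong guards it
  cat >"$WORK/addr_taken.c" <<'EOF'
void fill(int *p);
int addr_taken(void) { int x = 0; fill(&x); return x; }
EOF
  # non-char array: plain SSP only looks at char arrays, -strong guards any array
  cat >"$WORK/int_array.c" <<'EOF'
int int_array(int i) { int t[4] = {1, 2, 3, 4}; return t[i & 3]; }
EOF
  # char array of at least ssp-buffer-size bytes: both flag sets guard it
  cat >"$WORK/large_char_array.c" <<'EOF'
#include <string.h>
int large_char_array(const char *s) { char b[64]; memcpy(b, s, sizeof b); return b[0]; }
EOF
  # nothing addressable on the stack: neither flag set adds a canary
  cat >"$WORK/no_locals.c" <<'EOF'
int no_locals(int a, int b) { return a + b; }
EOF
}

# has_canary FLAGS NAME -> prints "yes" or "no". -O0 keeps every local on the
# stack, so the answer reflects the SSP heuristic rather than the optimizer.
has_canary() {
  flags=$1
  name=$2
  # $flags is word-split on purpose: the old flag set is two words
  gcc -O0 -c $flags -o "$WORK/$name.o" "$WORK/$name.c"
  if nm "$WORK/$name.o" | grep -q '__stack_chk_fail'; then
    echo yes
  else
    echo no
  fi
}

# Print a table: function, guarded under old flags, guarded under new flags.
report() {
  write_cases
  printf '%-18s %-5s %-6s\n' function old strong
  for name in $CASES; do
    printf '%-18s %-5s %-6s\n' "$name" \
      "$(has_canary "$OLD_FLAGS" "$name")" "$(has_canary "$NEW_FLAGS" "$name")"
  done
}

if command -v gcc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
  report
else
  echo "gcc or nm not found; nothing compiled" >&2
fi
```

On a GCC 4.9 or later toolchain the table shows `small_char_array`, `addr_taken` and `int_array` unguarded under the old flags and guarded under the new ones, `large_char_array` guarded under both, and `no_locals` under neither; the first three rows are exactly the functions the 4.8-only packages listed in the mail will keep shipping without a canary if their maintainers simply drop back to the old flag. The same `nm | grep __stack_chk_fail` check works on any finished .o or binary to confirm a package build actually picked the flag up.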