Gcc's libssp is a standalone userspace implementation of SSP that
makes gcc incompatible with kernel stack protection. Builds using
libssp cannot enable kernel stack protection due to the insertion
of an incompatible stack canary by libssp-enabled gcc.
All three C libraries supported by OpenWrt have native stack
smashing protection and this should be used in preference.
This patch removes gcc's libssp, enables native ssp for glibc and
uses the existing, already-configured, native ssp for uClibc.
It also enables kernel stack smashing protection for non-musl libc
toolchains and creates a uniform configuration interface for both
userspace and kernel stack protection options across all C library
variants supported by OpenWrt.
Kernel stack smashing protection is architecture dependent and
only available for a few architectures. The setting will be
ignored by the kernel if the architecture does not support it.
A minor semantic change is introduced to the config symbol
SSP_SUPPORT. Four packages rely on the SSP_SUPPORT symbol: avahi,
tor, openssh and cjdns. Of these, all will continue to compile
correctly in all cases except for avahi with glibc when stack
smashing protection is enabled.
The avahi Makefile will require a patch to remove an explicit
link of libssp_nonshared.a triggered by a dependency on
SSP_SUPPORT. Musl needs to link this library, however it is
part of the ALL_LIBS symbol and is automatically linked, so
the line can be safely removed from the avahi Makefile.
The other packages should be patched sometime to remove the
dependency on this ambiguous symbol (see commit 241e6dd3e) and
instead refer to PKG_CC_STACKPROTECTOR_NONE, after which the
symbol CONFIG_SSP_SUPPORT can be removed from the build
configuration.
All packages referring to the symbol GCC_LIBSSP will continue
to compile as before, as the symbol is retained, made non-
configurable and set to a default of 'n'.
This patch has been compile tested on musl, glibc and uclibc
with mips, arc and x86_64 architectures, both with and without
stack smashing protection and run tested on x86_64 glibc with
both.
Compiled kernels for x86_64 are verified to contain stack
smashing protection via the relevant symbols in /proc/config.gz
root@openwrt:~# zcat /proc/config.gz | grep STACKPROTECTOR
CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
CONFIG_HAVE_STACKPROTECTOR=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
Binaries linked to uClibc and glibc are verified to contain
stack canaries. The userspace stack smashing protection is
run-tested on glibc, however I don't have access to an arc-
based machine, so cannot run-test it for uClibc. If anyone
else has access and can run-test it on arc, then please do.
uClibc: nm dropbearconvert | grep stack_chk
U __stack_chk_fail
U __stack_chk_guard
glibc: nm dropbearconvert | grep stack_chk
U __stack_chk_fail@@GLIBC_2.4
root@openwrt:~# check-stack-protector
this input string is much too long for the buffer
*** stack smashing detected ***: terminated
Aborted
The musl implementation remains unmodified.
Ian Cooper (1):
toolchain: remove gcc libssp and use libc variant
config/Config-build.in | 4 ----
toolchain/Config.in | 2 +-
toolchain/binutils/Makefile | 8 --------
toolchain/gcc/Config.in | 6 +-----
toolchain/glibc/common.mk | 3 ++-
5 files changed, 4 insertions(+), 19 deletions(-)
--
2.25.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
