public inbox for gentoo-hardened@lists.gentoo.org
From: Magnus Grenberg <zorry@ume.nu>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] GCC4 (again...)
Date: Fri, 26 Jun 2009 17:09:34 +0200
Message-ID: <200906261709.35018.zorry@ume.nu>
In-Reply-To: <8b17778e0906260536k37161420o67eb3b86d6fa0f2@mail.gmail.com>

On Friday 26 June 2009 14.36.04 klondike wrote:
> 2009/6/26 Ed W <lists@wildgooses.com>:
> > klondike wrote:
> >>> Apologies for replying to my own post, but I just realised that you
> >>> were posing the question in the context of klondike's blog post. I do
> >>> not know what the status of SSP is in the overlays and/or experimental
> >>> toolchains so I'll bow out and leave it to one of the toolchain gurus
> >>> to provide a credible response. My answer applies to the gcc ebuild in
> >>> the mainline tree.
> >>
> >> Although I may be wrong, AFAIK SSP works nicely with almost anything
> >> except libstdc++; also, packages which need it to be disabled (i.e.
> >> thunderbird) usually do it without a problem or after patching the
> >> ebuild a bit. Anyway, I think the best ones to answer are Zorry or Xake as
> >> they maintain it.
> >
> > So the Xake overlay is GCC 4.3.2 with the GCC 4 SSP enabled?
>
> Mainly I could say it is.
>
> > My limited understanding is that the GCC 4 (new) SSP implementation
> > should be relatively benign and supported already by a modern toolchain
> > with no further patches?  I would naively assume that since Redhat (and
> > others) seem to be building their distros with it turned on that most
> > packages would already be largely patched upstream to cope with it?
> >  (certainly I am more interested in server packages than desktop
> > packages)
>
> I think Ubuntu has enabled it too. But I don't know how well or badly
> packages are usually supported upstream... I have run an apache2 server
> and a verlihub server with the toolchain without issues, but I can't
> guarantee you anything as the server still hasn't had heavy load.
>
> >> Anyway, at least on the overlay uclibc is still not supported :(
> >> http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de61dba55db7c639f/README
> >
> > Does Xake hang out here?  Curious as to what the issues will be found in
> > uclibc.  I'm not specially tied to uclibc, just that it seems to work
> > nicely so far and I'm not desperately tight on drive space...
>
> I don't know the reasons for uclibc not being supported, but I think
> it was because of some compilation problems. (Can't find the tickets,
> sorry).
The problem with uclibc is that it doesn't support TLS, and the SSP in GCC > 4.1 uses TLS.
See bugs #149292 and #267335 on bugs.gentoo.org.
It may only need gcc4-stack-protector-uclibc-no-tls.patch, but I may be wrong
too. We are working hard to get GCC 4.4.0 with Hardened enabled and passing the full
gcc testsuite. I will try to get the patchset upstream in GCC 4.5 so we only
need a small patch to run it on Gentoo, and it may get used by some more distros.
To get SSP as the default with no -fstack-protector in CFLAGS or CXXFLAGS, GCC
needs patches, and some stuff in the GCC sources doesn't compile well with SSP on.
Gentoo's Hardened Toolchain for GCC 4.* has the SSP compile patches but doesn't
have the needed spec and fixes in toolchain.eclass to use it as the default, and
some packages in the tree don't have the GCC 4.* SSP support yet. A fix is to
add -fstack-protector to CFLAGS and CXXFLAGS, but you can get PROBLEMS TOO.
The overlay has SSP and PIE enabled by default but lacks some fixes for
packages, and we are still fixing bugs, so it can be b0rked from time to time. :)

Ubuntu and Debian use SSP as the default with patched GCC sources.
But only -fstack-protector is enabled there, and we use -fstack-protector-all as
the default in the Hardened Toolchain, so we may hit more bugs.

Xake does hang out here when he has time.
If more info is needed, ask in the forum, on irc in #gentoo-hardened @ Freenode, or
on the ml.

http://hardened.gentooexperimental.org/trac/secure/wiki
/Zorry
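Zorry's point that -fstack-protector-all instruments every function, so it exercises more code than the plain -fstack-protector default that Ubuntu and Debian ship, can be checked directly against whatever toolchain you have. The probe below is an added example, not code from the thread or from any Gentoo overlay or project. It assumes a C compiler reachable on PATH (default name `cc`) with a GCC 4-style SSP that emits a call to `__stack_chk_fail` for each protected function; the two-function probe source is constructed for the example, and the helper names `ssp_callsites` and `ssp_report` are the example's own.

```shell
#!/bin/sh
# Added example (not from the gentoo-hardened thread): count how many
# functions a compiler instruments with the GCC4-style stack protector
# under -fno-stack-protector, -fstack-protector and -fstack-protector-all.
# Assumes a C compiler on PATH (default name "cc") that emits a call to
# __stack_chk_fail for each protected function.

# Constructed probe source. with_buffer() has a char array, which plain
# -fstack-protector covers (default ssp-buffer-size is 8 bytes);
# without_buffer() has no arrays, so only -fstack-protector-all covers it.
PROBE_SRC='
#include <string.h>
int with_buffer(const char *s) { char buf[64]; strcpy(buf, s); return buf[0]; }
int without_buffer(int a, int b) { int t = a * 3; return t + b; }
'

# ssp_callsites CC [CFLAGS...]
# Prints the number of __stack_chk_fail call sites in the assembly the
# compiler generates for the probe, or "unknown" if it cannot compile.
ssp_callsites() {
    cc="$1"; shift
    command -v "$cc" >/dev/null 2>&1 || { echo unknown; return 0; }
    tmp=$(mktemp -d 2>/dev/null) || { echo unknown; return 0; }
    printf '%s\n' "$PROBE_SRC" > "$tmp/probe.c"
    if "$cc" "$@" -O0 -S -o "$tmp/probe.s" "$tmp/probe.c" 2>/dev/null; then
        # x86 emits "call __stack_chk_fail[@PLT]" (or __stack_chk_fail_local),
        # arm64 emits "bl ___stack_chk_fail"; one call site per protected function
        grep -cE '(call|bl)[a-z]*[[:space:]]+_*__stack_chk_fail' "$tmp/probe.s" || true
    else
        echo unknown
    fi
    rm -rf "$tmp"
}

# ssp_report CC: one line per flag, e.g. "-fstack-protector-all 2"
ssp_report() {
    for flag in -fno-stack-protector -fstack-protector -fstack-protector-all; do
        printf '%s %s\n' "$flag" "$(ssp_callsites "$1" "$flag")"
    done
}

ssp_report "${1:-cc}"
```

Run it as `sh ssp_probe.sh` (or pass a compiler name such as `gcc-4.4`). On a GCC 4 toolchain the expected picture is 0 call sites without the protector, 1 with -fstack-protector (only the function holding a buffer of at least 8 bytes), and 2 with -fstack-protector-all (every function). The same probe also shows whether a toolchain has SSP on by default: leave the flag off and see whether the count is still non-zero, which is exactly the spec/toolchain.eclass change Zorry says the tree does not yet carry for GCC 4.*.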
