* [gentoo-user] "stack-protector-strong" option results in gcc error
From: Walter Dnes @ 2014-09-23 2:49 UTC
To: Gentoo Users List
I did an emerge update just now, and figured it was time to jump to
the latest stable kernel (3.14.16). I ran "make oldconfig". Amongst
the new features, I selected "stack-protector-strong". When trying to
build the new kernel, I got...

scripts/kconfig/conf --silentoldconfig Kconfig
Makefile:615: Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
SYSHDR arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
SYSHDR arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
SYSHDR arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
SYSTBL arch/x86/syscalls/../include/generated/asm/syscalls_32.h
HOSTCC arch/x86/tools/relocs_32.o
HOSTCC arch/x86/tools/relocs_64.o
HOSTCC arch/x86/tools/relocs_common.o
HOSTLD arch/x86/tools/relocs
CHK include/config/kernel.release
UPD include/config/kernel.release
WRAP arch/x86/include/generated/asm/clkdev.h
CHK include/generated/uapi/linux/version.h
UPD include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
UPD include/generated/utsrelease.h
CC kernel/bounds.s
gcc: error: unrecognized command line option '-fstack-protector-strong'
make[1]: *** [kernel/bounds.s] Error 1
make: *** [prepare0] Error 2

I switched stack-protector to "regular", and it built OK. I rebooted
into it, and it works OK.

My gcc version data...

[d531][root][/usr/src/linux] gcc --version
gcc (Gentoo 4.7.3-r1 p1.4, pie-0.5.5) 4.7.3
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

My install is 32-bit

[d531][waltdnes][~] uname -a
Linux d531 3.14.16-gentoo #1 SMP Mon Sep 22 20:43:33 EDT 2014 i686 Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz GenuineIntel GNU/Linux

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Alexander Kapshuk @ 2014-09-23 6:16 UTC
To: Gentoo mailing list
On Tue, Sep 23, 2014 at 5:49 AM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> I did an emerge update just now, and figured it was time to jump to
> the latest stable kernel (3.14.16). I ran "make oldconfig". Amongst
> the new features, I selected "stack-protector-strong". When trying to
> build the new kernel, I got...
>
> scripts/kconfig/conf --silentoldconfig Kconfig
> Makefile:615: Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler
> SYSHDR arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
> SYSHDR arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
> SYSHDR arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
> SYSTBL arch/x86/syscalls/../include/generated/asm/syscalls_32.h
> HOSTCC arch/x86/tools/relocs_32.o
> HOSTCC arch/x86/tools/relocs_64.o
> HOSTCC arch/x86/tools/relocs_common.o
> HOSTLD arch/x86/tools/relocs
> CHK include/config/kernel.release
> UPD include/config/kernel.release
> WRAP arch/x86/include/generated/asm/clkdev.h
> CHK include/generated/uapi/linux/version.h
> UPD include/generated/uapi/linux/version.h
> CHK include/generated/utsrelease.h
> UPD include/generated/utsrelease.h
> CC kernel/bounds.s
> gcc: error: unrecognized command line option '-fstack-protector-strong'
> make[1]: *** [kernel/bounds.s] Error 1
> make: *** [prepare0] Error 2
>
> I switched stack-protector to "regular", and it built OK. I rebooted
> into it, and it works OK.
>
> My gcc version data...
>
> [d531][root][/usr/src/linux] gcc --version
> gcc (Gentoo 4.7.3-r1 p1.4, pie-0.5.5) 4.7.3
> Copyright (C) 2012 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> My install is 32-bit
>
> [d531][waltdnes][~] uname -a
> Linux d531 3.14.16-gentoo #1 SMP Mon Sep 22 20:43:33 EDT 2014 i686 Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz GenuineIntel GNU/Linux
>
> --
> Walter Dnes <waltdnes@waltdnes.org>
> I don't run "desktop environments"; I run useful applications
>
Looks like support for '-fstack-protector-strong' was implemented in
more recent versions of gcc. See the URL below for details:
https://securityblog.redhat.com/tag/stack-protector/

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Walter Dnes @ 2014-09-23 8:54 UTC
To: gentoo-user
On Tue, Sep 23, 2014 at 09:16:42AM +0300, Alexander Kapshuk wrote
>
> Looks like support for '-fstack-protector-strong' was implemented in
> more recent versions of gcc. See the URL below for details:
>
> https://securityblog.redhat.com/tag/stack-protector/
Thanks for the explanation. The blog says...
> GCC 4.8.1 and the GCC version in Fedora 19 added another mode,
> -fstack-protector-strong, bringing the number of stack protector
> modes up to three.
Gentoo stable appears to be gcc-4.7.3-r1. ebuilds up to gcc-4.9.1 are
present in the tree. Upgrading gcc is painful, so I appreciate the
maintainers not forcing a rebuild with every version bump. That's the
philosophy behind "stable". The tradeoff is that we have to wait longer
for "new and shiny" stuff. For those who want it, you can always
keyword a later version of gcc.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

* [gentoo-user] Re: "stack-protector-strong" option results in gcc error
From: Nikos Chantziaras @ 2014-09-23 9:41 UTC
To: gentoo-user
On 23/09/14 11:54, Walter Dnes wrote:
> On Tue, Sep 23, 2014 at 09:16:42AM +0300, Alexander Kapshuk wrote
>>
>> Looks like support for '-fstack-protector-strong' was implemented in
>> more recent versions of gcc. See the URL below for details:
>>
>> https://securityblog.redhat.com/tag/stack-protector/
>
> Thanks for the explanation. The blog says...
>
>> GCC 4.8.1 and the GCC version in Fedora 19 added another mode,
>> -fstack-protector-strong, bringing the number of stack protector
>> modes up to three.
>
> Gentoo stable appears to be gcc-4.7.3-r1. ebuilds up to gcc-4.9.1 are
> present in the tree. Upgrading gcc is painful, so I appreciate the
> maintainers not forcing a rebuild with every version bump.
You don't need to upgrade. You can just install it in parallel with your
current GCC, and use the newer one just to build the kernel.
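
Added example, not part of any message in this thread and not code from the kernel tree: the build error above comes from a compiler that rejects the flag, so when several GCC versions are installed side by side, each one can be probed for the strongest stack-protector mode it accepts before the kernel option is chosen. The function names are made up for this example, and the CONFIG_CC_STACKPROTECTOR_REGULAR and CONFIG_CC_STACKPROTECTOR_NONE names are assumed from the 3.14-era Kconfig choice.

```shell
#!/bin/sh
# Probe a compiler for stack-protector support before picking the kernel
# option. Function names are illustrative, not from any project.

# cc_supports_flag CC FLAG
# Returns 0 if CC compiles an empty C file with FLAG, non-zero otherwise.
# The object goes to a temp file rather than /dev/null, so a probe run as
# root can never replace the device node.
cc_supports_flag() {
    _cc=$1
    _flag=$2
    _tmp=$(mktemp) || return 2
    # -Werror turns "unknown option" warnings (some compilers only warn)
    # into a failure, so an ignored flag is not mistaken for support.
    "$_cc" -Werror "$_flag" -c -x c /dev/null -o "$_tmp" >/dev/null 2>&1
    _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# best_stack_protector [CC]
# Prints the strongest mode CC accepts; prints "none" and returns 1 if
# neither mode is accepted.
best_stack_protector() {
    _compiler=${1:-gcc}
    for _mode in -fstack-protector-strong -fstack-protector; do
        if cc_supports_flag "$_compiler" "$_mode"; then
            echo "$_mode"
            return 0
        fi
    done
    echo none
    return 1
}

# kconfig_symbol MODE
# Maps a compiler flag to the kernel option to select (REGULAR and NONE
# names are assumptions taken from the 3.14-era Kconfig choice).
kconfig_symbol() {
    case $1 in
        -fstack-protector-strong) echo CONFIG_CC_STACKPROTECTOR_STRONG ;;
        -fstack-protector)        echo CONFIG_CC_STACKPROTECTOR_REGULAR ;;
        *)                        echo CONFIG_CC_STACKPROTECTOR_NONE ;;
    esac
}

# Report on every compiler named on the command line, for example:
#   sh ssp-probe.sh gcc /path/to/newer/gcc     (names are examples)
for _c in "$@"; do
    _best=$(best_stack_protector "$_c") || true
    echo "$_c: $_best -> $(kconfig_symbol "$_best")"
done
```

Probing the compiler gives the same answer whichever release first shipped the flag, which also covers distribution compilers that carry backported patches.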

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Neil Bothwick @ 2014-09-23 10:09 UTC
To: gentoo-user
On Tue, 23 Sep 2014 04:54:03 -0400, Walter Dnes wrote:
> Gentoo stable appears to be gcc-4.7.3-r1. ebuilds up to gcc-4.9.1 are
> present in the tree. Upgrading gcc is painful, so I appreciate the
> maintainers not forcing a rebuild with every version bump.
Upgrading gcc hasn't been painful for some years. I think 3.3 to 3.4 was
the last one with an ABI change that needed a world rebuild for
consistency. Since then, upgrading GCC has been no more troublesome than
upgrading sys-apps/helloworld.
--
Neil Bothwick
"Most problems go away if you just wait long enough. It might look like
I'm standing motionless but I'm actively waiting for our problems to go
away. I don't know why this works but it does."
Scott Adams, Dilbert comic

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Hinnerk van Bruinehsen @ 2014-09-23 11:52 UTC
To: gentoo-user
On Tue, Sep 23, 2014 at 09:16:42AM +0300, Alexander Kapshuk wrote:
> On Tue, Sep 23, 2014 at 5:49 AM, Walter Dnes <waltdnes@waltdnes.org> wrote:
> > CHK include/generated/utsrelease.h
> > UPD include/generated/utsrelease.h
> > CC kernel/bounds.s
> > gcc: error: unrecognized command line option '-fstack-protector-strong'
> > make[1]: *** [kernel/bounds.s] Error 1
> > make: *** [prepare0] Error 2
> >
> > I switched stack-protector to "regular", and it built OK. I rebooted
> > into it, and it works OK.
> >
> > My gcc version data...
> >
> > [d531][root][/usr/src/linux] gcc --version
> > gcc (Gentoo 4.7.3-r1 p1.4, pie-0.5.5) 4.7.3
> > Copyright (C) 2012 Free Software Foundation, Inc.
> > This is free software; see the source for copying conditions. There is NO
> > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> >
> > My install is 32-bit
> >
> > [d531][waltdnes][~] uname -a
> > Linux d531 3.14.16-gentoo #1 SMP Mon Sep 22 20:43:33 EDT 2014 i686 Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz GenuineIntel GNU/Linux
> >
> > --
> > Walter Dnes <waltdnes@waltdnes.org>
> > I don't run "desktop environments"; I run useful applications
> >
>
> Looks like support for '-fstack-protector-strong' was implemented in
> more recent versions of gcc. See the URL below for details:
>
> https://securityblog.redhat.com/tag/stack-protector/
'-fstack-protector-strong' is supported as of gcc-4.9.x - unless you upgrade,
you'll be forced to use the regular one.
If you want more information on the option take a look here:
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
I think it's not even that unlikely that you don't even want the strong
version.
WKR
Hinnerk

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Rich Freeman @ 2014-09-23 12:47 UTC
To: gentoo-user
On Tue, Sep 23, 2014 at 7:52 AM, Hinnerk van Bruinehsen
<h.v.bruinehsen@fu-berlin.de> wrote:
>
> '-fstack-protector-strong' is supported as of gcc-4.9.x - unless you upgrade,
> you'll be forced to use the regular one.
>...
> I think it's not even that unlikely that you don't even want the strong
> version.
Ironically enough, your last sentence overflowed my parsing stack. :)
--
Rich

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: J. Roeleveld @ 2014-09-23 13:06 UTC
To: gentoo-user
On Tuesday, September 23, 2014 08:47:31 AM Rich Freeman wrote:
> On Tue, Sep 23, 2014 at 7:52 AM, Hinnerk van Bruinehsen
>
> <h.v.bruinehsen@fu-berlin.de> wrote:
> > '-fstack-protector-strong' is supported as of gcc-4.9.x - unless you
> > upgrade, you'll be forced to use the regular one.
> >
> >...
> >
> > I think it's not even that unlikely that you don't even want the strong
> > version.
>
> Ironically enough, your last sentence overflowed my parsing stack. :)
>
> --
> Rich
I am guessing:
" I think it is not unlikely that you don't want the strong version"
parses to:
" I think it is likely that you don't want the strong version "
or: " I think it is unlikely that you want the strong version"
?
--
Joost

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Michael Orlitzky @ 2014-09-23 13:33 UTC
To: gentoo-user
On 09/23/2014 04:54 AM, Walter Dnes wrote:
>
> Gentoo stable appears to be gcc-4.7.3-r1. ebuilds up to gcc-4.9.1 are
> present in the tree. Upgrading gcc is painful, so I appreciate the
> maintainers not forcing a rebuild with every version bump. That's the
> philosophy behind "stable". The tradeoff is that we have to wait longer
> for "new and shiny" stuff. For those who want it, you can always
> keyword a later version of gcc.
>
Stabilization of GCC is especially careful because if your GCC winds up
broken, you might not be able to fix it (emerge won't work).
And since GCC is used to build everything else on your system, it can't
go stable until all upstream packages are fixed or patched to work with
the new GCC.
There's usually a tracker for those packages. For gcc-4.9 it's at,
https://bugs.gentoo.org/show_bug.cgi?id=gcc-4.9

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Hinnerk van Bruinehsen @ 2014-09-23 14:07 UTC
To: gentoo-user
On Tue, Sep 23, 2014 at 09:33:45AM -0400, Michael Orlitzky wrote:
> On 09/23/2014 04:54 AM, Walter Dnes wrote:
> >
> > Gentoo stable appears to be gcc-4.7.3-r1. ebuilds up to gcc-4.9.1 are
> > present in the tree. Upgrading gcc is painful, so I appreciate the
> > maintainers not forcing a rebuild with every version bump. That's the
> > philosophy behind "stable". The tradeoff is that we have to wait longer
> > for "new and shiny" stuff. For those who want it, you can always
> > keyword a later version of gcc.
> >
>
> Stabilization of GCC is especially careful because if your GCC winds up
> broken, you might not be able to fix it (emerge won't work).
>
> And since GCC is used to build everything else on your system, it can't
> go stable until all upstream packages are fixed or patched to work with
> the new GCC.
>
> There's usually a tracker for those packages. For gcc-4.9 it's at,
>
> https://bugs.gentoo.org/show_bug.cgi?id=gcc-4.9
Since gcc is slotted (I actually have 4.7, 4.8 and 4.9 on my systems), that
argument doesn't count much, imho.
I personally didn't encounter a single breakage after updating from 4.8 to 4.9
(this was different from 4.7 to 4.8).
IIRC 4.7 isn't supported by upstream anymore and there are known (security)
bugs. I don't really know why at least 4.8 isn't stable.

* Re: [gentoo-user] "stack-protector-strong" option results in gcc error
From: Hinnerk van Bruinehsen @ 2014-09-23 14:07 UTC
To: gentoo-user
On Tue, Sep 23, 2014 at 03:06:20PM +0200, J. Roeleveld wrote:
>
> On Tuesday, September 23, 2014 08:47:31 AM Rich Freeman wrote:
> > On Tue, Sep 23, 2014 at 7:52 AM, Hinnerk van Bruinehsen
> >
> > <h.v.bruinehsen@fu-berlin.de> wrote:
> > > '-fstack-protector-strong' is supported as of gcc-4.9.x - unless you
> > > > upgrade, you'll be forced to use the regular one.
> > >
> > >...
> > >
> > > I think it's not even that unlikely that you don't even want the strong
> > > version.
> >
> > Ironically enough, your last sentence overflowed my parsing stack. :)
> >
> > --
> > Rich
>
> I am guessing:
> " I think it is not unlikely that you don't want the strong version"
>
> parses to:
>
> " I think it is likely that you don't want the strong version "
> or: " I think it is unlikely that you want the strong version"
>
> ?
Thanks for translating me! ;-)

* [gentoo-user] Re: "stack-protector-strong" option results in gcc error
From: James @ 2014-09-23 14:42 UTC
To: gentoo-user
Rich Freeman <rich0 <at> gentoo.org> writes:
> > '-fstack-protector-strong' is supported as of gcc-4.9.x - unless you
> > upgrade, you'll be forced to use the regular one.
> > I think it's not even that unlikely that you don't even want the strong
> > version.
> Ironically enough, your last sentence overflowed my parsing stack. :)
From: https://securityblog.redhat.com/tag/stack-protector/
"The GCC flags -fstack-protector and -fstack-protector-all activate the
Stack Smashing Protector (SSP). When any of these flags are used, GCC
instruments the function return instruction with a probabilistic check that
the stack frame is not corrupted. "
From:
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
"The stack protector feature itself adds a known canary to the stack during
function preamble, and checks it when the function returns. "
Bug 517428 was/is a request to set up Ftrace/trace-cmd/KernelShark
as a fine-grained tool, for such issues as fstack-protector events.
As we all know, I'm still struggling with learning the ebuild_gymnastics,
but bug 517428 is looking (begging) for a knowledgeable person to get an
Ftrace/trace-cmd/kernelshark ebuild working. This will provide a
fantastic tool for low-level as well as application code diagnostics.
:)
hth,
James
[1] http://en.wikipedia.org/wiki/Ftrace

* [gentoo-user] Re:
From: James @ 2014-09-23 16:52 UTC
To: gentoo-user
James <wireless <at> tampabay.rr.com> writes:
> Rich Freeman <rich0 <at> gentoo.org> writes:
> > > '-fstack-protector-strong' is supported as of gcc-4.9.x - unless you
> > > upgrade, you'll be forced to use the regular one.
There is an old but very concise example of Ftrace/trace-cmd/kernelshark
for anyone interested.
https://events.linuxfoundation.org/slides/2010/linuxcon_japan/linuxcon_jp2010_rostedt.pdf
Or just search directly for the pdf:
linuxcon_jp2010_rostedt.pdf
A very interesting tool.
hth,
James