CompilerFlags
1755
Comment: initial pass
|
6336
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper:], and DistCompiler. Please attempt to fix a source package's problems before disabling a given compiler feature. | This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper], and DistCompilerFlags. Please attempt to fix a source package's problems before disabling a given compiler feature, and document the package and bug numbers in the Problems section below. |
Line 5: | Line 5: |
First enabled in Ubuntu 6.10. See GccSsp for further details. |
First enabled in Ubuntu 6.10. Enabled run-time stack overflow verification. See GccSsp for further details. Most problems are related to packages that do not use stdlib directly (kernel modules, certain libraries, etc). |
Line 8: | Line 7: |
Failure example: {{{ | Failure examples: {{{ |
Line 11: | Line 11: |
Indicates a program was compiled to expect to have the stdlib available, but did not find it at runtime. | |
Line 12: | Line 13: |
Disabled with {{{-fno-stack-protector}}} or {{{-nostdlib}}}. | {{{ *** stack smashing detected *** Aborted }}} A function did not correctly maintain its stack variables. Usually indicates a stack buffer overflow. Disabled with {{{-fno-stack-protector}}} or {{{-nostdlib}}} in {{{CPPFLAGS}}}. |
Line 16: | Line 23: |
First enabled in Ubuntu 8.10. See [:Security/FortifySource:] for more details. | First enabled in Ubuntu 8.10. Provides compile-time best-practices errors for certain libc functions, and provides run-time checks of buffer lengths and memory regions. Only activated when compiled with {{{-O2}}} or higher. Most problems are related to common unsafe uses of certain libc functions. |
Line 22: | Line 29: |
The return value from {{{system()}}} functions should be evaluated and handled appropriately, or discarded with a {{{(void)}}} cast if the result can actually be safely ignored. | |
Line 26: | Line 34: |
When using {{{open()}}} with {{{O_CREAT}}}, best-practice is to define a valid {{{mode}}} argument. | |
Line 30: | Line 39: |
The call to {{{read()}}} was done into a buffer with the wrong size. Double-check the size argument and the buffer size. | |
Line 31: | Line 41: |
Reduced checking via {{{-D_FORTIFY_SOURCE=1}}}. Disabled with {{{-U_FORTIFY_SOURCE}}} or {{{-D_FORTIFY_SOURCE=0}}}. | {{{ warning: passing argument 1 of 'memcpy' discards qualifiers from pointer target type warning: passing argument 1 of 'strcpy' discards qualifiers from pointer target type }}} Code compiled with {{{-Werror}}} and using memcpy/strcpy/etc with qualifier overrides will fail. This is a bug in glibc 2.7. See [https://launchpad.net/bugs/217481]. {{{ *** %n in writable segment detected *** Aborted }}} On x86, use of {{{"%n"}}} in a format string is limited to read-only memory (not stack or heap allocated strings). {{{ *** buffer overflow detected *** Aborted }}} A call to {{{sprintf}}} should be changed to use {{{snprintf}}}, or a too-small buffer was read into (see {{{read()}}} warnings above). Reduced checking via {{{-D_FORTIFY_SOURCE=1}}} in {{{CPPFLAGS}}}. Disabled with {{{-U_FORTIFY_SOURCE}}} or {{{-D_FORTIFY_SOURCE=0}}} in {{{CPPFLAGS}}}. |
Line 35: | Line 63: |
First enabled in Ubuntu 8.10. These options should only cause FTBFS if the package is compiling with {{{-Werror}}}. | First enabled in Ubuntu 8.10. Enables compile-time warnings about misuse of format strings, some of which can have security implications. These options should only cause build failures if the package is compiling with {{{-Werror}}}. |
Line 39: | Line 67: |
warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’ }}} For packages that aren't already building with {{{-Wall}}}, format character to argument types will be checked. Verify the correct variables for a given format string. {{{ |
|
Line 41: | Line 74: |
This is caused by code that fails to use {{{"%s"}}} for a {{{*printf}}} function. For example: {{{ printf(buf); |
This is caused by code that forgot to use {{{"%s"}}} for a {{{*printf}}} function. For example: {{{ fprintf(stderr,buf); |
Line 45: | Line 78: |
should be: {{{ printf("%s",buf); |
should be: {{{ fprintf(stderr,"%s",buf); |
Line 49: | Line 83: |
Disabled with {{{-Wno-format-security}}} or {{{-Wformat=0}}}. | Disabled with {{{-Wno-format-security}}} or {{{-Wformat=0}}} in {{{CPPFLAGS}}}. |
Line 53: | Line 87: |
First enabled in Ubuntu 8.10. | First enabled in Ubuntu 8.10. Provides a read-only relocation table area in the final ELF. This option paves the way for using {{{-z now}}} which forces all relocations to be resolved at run-time (which would cause some additional initial load delay), providing an even higher level of protection to the relocation table -- it could then be entirely read-only which can be used to further harden long-running programs like daemons. |
Line 58: | Line 92: |
= Problems = Please open FTBFS bugs and tag them with "hardening-ftbfs". If a compiler option must be disabled instead of finding a correct fix, document the packages, work-around, and reasons here: * Mozilla Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging [https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head songbird]) {{{ $ ./xulrunner *** buffer overflow detected ***: ./xulrunner-bin terminated ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb6a7d138] /lib/tls/i686/cmov/libc.so.6[0xb6a7b7d0] /lib/tls/i686/cmov/libc.so.6[0xb6a7bf08] ./libxul.so(XRE_GetBinaryPath+0x55)[0xb74882dc] ./xulrunner-bin[0x8049967] ./xulrunner-bin[0x8049b76] ./xulrunner-bin[0x804a053] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb69a6450] ./xulrunner-bin[0x8049871] }}} Happens at least in two callers of realpath(): http://mxr.mozilla.org/mozilla/source/toolkit/xre/nsAppRunner.cpp#1383. Patches that mask the problem: {{{ build-tree/mozilla/toolkit/profile/src/nsToolkitProfileService.cpp | 2 +- build-tree/mozilla/toolkit/xre/nsAppRunner.cpp | 2 +- ... - char exePath[MAXPATHLEN]; + char exePath[MAXPATHLEN * 10]; }}} Other aborts are difficult to catch because libs are loaded using dlopen(). Workaround: CPPFLAGS=-U_FORTIFY_SOURCE used for now. * libxfont1 doesn't work with -Bsymbolic-functions (trying to trace down the origin in bug #230460). * cvs eats 100% RAM in a few seconds and loops with "%n in writable segment detected" logs. To reproduce: {{{ $ apt-get install mozilla-devscripts $ make -f /usr/share/mozilla-devscripts/firefox-3.0.mk get-orig-source DEBIAN_DATE=20080506t1400 }}} Workaround: CPPFLAGS=-U_FORTIFY_SOURCE |
This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper], and DistCompilerFlags. Please attempt to fix a source package's problems before disabling a given compiler feature, and document the package and bug numbers in the Problems section below.
-fstack-protector
First enabled in Ubuntu 6.10. Enabled run-time stack overflow verification. See GccSsp for further details. Most problems are related to packages that do not use stdlib directly (kernel modules, certain libraries, etc).
Failure examples:
'__stack_chk_fail' symbol not found
- Indicates a program was compiled to expect to have the stdlib available, but did not find it at runtime.
*** stack smashing detected *** Aborted
- A function did not correctly maintain its stack variables. Usually indicates a stack buffer overflow.
Disabled with -fno-stack-protector or -nostdlib in CPPFLAGS.
-D_FORTIFY_SOURCE=2
First enabled in Ubuntu 8.10. Provides compile-time best-practices errors for certain libc functions, and provides run-time checks of buffer lengths and memory regions. Only activated when compiled with -O2 or higher. Most problems are related to common unsafe uses of certain libc functions.
Failure examples:
error: ignoring return value of 'int system(const char*)', declared with attribute warn_unused_result
The return value from system() functions should be evaluated and handled appropriately, or discarded with a (void) cast if the result can actually be safely ignored.
error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
When using open() with O_CREAT, best-practice is to define a valid mode argument.
warning: call to ‘__read_chk_warn’ declared with attribute warning: read called with bigger length than size of the destination buffer
The call to read() was done into a buffer with the wrong size. Double-check the size argument and the buffer size.
warning: passing argument 1 of 'memcpy' discards qualifiers from pointer target type warning: passing argument 1 of 'strcpy' discards qualifiers from pointer target type
Code compiled with -Werror and using memcpy/strcpy/etc with qualifier overrides will fail. This is a bug in glibc 2.7. See [https://launchpad.net/bugs/217481].
*** %n in writable segment detected *** Aborted
On x86, use of "%n" in a format string is limited to read-only memory (not stack or heap allocated strings).
*** buffer overflow detected *** Aborted
A call to sprintf should be changed to use snprintf, or a too-small buffer was read into (see read() warnings above).
Reduced checking via -D_FORTIFY_SOURCE=1 in CPPFLAGS. Disabled with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0 in CPPFLAGS.
-Wformat -Wformat-security
First enabled in Ubuntu 8.10. Enables compile-time warnings about misuse of format strings, some of which can have security implications. These options should only cause build failures if the package is compiling with -Werror.
Failure examples:
warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’
For packages that aren't already building with -Wall, format character to argument types will be checked. Verify the correct variables for a given format string.
warning: format not a string literal and no format arguments
This is caused by code that forgot to use "%s" for a *printf function. For example:
fprintf(stderr,buf);
fprintf(stderr,"%s",buf);
Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.
-Wl,-z,relro
First enabled in Ubuntu 8.10. Provides a read-only relocation table area in the final ELF. This option paves the way for using -z now which forces all relocations to be resolved at run-time (which would cause some additional initial load delay), providing an even higher level of protection to the relocation table -- it could then be entirely read-only which can be used to further harden long-running programs like daemons.
No known failure examples.
Disabled with -Wl,-z,norelro in LDFLAGS.
Problems
Please open FTBFS bugs and tag them with "hardening-ftbfs". If a compiler option must be disabled instead of finding a correct fix, document the packages, work-around, and reasons here:
- Mozilla
Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging [https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head songbird])
$ ./xulrunner *** buffer overflow detected ***: ./xulrunner-bin terminated ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb6a7d138] /lib/tls/i686/cmov/libc.so.6[0xb6a7b7d0] /lib/tls/i686/cmov/libc.so.6[0xb6a7bf08] ./libxul.so(XRE_GetBinaryPath+0x55)[0xb74882dc] ./xulrunner-bin[0x8049967] ./xulrunner-bin[0x8049b76] ./xulrunner-bin[0x804a053] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb69a6450] ./xulrunner-bin[0x8049871]
Happens at least in two callers of realpath(): http://mxr.mozilla.org/mozilla/source/toolkit/xre/nsAppRunner.cpp#1383. Patches that mask the problem:
build-tree/mozilla/toolkit/profile/src/nsToolkitProfileService.cpp | 2 +- build-tree/mozilla/toolkit/xre/nsAppRunner.cpp | 2 +- ... - char exePath[MAXPATHLEN]; + char exePath[MAXPATHLEN * 10];
- libxfont1
- doesn't work with -Bsymbolic-functions (trying to trace down the origin in bug #230460).
- cvs
- eats 100% RAM in a few seconds and loops with "%n in writable segment detected" logs. To reproduce:
$ apt-get install mozilla-devscripts $ make -f /usr/share/mozilla-devscripts/firefox-3.0.mk get-orig-source DEBIAN_DATE=20080506t1400
- eats 100% RAM in a few seconds and loops with "%n in writable segment detected" logs. To reproduce:
ToolChain/CompilerFlags (last edited 2024-03-22 22:52:13 by eslerm)