CompilerFlags

Differences between revisions 13 and 14
Revision 13 as of 2008-05-16 13:50:43
Size: 5165
Editor: APuteaux-153-1-79-180
Comment:
Revision 14 as of 2008-05-16 14:20:13
Size: 5917
Editor: sites
Comment: fill in specifics
Deletions are marked like this. Additions are marked like this.
Line 97: Line 97:

   Multiple crashes in xulrunner-1.9 / firefox 3.0 (found while packaging [https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head songbird])
   At least two crashes occur in realpath(): http://mxr.mozilla.org/mozilla/source/toolkit/xre/nsAppRunner.cpp#1383
   but there are more crashes difficult to catch because some libs are loaded using dlopen().
   Workaround CPPFLAGS=-U_FORTIFY_SOURCE used for now.
  Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging [https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head songbird])
   {{{
$ ./xulrunner
*** buffer overflow detected ***: ./xulrunner-bin terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb6a7d138]
/lib/tls/i686/cmov/libc.so.6[0xb6a7b7d0]
/lib/tls/i686/cmov/libc.so.6[0xb6a7bf08]
./libxul.so(XRE_GetBinaryPath+0x55)[0xb74882dc]
./xulrunner-bin[0x8049967]
./xulrunner-bin[0x8049b76]
./xulrunner-bin[0x804a053]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb69a6450]
./xulrunner-bin[0x8049871]
}}}
  Happens at least in two callers of realpath(): http://mxr.mozilla.org/mozilla/source/toolkit/xre/nsAppRunner.cpp#1383. Patches that mask the problem:
   {{{
 build-tree/mozilla/toolkit/profile/src/nsToolkitProfileService.cpp | 2 +-
 build-tree/mozilla/toolkit/xre/nsAppRunner.cpp | 2 +-
...
- char exePath[MAXPATHLEN];
+ char exePath[MAXPATHLEN * 10];
}}}
  Other aborts are difficult to catch because libs are loaded using dlopen().
  Workaround: CPPFLAGS=-U_FORTIFY_SOURCE used for now.

This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper], and DistCompilerFlags. Please attempt to fix a source package's problems before disabling a given compiler feature, and document the package and bug numbers in the Problems section below.

-fstack-protector

First enabled in Ubuntu 6.10. Enabled run-time stack overflow verification. See GccSsp for further details. Most problems are related to packages that do not use stdlib directly (kernel modules, certain libraries, etc).

Failure examples:

  • '__stack_chk_fail' symbol not found
    • Indicates a program was compiled to expect to have the stdlib available, but did not find it at runtime.
    *** stack smashing detected ***
    Aborted
    • A function did not correctly maintain its stack variables. Usually indicates a stack buffer overflow.

Disabled with -fno-stack-protector or -nostdlib in CPPFLAGS.

-D_FORTIFY_SOURCE=2

First enabled in Ubuntu 8.10. Provides compile-time best-practices errors for certain libc functions, and provides run-time checks of buffer lengths and memory regions. Only activated when compiled with -O2 or higher. Most problems are related to common unsafe uses of certain libc functions.

Failure examples:

  • error: ignoring return value of 'int system(const char*)', declared with attribute warn_unused_result
    • The return value from system() functions should be evaluated and handled appropriately, or discarded with a (void) cast if the result can actually be safely ignored.

    error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
    • When using open() with O_CREAT, best-practice is to define a valid mode argument.

    warning: call to ‘__read_chk_warn’ declared with attribute warning: read called with bigger length than size of the destination buffer
    • The call to read() was done into a buffer with the wrong size. Double-check the size argument and the buffer size.

    warning: passing argument 1 of 'memcpy' discards qualifiers from pointer target type
    warning: passing argument 1 of 'strcpy' discards qualifiers from pointer target type
    *** %n in writable segment detected ***
    Aborted
    • On x86, use of "%n" in a format string is limited to read-only memory (not stack or heap allocated strings).

    *** buffer overflow detected ***
    Aborted
    • A call to sprintf should be changed to use snprintf, or a too-small buffer was read into (see read() warnings above).

Reduced checking via -D_FORTIFY_SOURCE=1 in CPPFLAGS. Disabled with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0 in CPPFLAGS.

-Wformat -Wformat-security

First enabled in Ubuntu 8.10. Enables compile-time warnings about misuse of format strings, some of which can have security implications. These options should only cause build failures if the package is compiling with -Werror.

Failure examples:

  • warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’
    • For packages that aren't already building with -Wall, format character to argument types will be checked. Verify the correct variables for a given format string.

    warning: format not a string literal and no format arguments
    • This is caused by code that forgot to use "%s" for a *printf function. For example:

      • fprintf(stderr,buf);
      should be:
      • fprintf(stderr,"%s",buf);

Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.

-Wl,-z,relro

First enabled in Ubuntu 8.10. Provides a read-only relocation table area in the final ELF. This option paves the way for using -z now which forces all relocations to be resolved at run-time (which would cause some additional initial load delay), providing an even higher level of protection to the relocation table -- it could then be entirely read-only which can be used to further harden long-running programs like daemons.

No known failure examples.

Disabled with -Wl,-z,norelro in LDFLAGS.

Problems

Please open FTBFS bugs and tag them with "hardening-ftbfs". If a compiler option must be disabled instead of finding a correct fix, document the packages, work-around, and reasons here:

  • Mozilla
    • Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging [https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head songbird])

      • $ ./xulrunner
        *** buffer overflow detected ***: ./xulrunner-bin terminated
        ======= Backtrace: =========
        /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb6a7d138]
        /lib/tls/i686/cmov/libc.so.6[0xb6a7b7d0]
        /lib/tls/i686/cmov/libc.so.6[0xb6a7bf08]
        ./libxul.so(XRE_GetBinaryPath+0x55)[0xb74882dc]
        ./xulrunner-bin[0x8049967]
        ./xulrunner-bin[0x8049b76]
        ./xulrunner-bin[0x804a053]
        /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb69a6450]
        ./xulrunner-bin[0x8049871]

      Happens at least in two callers of realpath(): http://mxr.mozilla.org/mozilla/source/toolkit/xre/nsAppRunner.cpp#1383. Patches that mask the problem:

      •  build-tree/mozilla/toolkit/profile/src/nsToolkitProfileService.cpp |    2 +-
         build-tree/mozilla/toolkit/xre/nsAppRunner.cpp                     |    2 +-
        ...
        -  char exePath[MAXPATHLEN];
        +  char exePath[MAXPATHLEN * 10];
      Other aborts are difficult to catch because libs are loaded using dlopen(). Workaround: CPPFLAGS=-U_FORTIFY_SOURCE used for now.

ToolChain/CompilerFlags (last edited 2021-09-02 05:51:07 by paelzer)