CompilerFlags

Differences between revisions 19 and 22 (spanning 3 versions)
Revision 19 as of 2008-06-09 21:56:30
Size: 6511
Editor: c-76-105-157-155
Comment:
Revision 22 as of 2008-08-25 23:22:03
Size: 7141
Editor: sites
Comment:
Line 1: Line 1:
This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper], and DistCompilerFlags. Please attempt to fix a source package's problems before disabling a given compiler feature, and document the package and bug numbers in the Problems section below. ||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>||
Line 3: Line 3:
This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [[Security/HardeningWrapper]], and DistCompilerFlags. Please attempt to fix a source package's problems before disabling a given compiler feature, and document the package and bug numbers in the Problems section below.

<<Anchor(stack-protector)>>
Line 21: Line 24:
<<Anchor(fortify-source)>>
Line 34: Line 38:
  When using {{{open()}}} with {{{O_CREAT}}}, best-practice is to define a valid {{{mode}}} argument.   When using {{{open()}}} with {{{O_CREAT}}}, best-practice is to define a valid {{{mode}}} argument. For the least modes, try using {{{(S_IRUSR|S_IWUSR)}}} first. If that doesn't work as expected in the program, then start adding back perms. For example, user and group: {{{(S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP)}}}; user, group, and other: {{{(S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH)}}}.
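Review bot: the permission ladder this hunk adds ends at S_IWOTH, which makes the created file world-writable; when widening from (S_IRUSR|S_IWUSR), the "other" class should stop at S_IROTH unless the program genuinely needs arbitrary users to write the file. It is also worth stating that the mode passed to open() is further masked by the process umask, so the program cannot rely on the mode argument alone for the final permissions.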
Line 45: Line 49:
  Code compiled with {{{-Werror}}} and using memcpy/strcpy/etc with qualifier overrides will fail. This is a bug in glibc 2.7. See [https://launchpad.net/bugs/217481].   Code compiled with {{{-Werror}}} and using memcpy/strcpy/etc with qualifier overrides will fail. This is a bug in glibc 2.7. See [[https://launchpad.net/bugs/217481]].
Line 61: Line 65:
<<Anchor(format-security)>>
Line 85: Line 90:
<<Anchor(relro)>>
Line 93: Line 99:
<<Anchor(problems)>>
Line 97: Line 104:
  Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging [https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head songbird])   Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging [[https://code.edge.launchpad.net/~mozillateam/songbird/songbird.head|songbird]])

This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, Security/HardeningWrapper, and DistCompilerFlags. Please attempt to fix a source package's problems before disabling a given compiler feature, and document the package and bug numbers in the Problems section below.

-fstack-protector

First enabled in Ubuntu 6.10. Enables run-time stack overflow verification. See GccSsp for further details. Most problems are related to packages that do not use the standard library directly (kernel modules, certain libraries, etc.).

Failure examples:

  • '__stack_chk_fail' symbol not found
    • Indicates a program was compiled to expect to have the stdlib available, but did not find it at runtime.
  • *** stack smashing detected ***
    Aborted
    • A function did not correctly maintain its stack variables. Usually indicates a stack buffer overflow.

Disabled with -fno-stack-protector or -nostdlib in CPPFLAGS.

-D_FORTIFY_SOURCE=2

First enabled in Ubuntu 8.10. Provides compile-time best-practices errors for certain libc functions, and provides run-time checks of buffer lengths and memory regions. Only activated when compiled with -O2 or higher. Most problems are related to common unsafe uses of certain libc functions.

Failure examples:

  • error: ignoring return value of 'int system(const char*)', declared with attribute warn_unused_result
    • The return value from system(), fwrite(), and similar functions should be evaluated and handled appropriately. In cases where one absolutely must throw away the return value, it can be discarded with an empty test: if (system("...")) { }, though this is not recommended.
  • error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
    • When using open() with O_CREAT, best practice is to pass a valid mode argument. For the least permissions, try (S_IRUSR|S_IWUSR) first. If that doesn't work as expected in the program, then add permissions back. For example, user and group: (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP); user, group, and other: (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH).
  • warning: call to ‘__read_chk_warn’ declared with attribute warning: read called with bigger length than size of the destination buffer
    • The call to read() was done into a buffer with the wrong size. Double-check the size argument and the buffer size.
  • warning: passing argument 1 of 'memcpy' discards qualifiers from pointer target type
    warning: passing argument 1 of 'strcpy' discards qualifiers from pointer target type
    • Code compiled with -Werror and using memcpy/strcpy/etc. with qualifier overrides will fail. This is a bug in glibc 2.7. See https://launchpad.net/bugs/217481.
  • *** %n in writable segment detected ***
    Aborted
    • On x86, use of "%n" in a format string is limited to read-only memory (not stack- or heap-allocated strings).
  • *** buffer overflow detected ***
    Aborted
    • A call to sprintf should be changed to use snprintf, or a too-small buffer was read into (see the read() warning above).

Reduced checking via -D_FORTIFY_SOURCE=1 in CPPFLAGS. Disabled with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0 in CPPFLAGS.
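Each diagnostic above points at an idiom the fortified glibc rejects. The following added example (not from the Ubuntu wiki or from any package) collects the corresponding safe idioms in one place: an explicit owner-only mode for open() with O_CREAT, a read() bounded by the destination size, snprintf with a literal format in place of sprintf, and an evaluated fwrite() result. The same bounded copy is the fix for the -fstack-protector "stack smashing detected" abort in the section above, since it cannot write past the local buffer. The function names, demo_read_via_pipe() and the sample message are assumptions made for the example.

```c
/* Added example: hardened idioms for the _FORTIFY_SOURCE diagnostics.
   Not from the Ubuntu wiki or any package; names are illustrative. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* open() with O_CREAT must pass a mode: start with owner read/write only
   (S_IRUSR|S_IWUSR) and widen only if the program actually needs it.
   O_EXCL refuses to open a file that already exists, so a pre-planted
   file or symlink at that path is rejected instead of truncated. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* read() into a fixed buffer: request at most bufsize - 1 bytes so the
   result can always be NUL-terminated. Returns bytes read, or -1. */
ssize_t read_bounded(int fd, char *buf, size_t bufsize)
{
    if (bufsize == 0) { errno = EINVAL; return -1; }
    ssize_t n = read(fd, buf, bufsize - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* sprintf replacement: snprintf with a literal format string and an
   explicit truncation check. Returns 0 if everything fit, -1 if the
   output was truncated (the caller decides instead of silently losing data). */
int format_bounded(char *dst, size_t dstsize, const char *user, unsigned id)
{
    int len = snprintf(dst, dstsize, "%s:%u", user, id);
    if (len < 0 || (size_t)len >= dstsize) return -1;
    return 0;
}

/* fwrite() is declared warn_unused_result: a short write is an error. */
int write_all(FILE *fp, const void *data, size_t len)
{
    return fwrite(data, 1, len, fp) == len ? 0 : -1;
}

/* Push a constructed message (longer than the destination) through a pipe
   and read it back with read_bounded(), showing that the read is clipped
   to the buffer instead of overflowing it. Returns bytes read, or -1. */
ssize_t demo_read_via_pipe(char *buf, size_t bufsize)
{
    static const char msg[] = "constructed sample line that is longer than the buffer";
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    close(fds[1]);
    ssize_t n = read_bounded(fds[0], buf, bufsize);
    close(fds[0]);
    return n;
}
```

The creation mode is further restricted by the process umask, so S_IRUSR|S_IWUSR is an upper bound on what the file can end up with, not a guarantee; with -D_FORTIFY_SOURCE=2 a read() whose length exceeds the destination and a missing open() mode are both reported at compile time, while the snprintf truncation is left to the program to handle.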

-Wformat -Wformat-security

First enabled in Ubuntu 8.10. Enables compile-time warnings about misuse of format strings, some of which can have security implications. These options should only cause build failures if the package is compiling with -Werror.

Failure examples:

  • warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’
    • For packages that aren't already building with -Wall, format characters will now be checked against the argument types. Verify the correct variables for a given format string.
  • warning: format not a string literal and no format arguments
    • This is caused by code that forgot to use "%s" for a *printf function. For example:
      fprintf(stderr,buf);
      should be:
      fprintf(stderr,"%s",buf);

Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.

-Wl,-z,relro

First enabled in Ubuntu 8.10. Provides a read-only relocation table area in the final ELF. This option paves the way for using -z now, which forces all relocations to be resolved at load time (adding some initial load delay) and provides an even higher level of protection for the relocation table: it can then be made entirely read-only, which further hardens long-running programs like daemons.

No known failure examples.

Disabled with -Wl,-z,norelro in LDFLAGS.
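A practitioner usually wants to confirm what the linker actually emitted. The following added example (not the wiki's or the toolchain's own code) inspects an ELF64 image and reports whether it carries the PT_GNU_RELRO program header that -Wl,-z,relro produces and whether the dynamic section carries the BIND_NOW flag that -z now adds, the combination the paragraph above describes as a fully read-only relocation table. build_sample_elf() constructs a minimal, non-runnable ELF image so the check can be exercised offline; the function names and the HAS_RELRO/HAS_BIND_NOW constants are assumptions. On a real binary, `readelf -l` (look for GNU_RELRO) and `readelf -d` (look for BIND_NOW) show the same two facts.

```c
/* Added example: report RELRO and BIND_NOW from an ELF64 image in memory.
   Not from the Ubuntu wiki or the toolchain; names are illustrative. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HAS_RELRO    1
#define HAS_BIND_NOW 2

/* Returns a bitmask of HAS_RELRO / HAS_BIND_NOW, or -1 if buf is not a
   well-formed little-endian ELF64 image. Every offset is bounds-checked
   against len before it is read, so a truncated file cannot overrun buf. */
int inspect_relro(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    int flags = 0;

    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    if (eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            flags |= HAS_RELRO;          /* -z relro: read-only relocation segment */
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return -1;
        for (size_t j = 0; j < ph.p_filesz / sizeof(Elf64_Dyn); j++) {
            Elf64_Dyn d;
            memcpy(&d, buf + ph.p_offset + j * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL)
                break;
            if (d.d_tag == DT_BIND_NOW ||
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                flags |= HAS_BIND_NOW;   /* -z now: relocations resolved at load time */
        }
    }
    return flags;
}

/* Constructed test image (not a runnable binary): ELF header, up to three
   program headers and a two-entry dynamic section. Returns the image size,
   or 0 if cap is too small to hold it. */
size_t build_sample_elf(unsigned char *buf, size_t cap, int with_relro, int with_now)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[3];
    Elf64_Dyn dyn[2];
    size_t nph = 0, ndyn = 0;
    size_t phoff = sizeof eh, dynoff = phoff + sizeof ph, total = dynoff + sizeof dyn;

    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = phoff;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);

    ph[nph].p_type = PT_LOAD; ph[nph].p_flags = PF_R | PF_X; nph++;
    if (with_relro) { ph[nph].p_type = PT_GNU_RELRO; ph[nph].p_flags = PF_R; nph++; }
    if (with_now) { dyn[ndyn].d_tag = DT_FLAGS; dyn[ndyn].d_un.d_val = DF_BIND_NOW; ndyn++; }
    dyn[ndyn].d_tag = DT_NULL; ndyn++;
    ph[nph].p_type = PT_DYNAMIC; ph[nph].p_flags = PF_R | PF_W;
    ph[nph].p_offset = dynoff; ph[nph].p_filesz = ndyn * sizeof(Elf64_Dyn); nph++;
    eh.e_phnum = nph;

    memset(buf, 0, total);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + phoff, ph, sizeof ph);
    memcpy(buf + dynoff, dyn, sizeof dyn);
    return total;
}

/* Stand-alone use on a real file: ./relro_check /path/to/binary */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s ELF-file\n", argv[0]); return 2; }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) { perror(argv[1]); return 2; }
    fseek(fp, 0, SEEK_END); long sz = ftell(fp); rewind(fp);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, fp) != (size_t)sz) { fclose(fp); free(buf); return 2; }
    fclose(fp);
    int r = inspect_relro(buf, (size_t)sz);
    free(buf);
    if (r < 0) { fprintf(stderr, "not an ELF64 LSB image\n"); return 2; }
    printf("RELRO: %s, BIND_NOW: %s\n", r & HAS_RELRO ? "yes" : "no", r & HAS_BIND_NOW ? "yes" : "no");
    return 0;
}
```

A binary built with the default -Wl,-z,relro alone reports RELRO yes and BIND_NOW no (partial RELRO: the GOT stays writable for lazy binding); only with -z now as well is the whole relocation area read-only after load, which is the full-RELRO state the section describes.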

Problems

If the upstream source cannot be reasonably fixed and a package must have compiler flags disabled or some other work-around, please open a launchpad bug, tag it with "hardening-ftbfs", and link to it here along with an explanation of what the problem is:

  • Mozilla
    • Multiple aborts in xulrunner-1.9 / firefox 3.0 (found while packaging songbird):

        $ ./xulrunner
        *** buffer overflow detected ***: ./xulrunner-bin terminated
        ======= Backtrace: =========
        /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb6a7d138]
        /lib/tls/i686/cmov/libc.so.6[0xb6a7b7d0]
        /lib/tls/i686/cmov/libc.so.6[0xb6a7bf08]
        ./libxul.so(XRE_GetBinaryPath+0x55)[0xb74882dc]
        ./xulrunner-bin[0x8049967]
        ./xulrunner-bin[0x8049b76]
        ./xulrunner-bin[0x804a053]
        /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb69a6450]
        ./xulrunner-bin[0x8049871]

      Happens in at least two callers of realpath(): http://mxr.mozilla.org/mozilla/source/toolkit/xre/nsAppRunner.cpp#1383. Patches that mask the problem:

      •  build-tree/mozilla/toolkit/profile/src/nsToolkitProfileService.cpp |    2 +-
         build-tree/mozilla/toolkit/xre/nsAppRunner.cpp                     |    2 +-
        ...
        -  char exePath[MAXPATHLEN];
        +  char exePath[MAXPATHLEN * 10];
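Review bot: this hunk only multiplies the exePath buffer by ten, which silences the fortified realpath() check without establishing why MAXPATHLEN was too small; as the page itself says, it masks the problem rather than fixing it. Prefer sizing the buffer to what realpath() documents (PATH_MAX) or letting realpath(path, NULL) allocate the result, and keep the aborting input as a regression test so the abort cannot reappear unnoticed.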
      Other aborts are difficult to catch because the libraries are loaded with dlopen(). Workaround: CPPFLAGS=-U_FORTIFY_SOURCE is used for now.
  • libxfont1
    • Doesn't work with -Bsymbolic-functions (can't work; see bug #230460 for analysis).
  • cvs
    • Eats 100% RAM in a few seconds and loops with "%n in writable segment detected" logs. To reproduce:

        $ apt-get install mozilla-devscripts
        $ make -f /usr/share/mozilla-devscripts/firefox-3.0.mk get-orig-source DEBIAN_DATE=20080506t1400

      Workaround: CPPFLAGS=-U_FORTIFY_SOURCE

ToolChain/CompilerFlags (last edited 2024-03-22 22:52:13 by eslerm)