* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
@ 2018-11-05 20:07 Romain Naour
From: Romain Naour @ 2018-11-05 20:07 UTC (permalink / raw)
To: buildroot
As reported in the bug report [1], gcc < 6 doesn't build when
FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
upstream bug report [2] but the patch fixing the issue for gcc 6
has not been backported to earlier gcc versions.
Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
and BR2_FORTIFY_SOURCE_2.
[1] https://bugs.busybox.net/show_bug.cgi?id=11476
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
[3] https://github.com/gcc-mirror/gcc/commit/55f12fce4ccf77513644a247f9c401a5b1fa2402
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
---
To be backported up to Buildroot 2018.02.x.
---
Config.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Config.in b/Config.in
index 584a1f087f..6176433fc0 100644
--- a/Config.in
+++ b/Config.in
@@ -798,6 +798,8 @@ config BR2_FORTIFY_SOURCE_NONE
config BR2_FORTIFY_SOURCE_1
bool "Conservative"
+ # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6
help
This option sets _FORTIFY_SOURCE to 1 and only introduces
checks that shouldn't change the behavior of conforming
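Review bot: the `+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6` line gates the option on the gcc version for every toolchain, while the commit message describes a failure when building gcc < 6 itself with FORTIFY_SOURCE set, so an external gcc 4.x/5.x toolchain is not affected and loses the option for no reason. Gating only the internal-toolchain case, `depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6`, keeps the hardening available where it works. A bare `depends on` also makes the option silently vanish from menuconfig; a `comment` entry stating the toolchain requirement would tell users why it disappeared.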
@@ -805,6 +807,8 @@ config BR2_FORTIFY_SOURCE_1
config BR2_FORTIFY_SOURCE_2
bool "Aggressive"
+ # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6
help
This option sets _FORTIFY_SOURCES to 2 and some more
checking is added, but some conforming programs might fail.
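Review bot: the context line `This option sets _FORTIFY_SOURCES to 2` carries a pre-existing typo (`_FORTIFY_SOURCES` for `_FORTIFY_SOURCE`); since this hunk already edits the stanza, correcting it here keeps the help text consistent with the BR2_FORTIFY_SOURCE_1 entry. The new `# gcc bug` comment could also cite the fixing commit listed as [3] in the commit message, so whoever backports it knows when the `depends on` can be dropped; the same point raised for BR2_FORTIFY_SOURCE_1 (external toolchains of that version are not affected by a gcc build failure) applies to this hunk too.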
--
2.14.5
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Matthew Weber @ 2018-11-05 20:35 UTC (permalink / raw)
To: buildroot
Romain,
On Mon, Nov 5, 2018, 14:07 Romain Naour <romain.naour@gmail.com> wrote:
> As reported in the bug report [1], gcc < 6 doesn't build when
> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
> upstream bug report [2] but the patch fixing the issue for gcc 6
> has not been backported to earlier gcc versions.
>
> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
> and BR2_FORTIFY_SOURCE_2.
>
Sorry about the HTML email.
Could this dependency be conditional on if an internal toolchain is used?
> [1] https://bugs.busybox.net/show_bug.cgi?id=11476
> [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
> [3]
> https://github.com/gcc-mirror/gcc/commit/55f12fce4ccf77513644a247f9c401a5b1fa2402
>
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
> Cc: Peter Korsgaard <peter@korsgaard.com>
> ---
> To be backported up to Buildroot 2018.02.x.
> ---
> Config.in | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/Config.in b/Config.in
> index 584a1f087f..6176433fc0 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -798,6 +798,8 @@ config BR2_FORTIFY_SOURCE_NONE
>
> config BR2_FORTIFY_SOURCE_1
> bool "Conservative"
> + # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
> + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6
> help
> This option sets _FORTIFY_SOURCE to 1 and only introduces
> checks that shouldn't change the behavior of conforming
> @@ -805,6 +807,8 @@ config BR2_FORTIFY_SOURCE_1
>
> config BR2_FORTIFY_SOURCE_2
> bool "Aggressive"
> + # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
> + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6
> help
> This option sets _FORTIFY_SOURCES to 2 and some more
> checking is added, but some conforming programs might fail.
> --
> 2.14.5
>
>
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Peter Korsgaard @ 2018-11-05 22:17 UTC (permalink / raw)
To: buildroot
>>>>> "Matthew" == Matthew Weber <matthew.weber@rockwellcollins.com> writes:
> Romain,
> On Mon, Nov 5, 2018, 14:07 Romain Naour <romain.naour@gmail.com> wrote:
>> As reported in the bug report [1], gcc < 6 doesn't build when
>> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
>> upstream bug report [2] but the patch fixing the issue for gcc 6
>> has not been backported to earlier gcc versions.
>>
>> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
>> and BR2_FORTIFY_SOURCE_2.
>>
> Sorry about the HTML email.
> Could this dependency be conditional on if an internal toolchain is used?
Ahh yes, if this is really about *building* gcc, then it should be
depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Matthew Weber @ 2018-11-05 22:21 UTC (permalink / raw)
To: buildroot
Peter/Romain,
On Mon, Nov 5, 2018 at 4:17 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Matthew" == Matthew Weber <matthew.weber@rockwellcollins.com> writes:
>
> > Romain,
> > On Mon, Nov 5, 2018, 14:07 Romain Naour <romain.naour@gmail.com> wrote:
>
> >> As reported in the bug report [1], gcc < 6 doesn't build when
> >> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
> >> upstream bug report [2] but the patch fixing the issue for gcc 6
> >> has not been backported to earlier gcc versions.
> >>
> >> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
> >> and BR2_FORTIFY_SOURCE_2.
> >>
>
> > Sorry about the HTML email.
>
> > Could this dependency be conditional on if an internal toolchain is used?
>
> Ahh yes, if this is really about *building* gcc, then it should be
>
> depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
>
Correct. I'll have to dig a bit and see what the minimum supported
external toolchain version is. I believe 5.4.x
Matt
--
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / RC Linux Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com
Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Matthew Weber @ 2018-11-06 12:27 UTC (permalink / raw)
To: buildroot
All,
On Mon, Nov 5, 2018 at 4:21 PM Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Peter/Romain,
>
>
> On Mon, Nov 5, 2018 at 4:17 PM Peter Korsgaard <peter@korsgaard.com> wrote:
> >
> > >>>>> "Matthew" == Matthew Weber <matthew.weber@rockwellcollins.com> writes:
> >
> > > Romain,
> > > On Mon, Nov 5, 2018, 14:07 Romain Naour <romain.naour@gmail.com> wrote:
> >
> > >> As reported in the bug report [1], gcc < 6 doesn't build when
> > >> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
> > >> upstream bug report [2] but the patch fixing the issue for gcc 6
> > >> has not been backported to earlier gcc versions.
> > >>
> > >> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
> > >> and BR2_FORTIFY_SOURCE_2.
> > >>
> >
> > > Sorry about the HTML email.
> >
> > > Could this dependency be conditional on if an internal toolchain is used?
> >
> > Ahh yes, if this is really about *building* gcc, then it should be
> >
> > depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
> >
>
> Correct. I'll have to dig a bit and see what the minimum supported
> external toolchain version is. I believe 5.4.x
Found an old post.... https://access.redhat.com/blogs/766093/posts/1976213
Looks like the FORTIFY options should work from GCC 4.0+ and are more
dependent on GLIBC being new enough (which we won't run into).
Macros are supported since GLIBC2.3.4 -
http://man7.org/linux/man-pages/man7/feature_test_macros.7.html
Matt
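A quick way to check the point Matt makes above, that whether FORTIFY_SOURCE takes effect depends on the C library and the build flags rather than on the gcc major version alone, is to ask the toolchain itself. The script below is an added example, not code from this thread or from Buildroot; it assumes that `$CC` names the (cross) compiler to probe (defaulting to `cc`) and that the compiler accepts gcc-style `-E -dM` and `-S -o -` options. The probe source, a memcpy into a 16-byte global buffer, is constructed for this example.

```shell
#!/bin/sh
# Probe whether a (cross) compiler actually honours _FORTIFY_SOURCE.
# Added example for this thread, not code from the Buildroot patch. It assumes
# $CC (default: cc) names the compiler under test and that it accepts
# gcc-style -E/-dM/-S options.

# Report the level glibc's features.h settles on for a given -D_FORTIFY_SOURCE
# value. Prints "none" when __USE_FORTIFY_LEVEL is not defined at all (glibc
# too old, or a libc such as musl that does not implement fortification) and
# "no-compiler" when no compiler can be found.
fortify_level() {
    cc="${CC:-cc}"
    level="${1:-2}"
    command -v "$cc" >/dev/null 2>&1 || { echo no-compiler; return 0; }
    # Preprocess features.h with the flags a fortified build uses (-O is
    # required: glibc only enables fortification when __OPTIMIZE__ is set).
    found=$(printf '#include <features.h>\n' \
        | "$cc" -O2 -D_FORTIFY_SOURCE="$level" -E -dM -x c - 2>/dev/null \
        | sed -n 's/^#define __USE_FORTIFY_LEVEL \([0-9]*\).*/\1/p')
    echo "${found:-none}"
}

# Does a fortified build turn a memcpy into a buffer of known size into a call
# to __memcpy_chk? Compiling to assembly only (-S) means this also works with a
# cross compiler that has no sysroot to link against. Prints yes/no/no-compiler.
fortify_emits_chk() {
    cc="${CC:-cc}"
    level="${1:-2}"
    command -v "$cc" >/dev/null 2>&1 || { echo no-compiler; return 0; }
    # Constructed probe: the destination size is known (16 bytes) but the
    # length is not, so a fortified memcpy must defer the bounds check to
    # __memcpy_chk at run time.
    asm=$(printf '#include <string.h>\nchar buf[16];\nvoid f(const char *s, unsigned n) { memcpy(buf, s, n); }\n' \
        | "$cc" -O2 -D_FORTIFY_SOURCE="$level" -S -x c - -o - 2>/dev/null || true)
    case "$asm" in
        *memcpy_chk*) echo yes ;;
        *) echo no ;;
    esac
}

# Stand-alone use: report both probes for the compiler named by $CC.
echo "__USE_FORTIFY_LEVEL with -D_FORTIFY_SOURCE=2: $(fortify_level)"
echo "memcpy -> __memcpy_chk:                       $(fortify_emits_chk)"
```

Point `CC` at the compiler a Buildroot external toolchain wraps; a compiler that reports level `2` and `yes` fortifies regardless of its gcc major version, which is the situation described above for external toolchains, while `none`/`no` shows the C library rather than the compiler is what is missing.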
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Romain Naour @ 2018-11-06 21:06 UTC (permalink / raw)
To: buildroot
On 06/11/2018 at 13:27, Matthew Weber wrote:
> All,
>
> On Mon, Nov 5, 2018 at 4:21 PM Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
>>
>> Peter/Romain,
>>
>>
>> On Mon, Nov 5, 2018 at 4:17 PM Peter Korsgaard <peter@korsgaard.com> wrote:
>>>
>>>>>>>> "Matthew" == Matthew Weber <matthew.weber@rockwellcollins.com> writes:
>>>
>>> > Romain,
>>> > On Mon, Nov 5, 2018, 14:07 Romain Naour <romain.naour@gmail.com> wrote:
>>>
>>> >> As reported in the bug report [1], gcc < 6 doesn't build when
>>> >> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
>>> >> upstream bug report [2] but the patch fixing the issue for gcc 6
>>> >> has not been backported to earlier gcc versions.
>>> >>
>>> >> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
>>> >> and BR2_FORTIFY_SOURCE_2.
>>> >>
>>>
>>> > Sorry about the HTML email.
>>>
>>> > Could this dependency be conditional on if an internal toolchain is used?
>>>
>>> Ahh yes, if this is really about *building* gcc, then it should be
>>>
>>> depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
>>>
>>
>> Correct. I'll have to dig a bit and see what the minimum supported
>> external toolchain version is. I believe 5.4.x
>
> Found an old post.... https://access.redhat.com/blogs/766093/posts/1976213
> Looks like the FORTIFY options should work from GCC 4.0+ and are more
> dependent on GLIBC being new enough (which we won't run into).
> Macros are supported since GLIBC2.3.4 -
> http://man7.org/linux/man-pages/man7/feature_test_macros.7.html
Maybe it is worth backporting this patch?
https://github.com/gcc-mirror/gcc/commit/55f12fce4ccf77513644a247f9c401a5b1fa2402
Best regards,
Romain
>
> Matt
>
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Peter Korsgaard @ 2018-11-06 9:06 UTC (permalink / raw)
To: buildroot
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> As reported in the bug report [1], gcc < 6 doesn't build when
> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
> upstream bug report [2] but the patch fixing the issue for gcc 6
> has not been backported to earlier gcc versions.
> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
> and BR2_FORTIFY_SOURCE_2.
> [1] https://bugs.busybox.net/show_bug.cgi?id=11476
> [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
> [3] https://github.com/gcc-mirror/gcc/commit/55f12fce4ccf77513644a247f9c401a5b1fa2402
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
> Cc: Peter Korsgaard <peter@korsgaard.com>
> ---
> To be backported up to Buildroot 2018.02.x.
Committed after adding the internal toolchain dependency as pointed out
by Matthew, thanks.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH] Config.in: security hardening: disable FORTIFY_SOURCE for gcc < 6
From: Peter Korsgaard @ 2018-11-25 20:49 UTC (permalink / raw)
To: buildroot
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> As reported in the bug report [1], gcc < 6 doesn't build when
> FORTIFY_SOURCE is set to 1 or 2. The issue is related to the
> upstream bug report [2] but the patch fixing the issue for gcc 6
> has not been backported to earlier gcc versions.
> Add a dependency on gcc at least version 6 to BR2_FORTIFY_SOURCE_1
> and BR2_FORTIFY_SOURCE_2.
> [1] https://bugs.busybox.net/show_bug.cgi?id=11476
> [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
> [3] https://github.com/gcc-mirror/gcc/commit/55f12fce4ccf77513644a247f9c401a5b1fa2402
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
> Cc: Peter Korsgaard <peter@korsgaard.com>
> ---
> To be backported up to Buildroot 2018.02.x.
Committed to 2018.02.x and 2018.08.x, thanks.
--
Bye, Peter Korsgaard