Ubuntu
gcc-snapshot package

update for gcc-4.6 hardening patches

Bug #696990 reported by Kees Cook
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gcc-snapshot (Ubuntu)
Won't Fix
High
Unassigned

Bug Description

Binary package hint: gcc-snapshot

Here is an updated patchset for gcc-4.6. I dropped the linaro-specific relro patch since it looked like it was just conflicting with the gold-and-ld patch, which when disabled caused the relro patch not to apply. I tried to make the relro patch apply more easily now in addition to the other updates.

Tags: patch
Kees Cook (kees)
tags: added: patch
Matthias Klose (doko)
Changed in gcc-snapshot (Ubuntu):
status: New → Fix Committed
Revision history for this message
Kees Cook (kees) wrote :

Hm, things are not right.

This is correct and expected in 4.5:

$ gcc-4.5 -U_FORTIFY_SOURCE -O2 test.c -o test
$ hardening-check test
...
 Fortify Source functions: no, not found!

This is not right for 4.6:

$ gcc-4.6 -U_FORTIFY_SOURCE -O2 test.c -o test
$ hardening-check test
...
 Fortify Source functions: yes

Revision history for this message
Kees Cook (kees) wrote :

4.5: COLLECT_GCC_OPTIONS='-v' '-U_FORTIFY_SOURCE' '-O2' '-o' 'test' '-mtune=generic' '-march=x86-64'
vs
4.6: COLLECT_GCC_OPTIONS='-v' '-U' '_FORTIFY_SOURCE' '-O2' '-o' 'test' '-mtune=generic' '-march=x86-64'

Revision history for this message
Kees Cook (kees) wrote :

It seems like the command line does not take precedence any more?

$ gcc-4.6 -D_FORTIFY_SOURCE=0 -O2 test.c -o test
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined [enabled by default]
<command-line>:0:0: note: this is the location of the previous definition

Revision history for this message
Kees Cook (kees) wrote :

Oh, and I missed ssp (it was disabled twice in the build...)

Revision history for this message
Kees Cook (kees) wrote :

Okay, here's the final one. This passes the test-gcc-security.py regression tests and includes the fix for bug 691722 too.

Changed in gcc-snapshot (Ubuntu):
status: Fix Committed → In Progress
Kees Cook (kees)
Changed in gcc-snapshot (Ubuntu):
importance: Undecided → High
Revision history for this message
Matthias Klose (doko) wrote :

now in gcc-4.6 in the ubuntu-toolchain-r PPA. Are test results comparable with Debian gcc-snapshot builds?

Revision history for this message
Matthias Klose (doko) wrote :

this apparently is unfortunately a won't fix issue

Changed in gcc-snapshot (Ubuntu):
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.