Date: Sun, 12 Aug 2012 22:12:02 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: kernel's -fstack-protector

Hi,

The RHEL6.3'ish kernel is able to use SSP of gcc, but currently doesn't do it:

/usr/src/world/kernel-config/linux-2.6.32/arch/x86/Makefile:81: stack protector enabled but no compiler support

Linux tests SSP by compiling a trivial program which uses an array and examining
the result:

	#!/bin/sh

	echo "int foo(void) { char X[200]; return 3; }" | $* -S -xc -c -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
	if [ "$?" -eq "0" ] ; then
		echo y
	else
		echo n
	fi

Look at the difference between my host Ubuntu system and Owl's chroot:

--- /home/vasya/owl/gcc-ssp-1	2012-08-12 22:02:56.081192917 +0400
+++ /home/vasya/owl/gcc-ssp-2	2012-08-12 22:03:26.109341468 +0400
@@ -1,22 +1,31 @@
 	.file	""
 	.text
-.globl foo
+	.globl	foo
 	.type	foo, @function
 foo:
+.LFB0:
+	.cfi_startproc
 	pushl	%ebp
+	.cfi_def_cfa_offset 8
+	.cfi_offset 5, -8
 	movl	%esp, %ebp
+	.cfi_def_cfa_register 5
 	subl	$216, %esp
-	movl	%gs:20, %eax
+	movl	__stack_chk_guard, %eax
 	movl	%eax, -12(%ebp)
 	xorl	%eax, %eax
 	movl	$3, %eax
 	movl	-12(%ebp), %edx
-	xorl	%gs:20, %edx
-	je	.L3
+	xorl	__stack_chk_guard, %edx
+	je	.L2
 	call	__stack_chk_fail
-.L3:
+.L2:
 	leave
+	.cfi_restore 5
+	.cfi_def_cfa 4, 4
 	ret
+	.cfi_endproc
+.LFE0:
 	.size	foo, .-foo
-	.ident	"GCC: (Ubuntu 4.4.3-4ubuntu5.1) 4.4.3"
+	.ident	"GCC: (GNU) 4.6.2"
 	.section	.note.GNU-stack,"",@...gbits
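
Review bot: on the `+` side the canary is still stored at -12(%ebp), re-checked and followed by `call __stack_chk_fail`; only its source changes from `%gs:20` to the global `__stack_chk_guard`, so the probe's `grep -q "%gs"` answers n for a compiler that does instrument foo. Most of the other `+` lines are `.cfi_*` directives and the `.L3`/`.L2` label rename, which are unrelated to the guard; generating both listings with -fno-asynchronous-unwind-tables should leave a diff that shows only the guard load and compare.
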
---

The most interesting lines are:

	-	movl	%gs:20, %eax
	+	movl	__stack_chk_guard, %eax

Owl's gcc doesn't use %gs, but uses a global symbol.  That's because our glibc
doesn't support any sort of SSP and gcc falls back to using a global symbol.
That is a gcc compilation stage choice, so we cannot explicitly enable it for
the kernel until a glibc upgrade.

So, for now we don't use SSP for the kernel.

Thanks,

-- 
Vasily
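
The distinction drawn in the message above, as an added example that is not part of the original post or of the kernel's build scripts: instead of a yes/no grep for "%gs", this sketch reports which guard source the compiler emitted. The function names and SAMPLE_* variables are assumptions; the samples are constructed from the two listings in the diff, and accepting %fs goes beyond the page's i386 case.

```shell
#!/bin/sh
# Added example; classify_ssp_asm, probe_compiler and SAMPLE_* are hypothetical names.

# Read assembly on stdin and print where the stack canary is loaded from:
#   tls    - segment-relative load such as %gs:20 (what the kernel probe greps for;
#            %fs is accepted too, as used by x86-64 user space)
#   global - load from the __stack_chk_guard symbol (gcc's fallback)
#   none   - no call to __stack_chk_fail, so nothing is instrumented
classify_ssp_asm() {
	asm=$(cat)
	if ! printf '%s\n' "$asm" | grep -q '__stack_chk_fail'; then
		echo none
	elif printf '%s\n' "$asm" | grep -Eq '%[fg]s:[0-9]+'; then
		echo tls
	elif printf '%s\n' "$asm" | grep -q '__stack_chk_guard'; then
		echo global
	else
		echo unknown
	fi
}

# Feed the kernel probe's test program to a compiler command, e.g.
# "probe_compiler gcc". Prints "none" when the compiler cannot be run.
probe_compiler() {
	echo 'int foo(void) { char X[200]; return 3; }' |
		"$@" -S -xc -c -O0 -fstack-protector - -o - 2>/dev/null | classify_ssp_asm
}

# Constructed samples: excerpts of the two listings compared in the message.
SAMPLE_TLS='	movl	%gs:20, %eax
	movl	%eax, -12(%ebp)
	xorl	%gs:20, %edx
	je	.L3
	call	__stack_chk_fail'
SAMPLE_GLOBAL='	movl	__stack_chk_guard, %eax
	movl	%eax, -12(%ebp)
	xorl	__stack_chk_guard, %edx
	je	.L2
	call	__stack_chk_fail'
SAMPLE_NONE='	pushl	%ebp
	movl	%esp, %ebp
	movl	$3, %eax
	leave
	ret'

for s in "$SAMPLE_TLS" "$SAMPLE_GLOBAL" "$SAMPLE_NONE"; do
	printf '%s\n' "$s" | classify_ssp_asm
done
```

A result of "global" corresponds to the Owl chroot listing, where the kernel's probe prints n even though the function carries a canary check.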
