Date: Sat, 25 Jan 2020 10:53:31 +0000 From: Sergei Trofimovich <slyfox@...too.org> To: musl@...ts.openwall.com, libc-alpha@...rceware.org, gcc@....gnu.org, toolchain@...too.org Subject: musl, glibc and ideal place for __stack_chk_fail_local [ sending it to musl, glibc and gcc devel mailing list as we need to build a consensus across the projects ] To support smash stack protection gcc emits __stack_chk_fail calls on all targets. On top of that gcc emits __stack_chk_fail_local calls at least on i386 and powerpc: https://bugs.gentoo.org/706210#c9 gcc can either use libssp/libssp_nonshared fallback or rely on libc to provide __stack_chk_fail. Where ideally should gcc pick __stack_chk_fail_local? Looks like gcc/glibc and musl disagree on that: - gcc: gcc either provides it from libssp_nonshared.a if libc has no ssp support or pulls it from libc - glibc: provides both __stack_chk_fail (deault) and __stack_chk_fail_local (avoid PLT) symbols. __stack_chk_fail_local comes from libc_nonshared.a and is added to linker script as: $ cat /usr/lib/libc.so OUTPUT_FORMAT(elf32-i386) GROUP ( /lib/libc.so.6 /usr/lib/libc_nonshared.a AS_NEEDED ( /lib/ld-linux.so.2 ) ) - musl: provides only __stack_chk_fail (default) and refuses to provide __stack_chk_fail_local: https://www.openwall.com/lists/musl/2018/09/11/2 This makes musl effectively not support ssp on i386 and probably powerpc. Currently gcc's assumption is that musl supports ssp symbols from libc on all targets: https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/configure.ac;h=a7521ee99436a7c12159bdde0471dc66d3c4288e;hb=HEAD#l6079 6088 case "$target" in 6089 *-*-musl*) 6090 # All versions of musl provide stack protector 6091 gcc_cv_libc_provides_ssp=yes;; Clearly that assumption is not correct as __stack_chk_fail_local is not provided by musl and linking fails. This sounds like a expectation mismatch between gcc and musl of what it takes to implement an ssp interface. What should we do to make it fixed long term and short term? Long term: Is there a vision of perfect end state agreed with gcc/glibc/musl folk so we could just implement it? If there is none let's try to form one. My understanding of requirements for libc that exposes ssp support: - __stack_chk_fail is implemented as a default symbol - __stack_chk_fail_local is implemented as a local symbol to avoid PLT. (Why is it important? To avoid use of potentially already broken stack?) My understanding of possible perfect end state: 1. All libcs are required to somehow provide both __stack_chk_fail and __stack_chk_fail_local: be it linker script, crt*.o files or an extra libc_nonshared.a which gcc explicitly uses. Which one is best? 2. All libcs are required to provide only __stack_chk_fail and gcc always provides __stack_chk_local from libgcc.a, or from new libgcc_ssp.a. Evntually glibc drops it's __stack_chk_fail definition. 3. Your variant. How do you gcc/glibc/musl folk see it? Once we decide I'll file bugs against agreed projects. At least gcc could explicitly document the interface. Short term: While the above is not addressed what should we do about musl in gcc? Should gcc stop trying use musl on i386/powerpc here: 6088 case "$target" in 6089 *-*-musl*) 6090 # All versions of musl provide stack protector 6091 gcc_cv_libc_provides_ssp=yes;; and fall back to libssp instead? If it makes sense I'll create a bug against gcc. Thanks! -- Sergei
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.