[PATCH 04/12] Allow overriding of CFLAGS as well as CPPFLAGS for rtld.

[PATCH 04/12] Allow overriding of CFLAGS as well as CPPFLAGS for rtld.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

We need this to pass -fno-stack-protector to all the pieces of rtld in
non-elf/ directories.
---
 elf/rtld-Rules         | 2 +-
 scripts/sysd-rules.awk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/elf/rtld-Rules b/elf/rtld-Rules
index 94ca39b..c1bb506 100644
--- a/elf/rtld-Rules
+++ b/elf/rtld-Rules
@@ -90,7 +90,7 @@ else
 
 rtld-compile-command.S = $(compile-command.S) $(rtld-CPPFLAGS)
 rtld-compile-command.s = $(compile-command.s) $(rtld-CPPFLAGS)
-rtld-compile-command.c = $(compile-command.c) $(rtld-CPPFLAGS)
+rtld-compile-command.c = $(compile-command.c) $(rtld-CPPFLAGS) $(rtld-CFLAGS)
 
 # These are the basic compilation rules corresponding to the Makerules ones.
 # The sysd-rules generated makefile already defines pattern rules for rtld-%
diff --git a/scripts/sysd-rules.awk b/scripts/sysd-rules.awk
index cebc9d3..69af400 100644
--- a/scripts/sysd-rules.awk
+++ b/scripts/sysd-rules.awk
@@ -54,7 +54,7 @@ BEGIN {
           command_suffix = "";
         } else {
           prefix = gensub(/%/, "", 1, target_pattern);
-          command_suffix = " $(" prefix  "CPPFLAGS)";
+          command_suffix = " $(" prefix  "CPPFLAGS)" " $(" prefix  "CFLAGS)";
         }
         target = "$(objpfx)" target_pattern o ":";
         if (asm_rules) {
-- 
2.7.0.198.g6dd47b6

--enable-stack-protector for glibc.

[Nix]

So this is the provisional "stack-protect glibc" patch, a version of which has
been running for many, many years on my (x86-32 Geode) firewall.  No changelog
yet, but I'll write one soonish.  (When I do, it'll cite glibc bug 7065.  Bug
7066, a buffer overrun in strtold(), was uncovered during the initial
development of this patch, many years ago.)

It's against glibc head as of a few days ago, a5df3210a641c17.

I've gone through it and dropped things that don't seem to have any
justification nor affect testsuite results.  Some of the things thus dropped may
in fact be important for proper functioning of things like error messages from
statically linked programs when running against a kernel too old for the glibc:
I haven't retested that case, but it is plausible.  (I'll test that case at some
point in the next few days, but after many dozens of 64- and 32-bit x86 glibc
build-and-tests with every combination of
--enable-stack-protector={no,yes,all,strong} / --enable-omitfp /
--enable-stackguard-randomization I had frankly had enough of that for now!)

The testsuite passes with every combination of those flags (other than various
combinations with --enable-stack-protector=no, that seemed pointless to test):
no failures are observed with it that are not also observed on an unpatched
glibc with the same flag combinations.  However, until last night two things
were failing: I figured out how to stop them, but I don't understand why this
patch works and why, if it works, many others aren't needed (see the last patch
in the series).


I have not even considered investigating the performance of this.  Suffice to
say that with everything *but* glibc stack-protected on many distros, and with
perforamnce appearing quite acceptable to me on a 32-bit 500MHz embedded
processor, the performance implications of this patch do not appear to be
catastrophic. It's probably the same as the stack-protector always is: a few
percent.

The patches themselves have my work address on them because I just spent
a couple of work days on them.

[PATCH 03/12] Initialize the stack guard earlier when linking statically.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

The address of the stack canary is stored in a per-thread variable,
which means that we must ensure that the TLS area is intialized before
calling any -fstack-protector'ed functions.  For dynamically linked
applications, we ensure this (in a later patch) by disabling
-fstack-protector for the whole dynamic linker, but for static
applications the AT_ENTRY address is called directly by the kernel, so
we must deal with the problem differently.

So split out the part of pthread initialization that sets up the TCB
(and, more generally, the TLS area) into a separate function (twice --
there is one implementation in libpthread.a, and another outside it for
programs that do not link with libpthread), then call it at
initialization time. Call that, and move the stack guard initialization
above the DL_SYSDEP_OSCHECK hook, which if set will probably call
functions which are stack-protected (it does on Linux and NaCL too).

(Side note: on x86, the DL_SYSDEP_OSCHECK hook involves calling
_dl_discover_osversion(), which on older kernels can involve opening and
parsing files and once upon a time, long ago, went wrong if the
apply_irel() clause was not moved up above that hook call as well.
However, this no longer goes wrong on any system I have access to,
so I am willing to call this a separate bug: I can't see any obvious
connection to the stack-guard canary, at any rate.  I'm noting it here
purely because it crept into the patch and might potentially need
putting back in at some future date, if I'm wrong about this.)
---
 csu/libc-start.c | 20 ++++++++++++--------
 csu/libc-tls.c   |  8 ++++++++
 nptl/nptl-init.c | 11 +++++++----
 3 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/csu/libc-start.c b/csu/libc-start.c
index f4aa01a..140b079 100644
--- a/csu/libc-start.c
+++ b/csu/libc-start.c
@@ -33,6 +33,7 @@ extern int __libc_multiple_libcs;
 #ifndef SHARED
 # include <dl-osinfo.h>
 extern void __pthread_initialize_minimal (void);
+extern void __pthread_initialize_tcb_internal (void);
 # ifndef THREAD_SET_STACK_GUARD
 /* Only exported for architectures that don't store the stack guard canary
    in thread local area.  */
@@ -178,6 +179,17 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
         }
     }
 
+  /* The stack guard goes into the TCB.  */
+  __pthread_initialize_tcb_internal ();
+
+  /* Set up the stack checker's canary.  */
+  uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random);
+# ifdef THREAD_SET_STACK_GUARD
+  THREAD_SET_STACK_GUARD (stack_chk_guard);
+# else
+  __stack_chk_guard = stack_chk_guard;
+# endif
+
 # ifdef DL_SYSDEP_OSCHECK
   if (!__libc_multiple_libcs)
     {
@@ -195,14 +207,6 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
      we need to setup errno.  */
   __pthread_initialize_minimal ();
 
-  /* Set up the stack checker's canary.  */
-  uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random);
-# ifdef THREAD_SET_STACK_GUARD
-  THREAD_SET_STACK_GUARD (stack_chk_guard);
-# else
-  __stack_chk_guard = stack_chk_guard;
-# endif
-
   /* Set up the pointer guard value.  */
   uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
 							 stack_chk_guard);
diff --git a/csu/libc-tls.c b/csu/libc-tls.c
index d6425e0..3d67a64 100644
--- a/csu/libc-tls.c
+++ b/csu/libc-tls.c
@@ -241,5 +241,13 @@ void
 __attribute__ ((weak))
 __pthread_initialize_minimal (void)
 {
+}
+
+/* This is the minimal initialization function used when libpthread is
+   not used.  */
+void
+__attribute__ ((weak))
+__pthread_initialize_tcb_internal (void)
+{
   __libc_setup_tls (TLS_INIT_TCB_SIZE, TLS_INIT_TCB_ALIGN);
 }
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
index bdbdfed..a4626be 100644
--- a/nptl/nptl-init.c
+++ b/nptl/nptl-init.c
@@ -296,21 +296,24 @@ extern void **__libc_dl_error_tsd (void) __attribute__ ((const));
 /* This can be set by the debugger before initialization is complete.  */
 static bool __nptl_initial_report_events __attribute_used__;
 
+#ifndef SHARED
 void
-__pthread_initialize_minimal_internal (void)
+__pthread_initialize_tcb_internal (void)
 {
-#ifndef SHARED
   /* Unlike in the dynamically linked case the dynamic linker has not
      taken care of initializing the TLS data structures.  */
   __libc_setup_tls (TLS_TCB_SIZE, TLS_TCB_ALIGN);
 
-  /* We must prevent gcc from being clever and move any of the
+  /* We must prevent gcc from being clever after inlining and moving any of the
      following code ahead of the __libc_setup_tls call.  This function
      will initialize the thread register which is subsequently
      used.  */
   __asm __volatile ("");
+}
 #endif
-
+void
+__pthread_initialize_minimal_internal (void)
+{
   /* Minimal initialization of the thread descriptor.  */
   struct pthread *pd = THREAD_SELF;
   __pthread_initialize_pids (pd);
-- 
2.7.0.198.g6dd47b6

[PATCH 08/12] Link various tests with -fno-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

These tests do not link with libc, so cannot see __stack_chk_fail().
---
 elf/Makefile            | 6 ++++++
 stdlib/Makefile         | 4 ++++
 sysdeps/x86_64/Makefile | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/elf/Makefile b/elf/Makefile
index 0cb03b0..9806648 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -741,6 +741,12 @@ $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so
 		  $< -Wl,-F,$(objpfx)filtmod2.so
 $(objpfx)filter: $(objpfx)filtmod1.so
 
+ifeq ($(have-ssp),yes)
+# These do not link against libc.
+CFLAGS-filtmod1.c = -fno-stack-protector
+CFLAGS-filtmod2.c = -fno-stack-protector
+endif
+
 $(objpfx)unload: $(libdl)
 $(objpfx)unload.out: $(objpfx)unloadmod.so
 
diff --git a/stdlib/Makefile b/stdlib/Makefile
index 26fe67a..bb9d4b1 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -164,6 +164,10 @@ LDFLAGS-tst-putenv = $(no-as-needed)
 
 $(objpfx)tst-putenvmod.so: $(objpfx)tst-putenvmod.os $(link-libc-deps)
 	$(build-module)
+# This is not only not in libc, it's not even linked with it.
+ifeq ($(have-ssp),yes)
+CFLAGS-tst-putenvmod.c += -fno-stack-protector
+endif
 libof-tst-putenvmod = extramodules
 
 $(objpfx)bug-getcontext: $(libm)
diff --git a/sysdeps/x86_64/Makefile b/sysdeps/x86_64/Makefile
index 67ed5ba..3183cb3 100644
--- a/sysdeps/x86_64/Makefile
+++ b/sysdeps/x86_64/Makefile
@@ -40,6 +40,9 @@ quad-pie-test += tst-quad1pie tst-quad2pie
 tests += $(quad-pie-test)
 tests-pie += $(quad-pie-test)
 
+CFLAGS-tst-quad1pie.c = -fno-stack-protector
+CFLAGS-tst-quad2pie.c = -fno-stack-protector
+
 $(objpfx)tst-quad1pie: $(objpfx)tst-quadmod1pie.o
 $(objpfx)tst-quad2pie: $(objpfx)tst-quadmod2pie.o
 
-- 
2.7.0.198.g6dd47b6

[PATCH 01/12] Configury support for --enable-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This adds =all and =strong, with obvious semantics, and with a rather
arbitrarily-chosen default off, which we might well want to change to
something stronger once this patch has been tested by people other than
me.

We don't validate the value of the option yet: that's in a later patch.
Nor do we use it for anything at this stage.

We differentiate between 'the compiler understands -fstack-protector'
and 'the user wanted -fstack-protector' so that we can pass
-fno-stack-protector in appropriate places even if the user didn't want
to turn on -fstack-protector for other parts.  (This helps us overcome
another existing limitation, that glibc doesn't work with GCC's hacked
to pass in -fstack-protector by default.)

We might want to add another configuration option to turn on
-fstack-protector for nscd and other network-facing operations by
default, but for now I've stuck with one option to control everything.
---
 configure.ac | 61 ++++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3c766b7..804fac7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,6 +232,18 @@ AC_ARG_ENABLE([bind-now],
 	      [bindnow=no])
 AC_SUBST(bindnow)
 
+dnl Build glibc with -fstack-protector, -fstack-protector-all, or
+dnl -fstack-protector-strong.
+AC_ARG_ENABLE([stack-protector],
+            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
+                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),
+            [enable_stack_protector=$enableval],
+            [enable_stack_protector=no])
+case x"$enable_stack_protector" in
+    xall|xyes|xno|xstrong) ;;
+    *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector]);;
+esac
+
 dnl On some platforms we cannot use dynamic loading.  We must provide
 dnl static NSS modules.
 AC_ARG_ENABLE([static-nss],
@@ -602,6 +614,35 @@ fi
 test -n "$base_machine" || base_machine=$machine
 AC_SUBST(base_machine)
 
+AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
+		   [libc_cv_ssp=yes],
+		   [libc_cv_ssp=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-all, libc_cv_ssp_all, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all],
+		   [libc_cv_ssp_all=yes],
+		   [libc_cv_ssp_all=no])
+])
+
+stack_protector=
+if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
+  stack_protector=-fstack-protector
+elif test x$enable_stack_protector = xall && test $libc_cv_ssp_all = yes; then
+  stack_protector=-fstack-protector-all
+elif test x$enable_stack_protector = xstrong && test $libc_cv_ssp_strong = yes; then
+  stack_protector=-fstack-protector-strong
+fi
+AC_SUBST(libc_cv_ssp)
+AC_SUBST(stack_protector)
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -1389,26 +1430,6 @@ else
 fi
 AC_SUBST(fno_unit_at_a_time)
 
-AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
-		   [libc_cv_ssp=yes],
-		   [libc_cv_ssp=no])
-])
-
-AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
-		   [libc_cv_ssp_strong=yes],
-		   [libc_cv_ssp_strong=no])
-])
-
-stack_protector=
-if test "$libc_cv_ssp_strong" = "yes"; then
-  stack_protector="-fstack-protector-strong"
-elif test "$libc_cv_ssp" = "yes"; then
-  stack_protector="-fstack-protector"
-fi
-AC_SUBST(stack_protector)
-
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,
 	       [cat > conftest.c <<EOF
-- 
2.7.0.198.g6dd47b6

[PATCH 07/12] Link libc.so with libc_nonshared.a to pull in __stack_chk_fail.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This prevents a spurious undefined reference from libc (which would be
an ABI break).
---
 Makerules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Makerules b/Makerules
index 53eabfa..d369d78 100644
--- a/Makerules
+++ b/Makerules
@@ -674,6 +674,7 @@ $(common-objpfx)linkobj/libc.so: link-libc-deps = # empty
 # libraries.
 $(common-objpfx)libc.so: $(elf-objpfx)soinit.os \
 			 $(common-objpfx)libc_pic.os$(libc_pic_clean) \
+			 $(common-objpfx)libc_nonshared.a \
 			 $(elf-objpfx)sofini.os \
 			 $(elf-objpfx)interp.os \
 			 $(elf-objpfx)ld.so \
@@ -683,6 +684,7 @@ $(common-objpfx)libc.so: $(elf-objpfx)soinit.os \
 
 $(common-objpfx)linkobj/libc.so: $(elf-objpfx)soinit.os \
 			 $(common-objpfx)linkobj/libc_pic.a \
+			 $(common-objpfx)libc_nonshared.a \
 			 $(elf-objpfx)sofini.os \
 			 $(elf-objpfx)interp.os \
 			 $(elf-objpfx)ld.so \
-- 
2.7.0.198.g6dd47b6

[PATCH 06/12] Compile the entire dynamic linker with -fno-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

Also compile corresponding routines in the static libc.a with the same
flag.
---
 elf/Makefile   | 13 +++++++++++++
 elf/rtld-Rules |  4 ++++
 2 files changed, 17 insertions(+)

diff --git a/elf/Makefile b/elf/Makefile
index 63a5355..0cb03b0 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -50,6 +50,16 @@ CFLAGS-dl-runtime.c = -fexceptions -fasynchronous-unwind-tables
 CFLAGS-dl-lookup.c = -fexceptions -fasynchronous-unwind-tables
 CFLAGS-dl-iterate-phdr.c = $(uses-callbacks)
 
+ifeq ($(have-ssp),yes)
+# In the dynamic loader, some routines (which include routines called before
+# the stack guard is initialized) are compiled without stack protection.
+# Do the same when those routines are found in the static library.
+
+CFLAGS-.o += $(if $(filter $(@F),$(patsubst %,%.o,$(elide-routines.os))),-fno-stack-protector)
+CFLAGS-.op += $(if $(filter $(@F),$(patsubst %,%.op,$(elide-routines.os))),-fno-stack-protector)
+CFLAGS-.og += $(if $(filter $(@F),$(patsubst %,%.og,$(elide-routines.os))),-fno-stack-protector)
+endif
+
 ifeq ($(unwind-find-fde),yes)
 routines += unwind-dw2-fde-glibc
 shared-only-routines += unwind-dw2-fde-glibc
@@ -468,6 +478,9 @@ libof-ldconfig = ldconfig
 CFLAGS-dl-cache.c = $(SYSCONF-FLAGS)
 CFLAGS-cache.c = $(SYSCONF-FLAGS)
 CFLAGS-rtld.c = $(SYSCONF-FLAGS)
+ifeq ($(have-ssp),yes)
+CFLAGS-.os += $(if $(filter $(@F),$(patsubst %,%.os,$(all-rtld-routines))),-fno-stack-protector)
+endif
 
 cpp-srcs-left := $(all-rtld-routines:=.os)
 lib := rtld
diff --git a/elf/rtld-Rules b/elf/rtld-Rules
index c1bb506..1d571d3 100644
--- a/elf/rtld-Rules
+++ b/elf/rtld-Rules
@@ -144,4 +144,8 @@ cpp-srcs-left := $(rtld-modules:%.os=%)
 lib := rtld
 include $(patsubst %,$(..)cppflags-iterator.mk,$(cpp-srcs-left))
 
+ifeq ($(have-ssp),yes)
+rtld-CFLAGS := -fno-stack-protector
+endif
+
 endif
-- 
2.7.0.198.g6dd47b6

[PATCH 12/12] Avoid stack-protecting certain functions called from assembly.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This is the problematic part.  Without -fno-stack-protector on these two
files, or more specifically on __pthread_mutex_cond_lock_adjust() and
__pthread_mutex_unlock_usercnt(), nptl/tst-cond24 and nptl/tst-cond25
receive a NULL mutex at unlock time and segfault.  However... I don't
understand why.  It is the callee's responsibility both to add the stack
canary and to initialize it, just like any other local variable.
It has to be, or the ABI for stack-protected code would be incompatible
with that for non-protected code.  But the fact remains that
sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S both explicitly
mentions the stack frame layout and calls this function, and this call
goes wrong if we stack-protect it.

Looking at this, I'm now wondering how many other places GCC does calls
into C from assembler that break the rules in the same way. It can't be
all of them, or nothing would work -- but what about
sysdeps/x86_64/setjmp.S, which sibcalls into setjmp/sigjmp.c?  This
works and does not appear to need any -fstack-protector of any kind
at all -- but it also has no local variables, so I might be escaping by
luck rather than judgement...

So this is somewhere where I need someone to tell me what's special about
sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S (and in particular
special about priority-inheritance mutexes: everything else works),
before I can be confident that this is even remotely the right thing to
do.
---
 nptl/Makefile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nptl/Makefile b/nptl/Makefile
index a1d52a2..95240c7 100644
--- a/nptl/Makefile
+++ b/nptl/Makefile
@@ -330,6 +330,10 @@ endif
 ifeq ($(have-ssp),yes)
 # Parts of nptl-init.c are called before the stack guard is initialized.
 CFLAGS-nptl-init.c += -fno-stack-protector
+# Parts of these files are called from assembler, with a hand-made stack,
+# sans canary.
+CFLAGS-pthread_mutex_cond_lock.c += -fno-stack-protector
+CFLAGS-pthread_mutex_unlock.c += -fno-stack-protector
 endif
 
 modules-names = tst-atfork2mod tst-tls3mod tst-tls4moda tst-tls4modb \
-- 
2.7.0.198.g6dd47b6

[PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

After this patch series is complete, glibc exports a __stack_chk_fail()
implementation for use by all other programs, including other parts of
glibc.

Unfortunately this means that we have to rip out the existing
implementation (that simply calls __fortify_fail()) and replace it with
another which does not call into glibc: otherwise, you get this build
failure, when libdl ends up pulling in sizeable pieces of glibc at the
early static link stage, then understandably clashing with libc_pic later:

gcc   -nostdlib -nostartfiles -r -o /home/oranix/oracle/src/foo/libc_pic.os \
 -Wl,-d -Wl,--whole-archive /home/oranix/oracle/src/foo/libc_pic.a -o /home/oranix/oracle/src/foo/libc_pic.os
/home/oranix/oracle/src/foo/libc_pic.a(init-first.os):(.data+0x0): multiple definition of `__libc_multiple_libcs'
/home/oranix/oracle/src/foo/elf/dl-allobjs.os:(.bss+0xf8): first defined here
/home/oranix/oracle/src/foo/libc_pic.a(libc_fatal.os): In function `__GI___libc_fatal':
/home/oranix/oracle/src/glibc/libio/../sysdeps/posix/libc_fatal.c:182: multiple definition of `__GI___libc_fatal'
/home/oranix/oracle/src/foo/elf/dl-allobjs.os:/home/oranix/oracle/src/glibc/elf/dl-minimal.c:199: first defined here
/home/oranix/oracle/src/foo/libc_pic.a(libc_fatal.os): In function `__GI___libc_fatal':
/home/oranix/oracle/src/glibc/libio/../sysdeps/posix/libc_fatal.c:182: multiple definition of `__libc_fatal'
/home/oranix/oracle/src/foo/elf/dl-allobjs.os:/home/oranix/oracle/src/glibc/elf/dl-minimal.c:199: first defined here
/home/oranix/oracle/src/foo/libc_pic.a(dl-addr.os): In function `_dl_addr_inside_object':
/home/oranix/oracle/src/glibc/elf/dl-addr.c:151: multiple definition of `_dl_addr_inside_object'
/home/oranix/oracle/src/foo/elf/dl-allobjs.os:/home/oranix/oracle/src/glibc/elf/dl-open.c:744: first defined here

Back in 2008 when I wrote this I replaced it with the then-current
gentoo replacement stack-smasher: it had nice extra features like
automatically dumping core on a stack smash and logging via syslog, but
most importantly it did not rely on the rest of glibc.

I am completely happy with this piece being thrown out, as long as we
find some other fix for this double-pull-in bug! (It might be as easy as
changing the way dl-allobjs.os is linked, but I honestly don't know
how).  But in general this approach seems safer to me anyway: after
we've been actively attacked, we probably shouldn't be relying on the
complexities of libio with all its vtables and function pointers and the
like: an attacker could easily have smashed those, too.
---
 debug/Makefile         |   1 +
 debug/stack_chk_fail.c | 293 ++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 288 insertions(+), 6 deletions(-)

diff --git a/debug/Makefile b/debug/Makefile
index 6b5f31e..535f10a 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -53,6 +53,7 @@ routines  = backtrace backtracesyms backtracesymsfd noophooks \
 static-only-routines := warning-nop stack_chk_fail_local
 
 CFLAGS-backtrace.c = -fno-omit-frame-pointer
+CFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE
 CFLAGS-sprintf_chk.c = $(libio-mtsafe)
 CFLAGS-snprintf_chk.c = $(libio-mtsafe)
 CFLAGS-vsprintf_chk.c = $(libio-mtsafe)
diff --git a/debug/stack_chk_fail.c b/debug/stack_chk_fail.c
index 4d0796f..c6ce7dc 100644
--- a/debug/stack_chk_fail.c
+++ b/debug/stack_chk_fail.c
@@ -15,15 +15,296 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
-#include <stdio.h>
+/* Copyright (C) 2006-2007 Gentoo Foundation Inc.
+ * License terms as above.
+ *
+ * Hardened Gentoo SSP handler
+ *
+ * An SSP failure handler that does not use functions from the rest of
+ * glibc; it uses the INTERNAL_SYSCALL methods directly.  This ensures
+ * no possibility of recursion into the handler.
+ *
+ * Direct all bug reports to http://bugs.gentoo.org/
+ *
+ * Re-written from the glibc-2.3 Hardened Gentoo SSP handler
+ * by Kevin F. Quinn - <kevquinn[@]gentoo.org>
+ *
+ * The following people contributed to the glibc-2.3 Hardened
+ * Gentoo SSP handler, from which this implementation draws much:
+ *
+ * Ned Ludd - <solar[@]gentoo.org>
+ * Alexander Gabert - <pappy[@]gentoo.org>
+ * The PaX Team - <pageexec[@]freemail.hu>
+ * Peter S. Mazinger - <ps.m[@]gmx.net>
+ * Yoann Vandoorselaere - <yoann[@]prelude-ids.org>
+ * Robert Connolly - <robert[@]linuxfromscratch.org>
+ * Cory Visi <cory[@]visi.name>
+ * Mike Frysinger <vapier[@]gentoo.org>
+ */
+
+#include <errno.h>
 #include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <sys/types.h>
+
+#include <sysdep-cancel.h>
+#include <sys/syscall.h>
+
+#include <kernel-features.h>
+
+#include <alloca.h>
+/* from sysdeps */
+#include <socketcall.h>
+/* for the stuff in bits/socket.h */
+#include <sys/socket.h>
+#include <sys/un.h>
+
+
+/* Sanity check on SYSCALL macro names - force compilation
+ * failure if the names used here do not exist
+ */
+#if !defined __NR_socketcall && !defined __NR_socket
+# error Cannot do syscall socket or socketcall
+#endif
+#if !defined __NR_socketcall && !defined __NR_connect
+# error Cannot do syscall connect or socketcall
+#endif
+#ifndef __NR_write
+# error Cannot do syscall write
+#endif
+#ifndef __NR_close
+# error Cannot do syscall close
+#endif
+#ifndef __NR_getpid
+# error Cannot do syscall getpid
+#endif
+#ifndef __NR_kill
+# error Cannot do syscall kill
+#endif
+#ifndef __NR_exit
+# error Cannot do syscall exit
+#endif
+#ifdef SSP_SMASH_DUMPS_CORE
+# define ENABLE_SSP_SMASH_DUMPS_CORE 1
+# if !defined _KERNEL_NSIG && !defined _NSIG
+#  error No _NSIG or _KERNEL_NSIG for rt_sigaction
+# endif
+# if !defined __NR_sigaction && !defined __NR_rt_sigaction
+#  error Cannot do syscall sigaction or rt_sigaction
+# endif
+/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size
+ * of the _kernel_ sigset_t which is not the same as the user sigset_t.
+ * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for
+ * some reason.
+ */
+# ifdef _KERNEL_NSIG
+#  define _SSP_NSIG _KERNEL_NSIG
+# else
+#  define _SSP_NSIG _NSIG
+# endif
+#else
+# define _SSP_NSIG 0
+# define ENABLE_SSP_SMASH_DUMPS_CORE 0
+#endif
+
+/* Define DO_SIGACTION - default to newer rt signal interface but
+ * fallback to old as needed.
+ */
+#ifdef __NR_rt_sigaction
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8)
+#else
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(sigaction, 3, signum, act, oldact)
+#endif
+
+/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */
+#if defined(__NR_socket) && defined(__NR_connect)
+# define USE_OLD_SOCKETCALL 0
+#else
+# define USE_OLD_SOCKETCALL 1
+#endif
+/* stub out the __NR_'s so we can let gcc optimize away dead code */
+#ifndef __NR_socketcall
+# define __NR_socketcall 0
+#endif
+#ifndef __NR_socket
+# define __NR_socket 0
+#endif
+#ifndef __NR_connect
+# define __NR_connect 0
+#endif
+#define DO_SOCKET(result, domain, type, protocol) \
+	do { \
+		if (USE_OLD_SOCKETCALL) { \
+			socketargs[0] = domain; \
+			socketargs[1] = type; \
+			socketargs[2] = protocol; \
+			socketargs[3] = 0; \
+			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \
+		} else \
+			result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \
+	} while (0)
+#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \
+	do { \
+		if (USE_OLD_SOCKETCALL) { \
+			socketargs[0] = sockfd; \
+			socketargs[1] = (unsigned long int)serv_addr; \
+			socketargs[2] = addrlen; \
+			socketargs[3] = 0; \
+			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \
+		} else \
+			result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \
+	} while (0)
+
+#ifndef _PATH_LOG
+# define _PATH_LOG "/dev/log"
+#endif
+
+static const char path_log[] = _PATH_LOG;
+
+/* For building glibc with SSP switched on, define __progname to a
+ * constant if building for the run-time loader, to avoid pulling
+ * in more of libc.so into ld.so
+ */
+#ifdef IS_IN_rtld
+static char *__progname = "<rtld>";
+#else
+extern char *__progname;
+#endif
+
 
+/* Common handler code, used by stack_chk_fail and __stack_smash_handler
+ * Inlined to ensure no self-references to the handler within itself.
+ * Data static to avoid putting more than necessary on the stack,
+ * to aid core debugging.
+ * The copy in rtld must be hidden to ensure that it gets no relocations
+ * and thus does not crash if called during libc startup.
+ */
+__attribute__ ((__noreturn__ , __always_inline__))
+#ifdef IS_IN_rtld
+attribute_hidden
+#endif
+static inline void
+__hardened_gentoo_stack_chk_fail(char func[], int damaged)
+{
+#define MESSAGE_BUFSIZ 256
+	static pid_t pid;
+	static int plen, i;
+	static char message[MESSAGE_BUFSIZ];
+	static const char msg_ssa[] = ": stack smashing attack";
+	static const char msg_inf[] = " in function ";
+	static const char msg_ssd[] = "*** stack smashing detected ***: ";
+	static const char msg_terminated[] = " - terminated\n";
+	static const char msg_unknown[] = "<unknown>";
+	static int log_socket, connect_result;
+	static struct sockaddr_un sock;
+	static unsigned long int socketargs[4];
+
+	/* Build socket address
+	 */
+	sock.sun_family = AF_UNIX;
+	i = 0;
+	while ((path_log[i] != '\0') && (i<(sizeof(sock.sun_path)-1))) {
+		sock.sun_path[i] = path_log[i];
+		i++;
+	}
+	sock.sun_path[i] = '\0';
+
+	/* Try SOCK_DGRAM connection to syslog */
+	connect_result = -1;
+	DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0);
+	if (log_socket != -1)
+		DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	if (connect_result == -1) {
+		if (log_socket != -1)
+			INLINE_SYSCALL(close, 1, log_socket);
+		/* Try SOCK_STREAM connection to syslog */
+		DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0);
+		if (log_socket != -1)
+			DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	}
+
+	/* Build message.  Messages are generated both in the old style and new style,
+	 * so that log watchers that are configured for the old-style message continue
+	 * to work.
+	 */
+#define strconcat(str) \
+		{i=0; while ((str[i] != '\0') && ((i+plen)<(MESSAGE_BUFSIZ-1))) \
+		{\
+			message[plen+i]=str[i];\
+			i++;\
+		}\
+		plen+=i;}
+
+	/* R.Henderson post-gcc-4 style message */
+	plen = 0;
+	strconcat(msg_ssd);
+	if (__progname != (char *)0)
+		strconcat(__progname)
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_terminated);
+
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
+	if (connect_result != -1)
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+
+	/* Dr. Etoh pre-gcc-4 style message */
+	plen = 0;
+	if (__progname != (char *)0)
+		strconcat(__progname)
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_ssa);
+	strconcat(msg_inf);
+	if (func != NULL)
+		strconcat(func)
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_terminated);
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
+	if (connect_result != -1)
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
 
-extern char **__libc_argv attribute_hidden;
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
+	if (connect_result != -1)
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+
+	if (log_socket != -1)
+		INLINE_SYSCALL(close, 1, log_socket);
+
+	/* Suicide */
+	pid = INLINE_SYSCALL(getpid, 0);
+
+	if (ENABLE_SSP_SMASH_DUMPS_CORE) {
+		static struct sigaction default_abort_act;
+		/* Remove any user-supplied handler for SIGABRT, before using it */
+		default_abort_act.sa_handler = SIG_DFL;
+		default_abort_act.sa_sigaction = NULL;
+		__sigfillset(&default_abort_act.sa_mask);
+		default_abort_act.sa_flags = 0;
+		if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0)
+			INLINE_SYSCALL(kill, 2, pid, SIGABRT);
+	}
+
+	/* Note; actions cannot be added to SIGKILL */
+	INLINE_SYSCALL(kill, 2, pid, SIGKILL);
+
+	/* In case the kill didn't work, exit anyway
+	 * The loop prevents gcc thinking this routine returns
+	 */
+	while (1)
+		INLINE_SYSCALL(exit, 0);
+}
 
-void
-__attribute__ ((noreturn))
-__stack_chk_fail (void)
+__attribute__ ((__noreturn__))
+void __stack_chk_fail(void)
 {
-  __fortify_fail ("stack smashing detected");
+	__hardened_gentoo_stack_chk_fail(NULL, 0);
 }
-- 
2.7.0.198.g6dd47b6

[PATCH 05/12] Mark all machinery needed in early static-link init as -fno-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

The startup code in csu/, brk() and sbrk(), memcpy() and the
__pthread_initialize_tcb_internal() function we just introduced are
needed very early in initialization of a statically-linked program,
before the stack guard is initialized. Mark all of these as
-fno-stack-protector.

We also finally introduce @libc_cv_ssp@, substituted by the configury
changes made much earlier, to detect the case when -fno-stack-protector
is supported by the compiler, and unconditionally pass it in when this
is the case, whether or not --enable-stack-protector is passed to
configure.  (This means that it'll even work when the compiler's been
hacked to pass -fstack-protector by default, unless the hackage is so
broken that it does so in a way that is impossible to override.)

(At one point we marked __libc_fatal() as non-stack-protected too,
but this was pointless: all it did was call other routines which *are*
stack-protected.  I am slightly worried that __libc_fatal() calls from
very early in static binary execution may crash as a result, but I'm
not sure how to test this: booting a very old kernel, perhaps?)
---
 config.make.in  | 1 +
 csu/Makefile    | 7 +++++++
 misc/Makefile   | 6 ++++++
 nptl/Makefile   | 5 +++++
 string/Makefile | 5 +++++
 5 files changed, 24 insertions(+)

diff --git a/config.make.in b/config.make.in
index 05ed6ec..847931f 100644
--- a/config.make.in
+++ b/config.make.in
@@ -55,6 +55,7 @@ with-fp = @with_fp@
 enable-timezone-tools = @enable_timezone_tools@
 unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
 have-fpie = @libc_cv_fpie@
+have-ssp = @libc_cv_ssp@
 stack-protector = @stack_protector@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
diff --git a/csu/Makefile b/csu/Makefile
index 31e8bb9..8d7cbb5 100644
--- a/csu/Makefile
+++ b/csu/Makefile
@@ -45,6 +45,13 @@ before-compile += $(objpfx)version-info.h
 tests := tst-empty tst-atomic tst-atomic-long
 tests-static := tst-empty
 
+ifeq ($(have-ssp),yes)
+CFLAGS-.o += -fno-stack-protector
+CFLAGS-.og += -fno-stack-protector
+CFLAGS-.op += -fno-stack-protector
+CFLAGS-.os += -fno-stack-protector
+endif
+
 ifeq (yes,$(build-shared))
 extra-objs += S$(start-installed-name) gmon-start.os
 ifneq ($(start-installed-name),$(static-start-installed-name))
diff --git a/misc/Makefile b/misc/Makefile
index d7bbc85..ba5c5d0 100644
--- a/misc/Makefile
+++ b/misc/Makefile
@@ -99,6 +99,12 @@ CFLAGS-getusershell.c = -fexceptions
 CFLAGS-err.c = -fexceptions
 CFLAGS-tst-tsearch.c = $(stack-align-test-flags)
 
+ifeq ($(have-ssp),yes)
+# Called during static library initialization.
+CFLAGS-sbrk.c = -fno-stack-protector
+CFLAGS-brk.c = -fno-stack-protector
+endif
+
 include ../Rules
 
 $(objpfx)libg.a: $(dep-dummy-lib); $(make-dummy-lib)
diff --git a/nptl/Makefile b/nptl/Makefile
index dc3ccab..a1d52a2 100644
--- a/nptl/Makefile
+++ b/nptl/Makefile
@@ -327,6 +327,11 @@ tests += tst-execstack
 endif
 endif
 
+ifeq ($(have-ssp),yes)
+# Parts of nptl-init.c are called before the stack guard is initialized.
+CFLAGS-nptl-init.c += -fno-stack-protector
+endif
+
 modules-names = tst-atfork2mod tst-tls3mod tst-tls4moda tst-tls4modb \
 		tst-tls5mod tst-tls5moda tst-tls5modb tst-tls5modc \
 		tst-tls5modd tst-tls5mode tst-tls5modf tst-stack4mod \
diff --git a/string/Makefile b/string/Makefile
index 9c87419..2f97070 100644
--- a/string/Makefile
+++ b/string/Makefile
@@ -71,6 +71,11 @@ CFLAGS-stratcliff.c = -fno-builtin
 CFLAGS-test-ffs.c = -fno-builtin
 CFLAGS-tst-inlcall.c = -fno-builtin
 
+ifeq ($(have-ssp),yes)
+# This is used in early initialization.
+CFLAGS-memcpy.c = -fno-stack-protector
+endif
+
 ifeq ($(run-built-tests),yes)
 $(objpfx)tst-svc-cmp.out: tst-svc.expect $(objpfx)tst-svc.out
 	cmp $^ > $@; \
-- 
2.7.0.198.g6dd47b6

[PATCH 11/12] Drop explicit stack-protection of pieces of the system.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This is probably a bad idea: maybe we want to stack-protect some parts
of the system even when ! --enable-stack-protector. I can easily adjust
the patch to do that (though it'll mean introducing a new variable
analogous to $(stack-protector) but not ocntrolled by the configure
flag.)

But if we wanted to value consistency over security, and use the same
stack-protection configure flag to control everything, this is how we'd
do it!

("Always include at least one patch with something obviously wrong with
it.")
---
 login/Makefile  | 1 -
 nscd/Makefile   | 1 -
 resolv/Makefile | 1 -
 3 files changed, 3 deletions(-)

diff --git a/login/Makefile b/login/Makefile
index 9ff36d6..1a6161c 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions
 ifeq (yesyes,$(have-fpie)$(build-shared))
 pt_chown-cflags += $(pie-ccflag)
 endif
-pt_chown-cflags += $(stack-protector)
 ifeq (yes,$(have-libcap))
 libcap = -lcap
 endif
diff --git a/nscd/Makefile b/nscd/Makefile
index 50bad32..bfd72d5 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
 ifeq (yesyes,$(have-fpie)$(build-shared))
 CFLAGS-nscd += $(pie-ccflag)
 endif
-CFLAGS-nscd += $(stack-protector)
 
 ifeq (yesyes,$(have-fpie)$(build-shared))
 LDFLAGS-nscd = -Wl,-z,now
diff --git a/resolv/Makefile b/resolv/Makefile
index 8be41d3..0395b1a 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \
 	    -Dgetnetbyname=res_getnetbyname \
 	    -Dgetnetbyaddr=res_getnetbyaddr
 
-CFLAGS-libresolv += $(stack-protector)
 CFLAGS-res_hconf.c = -fexceptions
 
 # The BIND code elicits some harmless warnings.
-- 
2.7.0.198.g6dd47b6

[PATCH 09/12] Enable -fstack-protector=* when requested by configure.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This finally turns on all the machinery added in previous commits.
---
 Makeconfig | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makeconfig b/Makeconfig
index 87a22e8..cdffdc7 100644
--- a/Makeconfig
+++ b/Makeconfig
@@ -762,6 +762,11 @@ endif
 # disable any optimization that assume default rounding mode.
 +math-flags = -frounding-math
 
+# We might want to compile with some stack-protection flag.
+ifneq ($(stack-protector),)
++stack-protector=$(stack-protector)
+endif
+
 # This is the program that generates makefile dependencies from C source files.
 # The -MP flag tells GCC >= 3.2 (which we now require) to produce dummy
 # targets for headers so that removed headers don't break the build.
@@ -821,7 +826,7 @@ ifeq	"$(strip $(+cflags))" ""
 +cflags	:= $(default_cflags)
 endif	# $(+cflags) == ""
 
-+cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags)
++cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags) $(+stack-protector)
 +gcc-nowarn := -w
 
 # Don't duplicate options if we inherited variables from the parent.
-- 
2.7.0.198.g6dd47b6

[PATCH 10/12] Work even with compilers hacked to enable -fstack-protector by default.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

With all the machinery we just added, we can easily arrange to work even
when the compiler passes in -fstack-protector automatically: all the
necessary bits of glibc are always compiled with -fno-stack-protector
now.

So tear out the check in configure, and add appropriate calls to
-fno-stack-protector and/or -lssp in tests that need them (largely
those that use -nostdlib).
---
 aclocal.m4   |  6 ++---
 configure.ac | 76 ++++++++++++++++++++----------------------------------------
 2 files changed, 28 insertions(+), 54 deletions(-)

diff --git a/aclocal.m4 b/aclocal.m4
index 3d64f77..a6db875 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -141,7 +141,7 @@ int _start (void) { return 0; }
 int __start (void) { return 0; }
 $1
 EOF
-AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -o conftest
+AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -o conftest
 		       conftest.c -static -nostartfiles -nostdlib
 		       1>&AS_MESSAGE_LOG_FD])],
       [$2], [$3])
@@ -226,7 +226,7 @@ if test x"$gnu_ld" = x"yes"; then
     cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $libssp
 				$2 -nostdlib -nostartfiles
 				-fPIC -shared -o conftest.so conftest.c
 				1>&AS_MESSAGE_LOG_FD])
@@ -268,7 +268,7 @@ libc_compiler_builtin_inlined=no
 cat > conftest.c <<EOF
 int _start (void) { $2 return 0; }
 EOF
-if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 		     $3 -nostdlib -nostartfiles
 		     -S conftest.c -o - | fgrep "$1"
 		     1>&AS_MESSAGE_LOG_FD])
diff --git a/configure.ac b/configure.ac
index 804fac7..694bd68 100644
--- a/configure.ac
+++ b/configure.ac
@@ -643,6 +643,20 @@ fi
 AC_SUBST(libc_cv_ssp)
 AC_SUBST(stack_protector)
 
+if test -n "$stack_protector"; then
+  dnl While most tests can be conducted with stack protection on, a few are
+  dnl incompatible with it.
+  no_ssp=-fno-stack-protector
+  libssp="-lssp_nonshared -lssp"
+else
+  no_ssp=
+  libssp=
+
+  if test x"$enable_stack_protector" != xno; then
+    AC_MSG_ERROR([--enable-stack-protector=$enable_stack_protector specified, but specified level of stack protection is not supported by the compiler.])
+  fi
+fi
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -662,7 +676,7 @@ __start:
 EOF
 libc_cv_ld_gnu_indirect_function=no
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
-	    -nostartfiles -nostdlib \
+	    -nostartfiles -nostdlib $no_ssp \
 	    -o conftest conftest.S 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   # Do a link to see if the backend supports IFUNC relocs.
   $READELF -r conftest 1>&AS_MESSAGE_LOG_FD
@@ -1131,8 +1145,8 @@ extern int glibc_conftest_frobozz;
 void _start() { glibc_conftest_frobozz = 1; }
 EOF
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
-	    -nostartfiles -nostdlib \
-	    -o conftest conftest.s conftest1.c 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
+	    -nostartfiles -nostdlib $no_ssp \
+	    -o conftest conftest.s conftest1.c $libssp 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   libc_cv_asm_set_directive=yes
 else
   libc_cv_asm_set_directive=no
@@ -1148,12 +1162,12 @@ AC_CACHE_CHECK(linker support for protected data symbol,
 		int bar __attribute__ ((visibility ("protected"))) = 1;
 EOF
 		libc_cv_protected_data=no
-		if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles -fPIC -shared conftest.c -o conftest.so); then
+		if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles -fPIC -shared conftest.c -o conftest.so $libssp); then
 		  cat > conftest.c <<EOF
 		  extern int bar;
 		  int main (void) { return bar; }
 EOF
-		  if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles conftest.c -o conftest conftest.so); then
+		  if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles conftest.c -o conftest conftest.so $libssp); then
 		    libc_cv_protected_data=yes
 		  fi
 		fi
@@ -1277,7 +1291,7 @@ EOF
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
 			-nostdlib -nostartfiles
-			-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
+			-Wl,-z,combreloc $libssp 1>&AS_MESSAGE_LOG_FD])
 then
 dnl The following test is a bit weak.  We must use a tool which can test
 dnl cross-platform since the gcc used can be a cross compiler.  Without
@@ -1313,9 +1327,9 @@ AC_CACHE_CHECK(for --hash-style option,
 cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 			    -fPIC -shared -o conftest.so conftest.c
-			    -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
+			    -Wl,--hash-style=both -nostdlib $libssp 1>&AS_MESSAGE_LOG_FD])
 then
   libc_cv_hashstyle=yes
 else
@@ -1385,7 +1399,7 @@ int foo (void) { return mumble; }
 EOF
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
-			-nostdlib -nostartfiles
+			-nostdlib -nostartfiles $libssp
 			1>&AS_MESSAGE_LOG_FD])
 then
 dnl look for GLOB_DAT relocation.
@@ -1402,7 +1416,7 @@ AC_SUBST(libc_cv_has_glob_dat)
 
 AC_CACHE_CHECK(linker output format, libc_cv_output_format, [dnl
 if libc_cv_output_format=`
-${CC-cc} -nostartfiles -nostdlib -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
+${CC-cc} -nostartfiles -nostdlib $no_ssp -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
 then
   :
 else
@@ -1601,46 +1615,6 @@ if test $libc_cv_predef_fortify_source = yes; then
 fi
 AC_SUBST(CPPUNDEFS)
 
-dnl Check for silly hacked compilers inserting -fstack-protector.
-dnl This breaks badly for the early startup code we compile, since
-dnl the compiled code can refer to a magic machine-dependent location
-dnl for the canary value before we have sufficient setup for that to
-dnl work.  It's also questionable to build all of libc with this flag
-dnl even when you're doing that for most applications you build, since
-dnl libc's code is so heavily-used and performance-sensitive.  If we
-dnl ever really want to make that work, it should be enabled explicitly
-dnl in the libc build, not inherited from implicit compiler settings.
-AC_CACHE_CHECK([whether $CC implicitly enables -fstack-protector],
-	       libc_cv_predef_stack_protector, [
-AC_TRY_COMPILE([extern void foobar (char *);],
-	       [char large_array[2048]; foobar (large_array);], [
-libc_undefs=`$NM -u conftest.o |
-  LC_ALL=C $AWK '$1 == "U" { print $2 | "sort -u"; next } { exit(1) }' \
-    2>&AS_MESSAGE_LOG_FD` || {
-  AC_MSG_ERROR([confusing output from $NM -u])
-}
-echo >&AS_MESSAGE_LOG_FD "libc_undefs='$libc_undefs'"
-# On some architectures, there are architecture-specific undefined
-# symbols (resolved by the linker), so filter out unknown symbols.
-# This will fail to produce the correct result if the compiler
-# defaults to -fstack-protector but this produces an undefined symbol
-# other than __stack_chk_fail.  However, compilers like that have not
-# been encountered in practice.
-libc_undefs=`echo "$libc_undefs" | egrep '^(foobar|__stack_chk_fail)$'`
-case "$libc_undefs" in
-foobar) libc_cv_predef_stack_protector=no ;;
-'__stack_chk_fail
-foobar') libc_cv_predef_stack_protector=yes ;;
-*) AC_MSG_ERROR([unexpected symbols in test: $libc_undefs]) ;;
-esac],
-	       [AC_MSG_ERROR([test compilation failed])])
-])
-libc_extra_cflags=
-if test $libc_cv_predef_stack_protector = yes; then
-  libc_extra_cflags="$libc_extra_cflags -fno-stack-protector"
-fi
-libc_extra_cppflags=
-
 # Some linkers on some architectures support __ehdr_start but with
 # bugs.  Make sure usage of it does not create relocations in the
 # output (as the linker should resolve them all for us).
@@ -1651,7 +1625,7 @@ old_LDFLAGS="$LDFLAGS"
 old_LIBS="$LIBS"
 CFLAGS="$CFLAGS -fPIC"
 LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared"
-LIBS=
+LIBS=$libssp
 AC_LINK_IFELSE([AC_LANG_SOURCE([
 typedef struct {
   char foo;
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Andreas Schwab]

Nix <nix@esperi.org.uk> writes:

> +AC_ARG_ENABLE([stack-protector],
> +            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
> +                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),

Please explain the meaning of the argument in the help string.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Nix]

On 20 Feb 2016, Andreas Schwab spake thusly:

> Nix <nix@esperi.org.uk> writes:
>
>> +AC_ARG_ENABLE([stack-protector],
>> +            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
>> +                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),
>
> Please explain the meaning of the argument in the help string.

It's... a bit much to explain the difference between
--stack-protector=yes/all/strong in a configure help string without
filling half the screen up with explanations, but I'll try!

-- 
NULL && (void)

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Nix]

On 20 Feb 2016, nix@esperi.org.uk stated:

> From: Nick Alcock <nick.alcock@oracle.com>
>
> After this patch series is complete, glibc exports a __stack_chk_fail()
> implementation for use by all other programs, including other parts of
> glibc.

Magnus Granberg has now pointed me at a much more recent version of this
change, which replaces __chk_fail() to the same end and reimplement
__stack_chk_fail() in terms of it. I'll incorporate that in the next
version. (The only concern is that this has received changes from lots
of people. Maybe I'll have to reimplement it entirely to avoid
copyright-assignment concerns. What a drag...)

-- 
NULL && (void)

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Andreas Schwab]

Nix <nix@esperi.org.uk> writes:

> On 20 Feb 2016, Andreas Schwab spake thusly:
>
>> Nix <nix@esperi.org.uk> writes:
>>
>>> +AC_ARG_ENABLE([stack-protector],
>>> +            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
>>> +                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),
>>
>> Please explain the meaning of the argument in the help string.
>
> It's... a bit much to explain the difference between
> --stack-protector=yes/all/strong in a configure help string without
> filling half the screen up with explanations, but I'll try!

It should just mention the connection to -fstack-protector.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Nix]

On 20 Feb 2016, Andreas Schwab outgrape:

> Nix <nix@esperi.org.uk> writes:
>
>> +AC_ARG_ENABLE([stack-protector],
>> +            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
>> +                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),
>
> Please explain the meaning of the argument in the help string.

OK, so this is a bit long in the output:

  --enable-stack-protector=[yes|no|all|strong]
                          Detect stack overflows in glibc functions, either
                          with local buffers (yes), or with those plus arrays
                          (strong), or all functions (all)

but it does what you asked for, I think.  Adjusted patch below.  (The
line in configure.ac is rather long, but I don't think that line is
breakable easily.)

---------------- >8 ----------------
From: Nick Alcock <nick.alcock@oracle.com>
Date: Fri, 19 Feb 2016 17:25:05 +0000
Subject: [PATCH] Configury support for --enable-stack-protector.

This adds =all and =strong, with obvious semantics, and with a rather
arbitrarily-chosen default off, which we might well want to change to
something stronger once this patch has been tested by people other than
me.

We don't validate the value of the option yet: that's in a later patch.
Nor do we use it for anything at this stage.

We differentiate between 'the compiler understands -fstack-protector'
and 'the user wanted -fstack-protector' so that we can pass
-fno-stack-protector in appropriate places even if the user didn't want
to turn on -fstack-protector for other parts.  (This helps us overcome
another existing limitation, that glibc doesn't work with GCC's hacked
to pass in -fstack-protector by default.)

We might want to add another configuration option to turn on
-fstack-protector for nscd and other network-facing operations by
default, but for now I've stuck with one option to control everything.
---
 configure.ac | 61 ++++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3c766b7..61bf882 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,6 +232,18 @@ AC_ARG_ENABLE([bind-now],
 	      [bindnow=no])
 AC_SUBST(bindnow)
 
+dnl Build glibc with -fstack-protector, -fstack-protector-all, or
+dnl -fstack-protector-strong.
+AC_ARG_ENABLE([stack-protector],
+            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
+                           [Detect stack overflows in glibc functions, either with local buffers (yes), or with those plus arrays (strong), or all functions (all)]),
+            [enable_stack_protector=$enableval],
+            [enable_stack_protector=no])
+case x"$enable_stack_protector" in
+    xall|xyes|xno|xstrong) ;;
+    *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector]);;
+esac
+
 dnl On some platforms we cannot use dynamic loading.  We must provide
 dnl static NSS modules.
 AC_ARG_ENABLE([static-nss],
@@ -602,6 +614,35 @@ fi
 test -n "$base_machine" || base_machine=$machine
 AC_SUBST(base_machine)
 
+AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
+		   [libc_cv_ssp=yes],
+		   [libc_cv_ssp=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-all, libc_cv_ssp_all, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all],
+		   [libc_cv_ssp_all=yes],
+		   [libc_cv_ssp_all=no])
+])
+
+stack_protector=
+if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
+  stack_protector=-fstack-protector
+elif test x$enable_stack_protector = xall && test $libc_cv_ssp_all = yes; then
+  stack_protector=-fstack-protector-all
+elif test x$enable_stack_protector = xstrong && test $libc_cv_ssp_strong = yes; then
+  stack_protector=-fstack-protector-strong
+fi
+AC_SUBST(libc_cv_ssp)
+AC_SUBST(stack_protector)
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -1389,26 +1430,6 @@ else
 fi
 AC_SUBST(fno_unit_at_a_time)
 
-AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
-		   [libc_cv_ssp=yes],
-		   [libc_cv_ssp=no])
-])
-
-AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
-		   [libc_cv_ssp_strong=yes],
-		   [libc_cv_ssp_strong=no])
-])
-
-stack_protector=
-if test "$libc_cv_ssp_strong" = "yes"; then
-  stack_protector="-fstack-protector-strong"
-elif test "$libc_cv_ssp" = "yes"; then
-  stack_protector="-fstack-protector"
-fi
-AC_SUBST(stack_protector)
-
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,
 	       [cat > conftest.c <<EOF
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 2070 bytes --]

On 20 Feb 2016 12:06, Nix wrote:
> On 20 Feb 2016, nix@esperi.org.uk stated:
> > From: Nick Alcock <nick.alcock@oracle.com>
> >
> > After this patch series is complete, glibc exports a __stack_chk_fail()
> > implementation for use by all other programs, including other parts of
> > glibc.
> 
> Magnus Granberg has now pointed me at a much more recent version of this
> change, which replaces __chk_fail() to the same end and reimplement
> __stack_chk_fail() in terms of it. I'll incorporate that in the next
> version. (The only concern is that this has received changes from lots
> of people. Maybe I'll have to reimplement it entirely to avoid
> copyright-assignment concerns. What a drag...)

yes, you will.  you (and Oracle) have CLA papers already signed for glibc
right ?  if not, there isn't much point in following up on this series if
you don't plan to.

it needs a rewrite anyways to not use INLINE_SYSCALL but INTERNAL_SYSCALL. 
i had done this locally, stashed it, but then lost it when cleaning up the
repo later :(.

all that said, i don't think we want to import the Gentoo one anyways.
it changes a lot of behavior that we shouldn't conflate here -- the
crash/syslog handling is contentious.  maybe something like (untested):

void
__attribute__ ((noreturn)) internal_function
__fortify_fail (const char *msg)
{
#ifdef __SSP__
  int fd = -1;

  const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
  if (on_2 == NULL || *on_2 == '\0')
    fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
  if (fd == -1)
    fd = STDERR_FILENO;

#define IOVS(s) { s, strlen (s) }
  struct iovec iov[5] = {
    IOVS ("*** "),
    IOVS (msg),
    IOVS (" ***: "),
    IOVS (__libc_argv[0] ?: "<unknown>"),
    IOVS (" terminated\n"),
  };
  TEMP_FAILURE_RETRY (__writev (fd, iov, 5));

  abort ();
#else
  /* The loop is added only to keep gcc happy.  */
  while (1)
    __libc_message (2, "*** %s ***: %s terminated\n",
            msg, __libc_argv[0] ?: "<unknown>");
#endif
}
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Joseph Myers]

Any patch adding a new configure option should also document it in 
install.texi and regenerate INSTALL.

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: [PATCH 10/12] Work even with compilers hacked to enable -fstack-protector by default.

[Joseph Myers]

On Sat, 20 Feb 2016, Nix wrote:

> From: Nick Alcock <nick.alcock@oracle.com>
> 
> With all the machinery we just added, we can easily arrange to work even
> when the compiler passes in -fstack-protector automatically: all the
> necessary bits of glibc are always compiled with -fno-stack-protector
> now.
> 
> So tear out the check in configure, and add appropriate calls to
> -fno-stack-protector and/or -lssp in tests that need them (largely
> those that use -nostdlib).

You should avoid ever linking with -lssp.  Tests should return the same 
results when built with a minimal static-only bootstrap compiler (which 
likely has libssp disabled) as with a full compiler (indeed, a full 
compiler may well have libssp disabled as well), so that such a bootstrap 
compiler can produce glibc binaries identical to those produced by an 
alternating sequence of GCC and glibc builds.

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Joseph Myers]

You can't use defined(__NR_socket) && defined(__NR_connect) as a condition 
for whether to use socketcall, because of architectures that added the 
separate syscalls more recently than socketcall support.  Instead you need 
to use the kernel-features.h macros: if __ASSUME_SOCKETCALL is not 
defined, or the macros such as __ASSUME_SOCKET_SYSCALL and 
__ASSUME_CONNECT_SYSCALL for the individual syscalls are defined, then use 
individual syscalls, otherwise use socketcall.

(Apart from this, we may want to look at bug 12189 again and figure out 
how much of this code is desirable anyway.)

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Nix]

On 20 Feb 2016, Joseph Myers spake thusly:

> Any patch adding a new configure option should also document it in 
> install.texi and regenerate INSTALL.

Thanks -- missed that. I'll add a new patch for that one, I think, and
add it to the next posting of the patch series: folding it into the
configury addition patch seems wrong.

-- 
NULL && (void)

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Nix]

On 20 Feb 2016, Mike Frysinger outgrape:

> On 20 Feb 2016 12:06, Nix wrote:
>> Magnus Granberg has now pointed me at a much more recent version of this
>> change, which replaces __chk_fail() to the same end and reimplement
>> __stack_chk_fail() in terms of it. I'll incorporate that in the next
>> version. (The only concern is that this has received changes from lots
>> of people. Maybe I'll have to reimplement it entirely to avoid
>> copyright-assignment concerns. What a drag...)
>
> yes, you will.  you (and Oracle) have CLA papers already signed for glibc
> right ?  if not, there isn't much point in following up on this series if
> you don't plan to.

Oracle has a disclaimer signed, of couse, but I'll need to start the
copyright papers dance for myself (I have signed papers for other GNU
projects, but not glibc yet).

If people were going to laugh this out of the barn there seemed to be no
point, but if people are receptive, I'm happy to sign.

(I'm in the UK, which unfortunately means, I think, that I'm still
condemned to posting off papers made of real paper.)

> it needs a rewrite anyways to not use INLINE_SYSCALL but INTERNAL_SYSCALL. 
> i had done this locally, stashed it, but then lost it when cleaning up the
> repo later :(.

Frankly, I was rather hoping that someone could figure out what I
hadn't yet -- the right way to prevent the intermediate link failing
when the original __stack_chk_fail() is used.

> all that said, i don't think we want to import the Gentoo one anyways.
> it changes a lot of behavior that we shouldn't conflate here -- the
> crash/syslog handling is contentious.  maybe something like (untested):
>
> void
> __attribute__ ((noreturn)) internal_function
> __fortify_fail (const char *msg)
> {
> #ifdef __SSP__
>   int fd = -1;
>
>   const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
>   if (on_2 == NULL || *on_2 == '\0')
>     fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);

I fear this use of open_not_cancel_2() may bring back the same behaviour
we're trying to avoid :(

Re: [PATCH 10/12] Work even with compilers hacked to enable -fstack-protector by default.

[Nix]

On 20 Feb 2016, Joseph Myers uttered the following:

> On Sat, 20 Feb 2016, Nix wrote:
>
>> From: Nick Alcock <nick.alcock@oracle.com>
>> 
>> With all the machinery we just added, we can easily arrange to work even
>> when the compiler passes in -fstack-protector automatically: all the
>> necessary bits of glibc are always compiled with -fno-stack-protector
>> now.
>> 
>> So tear out the check in configure, and add appropriate calls to
>> -fno-stack-protector and/or -lssp in tests that need them (largely
>> those that use -nostdlib).
>
> You should avoid ever linking with -lssp.  Tests should return the same 
> results when built with a minimal static-only bootstrap compiler (which 
> likely has libssp disabled) as with a full compiler (indeed, a full 
> compiler may well have libssp disabled as well), so that such a bootstrap 
> compiler can produce glibc binaries identical to those produced by an 
> alternating sequence of GCC and glibc builds.

Ah. The bootstrap problem. I didn't think about that case very closely:
I guess I was assuming that anyone in the middle of the bootstrap cycle
wouldn't be turning this on. But you're right, that's an unjustified
assumption.

I suspect that simply -fno-stack-protectoring everything I'm -lssping
now will have the same effect with respect to unbreaking compilers that
pass in -fstack-protector by default: I'll try that. (I originally
didn't because if there *was* a behaviour change from -fstack-protector,
I wanted the configure tests to pick that up. Back then in the mid-2000s
when SSP was fairly new it didn't seem beyond the bounds of possibility
-- but with whole distros being built with it now it seems unlikely that
-fstack-protector will induce behaviour changes on that level. If it
does, the glibc build is in deep trouble anyway!)

There's an extra ugliness here too: configure and the main glibc build
are using completely different definitions of __stack_chk_fail(). That's
just horrible, even if we're not actually overflowing the stack in these
tests so it wouldn't have any effect.


Something like this (tested with a normal compiler and several different
'hardened' automatically-stack-protect ones, verified no
__stack_chk_fail's in the config.log and that tests pass as before):

8<-------------------------------------------------------->8
From: Nick Alcock <nick.alcock@oracle.com>

With all the machinery we just added, we can easily arrange to work even
when the compiler passes in -fstack-protector automatically: all the
necessary bits of glibc are always compiled with -fno-stack-protector
now.

So tear out the check in configure, and add appropriate calls to
-fno-stack-protector in tests that need them (largely those that use
-nostdlib), since we don't yet have a __stack_chk_fail() that those
tests can rely upon.  (GCC often provides one, but we cannot rely on
this, especially not when bootstrapping.)
---
 aclocal.m4   |  6 ++---
 configure.ac | 74 +++++++++++++++++++-----------------------------------------
 2 files changed, 26 insertions(+), 54 deletions(-)

diff --git a/aclocal.m4 b/aclocal.m4
index 3d64f77..6902155 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -141,7 +141,7 @@ int _start (void) { return 0; }
 int __start (void) { return 0; }
 $1
 EOF
-AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -o conftest
+AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -o conftest
 		       conftest.c -static -nostartfiles -nostdlib
 		       1>&AS_MESSAGE_LOG_FD])],
       [$2], [$3])
@@ -226,7 +226,7 @@ if test x"$gnu_ld" = x"yes"; then
     cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 				$2 -nostdlib -nostartfiles
 				-fPIC -shared -o conftest.so conftest.c
 				1>&AS_MESSAGE_LOG_FD])
@@ -268,7 +268,7 @@ libc_compiler_builtin_inlined=no
 cat > conftest.c <<EOF
 int _start (void) { $2 return 0; }
 EOF
-if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 		     $3 -nostdlib -nostartfiles
 		     -S conftest.c -o - | fgrep "$1"
 		     1>&AS_MESSAGE_LOG_FD])
diff --git a/configure.ac b/configure.ac
index 61bf882..4884479 100644
--- a/configure.ac
+++ b/configure.ac
@@ -643,6 +643,18 @@ fi
 AC_SUBST(libc_cv_ssp)
 AC_SUBST(stack_protector)
 
+if test -n "$stack_protector"; then
+  dnl Don't run configure tests with stack-protection on, to avoid problems with
+  dnl bootstrapping.
+  no_ssp=-fno-stack-protector
+else
+  no_ssp=
+
+  if test x"$enable_stack_protector" != xno; then
+    AC_MSG_ERROR([--enable-stack-protector=$enable_stack_protector specified, but specified level of stack protection is not supported by the compiler.])
+  fi
+fi
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -662,7 +674,7 @@ __start:
 EOF
 libc_cv_ld_gnu_indirect_function=no
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
-	    -nostartfiles -nostdlib \
+	    -nostartfiles -nostdlib $no_ssp \
 	    -o conftest conftest.S 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   # Do a link to see if the backend supports IFUNC relocs.
   $READELF -r conftest 1>&AS_MESSAGE_LOG_FD
@@ -1131,8 +1143,8 @@ extern int glibc_conftest_frobozz;
 void _start() { glibc_conftest_frobozz = 1; }
 EOF
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
-	    -nostartfiles -nostdlib \
-	    -o conftest conftest.s conftest1.c 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
+	    -nostartfiles -nostdlib $no_ssp \
+	    -o conftest conftest.s conftest1.c $no_ssp 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   libc_cv_asm_set_directive=yes
 else
   libc_cv_asm_set_directive=no
@@ -1148,12 +1160,12 @@ AC_CACHE_CHECK(linker support for protected data symbol,
 		int bar __attribute__ ((visibility ("protected"))) = 1;
 EOF
 		libc_cv_protected_data=no
-		if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles -fPIC -shared conftest.c -o conftest.so); then
+		if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles $no_ssp -fPIC -shared conftest.c -o conftest.so); then
 		  cat > conftest.c <<EOF
 		  extern int bar;
 		  int main (void) { return bar; }
 EOF
-		  if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles conftest.c -o conftest conftest.so); then
+		  if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles $no_ssp conftest.c -o conftest conftest.so); then
 		    libc_cv_protected_data=yes
 		  fi
 		fi
@@ -1275,7 +1287,7 @@ extern int mumble;
 int foo (void) { return bar (mumble); }
 EOF
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
-			-fPIC -shared -o conftest.so conftest.c
+			-fPIC -shared $no_ssp -o conftest.so conftest.c
 			-nostdlib -nostartfiles
 			-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
 then
@@ -1313,9 +1325,9 @@ AC_CACHE_CHECK(for --hash-style option,
 cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 			    -fPIC -shared -o conftest.so conftest.c
-			    -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
+			    -Wl,--hash-style=both -nostdlib $no_ssp 1>&AS_MESSAGE_LOG_FD])
 then
   libc_cv_hashstyle=yes
 else
@@ -1385,7 +1397,7 @@ int foo (void) { return mumble; }
 EOF
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
-			-nostdlib -nostartfiles
+			-nostdlib -nostartfiles $no_ssp
 			1>&AS_MESSAGE_LOG_FD])
 then
 dnl look for GLOB_DAT relocation.
@@ -1402,7 +1414,7 @@ AC_SUBST(libc_cv_has_glob_dat)
 
 AC_CACHE_CHECK(linker output format, libc_cv_output_format, [dnl
 if libc_cv_output_format=`
-${CC-cc} -nostartfiles -nostdlib -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
+${CC-cc} -nostartfiles -nostdlib $no_ssp -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
 then
   :
 else
@@ -1601,46 +1613,6 @@ if test $libc_cv_predef_fortify_source = yes; then
 fi
 AC_SUBST(CPPUNDEFS)
 
-dnl Check for silly hacked compilers inserting -fstack-protector.
-dnl This breaks badly for the early startup code we compile, since
-dnl the compiled code can refer to a magic machine-dependent location
-dnl for the canary value before we have sufficient setup for that to
-dnl work.  It's also questionable to build all of libc with this flag
-dnl even when you're doing that for most applications you build, since
-dnl libc's code is so heavily-used and performance-sensitive.  If we
-dnl ever really want to make that work, it should be enabled explicitly
-dnl in the libc build, not inherited from implicit compiler settings.
-AC_CACHE_CHECK([whether $CC implicitly enables -fstack-protector],
-	       libc_cv_predef_stack_protector, [
-AC_TRY_COMPILE([extern void foobar (char *);],
-	       [char large_array[2048]; foobar (large_array);], [
-libc_undefs=`$NM -u conftest.o |
-  LC_ALL=C $AWK '$1 == "U" { print $2 | "sort -u"; next } { exit(1) }' \
-    2>&AS_MESSAGE_LOG_FD` || {
-  AC_MSG_ERROR([confusing output from $NM -u])
-}
-echo >&AS_MESSAGE_LOG_FD "libc_undefs='$libc_undefs'"
-# On some architectures, there are architecture-specific undefined
-# symbols (resolved by the linker), so filter out unknown symbols.
-# This will fail to produce the correct result if the compiler
-# defaults to -fstack-protector but this produces an undefined symbol
-# other than __stack_chk_fail.  However, compilers like that have not
-# been encountered in practice.
-libc_undefs=`echo "$libc_undefs" | egrep '^(foobar|__stack_chk_fail)$'`
-case "$libc_undefs" in
-foobar) libc_cv_predef_stack_protector=no ;;
-'__stack_chk_fail
-foobar') libc_cv_predef_stack_protector=yes ;;
-*) AC_MSG_ERROR([unexpected symbols in test: $libc_undefs]) ;;
-esac],
-	       [AC_MSG_ERROR([test compilation failed])])
-])
-libc_extra_cflags=
-if test $libc_cv_predef_stack_protector = yes; then
-  libc_extra_cflags="$libc_extra_cflags -fno-stack-protector"
-fi
-libc_extra_cppflags=
-
 # Some linkers on some architectures support __ehdr_start but with
 # bugs.  Make sure usage of it does not create relocations in the
 # output (as the linker should resolve them all for us).
@@ -1650,7 +1622,7 @@ old_CFLAGS="$CFLAGS"
 old_LDFLAGS="$LDFLAGS"
 old_LIBS="$LIBS"
 CFLAGS="$CFLAGS -fPIC"
-LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared"
+LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared $no_ssp"
 LIBS=
 AC_LINK_IFELSE([AC_LANG_SOURCE([
 typedef struct {
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Nix]

On 20 Feb 2016, Joseph Myers spake thusly:

> Any patch adding a new configure option should also document it in 
> install.texi and regenerate INSTALL.

Like this? (Assuming that using multiple @items in succession like that
is sensible. If there's a better way to delineate possible options in a
way that the reader can match up with the -fstack-protector options
described below, please susgest it.)

(I haven't included the INSTALL regeneration here, because when I try to
do it I end up with half of INSTALL getting re-word-wrapped, with
massive numbers of spurious changes that have nothing to do with the
stanza I've added. Is a particular version of texinfo required for this
to work?)

8>---------------------------------------------------------------<8
From: Nick Alcock <nick.alcock@oracle.com>

This adds =all and =strong, with obvious semantics, and with a rather
arbitrarily-chosen default off, which we might well want to change to
something stronger once this patch has been tested by people other than
me.

We don't validate the value of the option yet: that's in a later patch.
Nor do we use it for anything at this stage.

We differentiate between 'the compiler understands -fstack-protector'
and 'the user wanted -fstack-protector' so that we can pass
-fno-stack-protector in appropriate places even if the user didn't want
to turn on -fstack-protector for other parts.  (This helps us overcome
another existing limitation, that glibc doesn't work with GCC's hacked
to pass in -fstack-protector by default.)

We might want to add another configuration option to turn on
-fstack-protector for nscd and other network-facing operations by
default, but for now I've stuck with one option to control everything.
---
 configure.ac        | 61 +++++++++++++++++++++++++++++++++++------------------
 manual/install.texi | 12 +++++++++++
 2 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3c766b7..61bf882 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,6 +232,18 @@ AC_ARG_ENABLE([bind-now],
 	      [bindnow=no])
 AC_SUBST(bindnow)
 
+dnl Build glibc with -fstack-protector, -fstack-protector-all, or
+dnl -fstack-protector-strong.
+AC_ARG_ENABLE([stack-protector],
+            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
+                           [Detect stack overflows in glibc functions, either with local buffers (yes), or with those plus arrays (strong), or all functions (all)]),
+            [enable_stack_protector=$enableval],
+            [enable_stack_protector=no])
+case x"$enable_stack_protector" in
+    xall|xyes|xno|xstrong) ;;
+    *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector]);;
+esac
+
 dnl On some platforms we cannot use dynamic loading.  We must provide
 dnl static NSS modules.
 AC_ARG_ENABLE([static-nss],
@@ -602,6 +614,35 @@ fi
 test -n "$base_machine" || base_machine=$machine
 AC_SUBST(base_machine)
 
+AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
+		   [libc_cv_ssp=yes],
+		   [libc_cv_ssp=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-all, libc_cv_ssp_all, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all],
+		   [libc_cv_ssp_all=yes],
+		   [libc_cv_ssp_all=no])
+])
+
+stack_protector=
+if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
+  stack_protector=-fstack-protector
+elif test x$enable_stack_protector = xall && test $libc_cv_ssp_all = yes; then
+  stack_protector=-fstack-protector-all
+elif test x$enable_stack_protector = xstrong && test $libc_cv_ssp_strong = yes; then
+  stack_protector=-fstack-protector-strong
+fi
+AC_SUBST(libc_cv_ssp)
+AC_SUBST(stack_protector)
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -1389,26 +1430,6 @@ else
 fi
 AC_SUBST(fno_unit_at_a_time)
 
-AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
-		   [libc_cv_ssp=yes],
-		   [libc_cv_ssp=no])
-])
-
-AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
-		   [libc_cv_ssp_strong=yes],
-		   [libc_cv_ssp_strong=no])
-])
-
-stack_protector=
-if test "$libc_cv_ssp_strong" = "yes"; then
-  stack_protector="-fstack-protector-strong"
-elif test "$libc_cv_ssp" = "yes"; then
-  stack_protector="-fstack-protector"
-fi
-AC_SUBST(stack_protector)
-
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,
 	       [cat > conftest.c <<EOF
diff --git a/manual/install.texi b/manual/install.texi
index b329950..cec2060 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -170,6 +170,18 @@ time.  Consult the @file{timezone} subdirectory for more details.
 @item --enable-lock-elision=yes
 Enable lock elision for pthread mutexes by default.
 
+@item --enable-stack-protector
+@item --enable-stack-protector=strong
+@item --enable-stack-protector=all
+Compile the C library and all other parts of the glibc package
+(including the threading and math libraries, NSS modules, and
+transliteration modules) using the GCC @option{-fstack-protector},
+@option{-fstack-protector-strong} or @option{-fstack-protector-all}
+options to detect stack overruns.  Only the dynamic linker and a small
+number of routines called directly from assembler are excluded from this
+protection.
+
+
 @pindex pt_chown
 @findex grantpt
 @item --enable-pt_chown
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 2312 bytes --]

On 21 Feb 2016 12:44, Nix wrote:
> On 20 Feb 2016, Mike Frysinger outgrape:
> > On 20 Feb 2016 12:06, Nix wrote:
> >> Magnus Granberg has now pointed me at a much more recent version of this
> >> change, which replaces __chk_fail() to the same end and reimplement
> >> __stack_chk_fail() in terms of it. I'll incorporate that in the next
> >> version. (The only concern is that this has received changes from lots
> >> of people. Maybe I'll have to reimplement it entirely to avoid
> >> copyright-assignment concerns. What a drag...)
> >
> > yes, you will.  you (and Oracle) have CLA papers already signed for glibc
> > right ?  if not, there isn't much point in following up on this series if
> > you don't plan to.
> 
> Oracle has a disclaimer signed, of couse, but I'll need to start the
> copyright papers dance for myself (I have signed papers for other GNU
> projects, but not glibc yet).

a disclaimer is not the same thing as a CLA.  what exactly are you
referring to here ?

> > it needs a rewrite anyways to not use INLINE_SYSCALL but INTERNAL_SYSCALL. 
> > i had done this locally, stashed it, but then lost it when cleaning up the
> > repo later :(.
> 
> Frankly, I was rather hoping that someone could figure out what I
> hadn't yet -- the right way to prevent the intermediate link failing
> when the original __stack_chk_fail() is used.

i haven't looked closely at the loop.  i assumed the fail relied on more
printf machinery.

> > all that said, i don't think we want to import the Gentoo one anyways.
> > it changes a lot of behavior that we shouldn't conflate here -- the
> > crash/syslog handling is contentious.  maybe something like (untested):
> >
> > void
> > __attribute__ ((noreturn)) internal_function
> > __fortify_fail (const char *msg)
> > {
> > #ifdef __SSP__
> >   int fd = -1;
> >
> >   const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
> >   if (on_2 == NULL || *on_2 == '\0')
> >     fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
> 
> I fear this use of open_not_cancel_2() may bring back the same behaviour
> we're trying to avoid :(

if this triggers the loop, then you'll need INTERNAL_SYSCALL.  if that
fixes the loop, then we can probably not make it depend on __SSP__ at
all.
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Nix]

On 22 Feb 2016, Mike Frysinger told this:

> On 21 Feb 2016 12:44, Nix wrote:
>> On 20 Feb 2016, Mike Frysinger outgrape:
>> > On 20 Feb 2016 12:06, Nix wrote:
>> >> Magnus Granberg has now pointed me at a much more recent version of this
>> >> change, which replaces __chk_fail() to the same end and reimplement
>> >> __stack_chk_fail() in terms of it. I'll incorporate that in the next
>> >> version. (The only concern is that this has received changes from lots
>> >> of people. Maybe I'll have to reimplement it entirely to avoid
>> >> copyright-assignment concerns. What a drag...)
>> >
>> > yes, you will.  you (and Oracle) have CLA papers already signed for glibc
>> > right ?  if not, there isn't much point in following up on this series if
>> > you don't plan to.
>> 
>> Oracle has a disclaimer signed, of couse, but I'll need to start the
>> copyright papers dance for myself (I have signed papers for other GNU
>> projects, but not glibc yet).
>
> a disclaimer is not the same thing as a CLA.  what exactly are you
> referring to here ?

Well, when I had to do this last (years ago), there was an employer's
disclaimer of rights and there were assignment-and-grantback papers for
the individual to sign for the project in question. I still have the
latter to do for glibc.

>> > it needs a rewrite anyways to not use INLINE_SYSCALL but INTERNAL_SYSCALL. 
>> > i had done this locally, stashed it, but then lost it when cleaning up the
>> > repo later :(.
>> 
>> Frankly, I was rather hoping that someone could figure out what I
>> hadn't yet -- the right way to prevent the intermediate link failing
>> when the original __stack_chk_fail() is used.
>
> i haven't looked closely at the loop.  i assumed the fail relied on more
> printf machinery.

Yeah, but the question is just why that incremental link is trying to
pull the stuff in twice rather than depending on the canonical copy in
libc -- presumably because everything is still statically linked at that
point. If that gets solved, the only reason for this patch being in this
series goes away.

>> > all that said, i don't think we want to import the Gentoo one anyways.
>> > it changes a lot of behavior that we shouldn't conflate here -- the
>> > crash/syslog handling is contentious.  maybe something like (untested):
>> >
>> > void
>> > __attribute__ ((noreturn)) internal_function
>> > __fortify_fail (const char *msg)
>> > {
>> > #ifdef __SSP__
>> >   int fd = -1;
>> >
>> >   const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
>> >   if (on_2 == NULL || *on_2 == '\0')
>> >     fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);
>> 
>> I fear this use of open_not_cancel_2() may bring back the same behaviour
>> we're trying to avoid :(
>
> if this triggers the loop, then you'll need INTERNAL_SYSCALL.  if that
> fixes the loop, then we can probably not make it depend on __SSP__ at
> all.

True enough. I'll give it a try, and thanks for the help!

-- 
NULL && (void)

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Joseph Myers]

On Sun, 21 Feb 2016, Nix wrote:

> On 20 Feb 2016, Joseph Myers spake thusly:
> 
> > Any patch adding a new configure option should also document it in 
> > install.texi and regenerate INSTALL.
> 
> Like this? (Assuming that using multiple @items in succession like that
> is sensible. If there's a better way to delineate possible options in a
> way that the reader can match up with the -fstack-protector options
> described below, please susgest it.)

You should use @itemx for the second and subsequent entries in such a 
list.

> (I haven't included the INSTALL regeneration here, because when I try to
> do it I end up with half of INSTALL getting re-word-wrapped, with
> massive numbers of spurious changes that have nothing to do with the
> stanza I've added. Is a particular version of texinfo required for this
> to work?)

Carlos recently changed <https://sourceware.org/glibc/wiki/Regeneration> 
to say texinfo 6.0 (but it was the change from 4 to 5 that caused big 
changes in the output).

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: [PATCH 02/12] Make __stack_chk_fail() not use other glibc facilities.

[Nix]

On 20 Feb 2016, Mike Frysinger said this:
> all that said, i don't think we want to import the Gentoo one anyways.
> it changes a lot of behavior that we shouldn't conflate here -- the
> crash/syslog handling is contentious.  maybe something like (untested):

Thank you for this! :) I was scared of the code to do things like
getting backtraces, but I see now that this is contentious in the
existing cases where it is done in any case :)

However, even once I'd knocked the bugs out of it (notably that (__SSP__
is only defined for -fstack-protector; -strong and -all get different
#defines), it doesn't actually fix the problem:

gcc   -nostdlib -nostartfiles -r -o /home/oranix/oracle/src/foo/elf/librtld.map.o '-Wl,-(' /home/oranix/oracle/src/foo/elf/dl-allobjs.os /home/oranix/oracle/src/foo/libc_pic.a -lgcc '-Wl,-)' -Wl,-Map,/home/oranix/oracle/src/foo/elf/librtld.mapT
/home/oranix/oracle/src/foo/libc_pic.a(init-first.os):(.data+0x0): multiple definition of `__libc_multiple_libcs'
/home/oranix/oracle/src/foo/elf/dl-allobjs.os:(.bss+0xf8): first defined here

So this forced me to actually *debug* the problem rather than flailing
randomly at it until the problem went away as I had been before.


It turns out there were two problems.

Firstly a __stack_chk_fail call was creeping in to rtld itself,
violating the rule that it should remain unprotected and yanking in the
failure machinery from libc (and when that machinery calls on the rest
of libc, all hell then breaks loose and you get, well, this failure:
even if you manage to avoid it, as with my original patch, it's highly
undesirable).

The function in question (__sigjmp_save) lands in rtld on x86-32, but is
not at any point compiled with MODULE_NAME=rtld, nor rebuilt that way
when rtld is rebuilt after the mapfile is constructed. I called this
function out as problematic in the last patch in the series (which I'll
fold this fix into), but never dreamt that it might be causing this
failure. I'll fold a patch turning this off into the last patch in the
series when I repost.


The second problem, with the same symptoms, is an obvious one I was
foolishly assuming glibc was getting around magically because things
seemed to work -- the mapfile command above is using the libc object
files (it has to, because the rtld modules cannot possibly have been
built yet). Those object files have __stack_chk_fail's scattered all
through them, so ld is going to be pulling __stack_chk_fail and all that
it depends upon into the rtld mapfile (and then not actually building
any of that into rtld after all, because the objects that finally end up
in rtld don't call __stack_chk_fail). Fixing that by faking out ld is
fairly simple: see the patch below.

With setjmp/sigjmp.c unconditionally excluded from stack-protection and
__stack_chk_fail faked out at rtld mapfile computation time, rtld links
fine and this patch in the series can be dropped, thank goodness.


To be sure of that, I'm doing another giant pile of test cycles on x86,
x86-64 and (newly) sparc(64) and will post a revised patch series
incorporating all the review-inspired changes after that, and any
further changes the sparc runs require. (Though the patch I'm disturbed
about, and which may imply a need for review and testing of this stuff
on yet more arches, remains the last one in the series.)

Initial signs on x86 and x86-64, at least, look good.


(For debugging this sort of thing in the future, nm'ing dl-allobjs.os
and looking for __stack_chk_fail in there is the thing to do. There
should be none. To be honest, the sigjmp thing looks like an existing
bug in the build system -- if it lands in rtld, it should be being
rebuilt accordingly, but it isn't.)


Here's the patch. I'll add this to the next series right after the patch
to suppress -fstack-protector in rtld. (It may be that I'm putting the
variable in the wrong place and you don't want it in elf/Makefile, or
that you'd prefer the thing to be done unconditionally, or
unconditionally if ssp is available in the compiler: but for now I'm
only doing this when the compiler supports SSP. As usual in this series,
I'm doing it even if glibc is not configured with
--enable-stack-protector, as long as the compiler is capable of it,
because this ensures that even compilers that pass in -fstack-protector
by default will generate a working glibc.)

8>---------------------------------------------------------------------<8
From: Nick Alcock <nick.alcock@oracle.com>
Subject: [PATCH] Prevent the rtld mapfile computation from dragging in
 __stack_chk_fail().

The previous commit prevented rtld itself from being built with
-fstack-protector, but this is not quite enough.  We identify which
objects belong in rtld via a test link and analysis of the resulting
mapfile.  That link is necessarily done against objects that are
stack-protected, so drags in __stack_chk_fail() and all the libc
and libio code it uses.

To stop this happening, use --defsym in the test librtld.map-production
link to force the linker to predefine __stack_chk_fail() (to 0, but it
could be to anything).  (In a real link, this would of course be
catastrophic, but these object files are never used for anything else.)
---
 elf/Makefile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/elf/Makefile b/elf/Makefile
index 9806648..4a7be71 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -346,9 +346,19 @@ $(objpfx)dl-allobjs.os: $(all-rtld-routines:%=$(objpfx)%.os)
 # are compiled with special flags, and puts these modules into rtld-libc.a
 # for us.  Then we do the real link using rtld-libc.a instead of libc_pic.a.
 
+# If the compiler can do SSP, build the mapfile with a dummy __stack_chk_fail
+# symbol defined, to prevent the real thing being dragged into rtld
+# even though rtld is never built with stack-protection.
+
+ifneq ($(stack-protector),)
+dummy-stack-chk-fail := -Wl,--defsym='__stack_chk_fail=0'
+else
+dummy-stack-chk-fail :=
+endif
+
 $(objpfx)librtld.map: $(objpfx)dl-allobjs.os $(common-objpfx)libc_pic.a
 	@-rm -f $@T
-	$(reloc-link) -o $@.o '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T
+	$(reloc-link) -o $@.o $(dummy-stack-chk-fail) '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T
 	rm -f $@.o
 	mv -f $@T $@
 
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 01/12] Configury support for --enable-stack-protector.

[Nix]

On 22 Feb 2016, Joseph Myers outgrape:

> On Sun, 21 Feb 2016, Nix wrote:
>
>> On 20 Feb 2016, Joseph Myers spake thusly:
>> 
>> > Any patch adding a new configure option should also document it in 
>> > install.texi and regenerate INSTALL.
>> 
>> Like this? (Assuming that using multiple @items in succession like that
>> is sensible. If there's a better way to delineate possible options in a
>> way that the reader can match up with the -fstack-protector options
>> described below, please susgest it.)
>
> You should use @itemx for the second and subsequent entries in such a 
> list.

Aha, thank you. Adjusted, will be in the next series.

>> (I haven't included the INSTALL regeneration here, because when I try to
>> do it I end up with half of INSTALL getting re-word-wrapped, with
>> massive numbers of spurious changes that have nothing to do with the
>> stanza I've added. Is a particular version of texinfo required for this
>> to work?)
>
> Carlos recently changed <https://sourceware.org/glibc/wiki/Regeneration> 
> to say texinfo 6.0 (but it was the change from 4 to 5 that caused big 
> changes in the output).

Useful wiki page, thanks. I'll regenerate with 6.0 in the next series.
(I presume you want configure regenerated as well -- it looks like the
page is out of date, since that's clearly being generated with 2.69 at
present, but the page says 2.68.)

-- 
NULL && (void)