--enable-stack-protector for glibc, v5

--enable-stack-protector for glibc, v5

[Nix]

This is version 5 of the stack-protected glibc patch, incorporating all review
comments to date (unless I missed some), and finally clearing up the long-
standing mystery surrounding __pthread_mutex_unlock_usercnt() et al.

It's not rebased and is still against glibc head as of a few weeks ago,
a5df3210a641c17.

Tested with these flag combinations on {i686,x86_64)-pc-linux-gnu:

--enable-omitfp --enable-stack-protector=all
--enable-stack-protector
--enable-stack-protector=strong
--enable-stack-protector=all
--enable-stackguard-randomization --enable-stack-protector=all
--enable-omitfp --enable-stackguard-randomization --enable-stack-protector
--enable-omitfp --enable-stackguard-randomization --enable-stack-protector=strong
--enable-omitfp --enable-stackguard-randomization --enable-stack-protector=all
--disable-stack-protector
--enable-stack-protector=no

Tested with with these flag combinations on sparc{32,64}-pc-linux-gnu:

--enable-stack-protector
--enable-stack-protector=strong
--enable-stackguard-randomization --enable-stack-protector=strong
--enable-stackguard-randomization --enable-stack-protector=all
--disable-stack-protector

Tested with these flag combinations on armv7l-unknown-linux-gnueabihf (it
happened to have GCC 4.8, so -strong wasn't available):

--enable-stackguard-randomization --enable-stack-protector
--enable-stackguard-randomization --enable-stack-protector=all --enable-omitfp
--disable-stack-protector

No failures are observed that are not also observed on an unpatched glibc with
the same flag combinations. (There is one intermittent failure on arm: a
segfault from nptl/tst-cancelx17. However, it intermittently fails for me on the
unpatched baseline too, so I'm not making it any worse!)

On the copyright assignment front, I am informed that Oracle has a blanket
assignment on file for glibc work, so I don't need to do anything. (Patch 11 is
in Adhemerval's name, but obviously there's no assignment problem there either.)

The only remaining question I really have is what to do instead of patch 14,
which I really do expect to be rejected.  Another configure argument to set the
stack-protection level of externally-facing components, perhaps, or simply a
wiring-in that if --enable-stack-protector is not passed, that -fstack-protector
is passed in for these external components anyway?  What I do think is that the
level set via --enable-stack-protector should be a minimum: that libresolv, nscd
et al should never be protected *less* than libc.so and the rest are.  Patch 14
was a nice simple way to do that, but it is probably *too* simple...

Overview of changes in this posting:

 - Do not call __stack_chk_fail through the PLT for calls within libc itself,
   and calls within libc_nonshared.a as well.

 - Do not build __stack_chk_fail or __stack_chk_fail_local with stack-protection
   to avoid the (very unlikely) possibility of recursion.

 - Fix the comment describing of inhibit_stack_protector, which was
   incomprehensible.

 - Solve the great __pthread_mutex_unlock_usercnt() mystery: see patch N in the
   series.  Stack protection wasn't breaking anything, it was just legitimately
   clobbering a register it was allowed to clobber, and the i386 assembly
   implementation of pthread_cond_wait() et al were assuming it was not
   clobbered across calls.  All of the non-assembly parts of threading other
   than ifunc resolvers and a one-line initialization function in nptl-init.c
   are now stack-protected.

 - Stack-protect brk() and sbrk() in the shared library: they only need to be
   unprotected in the three varieties of static libc, where they are used in
   early init.

 - Reshuffle the series so that it is always compilable (I think).  (This was
   once true, but commits had crept in after the commit that wired up the
   --enable-stack-protector configure flag into a -fstack-protector compiler
   flag.)

 - Changelogs for everything.

Remaining mysteries:

 - None!
 

[PATCH 02/18] Initialize the stack guard earlier when linking statically.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

The address of the stack canary is stored in a per-thread variable,
which means that we must ensure that the TLS area is intialized before
calling any -fstack-protector'ed functions.  For dynamically linked
applications, we ensure this (in a later patch) by disabling
-fstack-protector for the whole dynamic linker, but for static
applications the AT_ENTRY address is called directly by the kernel, so
we must deal with the problem differently.

So split out the part of pthread initialization that sets up the TCB
(and, more generally, the TLS area) into a separate function (twice --
there is one implementation in libpthread.a, and another outside it for
programs that do not link with libpthread), then call it at
initialization time.  Call that, and move the stack guard initialization
above the DL_SYSDEP_OSCHECK hook, which if set will probably call
functions which are stack-protected (it does on Linux and NaCL too).

We do not move apply_irel() up, because applying irels can require
state set up by the DL_SYSDEP_OSCHECK hook on some platforms.  This
means, as a consequence, that __pthread_initialize_tcb_internal()
had better not call anything that requires ifuncs.  (This is dealt
with in a later patch.)

v2: describe why we don't move apply_irel() up, and the consequences.

	* nptl/nptl-init.c (__pthread_initialize_tcb_internal): New
	function, split out from...
	(__pthread_initialize_minimal_internal): ... here.
	* csu/libc-start.c (LIBC_START_MAIN): Call it.  Move stack canary
	initialization up.
---
 csu/libc-start.c | 20 ++++++++++++--------
 csu/libc-tls.c   |  8 ++++++++
 nptl/nptl-init.c | 11 +++++++----
 3 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/csu/libc-start.c b/csu/libc-start.c
index f4aa01a..140b079 100644
--- a/csu/libc-start.c
+++ b/csu/libc-start.c
@@ -33,6 +33,7 @@ extern int __libc_multiple_libcs;
 #ifndef SHARED
 # include <dl-osinfo.h>
 extern void __pthread_initialize_minimal (void);
+extern void __pthread_initialize_tcb_internal (void);
 # ifndef THREAD_SET_STACK_GUARD
 /* Only exported for architectures that don't store the stack guard canary
    in thread local area.  */
@@ -178,6 +179,17 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
         }
     }
 
+  /* The stack guard goes into the TCB.  */
+  __pthread_initialize_tcb_internal ();
+
+  /* Set up the stack checker's canary.  */
+  uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random);
+# ifdef THREAD_SET_STACK_GUARD
+  THREAD_SET_STACK_GUARD (stack_chk_guard);
+# else
+  __stack_chk_guard = stack_chk_guard;
+# endif
+
 # ifdef DL_SYSDEP_OSCHECK
   if (!__libc_multiple_libcs)
     {
@@ -195,14 +207,6 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
      we need to setup errno.  */
   __pthread_initialize_minimal ();
 
-  /* Set up the stack checker's canary.  */
-  uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random);
-# ifdef THREAD_SET_STACK_GUARD
-  THREAD_SET_STACK_GUARD (stack_chk_guard);
-# else
-  __stack_chk_guard = stack_chk_guard;
-# endif
-
   /* Set up the pointer guard value.  */
   uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
 							 stack_chk_guard);
diff --git a/csu/libc-tls.c b/csu/libc-tls.c
index d6425e0..3d67a64 100644
--- a/csu/libc-tls.c
+++ b/csu/libc-tls.c
@@ -241,5 +241,13 @@ void
 __attribute__ ((weak))
 __pthread_initialize_minimal (void)
 {
+}
+
+/* This is the minimal initialization function used when libpthread is
+   not used.  */
+void
+__attribute__ ((weak))
+__pthread_initialize_tcb_internal (void)
+{
   __libc_setup_tls (TLS_INIT_TCB_SIZE, TLS_INIT_TCB_ALIGN);
 }
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
index bdbdfed..a4626be 100644
--- a/nptl/nptl-init.c
+++ b/nptl/nptl-init.c
@@ -296,21 +296,24 @@ extern void **__libc_dl_error_tsd (void) __attribute__ ((const));
 /* This can be set by the debugger before initialization is complete.  */
 static bool __nptl_initial_report_events __attribute_used__;
 
+#ifndef SHARED
 void
-__pthread_initialize_minimal_internal (void)
+__pthread_initialize_tcb_internal (void)
 {
-#ifndef SHARED
   /* Unlike in the dynamically linked case the dynamic linker has not
      taken care of initializing the TLS data structures.  */
   __libc_setup_tls (TLS_TCB_SIZE, TLS_TCB_ALIGN);
 
-  /* We must prevent gcc from being clever and move any of the
+  /* We must prevent gcc from being clever after inlining and moving any of the
      following code ahead of the __libc_setup_tls call.  This function
      will initialize the thread register which is subsequently
      used.  */
   __asm __volatile ("");
+}
 #endif
-
+void
+__pthread_initialize_minimal_internal (void)
+{
   /* Minimal initialization of the thread descriptor.  */
   struct pthread *pd = THREAD_SELF;
   __pthread_initialize_pids (pd);
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 02/18] Initialize the stack guard earlier when linking statically.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 231 bytes --]

these patches that can be merged by themselves (like this one) i think
we should do so sooner so we don't have to keep iterating on 15+ patches.
as things get reviewed, the pending patchset dwindles and we don't go so
crazy.
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 02/18] Initialize the stack guard earlier when linking statically.

[Nix]

On 9 Mar 2016, Mike Frysinger outgrape:

> these patches that can be merged by themselves (like this one) i think
> we should do so sooner so we don't have to keep iterating on 15+ patches.
> as things get reviewed, the pending patchset dwindles and we don't go so
> crazy.

I have no fundamental objection to people doing that, as long as they're
happy with the patches -- but in most cases the patches are useless
deadweight if we don't get stack-protection in the end, so maybe you'd
rather I simply email out only those patches that have changed in each
round (which is easy, I'm tracking that anyway), and then apply the lot
at the end, once you know it's going to be accepted as a whole?

(The only patch here I'd call of truly general utility without
stack-protection is patch 17, the fix for the missing reload of %eax in
the pthread_cond_*wait() x86 assembler implementations.)

-- 
NULL && (void)

[PATCH 01/18] Configury support for --enable-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This adds =all and =strong, with obvious semantics, and with a rather
arbitrarily-chosen default off, which we might well want to change to
something stronger once this patch has been tested by people other than
me.

We don't validate the value of the option yet: that's in a later patch.
Nor do we use it for anything at this stage.

We differentiate between 'the compiler understands -fstack-protector'
and 'the user wanted -fstack-protector' so that we can pass
-fno-stack-protector in appropriate places even if the user didn't want
to turn on -fstack-protector for other parts.  (This helps us overcome
another existing limitation, that glibc doesn't work with GCCs hacked
to pass in -fstack-protector by default.)

We might want to add another configuration option to turn on
-fstack-protector for nscd and other network-facing operations by
default, but for now I've stuck with one option to control everything.

v2: documentation in install.texi; better description of the option.
    INSTALL regenerated.
v3: Substitute in no_stack_protector.

	[BZ #7065]
	* configure.ac (libc_cv_ssp): Move up.
	(libc_cv_ssp_strong): Likewise.
	(libc_cv_ssp_all): New.
	(stack_protector): Augment, adding -fstack-protector-all.
	(no_stack_protector): New.
	(AC_ARG_ENABLE(stack-protector)): New configure flag.
	* manual/install.texi (--enable-stack-protector): Document it.
	* INSTALL: Regenerate.
---
 INSTALL             | 39 ++++++++++++++++++++-----------
 configure.ac        | 67 +++++++++++++++++++++++++++++++++++++----------------
 manual/install.texi | 12 ++++++++++
 3 files changed, 84 insertions(+), 34 deletions(-)

diff --git a/INSTALL b/INSTALL
index a0d0c05..3d55585 100644
--- a/INSTALL
+++ b/INSTALL
@@ -141,20 +141,31 @@ will be used, and CFLAGS sets optimization options for the compiler.
 '--enable-lock-elision=yes'
      Enable lock elision for pthread mutexes by default.
 
-'--enable-pt_chown'
-     The file 'pt_chown' is a helper binary for 'grantpt' (*note
-     Pseudo-Terminals: Allocation.) that is installed setuid root to fix
-     up pseudo-terminal ownership.  It is not built by default because
-     systems using the Linux kernel are commonly built with the 'devpts'
-     filesystem enabled and mounted at '/dev/pts', which manages
-     pseudo-terminal ownership automatically.  By using
-     '--enable-pt_chown', you may build 'pt_chown' and install it setuid
-     and owned by 'root'.  The use of 'pt_chown' introduces additional
-     security risks to the system and you should enable it only if you
-     understand and accept those risks.
-
-'--disable-werror'
-     By default, the GNU C Library is built with '-Werror'.  If you wish
+`--enable-stack-protector'
+`--enable-stack-protector=strong'
+`--enable-stack-protector=all'
+     Compile the C library and all other parts of the glibc package
+     (including the threading and math libraries, NSS modules, and
+     transliteration modules) using the GCC `-fstack-protector',
+     `-fstack-protector-strong' or `-fstack-protector-all' options to
+     detect stack overruns.  Only the dynamic linker and a small number
+     of routines called directly from assembler are excluded from this
+     protection.
+
+`--enable-pt_chown'
+     The file `pt_chown' is a helper binary for `grantpt' (*note
+     Pseudo-Terminals: Allocation.) that is installed setuid root to
+     fix up pseudo-terminal ownership.  It is not built by default
+     because systems using the Linux kernel are commonly built with the
+     `devpts' filesystem enabled and mounted at `/dev/pts', which
+     manages pseudo-terminal ownership automatically.  By using
+     `--enable-pt_chown', you may build `pt_chown' and install it
+     setuid and owned by `root'.  The use of `pt_chown' introduces
+     additional security risks to the system and you should enable it
+     only if you understand and accept those risks.
+
+`--disable-werror'
+     By default, the GNU C Library is built with `-Werror'.  If you wish
      to build without this option (for example, if building with a newer
      version of GCC than this version of the GNU C Library was tested
      with, so new warnings cause the build with '-Werror' to fail), you
diff --git a/configure.ac b/configure.ac
index 3c766b7..7b81049 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,6 +232,18 @@ AC_ARG_ENABLE([bind-now],
 	      [bindnow=no])
 AC_SUBST(bindnow)
 
+dnl Build glibc with -fstack-protector, -fstack-protector-all, or
+dnl -fstack-protector-strong.
+AC_ARG_ENABLE([stack-protector],
+            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
+                           [Detect stack overflows in glibc functions, either with local buffers (yes), or with those plus arrays (strong), or all functions (all)]),
+            [enable_stack_protector=$enableval],
+            [enable_stack_protector=no])
+case x"$enable_stack_protector" in
+    xall|xyes|xno|xstrong) ;;
+    *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector]);;
+esac
+
 dnl On some platforms we cannot use dynamic loading.  We must provide
 dnl static NSS modules.
 AC_ARG_ENABLE([static-nss],
@@ -602,6 +614,41 @@ fi
 test -n "$base_machine" || base_machine=$machine
 AC_SUBST(base_machine)
 
+AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
+		   [libc_cv_ssp=yes],
+		   [libc_cv_ssp=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-all, libc_cv_ssp_all, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all],
+		   [libc_cv_ssp_all=yes],
+		   [libc_cv_ssp_all=no])
+])
+
+stack_protector=
+no_stack_protector=
+if test x$libc_cv_ssp = xyes; then
+    no_stack_protector=-fno-stack-protector
+fi
+
+if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
+  stack_protector=-fstack-protector
+elif test x$enable_stack_protector = xall && test $libc_cv_ssp_all = yes; then
+  stack_protector=-fstack-protector-all
+elif test x$enable_stack_protector = xstrong && test $libc_cv_ssp_strong = yes; then
+  stack_protector=-fstack-protector-strong
+fi
+AC_SUBST(libc_cv_ssp)
+AC_SUBST(stack_protector)
+AC_SUBST(no_stack_protector)
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -1389,26 +1436,6 @@ else
 fi
 AC_SUBST(fno_unit_at_a_time)
 
-AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
-		   [libc_cv_ssp=yes],
-		   [libc_cv_ssp=no])
-])
-
-AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
-		   [libc_cv_ssp_strong=yes],
-		   [libc_cv_ssp_strong=no])
-])
-
-stack_protector=
-if test "$libc_cv_ssp_strong" = "yes"; then
-  stack_protector="-fstack-protector-strong"
-elif test "$libc_cv_ssp" = "yes"; then
-  stack_protector="-fstack-protector"
-fi
-AC_SUBST(stack_protector)
-
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,
 	       [cat > conftest.c <<EOF
diff --git a/manual/install.texi b/manual/install.texi
index b329950..e05424a 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -170,6 +170,18 @@ time.  Consult the @file{timezone} subdirectory for more details.
 @item --enable-lock-elision=yes
 Enable lock elision for pthread mutexes by default.
 
+@item --enable-stack-protector
+@itemx --enable-stack-protector=strong
+@itemx --enable-stack-protector=all
+Compile the C library and all other parts of the glibc package
+(including the threading and math libraries, NSS modules, and
+transliteration modules) using the GCC @option{-fstack-protector},
+@option{-fstack-protector-strong} or @option{-fstack-protector-all}
+options to detect stack overruns.  Only the dynamic linker and a small
+number of routines called directly from assembler are excluded from this
+protection.
+
+
 @pindex pt_chown
 @findex grantpt
 @item --enable-pt_chown
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 01/18] Configury support for --enable-stack-protector.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 1627 bytes --]

On 08 Mar 2016 13:50, Nix wrote:
> +AC_ARG_ENABLE([stack-protector],
> +            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],

8 spaces -> tabs, and re-align the 2nd arg

> +                           [Detect stack overflows in glibc functions, either with local buffers (yes), or with those plus arrays (strong), or all functions (all)]),

is this really necessary ?  can't we just say something like "pass
-fstack-protector[-all|-strong]" and leave the rest to the gcc manual ?

> +            [enable_stack_protector=no])

should we default this to auto-detecting strong ?
or at least make that a follow up patch in this series ?

> +case x"$enable_stack_protector" in
> +    xall|xyes|xno|xstrong) ;;

don't need the x prefix.  that historical wart is related to empty
string compares with the test command, not the case command.

> +    *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector]);;

don't indent case statements

> +if test x$libc_cv_ssp = xyes; then

quote the LHS -- cache vars can be set via the env or config.site files

> +    no_stack_protector=-fno-stack-protector

indent with two spaces

> +if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
> +  stack_protector=-fstack-protector
> +elif test x$enable_stack_protector = xall && test $libc_cv_ssp_all = yes; then
> +  stack_protector=-fstack-protector-all
> +elif test x$enable_stack_protector = xstrong && test $libc_cv_ssp_strong = yes; then
> +  stack_protector=-fstack-protector-strong
> +fi

all of these strings should be quoted imo.  they were before you changed
things too.
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 01/18] Configury support for --enable-stack-protector.

[Nix]

On 9 Mar 2016, Mike Frysinger said:

> On 08 Mar 2016 13:50, Nix wrote:
>> +AC_ARG_ENABLE([stack-protector],
>> +            AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
>
> 8 spaces -> tabs, and re-align the 2nd arg

Fixed.

Second arg looks perfectly alright to me, though: it's aligned in my
tree, and in the patch I emailed out. Looks like your MUA has done
something to it.  (Though it was aligned with spaces.)

>> +                           [Detect stack overflows in glibc functions, either with local buffers (yes), or with those plus arrays (strong), or all functions (all)]),
>
> is this really necessary ?  can't we just say something like "pass
> -fstack-protector[-all|-strong]" and leave the rest to the gcc manual ?

Er, yes, and Andreas even asked me to do that, and I thought oh yes
that's a good idea and then didn't do it. Um. It's done now.

How about

[Use -fstack-protector[-all|-strong] to detect glibc stack overflows]

so that at least it becomes clear what it means to 'protect' the stack
without having to dive into the manual? I'd like to say a tiny bit more
than just say "pass": to what? why?

(but maybe the last five words are redundant after all. I dunno. Still,
even if you take them off it doesn't fit on one line in configure --help
output in my tests, so the extra words don't actually *cost* anything.)

>> +            [enable_stack_protector=no])
>
> should we default this to auto-detecting strong ?
> or at least make that a follow up patch in this series ?

I thought that might be too contentious! but if people want to flip the
default, it's fine by me. (Just don't flip it to -all: that's probably
best left to hardened distros, since it probably does have a real
performance cost...)

>> +case x"$enable_stack_protector" in
>> +    xall|xyes|xno|xstrong) ;;
>
> don't need the x prefix.  that historical wart is related to empty
> string compares with the test command, not the case command.

It's historical terror. (And I have distinct memories of seeing problems
with case on ancient HP-UX boxes, HP-UX 9 or thereabouts. This is
obviously relevant since people build glibc on HP-UX 9 boxes *all the
time*.)

Fixed. :)

>> +    *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector]);;
>
> don't indent case statements

Ew, really?

... gods, you're right, none of them are indented. I never noticed that.
Fixed.

>> +if test x$libc_cv_ssp = xyes; then
>
> quote the LHS -- cache vars can be set via the env or config.site files

Fixed. (And if I'm quoting it I don't need to x it: fixed that, too.)

>> +    no_stack_protector=-fno-stack-protector
>
> indent with two spaces

Oops, yes. (Also fixed a couple of places in patch 9 that made the same
mistake.)

>> +if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
>> +  stack_protector=-fstack-protector
>> +elif test x$enable_stack_protector = xall && test $libc_cv_ssp_all = yes; then
>> +  stack_protector=-fstack-protector-all
>> +elif test x$enable_stack_protector = xstrong && test $libc_cv_ssp_strong = yes; then
>> +  stack_protector=-fstack-protector-strong
>> +fi
>
> all of these strings should be quoted imo.  they were before you changed
> things too.

Yeah, I removed the quotation because it was useless -- the value of
$enable_stack_protector is constrained by the check further up, and you
don't need to quote a single word with no shell metacharacters in it
(and - is not a shell metacharacter). The former argument is debatable
-- someone might remove the check further up in later maintenance
without even noticing this code exists -- but the latter is not, really:
any shell in which the string '-fstack-protector' needed quoting would
not be a shell that could run configure at all.

So, quoted all the $libc_cv_ssps and $enable_stack_protectors, de-x'ed
the latter, but not yet quoted the assignments, because... what for?
Also quoted and de-x'ed the stuff in the checks added in patch 9, for
the same reason.

-- 
NULL && (void)

Re: [PATCH 01/18] Configury support for --enable-stack-protector.

[Nix]

On 9 Mar 2016, nix@esperi.org.uk uttered the following:

> [Use -fstack-protector[-all|-strong] to detect glibc stack overflows]

Obviously this was stupid. That's not what -fstack-protector does!
What was I thinking...

This is better:

[Use -fstack-protector[-all|-strong] to detect glibc buffer overflows]

[PATCH 03/18] Do not stack-protect ifunc resolvers.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

When dynamically linking, ifunc resolvers are called before TLS is
initialized, so they cannot be safely stack-protected.

We avoid disabling stack-protection on large numbers of files by
depending on the availability of __attribute__ ((__optimize__
("-fno-stack-protector"))), and turning it off just for
the resolvers themselves.  (We provide the attribute even when
statically linking, because we will later use it elsewhere too.)

v4: New.
v5: Comment fix.

	* config.h.in (HAVE_CC_NO_STACK_PROTECTOR): New macro.
	* configure.ac (libc_cv_cc_no_stack_protector): Check if compiler
	accepts __attribute__ ((__optimize__ ("-fno-stack-protector"))).
	* include/libc-symbols.h (inhibit_stack_protector): New macro.
	(libc_ifunc): Use it.
	(libm_ifunc): Likewise.
	* elf/ifuncdep2.c (foo1_ifunc): Add inhibit_stack_protector.
	(foo2_ifunc): Likewise.
	(foo3_ifunc): Likewise.
	* elf/ifuncmain6pie.c (foo_ifunc): Likewise.
	* elf/ifuncmain7.c (foo_ifunc): Likewise.
	* elf/ifuncmod1.c (foo_ifunc): Likewise.
	(foo_hidden_ifunc): Likewise.
	(foo_protected_ifunc): Likewise.
	* elf/ifuncmod5.c (foo_ifunc): Likewise.
	(foo_hidden_ifunc): Likewise.
	(foo_protected_ifunc): Likewise.
	* sysdeps/x86_64/ifuncmod8.c (foo_ifunc): Likewise.
	* nptl/pt-fork.c (fork_resolve): Likewise.
	* nptl/pt-longjmp.c (longjmp_resolve): Likewise.
	* nptl/pt-system.c (system_resolve): Likewise.
	* nptl/pt-vfork.c (vfork_resolve): Likewise.
	* rt/clock-compat.c [HAVE_IFUNC] (COMPAT_REDIRECT): Likewise.
	* sysdeps/generic/ifunc-sel.h (ifunc_sel): Likewise.
	(ifunc_one): Likewise.
	* sysdeps/nacl/nacl_interface_query.c [SHARED]
	(nacl_interface_query_ifunc): Likewise.
	* sysdeps/powerpc/ifunc-sel.h (ifunc_sel): Likewise.
	(ifunc_one): Likewise.
	* sysdeps/unix/make-syscalls.sh: Likewise.
	* sysdeps/unix/sysv/linux/powerpc/gettimeofday.c
	(gettimeofday_ifunc): Likewise.
	* sysdeps/unix/sysv/linux/powerpc/time.c (time_ifunc): Likewise.
	* sysdeps/unix/sysv/linux/x86/gettimeofday.c (gettimeofday_ifunc):
	Likewise.
	* sysdeps/unix/sysv/linux/x86/time.c (time_ifunc): Likewise.
	* sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c (getcpu_ifunc):
	Likewise.
---
 config.h.in                                    |  4 ++++
 configure.ac                                   | 15 +++++++++++++++
 elf/ifuncdep2.c                                |  3 +++
 elf/ifuncmain6pie.c                            |  1 +
 elf/ifuncmain7.c                               |  1 +
 elf/ifuncmod1.c                                |  3 +++
 elf/ifuncmod5.c                                |  3 +++
 include/libc-symbols.h                         | 18 ++++++++++++++++--
 nptl/pt-fork.c                                 |  1 +
 nptl/pt-longjmp.c                              |  1 +
 nptl/pt-system.c                               |  1 +
 nptl/pt-vfork.c                                |  1 +
 rt/clock-compat.c                              |  4 +++-
 sysdeps/generic/ifunc-sel.h                    |  2 ++
 sysdeps/nacl/nacl_interface_query.c            |  1 +
 sysdeps/powerpc/ifunc-sel.h                    |  2 ++
 sysdeps/unix/make-syscalls.sh                  |  1 +
 sysdeps/unix/sysv/linux/powerpc/gettimeofday.c |  1 +
 sysdeps/unix/sysv/linux/powerpc/time.c         |  1 +
 sysdeps/unix/sysv/linux/x86/gettimeofday.c     |  1 +
 sysdeps/unix/sysv/linux/x86/time.c             |  1 +
 sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c    |  1 +
 sysdeps/x86_64/ifuncmod8.c                     |  1 +
 23 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/config.h.in b/config.h.in
index ec9c8bc..7bbc148 100644
--- a/config.h.in
+++ b/config.h.in
@@ -43,6 +43,10 @@
 /* Define if compiler accepts -ftree-loop-distribute-patterns.  */
 #undef  HAVE_CC_INHIBIT_LOOP_TO_LIBCALL
 
+/* Define if compiler accepts -fno-stack-protector in an
+   __attribute__((__optimize__)).  */
+#undef	HAVE_CC_NO_STACK_PROTECTOR
+
 /* Define if the regparm attribute shall be used for local functions
    (gcc on ix86 only).  */
 #undef	USE_REGPARMS
diff --git a/configure.ac b/configure.ac
index 7b81049..a920f89 100644
--- a/configure.ac
+++ b/configure.ac
@@ -632,10 +632,25 @@ LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all],
 		   [libc_cv_ssp_all=no])
 ])
 
+AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
+__attribute__ ((__optimize__)), libc_cv_cc_no_stack_protector, [dnl
+cat > conftest.c <<EOF
+void
+__attribute__ ((__optimize__ ("-fno-stack-protector")))
+foo (void) {}
+EOF
+libc_cv_cc_no_stack_protector=no
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS -c conftest.c])
+then
+  libc_cv_cc_no_stack_protector=yes
+fi
+rm -f conftest*])
+
 stack_protector=
 no_stack_protector=
 if test x$libc_cv_ssp = xyes; then
     no_stack_protector=-fno-stack-protector
+    AC_DEFINE(HAVE_CC_NO_STACK_PROTECTOR)
 fi
 
 if test x$enable_stack_protector = xyes && test $libc_cv_ssp = yes; then
diff --git a/elf/ifuncdep2.c b/elf/ifuncdep2.c
index 6e66d31..d87d61d 100644
--- a/elf/ifuncdep2.c
+++ b/elf/ifuncdep2.c
@@ -32,6 +32,7 @@ void * foo1_ifunc (void) __asm__ ("foo1");
 __asm__(".type foo1, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo1_ifunc (void)
 {
   return ifunc_sel (one, minus_one, zero);
@@ -41,6 +42,7 @@ void * foo2_ifunc (void) __asm__ ("foo2");
 __asm__(".type foo2, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo2_ifunc (void)
 {
   return ifunc_sel (minus_one, one, zero);
@@ -50,6 +52,7 @@ void * foo3_ifunc (void) __asm__ ("foo3");
 __asm__(".type foo3, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo3_ifunc (void)
 {
   return ifunc_sel (one, zero, minus_one);
diff --git a/elf/ifuncmain6pie.c b/elf/ifuncmain6pie.c
index 8478d4c..04faeb8 100644
--- a/elf/ifuncmain6pie.c
+++ b/elf/ifuncmain6pie.c
@@ -21,6 +21,7 @@ void * foo_ifunc (void) __asm__ ("foo");
 __asm__(".type foo, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_ifunc (void)
 {
   return ifunc_one (one);
diff --git a/elf/ifuncmain7.c b/elf/ifuncmain7.c
index 617a596..1e8f7ea 100644
--- a/elf/ifuncmain7.c
+++ b/elf/ifuncmain7.c
@@ -20,6 +20,7 @@ __asm__(".type foo, %gnu_indirect_function");
 
 static void *
 __attribute__ ((used))
+inhibit_stack_protector
 foo_ifunc (void)
 {
   return ifunc_one (one);
diff --git a/elf/ifuncmod1.c b/elf/ifuncmod1.c
index 0b61380..f0bf5fb 100644
--- a/elf/ifuncmod1.c
+++ b/elf/ifuncmod1.c
@@ -36,6 +36,7 @@ void * foo_ifunc (void) __asm__ ("foo");
 __asm__(".type foo, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_ifunc (void)
 {
   return ifunc_sel (one, minus_one, zero);
@@ -45,6 +46,7 @@ void * foo_hidden_ifunc (void) __asm__ ("foo_hidden");
 __asm__(".type foo_hidden, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_hidden_ifunc (void)
 {
   return ifunc_sel (minus_one, one, zero);
@@ -54,6 +56,7 @@ void * foo_protected_ifunc (void) __asm__ ("foo_protected");
 __asm__(".type foo_protected, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_protected_ifunc (void)
 {
   return ifunc_sel (one, zero, minus_one);
diff --git a/elf/ifuncmod5.c b/elf/ifuncmod5.c
index 0e65a63..5a95780 100644
--- a/elf/ifuncmod5.c
+++ b/elf/ifuncmod5.c
@@ -31,6 +31,7 @@ void * foo_ifunc (void) __asm__ ("foo");
 __asm__(".type foo, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_ifunc (void)
 {
   return ifunc_sel (one, minus_one, zero);
@@ -40,6 +41,7 @@ void * foo_hidden_ifunc (void) __asm__ ("foo_hidden");
 __asm__(".type foo_hidden, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_hidden_ifunc (void)
 {
   return ifunc_sel (minus_one, one, zero);
@@ -49,6 +51,7 @@ void * foo_protected_ifunc (void) __asm__ ("foo_protected");
 __asm__(".type foo_protected, %gnu_indirect_function");
 
 void *
+inhibit_stack_protector
 foo_protected_ifunc (void)
 {
   return ifunc_sel (one, zero, minus_one);
diff --git a/include/libc-symbols.h b/include/libc-symbols.h
index 4548e09..531092c 100644
--- a/include/libc-symbols.h
+++ b/include/libc-symbols.h
@@ -314,6 +314,16 @@ for linking")
 
 #define attribute_relro __attribute__ ((section (".data.rel.ro")))
 
+
+/* Used to disable stack protection in sensitive places, like ifunc
+   resolvers and early static TLS init.  */
+#ifdef HAVE_CC_NO_STACK_PROTECTOR
+# define inhibit_stack_protector \
+    __attribute__ ((__optimize__ ("-fno-stack-protector")))
+#else
+# define inhibit_stack_protector
+#endif
+
 /* The following macros are used for PLT bypassing within libc.so
    (and if needed other libraries similarly).
    First of all, you need to have the function prototyped somewhere,
@@ -716,7 +726,9 @@ for linking")
 /* Marker used for indirection function symbols.  */
 #define libc_ifunc(name, expr)						\
   extern void *name##_ifunc (void) __asm__ (#name);			\
-  void *name##_ifunc (void)						\
+  void *								\
+  inhibit_stack_protector						\
+  name##_ifunc (void)							\
   {									\
     INIT_ARCH ();							\
     __typeof (name) *res = expr;					\
@@ -728,7 +740,9 @@ for linking")
    which will, if necessary, initialize the data first.  */
 #define libm_ifunc(name, expr)						\
   extern void *name##_ifunc (void) __asm__ (#name);			\
-  void *name##_ifunc (void)						\
+  void *								\
+  inhibit_stack_protector						\
+  name##_ifunc (void)							\
   {									\
     __typeof (name) *res = expr;					\
     return res;								\
diff --git a/nptl/pt-fork.c b/nptl/pt-fork.c
index b65d6b4..4178af8 100644
--- a/nptl/pt-fork.c
+++ b/nptl/pt-fork.c
@@ -34,6 +34,7 @@
 
 static __typeof (fork) *
 __attribute__ ((used))
+inhibit_stack_protector
 fork_resolve (void)
 {
   return &__libc_fork;
diff --git a/nptl/pt-longjmp.c b/nptl/pt-longjmp.c
index a1cc286..8a33cb4 100644
--- a/nptl/pt-longjmp.c
+++ b/nptl/pt-longjmp.c
@@ -34,6 +34,7 @@
 
 static __typeof (longjmp) *
 __attribute__ ((used))
+inhibit_stack_protector
 longjmp_resolve (void)
 {
   return &__libc_longjmp;
diff --git a/nptl/pt-system.c b/nptl/pt-system.c
index 56f2a89..a481ab3 100644
--- a/nptl/pt-system.c
+++ b/nptl/pt-system.c
@@ -34,6 +34,7 @@
 
 static __typeof (system) *
 __attribute__ ((used))
+inhibit_stack_protector
 system_resolve (void)
 {
   return &__libc_system;
diff --git a/nptl/pt-vfork.c b/nptl/pt-vfork.c
index 8f4be0c..8f3c2c0 100644
--- a/nptl/pt-vfork.c
+++ b/nptl/pt-vfork.c
@@ -48,6 +48,7 @@ extern __typeof (vfork) __libc_vfork;   /* Defined in libc.  */
 
 static __typeof (vfork) *
 __attribute__ ((used))
+inhibit_stack_protector
 vfork_resolve (void)
 {
   return &__libc_vfork;
diff --git a/rt/clock-compat.c b/rt/clock-compat.c
index dc69e4a..b0fdd8b 100644
--- a/rt/clock-compat.c
+++ b/rt/clock-compat.c
@@ -30,7 +30,9 @@
 #if HAVE_IFUNC
 # define COMPAT_REDIRECT(name, proto, arglist)				      \
   __typeof (name) *name##_ifunc (void) asm (#name);			      \
-  __typeof (name) *name##_ifunc (void)					      \
+  __typeof (name) *							      \
+  inhibit_stack_protector						      \
+  name##_ifunc (void)							      \
   {									      \
     return &__##name;							      \
   }									      \
diff --git a/sysdeps/generic/ifunc-sel.h b/sysdeps/generic/ifunc-sel.h
index 6a27b69..1fff405 100644
--- a/sysdeps/generic/ifunc-sel.h
+++ b/sysdeps/generic/ifunc-sel.h
@@ -5,6 +5,7 @@
 extern int global;
 
 static inline void *
+inhibit_stack_protector
 ifunc_sel (int (*f1) (void), int (*f2) (void), int (*f3) (void))
 {
  switch (global)
@@ -19,6 +20,7 @@ ifunc_sel (int (*f1) (void), int (*f2) (void), int (*f3) (void))
 }
 
 static inline void *
+inhibit_stack_protector
 ifunc_one (int (*f1) (void))
 {
   return f1;
diff --git a/sysdeps/nacl/nacl_interface_query.c b/sysdeps/nacl/nacl_interface_query.c
index adf1dd4..dbaa88b 100644
--- a/sysdeps/nacl/nacl_interface_query.c
+++ b/sysdeps/nacl/nacl_interface_query.c
@@ -29,6 +29,7 @@ extern TYPE_nacl_irt_query nacl_interface_query_ifunc (void)
   asm ("nacl_interface_query");
 
 TYPE_nacl_irt_query
+inhibit_stack_protector
 nacl_interface_query_ifunc (void)
 {
   return &__nacl_irt_query;
diff --git a/sysdeps/powerpc/ifunc-sel.h b/sysdeps/powerpc/ifunc-sel.h
index 526d8ed..598b125 100644
--- a/sysdeps/powerpc/ifunc-sel.h
+++ b/sysdeps/powerpc/ifunc-sel.h
@@ -5,6 +5,7 @@
 extern int global;
 
 static inline void *
+inhibit_stack_protector
 ifunc_sel (int (*f1) (void), int (*f2) (void), int (*f3) (void))
 {
   register void *ret __asm__ ("r3");
@@ -30,6 +31,7 @@ ifunc_sel (int (*f1) (void), int (*f2) (void), int (*f3) (void))
 }
 
 static inline void *
+inhibit_stack_protector
 ifunc_one (int (*f1) (void))
 {
   register void *ret __asm__ ("r3");
diff --git a/sysdeps/unix/make-syscalls.sh b/sysdeps/unix/make-syscalls.sh
index 58d165e..123553c 100644
--- a/sysdeps/unix/make-syscalls.sh
+++ b/sysdeps/unix/make-syscalls.sh
@@ -287,6 +287,7 @@ while read file srcfile caller syscall args strong weak; do
 	(echo '#include <dl-vdso.h>'; \\
 	 echo 'extern void *${strong}_ifunc (void) __asm ("${strong}");'; \\
 	 echo 'void *'; \\
+	 echo 'inhibit_stack_protector'; \\
 	 echo '${strong}_ifunc (void)'; \\
 	 echo '{'; \\
 	 echo '  PREPARE_VERSION_KNOWN (symver, ${vdso_symver});'; \\
diff --git a/sysdeps/unix/sysv/linux/powerpc/gettimeofday.c b/sysdeps/unix/sysv/linux/powerpc/gettimeofday.c
index 25a4e7c..a8b6cfa 100644
--- a/sysdeps/unix/sysv/linux/powerpc/gettimeofday.c
+++ b/sysdeps/unix/sysv/linux/powerpc/gettimeofday.c
@@ -33,6 +33,7 @@ __gettimeofday_syscall (struct timeval *tv, struct timezone *tz)
 }
 
 void *
+inhibit_stack_protector
 gettimeofday_ifunc (void)
 {
   PREPARE_VERSION (linux2615, "LINUX_2.6.15", 123718565);
diff --git a/sysdeps/unix/sysv/linux/powerpc/time.c b/sysdeps/unix/sysv/linux/powerpc/time.c
index 7973419..4b89b38 100644
--- a/sysdeps/unix/sysv/linux/powerpc/time.c
+++ b/sysdeps/unix/sysv/linux/powerpc/time.c
@@ -43,6 +43,7 @@ time_syscall (time_t *t)
 }
 
 void *
+inhibit_stack_protector
 time_ifunc (void)
 {
   PREPARE_VERSION (linux2615, "LINUX_2.6.15", 123718565);
diff --git a/sysdeps/unix/sysv/linux/x86/gettimeofday.c b/sysdeps/unix/sysv/linux/x86/gettimeofday.c
index 36f7c26..e05ad53 100644
--- a/sysdeps/unix/sysv/linux/x86/gettimeofday.c
+++ b/sysdeps/unix/sysv/linux/x86/gettimeofday.c
@@ -32,6 +32,7 @@ __gettimeofday_syscall (struct timeval *tv, struct timezone *tz)
 void *gettimeofday_ifunc (void) __asm__ ("__gettimeofday");
 
 void *
+inhibit_stack_protector
 gettimeofday_ifunc (void)
 {
   PREPARE_VERSION_KNOWN (linux26, LINUX_2_6);
diff --git a/sysdeps/unix/sysv/linux/x86/time.c b/sysdeps/unix/sysv/linux/x86/time.c
index f5f7f91..c5bd8dc 100644
--- a/sysdeps/unix/sysv/linux/x86/time.c
+++ b/sysdeps/unix/sysv/linux/x86/time.c
@@ -33,6 +33,7 @@ __time_syscall (time_t *t)
 void *time_ifunc (void) __asm__ ("time");
 
 void *
+inhibit_stack_protector
 time_ifunc (void)
 {
   PREPARE_VERSION_KNOWN (linux26, LINUX_2_6);
diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c b/sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c
index cbac4b3..8436f9d 100644
--- a/sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c
+++ b/sysdeps/unix/sysv/linux/x86_64/x32/getcpu.c
@@ -21,6 +21,7 @@
 void *getcpu_ifunc (void) __asm__ ("__getcpu");
 
 void *
+inhibit_stack_protector
 getcpu_ifunc (void)
 {
   PREPARE_VERSION (linux26, "LINUX_2.6", 61765110);
diff --git a/sysdeps/x86_64/ifuncmod8.c b/sysdeps/x86_64/ifuncmod8.c
index c004367..7c06562 100644
--- a/sysdeps/x86_64/ifuncmod8.c
+++ b/sysdeps/x86_64/ifuncmod8.c
@@ -28,6 +28,7 @@ foo_impl (float x)
 }
 
 void *
+inhibit_stack_protector
 foo_ifunc (void)
 {
   __m128i xmm = _mm_set1_epi32 (-1);
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 03/18] Do not stack-protect ifunc resolvers.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 223 bytes --]

On 08 Mar 2016 13:50, Nix wrote:
> +AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
> +__attribute__ ((__optimize__)),

m4 strings should be quoted.  so this should be:
AC_CACHE_CHECK([if $CC ........], ...
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 03/18] Do not stack-protect ifunc resolvers.

[Nix]

On 9 Mar 2016, Mike Frysinger outgrape:

> On 08 Mar 2016 13:50, Nix wrote:
>> +AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
>> +__attribute__ ((__optimize__)),
>
> m4 strings should be quoted.  so this should be:
> AC_CACHE_CHECK([if $CC ........], ...

I copied it from the similarly unquoted

AC_CACHE_CHECK(if $CC accepts -fno-tree-loop-distribute-patterns with \
__attribute__ ((__optimize__)), libc_cv_cc_loop_to_function, [dnl
cat > conftest.c <<EOF

and didn't quote it out of unreasoning fear that \-escaping might get
broken if I did that.  I didn't actually *test* it, or I'd have seen that
my fears were groundless.  Fixed (at least, fixed my copy: I think the
other one is for another time).

-- 
NULL && (void)

Re: [PATCH 03/18] Do not stack-protect ifunc resolvers.

[Joseph Myers]

On Wed, 9 Mar 2016, Mike Frysinger wrote:

> On 08 Mar 2016 13:50, Nix wrote:
> > +AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
> > +__attribute__ ((__optimize__)),
> 
> m4 strings should be quoted.  so this should be:
> AC_CACHE_CHECK([if $CC ........], ...

It would certainly be nice if someone cleaned up the existing *.ac scripts 
and fragments to consistently follow this rule (for each autoconf macro, 
there should generally be exactly one level of [] quoting around each of 
its arguments, except in special cases such as where the Autoconf manual 
explains that AC_LANG_SOURCE's argument should be double-quoted [[]]).

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: [PATCH 03/18] Do not stack-protect ifunc resolvers.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]

On 08 Mar 2016 13:50, Nix wrote:
> +AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
> +__attribute__ ((__optimize__)), libc_cv_cc_no_stack_protector, [dnl
> +cat > conftest.c <<EOF
> +void
> +__attribute__ ((__optimize__ ("-fno-stack-protector")))
> +foo (void) {}
> +EOF

actually, which versions of gcc *don't* support this ?  if it's in gcc-4.7
and newer, then we don't need this test as we require that already.
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 03/18] Do not stack-protect ifunc resolvers.

[Nix]

On 9 Mar 2016, Mike Frysinger told this:

> On 08 Mar 2016 13:50, Nix wrote:
>> +AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
>> +__attribute__ ((__optimize__)), libc_cv_cc_no_stack_protector, [dnl
>> +cat > conftest.c <<EOF
>> +void
>> +__attribute__ ((__optimize__ ("-fno-stack-protector")))
>> +foo (void) {}
>> +EOF
>
> actually, which versions of gcc *don't* support this ?  if it's in gcc-4.7
> and newer, then we don't need this test as we require that already.

Good question. The worrying thing is that support for
__attribute__((__optimize__)) may not be enough: IIRC, that attribute
was not exactly perfectly functional in the first release or two after
it landed, IIRC.

Let's see...

... GCC 4.4?! OK, way older than I remembered. We can definitely drop
this: there have been fixes to fix things like target-specific options
with __attribute__((__optimize__)) right up until recently, but nothing
that would perturb -fno-stack-protector (and nothing at *all* between
4.6.x and 4.8.x, and I know 4.8.x works).

So I'll drop this bit.

(Technically this makes libc_cv_ssp useless too, because
-fstack-protector is *much* older than __attribute__((__optimize__)),
but it's consistent with the checks for -fstack-protector-strong and
-all to have it there, and those are much newer and still not
consistently supported on all targets. I can tear libc_cv_ssp and
have_ssp out as well if you think it worth doing.)

-- 
NULL && (void)

Re: [PATCH 03/18] Do not stack-protect ifunc resolvers.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 1667 bytes --]

On 09 Mar 2016 23:48, Nix wrote:
> On 9 Mar 2016, Mike Frysinger told this:
> > On 08 Mar 2016 13:50, Nix wrote:
> >> +AC_CACHE_CHECK(if $CC accepts -fno-stack-protector with \
> >> +__attribute__ ((__optimize__)), libc_cv_cc_no_stack_protector, [dnl
> >> +cat > conftest.c <<EOF
> >> +void
> >> +__attribute__ ((__optimize__ ("-fno-stack-protector")))
> >> +foo (void) {}
> >> +EOF
> >
> > actually, which versions of gcc *don't* support this ?  if it's in gcc-4.7
> > and newer, then we don't need this test as we require that already.
> 
> Good question. The worrying thing is that support for
> __attribute__((__optimize__)) may not be enough: IIRC, that attribute
> was not exactly perfectly functional in the first release or two after
> it landed, IIRC.
> 
> Let's see...
> 
> ... GCC 4.4?! OK, way older than I remembered. We can definitely drop
> this: there have been fixes to fix things like target-specific options
> with __attribute__((__optimize__)) right up until recently, but nothing
> that would perturb -fno-stack-protector (and nothing at *all* between
> 4.6.x and 4.8.x, and I know 4.8.x works).
> 
> So I'll drop this bit.
> 
> (Technically this makes libc_cv_ssp useless too, because
> -fstack-protector is *much* older than __attribute__((__optimize__)),
> but it's consistent with the checks for -fstack-protector-strong and
> -all to have it there, and those are much newer and still not
> consistently supported on all targets. I can tear libc_cv_ssp and
> have_ssp out as well if you think it worth doing.)

checking for the flag itself we prob want to keep because not all targets
support SSP
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[PATCH 18/18] Enable -fstack-protector=* when requested by configure.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This finally turns on all the machinery added in previous commits.

v3: Wrap long lines.
v5: Shuffle to the end.

	* Makeconfig (+stack-protector): New variable.
	(+cflags): Use it.
---
 Makeconfig | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Makeconfig b/Makeconfig
index 87a22e8..efcfdad 100644
--- a/Makeconfig
+++ b/Makeconfig
@@ -762,6 +762,11 @@ endif
 # disable any optimization that assume default rounding mode.
 +math-flags = -frounding-math
 
+# We might want to compile with some stack-protection flag.
+ifneq ($(stack-protector),)
++stack-protector=$(stack-protector)
+endif
+
 # This is the program that generates makefile dependencies from C source files.
 # The -MP flag tells GCC >= 3.2 (which we now require) to produce dummy
 # targets for headers so that removed headers don't break the build.
@@ -821,7 +826,8 @@ ifeq	"$(strip $(+cflags))" ""
 +cflags	:= $(default_cflags)
 endif	# $(+cflags) == ""
 
-+cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags)
++cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags) \
+	   $(+stack-protector)
 +gcc-nowarn := -w
 
 # Don't duplicate options if we inherited variables from the parent.
-- 
2.7.0.198.g6dd47b6

[PATCH 11/18] De-PLTize __stack_chk_fail internal calls within libc.so.

[Nix]

From: Adhemerval Zanella <adhemerval.zanella@linaro.org>

We use the same assembler-macro trick we use to de-PLTize
compiler-generated libcalls to memcpy and memset to redirect
__stack_chk_fail to __stack_chk_fail_local.

v5: New.

	* sysdeps/generic/symbol-hacks.h (__stack_chk_fail): Add internal
	alias.
---
 sysdeps/generic/symbol-hacks.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sysdeps/generic/symbol-hacks.h b/sysdeps/generic/symbol-hacks.h
index ce576c9..9d3662f 100644
--- a/sysdeps/generic/symbol-hacks.h
+++ b/sysdeps/generic/symbol-hacks.h
@@ -5,3 +5,9 @@ asm ("memmove = __GI_memmove");
 asm ("memset = __GI_memset");
 asm ("memcpy = __GI_memcpy");
 #endif
+
+/* -fstack-protector generates calls to __stack_chk_fail, which need
+   similar adjustments to avoid going through the PLT.  */
+#if !defined __ASSEMBLER__ && IS_IN (libc)
+asm ("__stack_chk_fail = __stack_chk_fail_local");
+#endif
-- 
2.7.0.198.g6dd47b6

[PATCH 13/18] Prohibit stack-protection if the compiler is not capable.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

We need support for __attribute__ ((__optimize__ ("-fno-stack-protector")))
if -fno-stack-protector is to work reliably.

v4: New.

	* configure.ac [stack_protector && !libc_cv_cc_no_stack_protector]:
	Error out in this case.
---
 configure.ac | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configure.ac b/configure.ac
index 38e9c27..9df57ec 100644
--- a/configure.ac
+++ b/configure.ac
@@ -665,6 +665,11 @@ AC_SUBST(stack_protector)
 AC_SUBST(no_stack_protector)
 
 if test -n "$stack_protector"; then
+  dnl We cannot work without the ability to disable -fstack-protector for
+  dnl specific functions.
+  if test $libc_cv_cc_no_stack_protector = no; then
+      AC_MSG_ERROR([--enable-stack-protector not supported without __attribute__ ((__optimize__ ("-fno-stack-protector"))).])
+  fi
   dnl Don't run configure tests with stack-protection on, to avoid problems with
   dnl bootstrapping.
   no_ssp=-fno-stack-protector
-- 
2.7.0.198.g6dd47b6

[PATCH 14/18] Drop explicit stack-protection of pieces of the system.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This is probably a bad idea: maybe we want to stack-protect some parts
of the system even when ! --enable-stack-protector.  I can easily adjust
the patch to do that (though it'll mean introducing a new variable
analogous to $(stack-protector) but not controlled by the configure
flag.)

But if we wanted to value consistency over security, and use the same
stack-protection configure flag to control everything, this is how we'd
do it!

("Always include at least one patch with something obviously wrong with
it.")

	* login/Makefile (pt_chown-cflags): Remove.
	* nscd/Makefile (CFLAGS-nscd): Likewise.
	* resolv/Makefile (CFLAGS-libresolv): Likewise.
---
 login/Makefile  | 1 -
 nscd/Makefile   | 1 -
 resolv/Makefile | 1 -
 3 files changed, 3 deletions(-)

diff --git a/login/Makefile b/login/Makefile
index 9ff36d6..1a6161c 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions
 ifeq (yesyes,$(have-fpie)$(build-shared))
 pt_chown-cflags += $(pie-ccflag)
 endif
-pt_chown-cflags += $(stack-protector)
 ifeq (yes,$(have-libcap))
 libcap = -lcap
 endif
diff --git a/nscd/Makefile b/nscd/Makefile
index 50bad32..bfd72d5 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
 ifeq (yesyes,$(have-fpie)$(build-shared))
 CFLAGS-nscd += $(pie-ccflag)
 endif
-CFLAGS-nscd += $(stack-protector)
 
 ifeq (yesyes,$(have-fpie)$(build-shared))
 LDFLAGS-nscd = -Wl,-z,now
diff --git a/resolv/Makefile b/resolv/Makefile
index 8be41d3..0395b1a 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \
 	    -Dgetnetbyname=res_getnetbyname \
 	    -Dgetnetbyaddr=res_getnetbyaddr
 
-CFLAGS-libresolv += $(stack-protector)
 CFLAGS-res_hconf.c = -fexceptions
 
 # The BIND code elicits some harmless warnings.
-- 
2.7.0.198.g6dd47b6

[PATCH 07/18] Compile the entire dynamic linker with -fno-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

Also compile corresponding routines in the static libc.a with the same
flag.

v3: Use $(no-stack-protector).
    Introduce $(elide-stack-protector) and use it to reduce redundancy.
    Bring all the elisions together textually.

	* elf/Makefile (elide-stack-protector): New.
	(CFLAGS-.os): Use it, eliding $(all-rtld-routines).
	(CFLAGS-.oX): Likewise, eliding $(elide-routines.os).
	(rtld-CFLAGS): Likewise.
---
 elf/Makefile   | 13 +++++++++++++
 elf/rtld-Rules |  2 ++
 2 files changed, 15 insertions(+)

diff --git a/elf/Makefile b/elf/Makefile
index 63a5355..0037cca 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -50,6 +50,19 @@ CFLAGS-dl-runtime.c = -fexceptions -fasynchronous-unwind-tables
 CFLAGS-dl-lookup.c = -fexceptions -fasynchronous-unwind-tables
 CFLAGS-dl-iterate-phdr.c = $(uses-callbacks)
 
+# Compile rtld itself without stack protection.
+# Also compile all routines in the static library that are elided from
+# the shared libc because they are in ld.so the same way.
+
+define elide-stack-protector
+$(if $(filter $(@F),$(patsubst %,%$(1),$(2))), $(no-stack-protector))
+endef
+
+CFLAGS-.o += $(call elide-stack-protector,.o,$(elide-routines.os))
+CFLAGS-.op += $(call elide-stack-protector,.op,$(elide-routines.os))
+CFLAGS-.og += $(call elide-stack-protector,.og,$(elide-routines.os))
+CFLAGS-.os += $(call elide-stack-protector,.os,$(all-rtld-routines))
+
 ifeq ($(unwind-find-fde),yes)
 routines += unwind-dw2-fde-glibc
 shared-only-routines += unwind-dw2-fde-glibc
diff --git a/elf/rtld-Rules b/elf/rtld-Rules
index c1bb506..aff4e3e 100644
--- a/elf/rtld-Rules
+++ b/elf/rtld-Rules
@@ -144,4 +144,6 @@ cpp-srcs-left := $(rtld-modules:%.os=%)
 lib := rtld
 include $(patsubst %,$(..)cppflags-iterator.mk,$(cpp-srcs-left))
 
+rtld-CFLAGS := $(no-stack-protector)
+
 endif
-- 
2.7.0.198.g6dd47b6

[PATCH 16/18] sparc: do not stack-protect the sigreturn handler.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This is called from the kernel and must not have a canary.

v2: New.
v3: Use $(no-stack-protector).
v4: Use inhibit_stack_protector.

	* sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c:
	(__rt_sigreturn_stub): Use inhibit_stack_protector.
	* sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
	(__rt_sigreturn_stub): Likewise.
	(__sigreturn_stub): Likewise.
---
 sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c | 8 ++++++--
 sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c b/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
index 5aa3c35..b75142f 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
+++ b/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
@@ -65,7 +65,9 @@ libc_hidden_def (__libc_sigaction)
 #include <nptl/sigaction.c>
 
 
-static void
+static
+inhibit_stack_protector
+void
 __rt_sigreturn_stub (void)
 {
   __asm__ ("mov %0, %%g1\n\t"
@@ -74,7 +76,9 @@ __rt_sigreturn_stub (void)
 	   : "i" (__NR_rt_sigreturn));
 }
 
-static void
+static
+inhibit_stack_protector
+void
 __sigreturn_stub (void)
 {
   __asm__ ("mov %0, %%g1\n\t"
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c b/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c
index 50c444c..058c011 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c
+++ b/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c
@@ -66,7 +66,9 @@ libc_hidden_def (__libc_sigaction)
 #include <nptl/sigaction.c>
 
 
-static void
+static
+inhibit_stack_protector
+void
 __rt_sigreturn_stub (void)
 {
   __asm__ ("mov %0, %%g1\n\t"
-- 
2.7.0.198.g6dd47b6

[PATCH 06/18] Allow overriding of CFLAGS as well as CPPFLAGS for rtld.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

We need this to pass -fno-stack-protector to all the pieces of rtld in
non-elf/ directories.

	* elf/rtld-Rules (rtld-compile-command.c): Add $(rtld-CFLAGS).
	* scripts/sysd-rules.awk: Substitute in $(CFLAGS) as well as
	$(CPPFLAGS).
---
 elf/rtld-Rules         | 2 +-
 scripts/sysd-rules.awk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/elf/rtld-Rules b/elf/rtld-Rules
index 94ca39b..c1bb506 100644
--- a/elf/rtld-Rules
+++ b/elf/rtld-Rules
@@ -90,7 +90,7 @@ else
 
 rtld-compile-command.S = $(compile-command.S) $(rtld-CPPFLAGS)
 rtld-compile-command.s = $(compile-command.s) $(rtld-CPPFLAGS)
-rtld-compile-command.c = $(compile-command.c) $(rtld-CPPFLAGS)
+rtld-compile-command.c = $(compile-command.c) $(rtld-CPPFLAGS) $(rtld-CFLAGS)
 
 # These are the basic compilation rules corresponding to the Makerules ones.
 # The sysd-rules generated makefile already defines pattern rules for rtld-%
diff --git a/scripts/sysd-rules.awk b/scripts/sysd-rules.awk
index cebc9d3..69af400 100644
--- a/scripts/sysd-rules.awk
+++ b/scripts/sysd-rules.awk
@@ -54,7 +54,7 @@ BEGIN {
           command_suffix = "";
         } else {
           prefix = gensub(/%/, "", 1, target_pattern);
-          command_suffix = " $(" prefix  "CPPFLAGS)";
+          command_suffix = " $(" prefix  "CPPFLAGS)" " $(" prefix  "CFLAGS)";
         }
         target = "$(objpfx)" target_pattern o ":";
         if (asm_rules) {
-- 
2.7.0.198.g6dd47b6

[PATCH 08/18] Prevent the rtld mapfile computation from dragging in __stack_chk_fail.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

The previous commit prevented rtld itself from being built with
-fstack-protector, but this is not quite enough.  We identify which
objects belong in rtld via a test link and analysis of the resulting
mapfile.  That link is necessarily done against objects that are
stack-protected, so drags in __stack_chk_fail and all the libc
and libio code it uses.

To stop this happening, use --defsym in the test librtld.map-production
link to force the linker to predefine __stack_chk_fail (to 0, but it
could be to anything).  (In a real link, this would of course be
catastrophic, but these object files are never used for anything else.)

v2: New.

	* elf/Makefile (dummy-stack-chk-fail): New.
	($(objpfx)librtld.map): Use it.
---
 elf/Makefile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/elf/Makefile b/elf/Makefile
index 0037cca..8f0973d 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -349,9 +349,19 @@ $(objpfx)dl-allobjs.os: $(all-rtld-routines:%=$(objpfx)%.os)
 # are compiled with special flags, and puts these modules into rtld-libc.a
 # for us.  Then we do the real link using rtld-libc.a instead of libc_pic.a.
 
+# If the compiler can do SSP, build the mapfile with a dummy __stack_chk_fail
+# symbol defined, to prevent the real thing being dragged into rtld
+# even though rtld is never built with stack-protection.
+
+ifeq ($(have-ssp),yes)
+dummy-stack-chk-fail := -Wl,--defsym='__stack_chk_fail=0'
+else
+dummy-stack-chk-fail :=
+endif
+
 $(objpfx)librtld.map: $(objpfx)dl-allobjs.os $(common-objpfx)libc_pic.a
 	@-rm -f $@T
-	$(reloc-link) -o $@.o '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T
+	$(reloc-link) -o $@.o $(dummy-stack-chk-fail) '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T
 	rm -f $@.o
 	mv -f $@T $@
 
-- 
2.7.0.198.g6dd47b6

[PATCH 17/18] x86, pthread_cond_*wait: Do not depend on %eax not being clobbered

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

The x86-specific versions of both pthread_cond_wait and
pthread_cond_timedwait have (in their fall-back-to-futex-wait slow
paths) calls to __pthread_mutex_cond_lock_adjust followed by
__pthread_mutex_unlock_usercnt, which load the parameters before the
first call but then assume that the first parameter, in %eax, will
survive unaffected.  This happens to have been true before now, but %eax
is a call-clobbered register, and this assumption is not safe: it could
change at any time, at GCC's whim, and indeed the stack-protector canary
checking code clobbers %eax while checking that the canary is
uncorrupted.

So reload %eax before calling __pthread_mutex_unlock_usercnt.  (Do this
unconditionally, even when stack-protection is not in use, because it's
the right thing to do, it's a slow path, and anything else is dicing
with death.)

v5: New.

	* sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S: Reload
	call-clobbered %eax on retry path.
	* sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S: Likewise.
---
 sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S | 1 +
 sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S      | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S b/sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S
index 96f8a8d..6256376 100644
--- a/sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S
+++ b/sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S
@@ -297,6 +297,7 @@ __pthread_cond_timedwait:
 	   correctly.  */
 	movl	dep_mutex(%ebx), %eax
 	call	__pthread_mutex_cond_lock_adjust
+	movl	dep_mutex(%ebx), %eax
 	xorl	%edx, %edx
 	call	__pthread_mutex_unlock_usercnt
 	jmp	8b
diff --git a/sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S b/sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S
index 94302b0..5016718 100644
--- a/sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S
+++ b/sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S
@@ -309,6 +309,7 @@ __pthread_cond_wait:
 	   correctly.  */
 	movl	dep_mutex(%ebx), %eax
 	call    __pthread_mutex_cond_lock_adjust
+	movl	dep_mutex(%ebx), %eax
 	xorl	%edx, %edx
 	call	__pthread_mutex_unlock_usercnt
 	jmp	8b
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 17/18] x86, pthread_cond_*wait: Do not depend on %eax not being clobbered

[Florian Weimer]

On 03/08/2016 02:51 PM, Nix wrote:
> From: Nick Alcock <nick.alcock@oracle.com>
> 
> The x86-specific versions of both pthread_cond_wait and
> pthread_cond_timedwait have (in their fall-back-to-futex-wait slow
> paths) calls to __pthread_mutex_cond_lock_adjust followed by
> __pthread_mutex_unlock_usercnt, which load the parameters before the
> first call but then assume that the first parameter, in %eax, will
> survive unaffected.  This happens to have been true before now, but %eax
> is a call-clobbered register, and this assumption is not safe: it could
> change at any time, at GCC's whim, and indeed the stack-protector canary
> checking code clobbers %eax while checking that the canary is
> uncorrupted.
> 
> So reload %eax before calling __pthread_mutex_unlock_usercnt.  (Do this
> unconditionally, even when stack-protection is not in use, because it's
> the right thing to do, it's a slow path, and anything else is dicing
> with death.)
> 
> v5: New.
> 
> 	* sysdeps/unix/sysv/linux/i386/pthread_cond_timedwait.S: Reload
> 	call-clobbered %eax on retry path.
> 	* sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S: Likewise.

Nice catch.  This should go in separately because it's independent of
the stack protector work.

Thanks,
Florian

[PATCH 04/18] Mark all machinery needed in early static-link init as -fno-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

The startup code in csu/, brk() and sbrk(), and the
__pthread_initialize_tcb_internal() function we just introduced are
needed very early in initialization of a statically-linked program,
before the stack guard is initialized.  Mark all of these as
-fno-stack-protector.

We also finally introduce @libc_cv_ssp@ and @no-stack-protector@, both
substituted by the configury changes made earlier, to detect the case
when -fno-stack-protector is supported by the compiler, and
unconditionally pass it in when this is the case, whether or not
--enable-stack-protector is passed to configure.  (This means that
it'll even work when the compiler's been hacked to pass
-fstack-protector by default, unless the hackage is so broken that
it does so in a way that is impossible to override.)

(At one point we marked __libc_fatal() as non-stack-protected too,
but this was pointless: all it did was call other routines which *are*
stack-protected.  The earliest __libc_fatal() call is in the
DL_SYSDEP_OSCHECK hook on some platforms, when statically linking:
this is fine, since it is after TLS and stack-canary initialization.
I have tested invocation of programs statically and dynamically
linked against this glibc on older kernels on x86 and ARM, and they
still "work", i.e. fail with the appropriate message.)

v2: No longer mark memcpy() as -fno-stack-protector.
v3: Use $(no-stack-protector).
v4: Use inhibit_stack_protector rather than de-protecting all of nptl-init.c.
v5: Don't stack-protect brk() and sbrk() in the shared library.

	* config.make.in (have-ssp): New.
	(no-stack-protector): New.
	* csu/Makefile (CFLAGS-.o): Use it.
	(CFLAGS-.og): Likewise.
	(CFLAGS-.op): Likewise.
	(CFLAGS-.os): Likewise.
	* misc/Makefile (CFLAGS-sbrk.o): Likewise.
	(CFLAGS-sbrk.op): Likewise.
	(CFLAGS-sbrk.og): Likewise.
	(CFLAGS-brk.o): Likewise.
	(CFLAGS-brk.op): Likewise.
	(CFLAGS-brk.og): Likewise.
	* nptl/nptl-init.c [!SHARED] (__pthread_initialize_tcb_internal):
	Likewise.
---
 config.make.in   | 2 ++
 csu/Makefile     | 5 +++++
 misc/Makefile    | 8 ++++++++
 nptl/nptl-init.c | 1 +
 4 files changed, 16 insertions(+)

diff --git a/config.make.in b/config.make.in
index 05ed6ec..9afd4ff 100644
--- a/config.make.in
+++ b/config.make.in
@@ -55,7 +55,9 @@ with-fp = @with_fp@
 enable-timezone-tools = @enable_timezone_tools@
 unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
 have-fpie = @libc_cv_fpie@
+have-ssp = @libc_cv_ssp@
 stack-protector = @stack_protector@
+no-stack-protector = @no_stack_protector@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
 have-libcap = @have_libcap@
diff --git a/csu/Makefile b/csu/Makefile
index 31e8bb9..22afe67 100644
--- a/csu/Makefile
+++ b/csu/Makefile
@@ -45,6 +45,11 @@ before-compile += $(objpfx)version-info.h
 tests := tst-empty tst-atomic tst-atomic-long
 tests-static := tst-empty
 
+CFLAGS-.o += $(no-stack-protector)
+CFLAGS-.og += $(no-stack-protector)
+CFLAGS-.op += $(no-stack-protector)
+CFLAGS-.os += $(no-stack-protector)
+
 ifeq (yes,$(build-shared))
 extra-objs += S$(start-installed-name) gmon-start.os
 ifneq ($(start-installed-name),$(static-start-installed-name))
diff --git a/misc/Makefile b/misc/Makefile
index d7bbc85..e3062f8 100644
--- a/misc/Makefile
+++ b/misc/Makefile
@@ -99,6 +99,14 @@ CFLAGS-getusershell.c = -fexceptions
 CFLAGS-err.c = -fexceptions
 CFLAGS-tst-tsearch.c = $(stack-align-test-flags)
 
+# Called during static library initialization.
+CFLAGS-sbrk.o = $(no-stack-protector)
+CFLAGS-sbrk.op = $(no-stack-protector)
+CFLAGS-sbrk.og = $(no-stack-protector)
+CFLAGS-brk.o = $(no-stack-protector)
+CFLAGS-brk.op = $(no-stack-protector)
+CFLAGS-brk.og = $(no-stack-protector)
+
 include ../Rules
 
 $(objpfx)libg.a: $(dep-dummy-lib); $(make-dummy-lib)
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
index a4626be..2775d14 100644
--- a/nptl/nptl-init.c
+++ b/nptl/nptl-init.c
@@ -298,6 +298,7 @@ static bool __nptl_initial_report_events __attribute_used__;
 
 #ifndef SHARED
 void
+inhibit_stack_protector
 __pthread_initialize_tcb_internal (void)
 {
   /* Unlike in the dynamically linked case the dynamic linker has not
-- 
2.7.0.198.g6dd47b6

[PATCH 10/18] Link libc.so with libc_nonshared.a to pull in __stack_chk_fail_local.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

With this in place, we pull in __stack_chk_fail_local, which will
be required by the next commit, and referenced by every stack-
protected function in libc.

Also prevent that function from being stack-protected itself: this
makes no sense.

v5: Better explanation.  Add no-stack-protection of
    __stack_chk_fail_local etc.

	* Makerules $(common-objpfx)libc.so,
	$(common-objpfx)linkobj/libc.so): Add
	$(common-objpfx)libc_nonshared.a.
	* debug/Makefile (CFLAGS-stack_chk_fail.c): Use $(no-stack-protector).
	(CFLAGS-stack_chk_fail_local.c): Likewise.
---
 Makerules      | 2 ++
 debug/Makefile | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/Makerules b/Makerules
index 53eabfa..d369d78 100644
--- a/Makerules
+++ b/Makerules
@@ -674,6 +674,7 @@ $(common-objpfx)linkobj/libc.so: link-libc-deps = # empty
 # libraries.
 $(common-objpfx)libc.so: $(elf-objpfx)soinit.os \
 			 $(common-objpfx)libc_pic.os$(libc_pic_clean) \
+			 $(common-objpfx)libc_nonshared.a \
 			 $(elf-objpfx)sofini.os \
 			 $(elf-objpfx)interp.os \
 			 $(elf-objpfx)ld.so \
@@ -683,6 +684,7 @@ $(common-objpfx)libc.so: $(elf-objpfx)soinit.os \
 
 $(common-objpfx)linkobj/libc.so: $(elf-objpfx)soinit.os \
 			 $(common-objpfx)linkobj/libc_pic.a \
+			 $(common-objpfx)libc_nonshared.a \
 			 $(elf-objpfx)sofini.os \
 			 $(elf-objpfx)interp.os \
 			 $(elf-objpfx)ld.so \
diff --git a/debug/Makefile b/debug/Makefile
index 6b5f31e..2f506af 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -52,6 +52,12 @@ routines  = backtrace backtracesyms backtracesymsfd noophooks \
 	    $(static-only-routines)
 static-only-routines := warning-nop stack_chk_fail_local
 
+# Building the stack-protector failure routines with stack protection
+# makes no sense.
+
+CFLAGS-stack_chk_fail.c = $(no-stack-protector)
+CFLAGS-stack_chk_fail_local.c = $(no-stack-protector)
+
 CFLAGS-backtrace.c = -fno-omit-frame-pointer
 CFLAGS-sprintf_chk.c = $(libio-mtsafe)
 CFLAGS-snprintf_chk.c = $(libio-mtsafe)
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 10/18] Link libc.so with libc_nonshared.a to pull in __stack_chk_fail_local.

[Andreas Schwab]

Nix <nix@esperi.org.uk> writes:

> @@ -674,6 +674,7 @@ $(common-objpfx)linkobj/libc.so: link-libc-deps = # empty
>  # libraries.
>  $(common-objpfx)libc.so: $(elf-objpfx)soinit.os \
>  			 $(common-objpfx)libc_pic.os$(libc_pic_clean) \
> +			 $(common-objpfx)libc_nonshared.a \

Everything needed for libc.so should come from libc_pic.a.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Re: [PATCH 10/18] Link libc.so with libc_nonshared.a to pull in __stack_chk_fail_local.

[Nix]

On 8 Mar 2016, Andreas Schwab verbalised:

> Nix <nix@esperi.org.uk> writes:
>
>> @@ -674,6 +674,7 @@ $(common-objpfx)linkobj/libc.so: link-libc-deps = # empty
>>  # libraries.
>>  $(common-objpfx)libc.so: $(elf-objpfx)soinit.os \
>>  			 $(common-objpfx)libc_pic.os$(libc_pic_clean) \
>> +			 $(common-objpfx)libc_nonshared.a \
>
> Everything needed for libc.so should come from libc_pic.a.

That means we have to build __stack_check_fail_local into two libraries
at once, since it also has to be in libc_nonshared.a (that's where it is
now and moving it seems likely to be problematic). How does one do that
in the glibc makefile scheme of things?

-- 
NULL && (void)

Re: [PATCH 10/18] Link libc.so with libc_nonshared.a to pull in __stack_chk_fail_local.

[Andreas Schwab]

Nix <nix@esperi.org.uk> writes:

> That means we have to build __stack_check_fail_local into two libraries
> at once, since it also has to be in libc_nonshared.a

libc.so and libc_nonshared.a are variants of the same library.

> How does one do that in the glibc makefile scheme of things?

You can create it under a new name and put it in shared-only-routines.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Re: [PATCH 10/18] Link libc.so with libc_nonshared.a to pull in __stack_chk_fail_local.

[Nix]

On 9 Mar 2016, Andreas Schwab said:

> Nix <nix@esperi.org.uk> writes:
>
>> How does one do that in the glibc makefile scheme of things?
>
> You can create it under a new name and put it in shared-only-routines.

... oh! Of course, just because the filename is different doesn't mean
it can't export the same symbols, and because it's hidden it can never
conflict with anything.

Andreas's infuriating "Socratic review" style wins again, I think.

[pause]

Yes, that seems to work on x86-64 and sparc64, though I still have to
throw it through a full test cycle to be sure this is true with many
configure flag combos and bitnesses. It also means we can drop the
__stack_chk_fail -> __stack_chk_fail_local symbol hack from the static
libcs and only keep it in the shared one, since the only reason it was
there in the static one was because things were being dragged into
libc.so from libc_nonshared.a.

This was an unsatisfactory bit of the patch series, in hindsight: I hope
you like the replacement better.

I chose to augment the value of shared-only-routines for the sake of the
rtld recursion stage: static-only-routines is only assigned with := here
because its previous value, modified during the rtld recursion, is used
to augment $(routines) immediately above.

Provisional patch (real thing will land in the next series I post, v6,
in addition to the limitation of the symbol-hack to SHARED, which is in
a different patch in the series):

From 4360b8f9115f0408ff36ee5779cb0b9daae7264b Mon Sep 17 00:00:00 2001
From: Nick Alcock <nick.alcock@oracle.com>
Date: Fri, 19 Feb 2016 18:49:16 +0000
Subject: [PATCH] Add stack_chk_fail_local to libc.so.

This is required by the next commit, which routes all
__stack_chk_fail() calls in libc.so via this function to avoid
the PLT.  It has be duplicated in libc.so and libc_nonshared.a
because its entire reason for existence is to be hidden and avoid
the PLT, so the copy in libc.so is not visible from elsewhere.

Also stop all the variants of __stack_chk_fail from being stack-
protected: this makes no sense and risks recursion.

v5: Better explanation.  Add no-stack-protection of
    __stack_chk_fail_local etc.
v6: Rework as suggested by Andreas: make a shared-only version of
    stack_chk_fail_local.c rather than linking libc_nonshared into
    libc.

	* debug/libc-stack_chk_fail_local.c: New file.
	* debug/Makefile (routines): Add it.
	(shared-only-routines): Likewise.
	(CFLAGS-stack_chk_fail.c): Use $(no-stack-protector).
	(CFLAGS-stack_chk_fail_local.c): Likewise.
	(CFLAGS-libc-stack_chk_fail_local.c): Likewise.
---
 debug/Makefile                    | 14 +++++++++++++-
 debug/libc-stack_chk_fail_local.c |  3 +++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 debug/libc-stack_chk_fail_local.c

diff --git a/debug/Makefile b/debug/Makefile
index 6b5f31e..27da081 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -48,9 +48,21 @@ routines  = backtrace backtracesyms backtracesymsfd noophooks \
 	    vdprintf_chk obprintf_chk \
 	    longjmp_chk ____longjmp_chk \
 	    fdelt_chk poll_chk ppoll_chk \
-	    stack_chk_fail fortify_fail \
+	    stack_chk_fail fortify_fail libc-stack_chk_fail_local \
 	    $(static-only-routines)
+
+# stack_chk_fail_local must be non-PIC, thus static-only, but we also
+# want an identical thunk hidden in libc.so to avoid going via the PLT.
+
 static-only-routines := warning-nop stack_chk_fail_local
+shared-only-routines += libc-stack_chk_fail_local
+
+# Building the stack-protector failure routines with stack protection
+# makes no sense.
+
+CFLAGS-stack_chk_fail.c = $(no-stack-protector)
+CFLAGS-stack_chk_fail_local.c = $(no-stack-protector)
+CFLAGS-libc-stack_chk_fail_local.c = $(no-stack-protector)
 
 CFLAGS-backtrace.c = -fno-omit-frame-pointer
 CFLAGS-sprintf_chk.c = $(libio-mtsafe)
diff --git a/debug/libc-stack_chk_fail_local.c b/debug/libc-stack_chk_fail_local.c
new file mode 100644
index 0000000..73da970
--- /dev/null
+++ b/debug/libc-stack_chk_fail_local.c
@@ -0,0 +1,3 @@
+/* This goes into the shared libc.  */
+
+#include <stack_chk_fail_local.c>
-- 
2.7.0.198.g6dd47b6

[PATCH 15/18] Avoid stack-protecting signal-handling functions sibcalled from assembly.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

Certain signal-handling functions are sibcalled from assembly on
x86, both on Linux and the Hurd.  As such, they depend on having
the same-shaped stack frame, an assumption it seems likely that
-fstack-protector violates.  More worryingly, setjmp/sigjmp.c lands
in the dynamic linker but is overlooked by the machinery that
rebuilds almost everything else, and is never rebuilt: so we
should compile it witout stack-protection for the sake of ld.so.

v2: de-stack-protect setjmp/sigjmp.c.
v3: Use $(no-stack-protector).
v4: Use inhibit_stack_protector.
v5: Remove inhibition of nptl/pthread_mutex_(un)lock.c now that is
    diagnosed and fixed elsewhere, properly; inhibit _hurd_self_sigstate
    instead.

	* hurd/hurd/signal.h (_hurd_self_sigstate): Add
	inhibit_stack_protector.
	* setjmp/Makefile (CFLAGS-sigjmp.c): Add $(no-stack-protector).
---
 hurd/hurd/signal.h | 2 +-
 setjmp/Makefile    | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hurd/hurd/signal.h b/hurd/hurd/signal.h
index 85e5152..78a25ae 100644
--- a/hurd/hurd/signal.h
+++ b/hurd/hurd/signal.h
@@ -129,7 +129,7 @@ extern struct hurd_sigstate *_hurd_self_sigstate (void)
 #define _HURD_SIGNAL_H_EXTERN_INLINE __extern_inline
 #endif
 
-_HURD_SIGNAL_H_EXTERN_INLINE struct hurd_sigstate *
+_HURD_SIGNAL_H_EXTERN_INLINE inhibit_stack_protector struct hurd_sigstate *
 _hurd_self_sigstate (void)
 {
   struct hurd_sigstate **location = (struct hurd_sigstate **)
diff --git a/setjmp/Makefile b/setjmp/Makefile
index 5b677cc..b617a84 100644
--- a/setjmp/Makefile
+++ b/setjmp/Makefile
@@ -35,3 +35,7 @@ tests-static	:= tst-setjmp-static
 include ../Rules
 
 $(objpfx)tst-setjmp-fp: $(libm)
+
+# This is sibcalled directly from arch-specific assembly, included in rtld,
+# but never rebuilt, so it must never be built with stack protection.
+CFLAGS-sigjmp.c += $(no-stack-protector)
-- 
2.7.0.198.g6dd47b6

[PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

This one is a bit nasty.  Now that we are initializing TLS earlier for
the stack canary's sake, existing memcpy() implementations become
problematic.  We can use the multiarch implementations, but they might
not always be present, and even if they are present they might not always
be in assembler, so might be compiled with stack-protection.  We cannot
use posix/memcpy.c without marking both it and */wordcopy.c as non-stack-
protected, which for memcpy() of all things seems like a seriously bad
idea: if any function in glibc should be stack-protected, it's memcpy()
(though stack-protecting the many optimized assembly versions is not done
in this patch series).

So we have two real options: hack up the guts of posix/memcpy.c and
*/wordcopy.c so that they can be #included (renamed and declared static)
inside libc-tls.c, or simply open-code the memcpy().  For simplicity's
sake, this patch open-codes it, on the grounds that static binaries are
relatively rare and quasi-deprecated anyway, and static binaries with
large TLS sections are yet rarer, and not worth the complexity of hacking
up all the arch-dependent wordcopy files.

(This was not revealed when testing on x86 because on that platform
GCC was open-coding the memcpy() for us.)

v2: New, lets us remove the memcpy() -fno-stack-protection, which wasn't
    enough in any case.
v4: Add an inhibit_loop_to_libcall to prevent GCC from turning the loop
    back into a memcpy() again.  Wrap long lines.

	* csu/libc-tls.c (__libc_setup_tls): Add inhibit_loop_to_libcall
	to avoid calls to potentially ifunced or stack-protected memcpy.
	Open-code the TLS-initialization memcpy.
---
 csu/libc-tls.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/csu/libc-tls.c b/csu/libc-tls.c
index 3d67a64..ef5d76e 100644
--- a/csu/libc-tls.c
+++ b/csu/libc-tls.c
@@ -102,6 +102,7 @@ init_static_tls (size_t memsz, size_t align)
 }
 
 void
+inhibit_loop_to_libcall
 __libc_setup_tls (size_t tcbsize, size_t tcbalign)
 {
   void *tlsblock;
@@ -176,8 +177,18 @@ __libc_setup_tls (size_t tcbsize, size_t tcbalign)
 # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined"
 #endif
   _dl_static_dtv[2].pointer.is_static = true;
-  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.  */
-  memcpy (_dl_static_dtv[2].pointer.val, initimage, filesz);
+
+  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.
+
+     Copy by hand, because memcpy() is stack-protected and is often multiarch
+     too.  */
+
+  char *dst = (char *) _dl_static_dtv[2].pointer.val;
+  char *src = (char *) initimage;
+  size_t i;
+
+  for (i = 0; i < filesz; dst++, src++, i++)
+    *dst = *src;
 
   /* Install the pointer to the dtv.  */
 
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 1354 bytes --]

On 08 Mar 2016 13:50, Nix wrote:
> This one is a bit nasty.  Now that we are initializing TLS earlier for
> the stack canary's sake, existing memcpy() implementations become
> problematic.  We can use the multiarch implementations, but they might
> not always be present, and even if they are present they might not always
> be in assembler, so might be compiled with stack-protection.  We cannot
> use posix/memcpy.c without marking both it and */wordcopy.c as non-stack-
> protected, which for memcpy() of all things seems like a seriously bad
> idea: if any function in glibc should be stack-protected, it's memcpy()
> (though stack-protecting the many optimized assembly versions is not done
> in this patch series).
> 
> So we have two real options: hack up the guts of posix/memcpy.c and
> */wordcopy.c so that they can be #included (renamed and declared static)
> inside libc-tls.c, or simply open-code the memcpy().  For simplicity's
> sake, this patch open-codes it, on the grounds that static binaries are
> relatively rare and quasi-deprecated anyway, and static binaries with
> large TLS sections are yet rarer, and not worth the complexity of hacking
> up all the arch-dependent wordcopy files.

can we utilize _HAVE_STRING_ARCH_memcpy here ?  the string includes will
sometimes provide inlined asm versions ...
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Nix]

On 9 Mar 2016, Mike Frysinger uttered the following:

> On 08 Mar 2016 13:50, Nix wrote:
>> This one is a bit nasty.  Now that we are initializing TLS earlier for
>> the stack canary's sake, existing memcpy() implementations become
>> problematic.  We can use the multiarch implementations, but they might
>> not always be present, and even if they are present they might not always
>> be in assembler, so might be compiled with stack-protection.  We cannot
>> use posix/memcpy.c without marking both it and */wordcopy.c as non-stack-
>> protected, which for memcpy() of all things seems like a seriously bad
>> idea: if any function in glibc should be stack-protected, it's memcpy()
>> (though stack-protecting the many optimized assembly versions is not done
>> in this patch series).
>> 
>> So we have two real options: hack up the guts of posix/memcpy.c and
>> */wordcopy.c so that they can be #included (renamed and declared static)
>> inside libc-tls.c, or simply open-code the memcpy().  For simplicity's
>> sake, this patch open-codes it, on the grounds that static binaries are
>> relatively rare and quasi-deprecated anyway, and static binaries with
>> large TLS sections are yet rarer, and not worth the complexity of hacking
>> up all the arch-dependent wordcopy files.
>
> can we utilize _HAVE_STRING_ARCH_memcpy here ?  the string includes will
> sometimes provide inlined asm versions ...

I think so, *if* we can be sure that arches that define
_HAVE_STRING_ARCH_memcpy will never expand memcpy() to macros that
sometimes call functions, but only to pure inline asm stuff. Since there
is only one definer of that (x86), I'm not sure that's guaranteed...

(This does explain why my original implementation, which didn't do any
of this, also didn't have any problems on x86!)

How's this instead? (Seems to work just as well on x86, which is after
all the only arch this change will affect at all.)

From 3427487ee08586f76f711758795dba31b62c4238 Mon Sep 17 00:00:00 2001
From: Nick Alcock <nick.alcock@oracle.com>
Date: Tue, 23 Feb 2016 11:08:38 +0000
Subject: [PATCH] Open-code the memcpy() at static TLS initialization time.

This one is a bit nasty.  Now that we are initializing TLS earlier for
the stack canary's sake, existing memcpy() implementations become
problematic.  We can use the multiarch implementations, but they might
not always be present, and even if they are present they might not always
be in assembler, so might be compiled with stack-protection.  We cannot
use posix/memcpy.c without marking both it and */wordcopy.c as non-stack-
protected, which for memcpy() of all things seems like a seriously bad
idea: if any function in glibc should be stack-protected, it's memcpy()
(though stack-protecting the many optimized assembly versions is not done
in this patch series).

So we have two real options: hack up the guts of posix/memcpy.c and
*/wordcopy.c so that they can be #included (renamed and declared static)
inside libc-tls.c, or simply open-code the memcpy().  For simplicity's
sake, this patch open-codes it, on the grounds that static binaries are
relatively rare and quasi-deprecated anyway, and static binaries with
large TLS sections are yet rarer, and not worth the complexity of hacking
up all the arch-dependent wordcopy files.  There is one exception: if
the arch provides an inline assembler memcpy() implementation, we can
use that in preference.

(This was not revealed when testing on x86 because on that platform
GCC was open-coding the memcpy() for us.)

v2: New, lets us remove the memcpy() -fno-stack-protection, which wasn't
    enough in any case.
v4: Add an inhibit_loop_to_libcall to prevent GCC from turning the loop
    back into a memcpy() again.  Wrap long lines.
v6: Use the inline assembler ARCH_memcpy if available.

	* csu/libc-tls.c (__libc_setup_tls): Add inhibit_loop_to_libcall
	to avoid calls to potentially ifunced or stack-protected memcpy.
	Open-code the TLS-initialization memcpy.
---
 csu/libc-tls.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/csu/libc-tls.c b/csu/libc-tls.c
index 3d67a64..af0d3e6 100644
--- a/csu/libc-tls.c
+++ b/csu/libc-tls.c
@@ -102,6 +102,7 @@ init_static_tls (size_t memsz, size_t align)
 }
 
 void
+inhibit_loop_to_libcall
 __libc_setup_tls (size_t tcbsize, size_t tcbalign)
 {
   void *tlsblock;
@@ -176,8 +177,22 @@ __libc_setup_tls (size_t tcbsize, size_t tcbalign)
 # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined"
 #endif
   _dl_static_dtv[2].pointer.is_static = true;
-  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.  */
+
+  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.
+
+     Use inlined asm implementation if available: otherwise, copy by hand,
+     because memcpy() is stack-protected and is often multiarch too.  */
+
+#if defined _HAVE_STRING_ARCH_memcpy
   memcpy (_dl_static_dtv[2].pointer.val, initimage, filesz);
+#else
+  char *dst = (char *) _dl_static_dtv[2].pointer.val;
+  char *src = (char *) initimage;
+  size_t i;
+
+  for (i = 0; i < filesz; dst++, src++, i++)
+    *dst = *src;
+#endif
 
   /* Install the pointer to the dtv.  */
 
-- 
2.7.0.198.g6dd47b6

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 2444 bytes --]

On 10 Mar 2016 01:00, Nix wrote:
> On 9 Mar 2016, Mike Frysinger uttered the following:
> > On 08 Mar 2016 13:50, Nix wrote:
> >> This one is a bit nasty.  Now that we are initializing TLS earlier for
> >> the stack canary's sake, existing memcpy() implementations become
> >> problematic.  We can use the multiarch implementations, but they might
> >> not always be present, and even if they are present they might not always
> >> be in assembler, so might be compiled with stack-protection.  We cannot
> >> use posix/memcpy.c without marking both it and */wordcopy.c as non-stack-
> >> protected, which for memcpy() of all things seems like a seriously bad
> >> idea: if any function in glibc should be stack-protected, it's memcpy()
> >> (though stack-protecting the many optimized assembly versions is not done
> >> in this patch series).
> >> 
> >> So we have two real options: hack up the guts of posix/memcpy.c and
> >> */wordcopy.c so that they can be #included (renamed and declared static)
> >> inside libc-tls.c, or simply open-code the memcpy().  For simplicity's
> >> sake, this patch open-codes it, on the grounds that static binaries are
> >> relatively rare and quasi-deprecated anyway, and static binaries with
> >> large TLS sections are yet rarer, and not worth the complexity of hacking
> >> up all the arch-dependent wordcopy files.
> >
> > can we utilize _HAVE_STRING_ARCH_memcpy here ?  the string includes will
> > sometimes provide inlined asm versions ...
> 
> I think so, *if* we can be sure that arches that define
> _HAVE_STRING_ARCH_memcpy will never expand memcpy() to macros that
> sometimes call functions, but only to pure inline asm stuff. Since there
> is only one definer of that (x86), I'm not sure that's guaranteed...

i guess look at the other arch inlines to see what they do.  i honestly
don't know where or how well these APIs are defined.

> +  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.
> +
> +     Use inlined asm implementation if available: otherwise, copy by hand,
> +     because memcpy() is stack-protected and is often multiarch too.  */
> +
> +#if defined _HAVE_STRING_ARCH_memcpy
>    memcpy (_dl_static_dtv[2].pointer.val, initimage, filesz);

should this also depend on SSP not being enabled ?
#if defined _HAVE_STRING_ARCH_memcpy || !defined <whatever SSP define>

otherwise, you'd want to use "#ifdef".
-mike

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Adhemerval Zanella]

On 10-03-2016 09:28, Mike Frysinger wrote:
> On 10 Mar 2016 01:00, Nix wrote:
>> On 9 Mar 2016, Mike Frysinger uttered the following:
>>> On 08 Mar 2016 13:50, Nix wrote:
>>>> This one is a bit nasty.  Now that we are initializing TLS earlier for
>>>> the stack canary's sake, existing memcpy() implementations become
>>>> problematic.  We can use the multiarch implementations, but they might
>>>> not always be present, and even if they are present they might not always
>>>> be in assembler, so might be compiled with stack-protection.  We cannot
>>>> use posix/memcpy.c without marking both it and */wordcopy.c as non-stack-
>>>> protected, which for memcpy() of all things seems like a seriously bad
>>>> idea: if any function in glibc should be stack-protected, it's memcpy()
>>>> (though stack-protecting the many optimized assembly versions is not done
>>>> in this patch series).
>>>>
>>>> So we have two real options: hack up the guts of posix/memcpy.c and
>>>> */wordcopy.c so that they can be #included (renamed and declared static)
>>>> inside libc-tls.c, or simply open-code the memcpy().  For simplicity's
>>>> sake, this patch open-codes it, on the grounds that static binaries are
>>>> relatively rare and quasi-deprecated anyway, and static binaries with
>>>> large TLS sections are yet rarer, and not worth the complexity of hacking
>>>> up all the arch-dependent wordcopy files.
>>>
>>> can we utilize _HAVE_STRING_ARCH_memcpy here ?  the string includes will
>>> sometimes provide inlined asm versions ...
>>
>> I think so, *if* we can be sure that arches that define
>> _HAVE_STRING_ARCH_memcpy will never expand memcpy() to macros that
>> sometimes call functions, but only to pure inline asm stuff. Since there
>> is only one definer of that (x86), I'm not sure that's guaranteed...
> 
> i guess look at the other arch inlines to see what they do.  i honestly
> don't know where or how well these APIs are defined.
> 
>> +  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.
>> +
>> +     Use inlined asm implementation if available: otherwise, copy by hand,
>> +     because memcpy() is stack-protected and is often multiarch too.  */
>> +
>> +#if defined _HAVE_STRING_ARCH_memcpy
>>    memcpy (_dl_static_dtv[2].pointer.val, initimage, filesz);
> 
> should this also depend on SSP not being enabled ?
> #if defined _HAVE_STRING_ARCH_memcpy || !defined <whatever SSP define>
> 
> otherwise, you'd want to use "#ifdef".
> -mike
> 

Is _HAVE_STRING_ARCH_memcpy really doing a better job than gcc? I would prefer
to just use the open memcpy and let it optimize it.

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Nix]

On 10 Mar 2016, Adhemerval Zanella stated:

> On 10-03-2016 09:28, Mike Frysinger wrote:
>> otherwise, you'd want to use "#ifdef".
>> -mike
>
> Is _HAVE_STRING_ARCH_memcpy really doing a better job than gcc? I would prefer
> to just use the open memcpy and let it optimize it.

In most cases I'd agree with you but the thing about
_HAVE_STRING_ARCH_memcpy is that GCC can decide *not* to optimize it:
though we have suppressed generation of libcalls in this function, not
even a call to __builtin_memcpy() is guaranteed to generate inline asm
with no function calls, as far as I know.

(We could start messing about with
__attribute__((__optimize__("-mmemcpy-strategy=STRATEGY"))), but this is
really starting to get a bit over the top, I think... particularly given
that the only platform that works on is *also* the only platform we have
ARCH_memcpy for, so the only platform we don't need that sort of thing
on.)

-- 
NULL && (void)

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Nix]

On 10 Mar 2016, Mike Frysinger verbalised:

> On 10 Mar 2016 01:00, Nix wrote:
>> I think so, *if* we can be sure that arches that define
>> _HAVE_STRING_ARCH_memcpy will never expand memcpy() to macros that
>> sometimes call functions, but only to pure inline asm stuff. Since there
>> is only one definer of that (x86), I'm not sure that's guaranteed...
>
> i guess look at the other arch inlines to see what they do.  i honestly
> don't know where or how well these APIs are defined.

The only platform that defines *any* string arch operations is x86. None
of those fall back to out-of-line functions at all, even for huge inputs
(which for some functions and some larger inputs strikes me as a
terrible implementation choice, but ah well.)

>> +  /* sbrk gives us zero'd memory, so we don't need to clear the remainder.
>> +
>> +     Use inlined asm implementation if available: otherwise, copy by hand,
>> +     because memcpy() is stack-protected and is often multiarch too.  */
>> +
>> +#if defined _HAVE_STRING_ARCH_memcpy
>>    memcpy (_dl_static_dtv[2].pointer.val, initimage, filesz);
>
> should this also depend on SSP not being enabled ?
> #if defined _HAVE_STRING_ARCH_memcpy || !defined <whatever SSP define>

Probably a good idea: it makes things less invasive for the common case.
(Though your belief that there is just *one* SSP define is alas untrue:
we'll have to check all three.)

Adding.

Re: [PATCH 05/18] Open-code the memcpy() at static TLS initialization time.

[Nix]

On 10 Mar 2016, nix@esperi.org.uk stated:

> On 10 Mar 2016, Mike Frysinger verbalised:
>> should this also depend on SSP not being enabled ?
>> #if defined _HAVE_STRING_ARCH_memcpy || !defined <whatever SSP define>
>
> Probably a good idea: it makes things less invasive for the common case.
> (Though your belief that there is just *one* SSP define is alas untrue:
> we'll have to check all three.)

Heh. This has additional fun complications: all of csu/ is built without
stack protection, so we cannot rely on the macros the compiler
predefines to indicate that stack protection is on: for csu/, it's not,
ever.

So I do have to introduce a new #define here, to indicate that
stack-protection is globally enabled even if it's off for some file in
particular (easy to do in configure.ac etc: folding that part into patch
1).

-- 
NULL && (void)

[PATCH 12/18] Link various tests with -fno-stack-protector.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

These tests do not link with libc, so cannot see __stack_chk_fail().

v3: Use $(no-stack-protector).

	* elf/Makefile (CFLAGS-filtmod1.c): Use $(no-stack-protector) for
	non-libc-linking testcase.
	(CFLAGS-filtmod2.c): Likewise.
	* stdlib/Makefile (CFLAGS-tst-putenvmod.c): Likewise.
	* sysdeps/x86_64/Makefile (CFLAGS-tst-quad1pie.c): Likewise.
	(CFLAGS-tst-quad2pie.c): Likewise.
---
 elf/Makefile            | 4 ++++
 stdlib/Makefile         | 3 +++
 sysdeps/x86_64/Makefile | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/elf/Makefile b/elf/Makefile
index 8f0973d..7a1c939 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -751,6 +751,10 @@ $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so
 		  $< -Wl,-F,$(objpfx)filtmod2.so
 $(objpfx)filter: $(objpfx)filtmod1.so
 
+# These do not link against libc.
+CFLAGS-filtmod1.c = $(no-stack-protector)
+CFLAGS-filtmod2.c = $(no-stack-protector)
+
 $(objpfx)unload: $(libdl)
 $(objpfx)unload.out: $(objpfx)unloadmod.so
 
diff --git a/stdlib/Makefile b/stdlib/Makefile
index 26fe67a..d601b87 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -164,6 +164,9 @@ LDFLAGS-tst-putenv = $(no-as-needed)
 
 $(objpfx)tst-putenvmod.so: $(objpfx)tst-putenvmod.os $(link-libc-deps)
 	$(build-module)
+# This is not only not in libc, it's not even linked with it.
+CFLAGS-tst-putenvmod.c += $(no-stack-protector)
+
 libof-tst-putenvmod = extramodules
 
 $(objpfx)bug-getcontext: $(libm)
diff --git a/sysdeps/x86_64/Makefile b/sysdeps/x86_64/Makefile
index 67ed5ba..6caa74a 100644
--- a/sysdeps/x86_64/Makefile
+++ b/sysdeps/x86_64/Makefile
@@ -40,6 +40,9 @@ quad-pie-test += tst-quad1pie tst-quad2pie
 tests += $(quad-pie-test)
 tests-pie += $(quad-pie-test)
 
+CFLAGS-tst-quad1pie.c = $(no-stack-protector)
+CFLAGS-tst-quad2pie.c = $(no-stack-protector)
+
 $(objpfx)tst-quad1pie: $(objpfx)tst-quadmod1pie.o
 $(objpfx)tst-quad2pie: $(objpfx)tst-quadmod2pie.o
 
-- 
2.7.0.198.g6dd47b6

[PATCH 09/18] Work even with compilers hacked to enable -fstack-protector by default.

[Nix]

From: Nick Alcock <nick.alcock@oracle.com>

With all the machinery we just added, we can easily arrange to work even
when the compiler passes in -fstack-protector automatically: all the
necessary bits of glibc are always compiled with -fno-stack-protector
now.

So tear out the check in configure, and add appropriate calls to
-fno-stack-protector in tests that need them (largely those that use
-nostdlib), since we don't yet have a __stack_chk_fail() that those
tests can rely upon.  (GCC often provides one, but we cannot rely on
this, especially not when bootstrapping.)

v2: No longer pass in -lssp to anything.
v5: Remove accidentally duplicated $(no_ssp)s.

	* configure.ac: Add check for unsupported stack-protection level.
	(libc_cv_predef_stack_protector): Remove.
	(no_ssp): New variable.
	(libc_cv_ld_gnu_indirect_function): Use it.
	(libc_cv_asm_set_directive): Likewise.
	(libc_cv_protected_data): Likewise.
	(libc_cv_z_combreloc): Likewise.
	(libc_cv_hashstyle): Likewise.
	(libc_cv_has_glob_dat): Likewise.
	(libc_cv_output_format): Likewise.
	(libc_cv_ehdr_start): Likewise.
	* aclocal.m4 (LIBC_TRY_LINK_STATIC): Likewise.
	(LIBC_LINKER_FEATURE): Likewise.
	(LIBC_COMPILER_BUILTIN_INLINED): Likewise.
---
 aclocal.m4   |  6 +++---
 configure.ac | 70 ++++++++++++++++++------------------------------------------
 2 files changed, 24 insertions(+), 52 deletions(-)

diff --git a/aclocal.m4 b/aclocal.m4
index 3d64f77..6902155 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -141,7 +141,7 @@ int _start (void) { return 0; }
 int __start (void) { return 0; }
 $1
 EOF
-AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -o conftest
+AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -o conftest
 		       conftest.c -static -nostartfiles -nostdlib
 		       1>&AS_MESSAGE_LOG_FD])],
       [$2], [$3])
@@ -226,7 +226,7 @@ if test x"$gnu_ld" = x"yes"; then
     cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 				$2 -nostdlib -nostartfiles
 				-fPIC -shared -o conftest.so conftest.c
 				1>&AS_MESSAGE_LOG_FD])
@@ -268,7 +268,7 @@ libc_compiler_builtin_inlined=no
 cat > conftest.c <<EOF
 int _start (void) { $2 return 0; }
 EOF
-if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 		     $3 -nostdlib -nostartfiles
 		     -S conftest.c -o - | fgrep "$1"
 		     1>&AS_MESSAGE_LOG_FD])
diff --git a/configure.ac b/configure.ac
index a920f89..38e9c27 100644
--- a/configure.ac
+++ b/configure.ac
@@ -664,6 +664,18 @@ AC_SUBST(libc_cv_ssp)
 AC_SUBST(stack_protector)
 AC_SUBST(no_stack_protector)
 
+if test -n "$stack_protector"; then
+  dnl Don't run configure tests with stack-protection on, to avoid problems with
+  dnl bootstrapping.
+  no_ssp=-fno-stack-protector
+else
+  no_ssp=
+
+  if test x"$enable_stack_protector" != xno; then
+    AC_MSG_ERROR([--enable-stack-protector=$enable_stack_protector specified, but specified level of stack protection is not supported by the compiler.])
+  fi
+fi
+
 # For the multi-arch option we need support in the assembler & linker.
 AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
 	       libc_cv_ld_gnu_indirect_function, [dnl
@@ -683,7 +695,7 @@ __start:
 EOF
 libc_cv_ld_gnu_indirect_function=no
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
-	    -nostartfiles -nostdlib \
+	    -nostartfiles -nostdlib $no_ssp \
 	    -o conftest conftest.S 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   # Do a link to see if the backend supports IFUNC relocs.
   $READELF -r conftest 1>&AS_MESSAGE_LOG_FD
@@ -1152,7 +1164,7 @@ extern int glibc_conftest_frobozz;
 void _start() { glibc_conftest_frobozz = 1; }
 EOF
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
-	    -nostartfiles -nostdlib \
+	    -nostartfiles -nostdlib $no_ssp \
 	    -o conftest conftest.s conftest1.c 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   libc_cv_asm_set_directive=yes
 else
@@ -1169,12 +1181,12 @@ AC_CACHE_CHECK(linker support for protected data symbol,
 		int bar __attribute__ ((visibility ("protected"))) = 1;
 EOF
 		libc_cv_protected_data=no
-		if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles -fPIC -shared conftest.c -o conftest.so); then
+		if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles $no_ssp -fPIC -shared conftest.c -o conftest.so); then
 		  cat > conftest.c <<EOF
 		  extern int bar;
 		  int main (void) { return bar; }
 EOF
-		  if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles conftest.c -o conftest conftest.so); then
+		  if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles $no_ssp conftest.c -o conftest conftest.so); then
 		    libc_cv_protected_data=yes
 		  fi
 		fi
@@ -1296,7 +1308,7 @@ extern int mumble;
 int foo (void) { return bar (mumble); }
 EOF
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
-			-fPIC -shared -o conftest.so conftest.c
+			-fPIC -shared $no_ssp -o conftest.so conftest.c
 			-nostdlib -nostartfiles
 			-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
 then
@@ -1334,7 +1346,7 @@ AC_CACHE_CHECK(for --hash-style option,
 cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 			    -fPIC -shared -o conftest.so conftest.c
 			    -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
 then
@@ -1406,7 +1418,7 @@ int foo (void) { return mumble; }
 EOF
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
-			-nostdlib -nostartfiles
+			-nostdlib -nostartfiles $no_ssp
 			1>&AS_MESSAGE_LOG_FD])
 then
 dnl look for GLOB_DAT relocation.
@@ -1423,7 +1435,7 @@ AC_SUBST(libc_cv_has_glob_dat)
 
 AC_CACHE_CHECK(linker output format, libc_cv_output_format, [dnl
 if libc_cv_output_format=`
-${CC-cc} -nostartfiles -nostdlib -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
+${CC-cc} -nostartfiles -nostdlib $no_ssp -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
 then
   :
 else
@@ -1622,46 +1634,6 @@ if test $libc_cv_predef_fortify_source = yes; then
 fi
 AC_SUBST(CPPUNDEFS)
 
-dnl Check for silly hacked compilers inserting -fstack-protector.
-dnl This breaks badly for the early startup code we compile, since
-dnl the compiled code can refer to a magic machine-dependent location
-dnl for the canary value before we have sufficient setup for that to
-dnl work.  It's also questionable to build all of libc with this flag
-dnl even when you're doing that for most applications you build, since
-dnl libc's code is so heavily-used and performance-sensitive.  If we
-dnl ever really want to make that work, it should be enabled explicitly
-dnl in the libc build, not inherited from implicit compiler settings.
-AC_CACHE_CHECK([whether $CC implicitly enables -fstack-protector],
-	       libc_cv_predef_stack_protector, [
-AC_TRY_COMPILE([extern void foobar (char *);],
-	       [char large_array[2048]; foobar (large_array);], [
-libc_undefs=`$NM -u conftest.o |
-  LC_ALL=C $AWK '$1 == "U" { print $2 | "sort -u"; next } { exit(1) }' \
-    2>&AS_MESSAGE_LOG_FD` || {
-  AC_MSG_ERROR([confusing output from $NM -u])
-}
-echo >&AS_MESSAGE_LOG_FD "libc_undefs='$libc_undefs'"
-# On some architectures, there are architecture-specific undefined
-# symbols (resolved by the linker), so filter out unknown symbols.
-# This will fail to produce the correct result if the compiler
-# defaults to -fstack-protector but this produces an undefined symbol
-# other than __stack_chk_fail.  However, compilers like that have not
-# been encountered in practice.
-libc_undefs=`echo "$libc_undefs" | egrep '^(foobar|__stack_chk_fail)$'`
-case "$libc_undefs" in
-foobar) libc_cv_predef_stack_protector=no ;;
-'__stack_chk_fail
-foobar') libc_cv_predef_stack_protector=yes ;;
-*) AC_MSG_ERROR([unexpected symbols in test: $libc_undefs]) ;;
-esac],
-	       [AC_MSG_ERROR([test compilation failed])])
-])
-libc_extra_cflags=
-if test $libc_cv_predef_stack_protector = yes; then
-  libc_extra_cflags="$libc_extra_cflags -fno-stack-protector"
-fi
-libc_extra_cppflags=
-
 # Some linkers on some architectures support __ehdr_start but with
 # bugs.  Make sure usage of it does not create relocations in the
 # output (as the linker should resolve them all for us).
@@ -1671,7 +1643,7 @@ old_CFLAGS="$CFLAGS"
 old_LDFLAGS="$LDFLAGS"
 old_LIBS="$LIBS"
 CFLAGS="$CFLAGS -fPIC"
-LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared"
+LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared $no_ssp"
 LIBS=
 AC_LINK_IFELSE([AC_LANG_SOURCE([
 typedef struct {
-- 
2.7.0.198.g6dd47b6