FS#64270 - [gcc] missing spec string for additional compile time stack protector disable

Attached to Project: Arch Linux
Opened by Matt Weber (matthewlweber) - Saturday, 26 October 2019, 08:25 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Thursday, 07 May 2020, 17:48 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The compiler on Arch Linux always builds with -fstack-protector, even when -ffreestanding is passed.  However, when -fnostdlib is passed at link time (which is normally the case when building with -ffreestanding), it is not linked with the stack-protector library.  This leads to a link time error:
/usr/bin/ld: x86/realmode.o: in function `print_serial_u32':
.../x86/realmode.c:104: undefined reference to `__stack_chk_fail'

What was observed in a working build on Ubuntu was that there were the same link time (link_ssp) SSP conditions in the spec.  However for compiler spec options, the following additional item was present. 
*ssp_default:
%{!fno-stack-protector:%{!fstack-protector-all:%{!ffreestanding:%{!nostdlib:%{!fstack-protector:-fstack-protector-strong}}}}} %{!Wformat:%{!Wformat=2:%{!Wformat=0:%{!Wall:-Wform
at} %{!Wno-format-security:-Wformat-security}}}}

We believe that a GCC build when "--enable-default-ssp" adds the "ssp_default" to the spec. Does Arch use that option or a custom patch to set the stack protector flags?

Additional info:
* package version(s)
gcc 9.2.0

Steps to reproduce:
1) git clone https://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git
2) cd kvm-unit-tests ; make

That example compiles an application with the -ffreestanding compile flag and links it with -nostdlib set.  This should normally bypass the stack protector default (RHEL / Ubuntu / Debian)
This task depends upon

Closed by  Bartłomiej Piotrowski (Barthalion)
Thursday, 07 May 2020, 17:48 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in 9.3.0.
Comment by Dave Reisner (falconindy) - Saturday, 26 October 2019, 08:36 GMT Comment by Matt Weber (matthewlweber) - Saturday, 26 October 2019, 09:24 GMT
Dug a little more and it looks like most distros are carrying a patch to add either ssp_default or equivalent. Here for an example in Gentoo, search for ssp-fix to find the right gcc fixup (https://gitweb.gentoo.org/proj/gcc-patches.git/diff/?id2=969a97bb015e65c8a867f695e2fe753bd228dee0).

Similar example from Debian is still carrying gcc-default-ssp.diff: https://salsa.debian.org/toolchain-team/gcc/blob/gcc-7-debian/debian/patches/gcc-default-ssp.diff
Comment by Michel Koss (MichelKoss1) - Saturday, 26 October 2019, 13:58 GMT
Here's direct link to gentoo gcc 9.2.0 patch which is most relevant:

https://gitweb.gentoo.org/proj/gcc-patches.git/tree/9.2.0/gentoo/04_all_default-ssp-fix.patch

Loading...