Feature #13274
enable -fstack-protector-strong by default in user land
Status: closed
% Done: 100%
Description
It is long past time for -fstack-protector-strong to be enabled by default in user land in the build. This goes through and enables this across the entire user land stack with a few exceptions to deal with bootstrapping and other minor challenges. In particular, if this had been enabled, it would have at least caught #13242 (I explicitly tested that).
- rtld (and as a side effect libc and libconv) due to bootstrapping issues around enabling the guard
- kmdb as it needs its own implementation of the stack protector and can't really use the kernel's
- The kmdb standalone versions of libdis, libctf, and libumem which are only used for kmdb.
- DTrace's drti.o which would require other objects to need ssp_ns that wouldn't in and of itself know to
The above can all be dealt with in other work over time. The highest value would be enabling libc; however, that's no reason to stop getting basically all of the rest of userland enabled.
As part of doing this work, I discovered a lot of bugs in the build system which will be linked as blockers on this ticket.
Related issues
Updated by Robert Mustacchi over 2 years ago
- Blocked by Feature #5788: Want support for GCC's stack protector in libc added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13260: librtld_db demo should be built separately added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13261: libdbus-1 deps missing libbsm added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13262: rcm_daemon missing library search paths added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13263: startd needs to search $(ROOT)/usr/lib/fm for deps added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13264: perl Makefiles place object files after libraries added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13265: libmp.so.1 missing library search path added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13266: mdb build tools should use native tools added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13267: tools libld build picks up normal sgs libs added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13268: lp native build forgot CFLAGS added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13269: esc needs a native build added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13270: cmd/spell native build incomplete added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13271: 64-bit crypto tests have wrong library search path added
Updated by Robert Mustacchi over 2 years ago
- Blocked by Bug #13272: 64-bit secflags test has wrong ldlibs added
Updated by Robert Mustacchi over 2 years ago
To test this I did the following:
- Manually verified that we had emitted calls to the stack protector into most binaries and libraries.
- Ran through the primary test suites: crypto, libc, elf, os, and util
- Used bits semi-regularly
Then, I had a bunch of help from the broader community. In particular the following folks helped test their workloads:
- Andy Fiddaman built OmniOS with these changes
- Dan McDonald built SmartOS with these changes and uncovered a small issue with it
- Alex Wilson built SmartOS and tested some of their workloads with this present
- Peter Tribble verified that this built cleanly on SPARC
I also did builds of everything on ssp bits which is why we had all the linked changes.
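One way to repeat the manual check for emitted stack protector calls described in the comment above, as an added example that is not part of the ticket or the illumos build: it walks a directory and lists ELF objects that never reference `__stack_chk_fail`, the handler GCC calls when a guard check fails. The function names are hypothetical, and the use of `nm` with `-D` as the symbol dumper is an assumption.

```shell
#!/bin/sh
# Added example: list ELF objects under a directory that never reference
# the stack-protector failure handler that GCC emits calls to.

# Print the symbols of one object from both the static and the dynamic
# symbol table. Assumption: an nm that accepts -D; substitute any dumper.
dump_syms() {
    { nm "$1"; nm -D "$1"; } 2>/dev/null
}

# True if the file starts with the ELF magic bytes (0x7f 'E' 'L' 'F').
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "$(printf '\177ELF')" ]
}

# True if the object references __stack_chk_fail, or the _local variant
# used by 32-bit PIC code. Only whole symbol names match.
has_ssp() {
    dump_syms "$1" |
        grep -Eq '(^|[^[:alnum:]_])__stack_chk_fail(_local)?([^[:alnum:]_]|$)'
}

# Walk a tree and print every ELF object with no stack-protector reference.
# A hit is a candidate for review, not proof of a build error: an object
# whose functions have no arrays or address-taken locals gets no guard
# even when built with -fstack-protector-strong.
audit_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        is_elf "$f" || continue
        has_ssp "$f" || printf '%s\n' "$f"
    done
}

# Usage: sh audit.sh /path/to/proto/area
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Objects the ticket lists as exceptions (rtld, libc, kmdb and its standalone libraries) are expected to appear in the output.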
Updated by Electric Monk over 2 years ago
- Status changed from New to Closed
- % Done changed from 80 to 100
git commit 5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6
commit 5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6
Author: Robert Mustacchi <rm@fingolfin.org>
Date: 2020-11-17T16:52:10.000Z

13274 enable -fstack-protector-strong by default in user land
Reviewed by: Andy Fiddaman <andy@omniosce.org>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Gordon Ross <gordon.w.ross@gmail.com>
Updated by Joshua M. Clulow over 2 years ago
- Related to Bug #13324: struct dk_minfo_ext size differences trigger SSP in libfdisk added
Updated by Andy Fiddaman about 2 years ago
- Related to Bug #13562: zlogin for Solaris10 branded zones does not work after implementation of Feature #13274 added