Hardened compiler flags by default #12895

Merged
merged 563 commits into from Aug 29, 2016

@globin
Member
globin commented Feb 9, 2016 edited

This adds some compiler/linker flags to harden our packages via a stdenv adapter:

The following parameters are now available:

  • hardeningDisable
    To disable specific hardening flags
  • hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  • fortify
  • stackprotector
  • pie (disabled by default)
  • pic
  • strictoverflow
  • format
  • relro
  • bindnow

Information from the debian wiki:

Stack protector is a mainline GCC feature, which adds safety checks against stack overwrites. This renders many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application). http://en.wikipedia.org/wiki/Stack-smashing_protection
Currently this uses -fstack-protector-all instead of -fstack-protector-strong because the bootstrapping compiler is too old. /cc @edolstra

Fortify
During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain '%n' are blocked. If an application depends on such a format string, it will need to be worked around.

Format
If -Wformat is specified, also warn about uses of format functions that represent possible security problems. At present, this warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf (foo);. This may be a security hole if the format string came from untrusted input and contains %n.

Position Independent Executable (pie) are needed to take advantage of Address Space Layout Randomization, supported by some kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this (-fPIC), so they gain ASLR automatically, but binary .text regions need to be built PIE to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

relro
During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.

bindnow
During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to -z relro above). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn't be an issue for daemons.

State in other Distributions
Nearly all major distributions are setting these flags by default (except for pie); Debian started working on this ~10 years ago, see links at the end.

Most packages build (https://hydra.nixos.org/jobset/nixpkgs/pr-12895#tabs-evaluations), mostly needs further testing at runtime.

I'd be happy to hear more comments, ideas, concerns!

Links
https://wiki.debian.org/Hardening
https://wiki.ubuntu.com/Security/Features
https://wiki.gentoo.org/wiki/Project:Hardened (and https://wiki.gentoo.org/wiki/Hardened/FAQ)
https://wiki.archlinux.org/index.php/DeveloperWiki:Security

(/cc @copumpkin @fpletz)
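As an added example (not code from this PR or from nixpkgs), a small Python ELF64 inspector that checks whether the linker-side flags described above (relro, bindnow, pie) actually landed in a produced binary, which is how a package's hardeningDisable/hardeningEnable settings can be verified after the build. It only reads program headers and the dynamic section; canary and fortify checks need symbol inspection and are out of scope. The `build_elf` fixture constructs a synthetic, non-loadable ELF image for the stand-alone demo.

```python
import struct
import sys

# ELF constants (values from the ELF specification / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # DT_FLAGS bit set by -z now
DF_1_NOW = 0x1             # DT_FLAGS_1 bit set by -z now
DF_1_PIE = 0x08000000      # DT_FLAGS_1 bit newer linkers set for PIE executables

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr (56 bytes)
DYN_FMT = "<qQ"               # Elf64_Dyn (16 bytes)


def check_hardening(data: bytes) -> dict:
    """Report relro / bindnow / pie for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_interp = has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _msz, _al = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True          # an executable, not a shared library
        elif p_type == PT_GNU_RELRO:
            has_relro = True           # -z relro: segment made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now, flags_1 = False, 0
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                bind_now = True
            elif d_tag == DT_FLAGS_1:
                flags_1 = d_val
                bind_now = bind_now or bool(d_val & DF_1_NOW)

    # Full RELRO needs both the read-only segment and eager binding; without
    # bindnow .got.plt stays writable, the case the description calls "still vulnerable".
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    pie = e_type == ET_DYN and (has_interp or bool(flags_1 & DF_1_PIE))
    return {"relro": relro, "bindnow": bind_now, "pie": pie}


def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed fixture: a synthetic ELF64 image holding only the headers and
    dynamic entries the checker inspects. It is not a loadable binary."""
    dyn = []
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)))
    dyn.append((DT_NULL, 0))
    dyn_blob = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)

    n_ph = 3 if relro else 2
    dyn_off = 64 + 56 * n_ph             # dynamic section follows the program headers
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1),
             (PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ph_blob = b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + ph_blob + dyn_blob


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_hardening(f.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, check_file(path))
    # Stand-alone demo on the constructed fixtures
    print("hardened:", check_hardening(build_elf(pie=True, relro=True, bind_now=True)))
    print("partial :", check_hardening(build_elf(pie=False, relro=True, bind_now=False)))
```

Run it with one or more paths to inspect real binaries from a build output; a package built with relro but with bindnow disabled shows up as `"relro": "partial"`.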

@mention-bot

By analyzing the blame information on this pull request, we identified @edolstra, @rbvermaa and @MarcWeber to be potential reviewers

@copumpkin
Member

First off, awesome effort, thank you 👍 👍 👍 👍 🍻

Second, I know you say that it hasn't been tested on Darwin, but I'm wondering if you've tested things using the clang stdenv even on Linux. If so, I have reasonable confidence that all issues Darwin might encounter would be resolved ahead of time.

Edit: is PIE off by default due to performance concerns? I believe on Mac OS, it's on by default for x86_64 due to it being cheap.

@copumpkin copumpkin referenced this pull request Feb 9, 2016
Closed

RFC: Harden(ed) NixOS #7220

@heydojo
Contributor
heydojo commented Feb 9, 2016

Is there a global switch to turn this all off? Or should I be looking at clang? (For prototyping and boards like the Pi Zero where I want speed, I don't want the penalties this creates.)

I would be interested in benchmarks to see what kind of a difference these changes make.

@globin
Member
globin commented Feb 9, 2016

Yes hardening_all = false;

@heydojo
Contributor
heydojo commented Feb 9, 2016

@globin cool tnx!

@copumpkin
Member

@globin your evaluation error with hardening.foo is due to your hardening arguments making their way down to the underlying derivation. Nix assumes that all parameters to derivation (the builtin underlying mkDerivation) should be stringified and put into the environment of the underlying script. That's not as important in our case, but is still happening with your code. When you had hardening_foo, that was a boolean so could easily be stringified. When you wrote hardening.foo, that turned into a dict-valued attribute called hardening to derivation, and when Nix tries to stringify hardening, it doesn't know what to do.

@vcunat
Member
vcunat commented Feb 9, 2016

Currently this uses -fstack-protector-all instead of -fstack-protector-strong because the bootstrapping compiler is too old.

There's no use for hardening during bootstrapping so you can selectively disable it in there. BTW, I didn't know gcc-4.8.3 is considered so old.

This includes a gcc update to gcc5 as we were checking all builds anyway and fixed up some stuff on the way.

We've had an unresolved discussion around gcc5 switch due to the question whether to use the new C++ ABI by default (already). (Full conformance to C++11 vs. inability to link with stuff compiled by older gcc versions.) #8729

@copumpkin
Member

I didn't know gcc-4.8.3 is considered so old.

Hey, it was released over a year and a half ago. That's ages in computer time 😄

@globin
Member
globin commented Feb 9, 2016

Ok sounds like I'll take the gcc bump out again.

Regarding GCC 4.8:

Since GCC 4.9, -fstack-protector-strong, an improved version of -fstack-protector is introduced, which covers all the more paranoid conditions that might lead to a stack overflow but not trade performance like -fstack-protector-all, thus it becomes default.

@copumpkin
Member

Is moving to 4.9 less controversial than 5?

@globin
Member
globin commented Feb 9, 2016

gcc49 is the default for the system, only the pre-built bootstrap gcc is at 4.8

@globin
Member
globin commented Feb 11, 2016

@copumpkin PIE is off because it breaks nearly everything (see the Ubuntu link where they have turned it on), I reckon you're thinking of PIC.

@domenkozar
Member

FYI, travis is saying:

error: anonymous function at /home/travis/build/NixOS/nixpkgs/pkgs/development/compilers/webdsl/default.nix:1:1 called without required argument ‘strategoPackages’, at /home/travis/build/NixOS/nixpkgs/lib/customisation.nix:56:12
@globin globin referenced this pull request Feb 21, 2016
Closed

wiki: Hardened NixOS #13304

@jagajaga
Member

👍

globin added some commits Feb 25, 2016
@globin globin wvstreams: use newer gcc
710f4cf
@globin globin haskell.compilers.ghc6104: turn off format hardening
da9352e
@globin globin ssvnc: turn off format hardening e0200a5
@globin globin self: use default compiler 7412bff
@globin globin stunnel: 5.29 -> 5.30 351173c
@globin globin flow: 0.18 -> 0.22 46b0d51
@globin globin signing-party: 2.1 -> 2.2 c045d2d
@globin globin openssh: enable pie hardening b627995
@globin globin nginx: enable pie hardening 310fa56
@globin globin socat: enable pie hardening a737622
@globin globin checksec: clean up 631c09b
@globin globin cron: enable pie hardening 87e64f1
@globin globin chrony: enable pie hardening 62f65d1
@globin globin dnsmasq: enable pie hardening e392824
@globin globin radvd: enable pie hardening 8b9eccb
@globin globin icecast: enable pie hardening 1a31447
@globin globin memcached: enable pie hardening b4dadff
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv
3477e66
@globin globin fix evaluation
b3d9562
@globin globin mongodb: enable pie hardening 5176e7a
@grahamc
Member
grahamc commented Feb 27, 2016

I'm seeing a failure to evaluate still:

18:46:15.370 error: attribute ‘kernelHeaders’ missing, at /var/lib/gocd-agent/pipelines/nixpkgs-prs/pkgs/os-specific/linux/dietlibc/default.nix:14:19
18:46:15.371 (use ‘--show-trace’ to show detailed location information)
18:46:15.415 /nix/store/5awhg8rsrpc18gw6v333zx2724wxibyx-nixpkgs-lint-1/bin/.nixpkgs-lint-wrapped: evaluation of ‘.’ failed
@globin
Member
globin commented Feb 27, 2016

I merged in master yesterday after a week of changes and a few things need fixing up

globin added some commits Feb 27, 2016
@globin globin glibc: disable stackprotector hardening 83bf03e
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv 0889372
@globin globin dietlibc: fix merge failure
d3fb7ac
@globin globin speed_dreams: remove obsolete variable
14177f5
@globin globin postfix: use hardening flags from stdenv
cfffac2
@globin globin v8_3_16_14: use default stdenv
8615f02
@zimbatm
Contributor
zimbatm commented Feb 28, 2016

This is good. Maybe we could get a hydra channel to make it easier to track the build errors?

For consistency's sake it would be nice if the hardening* arguments were in the camelCase format.

globin added some commits Feb 28, 2016
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv
3b4765c
@globin globin perl520: fix bootstrap compilation by disabling fortify hardening
4d6db3c
@globin globin clisp_2_44_1: disable format hardening 85515f0
@globin globin clang-analyzer: use default clang 2d17e81
@globin globin perseus: disable stackprotector hardening 4f0608a
@globin
Member
globin commented Mar 1, 2016
globin added some commits Mar 1, 2016
@globin globin pdf2xml: disable format hardening 1bbb2f0
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv
d47857c
@globin globin caneda: disable format hardening 9ba6bd4
@globin globin gnu-efi: disable stackprotector hardening a6dae3b
@globin globin refind: disable stackprotector hardening a12ecfc
@globin globin gummiboot: disable stackprotector hardening
2f7e9f2
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv 33f7d0b
@globin globin redmine: disable format hardening
4c9c4c4
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv
fed4942
@globin globin ceph: possible fix for zip timestamps
84cc00b
@globin globin spark: fix hash
23d85c7
@globin globin pharo-vm5: disable format hardening
745fa2f
@Profpatsch
Contributor

You guys at mayflower are crazy! Major props. Probably also to @fadenb and @fpletz.

fadenb and others added some commits Mar 4, 2016
@fadenb fadenb memtest86+: disable pic/stackprotector hardening c3096a4
@fadenb fadenb faac: disable format hardening e43a384
@globin globin Merge pull request #13673 from mayflower/fix/disable_hardening
disable hardening: faac + memtest86+
5a1a8b6
@globin
Member
globin commented Mar 4, 2016

Definitely props to @fpletz who started this work :)

@fpletz
Member
fpletz commented Mar 5, 2016

I removed the stdenv adapter and instead enable hardening by default in the cc-wrapper. The lists hardeningDisable and hardeningEnable can be used to toggle hardening flags. The meta flag all is available for hardeningDisable to disable all hardening. Feedback on this interface would be appreciated. The PR description above has been updated accordingly.

We changed this because adding new environment variables is a bit hacky and breaks overriding hardening flags of derivations. This should work now.

fpletz added some commits Nov 14, 2015
@fpletz fpletz coreutils: Skip some tests (filenames too long) a2e449e
@fpletz fpletz Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
aff1f4a
@fpletz fpletz Merge remote-tracking branch 'origin/master' into hardened-stdenv
cb3d27d
@fpletz
Member
fpletz commented Mar 5, 2016

Open question: We would like to bump the bootstrapTools to a current version with gcc 4.9 as mentioned a few times above. How should this be done? I'm seeing links to tarballs.nixos.org and to dropbox (wat?). Where can we put these bootstrap tarballs where URLs don't change and they won't get garbage collected? The current builds from hydra work just fine, we tested those already.

@domenkozar Should we maybe bump these for 16.03?

fpletz added some commits Mar 5, 2016
@fpletz fpletz glibc: stackprotector is already disabled in default.nix
This overwrites the hardeningDisable attribute and removes disabling the
fortify flag.
034b2ec
@fpletz fpletz vim: Disable hardening flag fortify
Fortify hardening detects a probable buffer overflow in vim at runtime. This
has to be fixed upstream.

Debian also disables fortify:

  https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/rules#n6
0cad2e7
globin added some commits Mar 6, 2016
@globin globin linuxPackages.virtualbox: disable fortify/pic/stackprotector 1b4ec4b
@globin globin vim-configurable: Disable hardening flag fortify
Fortify hardening detects a probable buffer overflow in vim at runtime. This
has to be fixed upstream.

Debian also disables fortify:

  https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/rules#n6
2013614
@domenkozar
Member

@fpletz excuse my non-responsiveness. Not sure about the bootstrap files, I think only @edolstra can do that.

I've created http://hydra.nixos.org/jobset/nixpkgs/pr-12895 to build this PR. Keep going :)

@vcunat
Member
vcunat commented Mar 7, 2016

There's even a Hydra job for building (new) bootstrap tools http://hydra.nixos.org/job/nixpkgs/trunk/stdenvBootstrapTools.x86_64-linux.dist, so the main part is about having write-access to tarballs.nixos.org.

fpletz added some commits Mar 7, 2016
@fpletz fpletz cc-wrapper: Check if ld supports -z, fixes darwin baee91e
@fpletz fpletz Merge remote-tracking branch 'origin/master' into hardened-stdenv
e9fc4e7
@fpletz fpletz nginx: Remove custom hardening, now enabled by default fedf316
@fpletz fpletz quicktun: Remove custom hardening, now enabled by default
ac73835
@grahamc
Member
grahamc commented Aug 13, 2016

Building locally, I get almost through the entire build but fail on broadcom-sta:

make[1]: Entering directory '/nix/store/k2m9959g1hhph2ymn9zxxh9hwz96s04x-linux-4.7-dev/lib/modules/4.7.0/build'
arch/x86/Makefile:133: stack-protector enabled but compiler support broken
/nix/store/k2m9959g1hhph2ymn9zxxh9hwz96s04x-linux-4.7-dev/lib/modules/4.7.0/source/Makefile:670: Cannot use CONFIG_CC_STACKPROTECTOR_REGULAR: -fstack-protector not supported by compiler
CFG80211 API is prefered for this kernel version
Using CFG80211 API
  LD      /tmp/nix-build-broadcom-sta-6.30.223.271-4.7.drv-0/broadcom-sta/built-in.o
  CC [M]  /tmp/nix-build-broadcom-sta-6.30.223.271-4.7.drv-0/broadcom-sta/src/shared/linux_osl.o
/tmp/nix-build-broadcom-sta-6.30.223.271-4.7.drv-0/broadcom-sta/src/shared/linux_osl.c:1:0: error: code model kernel does not support PIC mode

Found this at https://bugs.launchpad.net/ubuntu/+source/bcmwl/+bug/1578455 :

Note that this bug is not specific to the broadcom code. It affects _all_ kernel module builds, and is caused by a recent change in gcc-5 (which makes -fPIE default).

The solution should therefore probably be implemented more generically than just in these packages: possibly in dkms or in the kernel headers.

@obadz
Contributor
obadz commented Aug 13, 2016

@grahamc, so

pie (disabled by default)

… is no longer true?

@fpletz
Member
fpletz commented Aug 13, 2016

PIC != PIE 😄

Disabling PIC on broadcom_sta is missing, fix is coming with my next push. PIC is not supported for kernel modules.

@obadz
Contributor
obadz commented Aug 13, 2016

@fpletz, the quote that @grahamc mentions refers to PIE:

(which makes -fPIE default)

@grahamc
Member
grahamc commented Aug 13, 2016 edited

Running locally, I saw in my journal:

Aug 13 15:34:29 NdNdNx pulseaudio[1259]: Failed to open module module-x11-publish.so: module-x11-publish.so: cannot open shared object file: No such file or directory
Aug 13 15:34:29 NdNdNx pulseaudio[1259]: Failed to open module "module-x11-publish".

Everything important seems to be working for me.

  • UEFI
  • encrypted root
  • ext4
  • i3

I'll try again soon with Gnome.

@grahamc
Member
grahamc commented Aug 14, 2016

Gnome + Chromium seems to have some problems with icons.

(screenshot: missing-icons)

globin added some commits Aug 13, 2016
@globin globin linuxPackages.lttng-modules: fix build 2676cf9
@globin globin linuxPackages.rtl8812au: fix build 8071caf
@globin globin xorg.*: disable relro/bindnow hardening
Breaks the module system at runtime otherwise.
27b9f5d
@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv
99cb230
@globin
Member
globin commented Aug 14, 2016

@obadz: Xorg should be fixed by 27b9f5d

@obadz
Contributor
obadz commented Aug 14, 2016

Thx @globin, I'll wait for eval 1287299 to finish building and give it another go.

@mbakke
Contributor
mbakke commented Aug 14, 2016

@grahamc The icons are broken in current unstable too, since about a week ago.

@grahamc
Member
grahamc commented Aug 14, 2016

Got it. A cursory test of KDE and Gnome both seem to work fine, then. I'm not a power user but it definitely worked.

@FRidh
Member
FRidh commented Aug 14, 2016 edited

KDE5 was without issues. Chrome works, Steam with a game works.

I've encountered only one issue, nix-shell -p python35Packages.ptyprocess results in a segmentation fault whereas on master it doesn't.

@globin
Member
globin commented Aug 14, 2016 edited

Cannot reproduce:

EDIT: sorry, the last two replies hadn't appeared and I thought I'd refreshed.

@obadz
Contributor
obadz commented Aug 15, 2016

xorg starting fine on 99cb230! Thank you!

Most things seem to be working normally including Chromium & Skype.

So far the only thing I've noticed is that vboxnet0.service has been acting up. It crashed on first boot, then I was able to restart it. But it worked fine on second boot. I would probably not even have mentioned this if it wasn't for the fact that it had also crashed with the same error message the previous time that I tried this PR.

journalctl -u vboxnet0.service shows error messages:

-- Reboot --
Aug 15 00:56:53 hostname systemd[1]: Starting VirtualBox vboxnet0 Interface...
Aug 15 00:56:53 hostname vboxnet0-start[808]: VBoxManage: error: Failed to create the VirtualBox object!
Aug 15 00:56:53 hostname vboxnet0-start[808]: VBoxManage: error: Code NS_ERROR_FACTORY_NOT_REGISTERED (0x80040154) - Class not registered (extended info not available)
Aug 15 00:56:53 hostname vboxnet0-start[808]: VBoxManage: error: Most likely, the VirtualBox COM server is not running or failed to start.
Aug 15 00:56:53 hostname systemd[1]: vboxnet0.service: Main process exited, code=exited, status=1/FAILURE
Aug 15 00:56:53 hostname systemd[1]: Failed to start VirtualBox vboxnet0 Interface.
Aug 15 00:56:53 hostname systemd[1]: vboxnet0.service: Unit entered failed state.
Aug 15 00:56:53 hostname systemd[1]: vboxnet0.service: Failed with result 'exit-code'.

(I have virtualisation.virtualbox.host.enable = true;)

@globin
Member
globin commented Aug 15, 2016 edited

More information on python35Packages.ptyprocess, not sure if it is failing due to python or due to python35Packages.ptyprocess; possibly turning off hardening flags with buildPythonPackage does not work properly:

test_preexec (tests.test_preexec_fn.PreexecFns) ... 
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6e4350e in forkpty () from /nix/store/szq6dgq4b7fsa8p85sfs5njfly4a5000-glibc-2.23/lib/libutil.so.1
#2  0x00007ffff7a77263 in os_forkpty ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#3  0x00007ffff7a3126c in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#4  0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#5  0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#6  0x00007ffff7a2fb1f in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#7  0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#8  0x00007ffff7a2fb1f in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#9  0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#10 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#11 0x00007ffff799c8b5 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#12 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#13 0x00007ffff7a2c250 in PyEval_EvalFrameEx ()
---Type <return> to continue, or q <return> to quit---
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#14 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#15 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#16 0x00007ffff799c7c8 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#17 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#18 0x00007ffff79883b4 in method_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#19 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#20 0x00007ffff79ce900 in slot_tp_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#21 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#22 0x00007ffff7a2b1ec in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#23 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#24 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#25 0x00007ffff799c8b5 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
---Type <return> to continue, or q <return> to quit---
#26 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#27 0x00007ffff7a2c250 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#28 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#29 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#30 0x00007ffff799c7c8 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#31 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#32 0x00007ffff79883b4 in method_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#33 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#34 0x00007ffff79ce900 in slot_tp_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#35 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#36 0x00007ffff7a2b1ec in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#37 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#38 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
---Type <return> to continue, or q <return> to quit---
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#39 0x00007ffff799c8b5 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#40 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#41 0x00007ffff7a2c250 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#42 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#43 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#44 0x00007ffff799c7c8 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#45 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#46 0x00007ffff79883b4 in method_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#47 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#48 0x00007ffff79ce900 in slot_tp_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#49 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#50 0x00007ffff7a2b1ec in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
---Type <return> to continue, or q <return> to quit---
#51 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#52 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#53 0x00007ffff799c8b5 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#54 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#55 0x00007ffff7a2c250 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#56 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#57 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#58 0x00007ffff799c7c8 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#59 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#60 0x00007ffff79883b4 in method_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#61 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#62 0x00007ffff79ce900 in slot_tp_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#63 0x00007ffff79716ca in PyObject_Call ()
---Type <return> to continue, or q <return> to quit---
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#64 0x00007ffff7a2b1ec in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#65 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#66 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#67 0x00007ffff799c8b5 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#68 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#69 0x00007ffff7a2c250 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#70 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#71 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#72 0x00007ffff799c7c8 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#73 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#74 0x00007ffff79883b4 in method_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#75 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#76 0x00007ffff79ce900 in slot_tp_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#77 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#78 0x00007ffff7a2b1ec in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#79 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#80 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#81 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#82 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#83 0x00007ffff799c8b5 in function_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#84 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#85 0x00007ffff79883b4 in method_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#86 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#87 0x00007ffff79ce5d0 in slot_tp_init ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#88 0x00007ffff79cc946 in type_call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#89 0x00007ffff79716ca in PyObject_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#90 0x00007ffff7a2b1ec in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#91 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#92 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#93 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#94 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#95 0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#96 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#97 0x00007ffff7a2fb1f in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#98 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#99 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#100 0x00007ffff7a329fb in PyEval_EvalCode ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#101 0x00007ffff7a26d7d in builtin_exec ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#102 0x00007ffff79b90c9 in PyCFunction_Call ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#103 0x00007ffff7a315b3 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#104 0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#105 0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#106 0x00007ffff7a329fb in PyEval_EvalCode ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#107 0x00007ffff7a518c4 in run_mod ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#108 0x00007ffff7a53e05 in PyRun_FileExFlags ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#109 0x00007ffff7a53f76 in PyRun_SimpleFileExFlags ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#110 0x00007ffff7a6afd4 in Py_Main ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#111 0x0000000000400cd7 in main ()

EDIT
After digging through the code, minimal reproduction:

[nix-shell:~/dev/nixpkgs/Python-3.5.2]$ gdb python3
Reading symbols from python3...(no debugging symbols found)...done.
(gdb) run
Starting program: /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/bin/python3 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/nix/store/szq6dgq4b7fsa8p85sfs5njfly4a5000-glibc-2.23/lib/libthread_db.so.1".
Python 3.5.2 (default, Jun 25 2016, 21:38:40) 
[GCC 5.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty
>>> pty.fork()

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6e4350e in forkpty () from /nix/store/szq6dgq4b7fsa8p85sfs5njfly4a5000-glibc-2.23/lib/libutil.so.1
#2  0x00007ffff7a77263 in os_forkpty ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#3  0x00007ffff7a3126c in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#4  0x00007ffff7a30ec7 in PyEval_EvalFrameEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#5  0x00007ffff7a328f2 in _PyEval_EvalCodeWithName ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#6  0x00007ffff7a329d3 in PyEval_EvalCodeEx ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#7  0x00007ffff7a329fb in PyEval_EvalCode ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#8  0x00007ffff7a518c4 in run_mod ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#9  0x00007ffff7a53962 in PyRun_InteractiveOneObject ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#10 0x00007ffff7a53c1e in PyRun_InteractiveLoopFlags ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#11 0x00007ffff7a543ae in PyRun_AnyFileExFlags ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#12 0x00007ffff7a6ae38 in Py_Main ()
   from /nix/store/8vdmddn7gdw1644c12dl80cjm1hfrjxi-python3-3.5.2/lib/libpython3.5m.so.1.0
#13 0x0000000000400cd7 in main ()
(gdb) 
@obadz
Contributor
obadz commented Aug 15, 2016

@globin,

Mentioned in http://www.psf.upfronthosting.co.za/issue27287

simplest repro:

$ python3.5 -c 'import os; os.forkpty()'
python3.5: command not found

Affects all versions of the interpreter…

Rebuilding python with hardeningDisable = [ "all" ]; does not fix.

@obadz
Contributor
obadz commented Aug 15, 2016

Apparently this is the solution: https://bugs.gentoo.org/show_bug.cgi?id=584916#c12

@globin
Member
globin commented Aug 15, 2016 edited

Patch applied locally and testing currently.
(fixed in glibc 2.24 https://sourceware.org/bugzilla/show_bug.cgi?id=19861)

@globin globin Merge remote-tracking branch 'upstream/master' into hardened-stdenv
33e1c78
@globin
Member
globin commented Aug 16, 2016

Added the patch and merged in master, should avoid doing a full-rebuild twice.

@RamKromberg
Contributor

You can probably revert this: 24835df#diff-28b34304a6a1909783145800909b90df

Maybe even 60a0bb7#diff-28b34304a6a1909783145800909b90df with a low priority for wineWow?

@globin
Member
globin commented Aug 16, 2016

@RamKromberg: I don't see how this PR changes anything in regard to those commits, the gcc updates are on master, too, so a PR should simply be opened for those changes. :)

@RamKromberg
Contributor

@globin oh sorry I had my nixpkgs master just before 5.4 got committed so I didn't notice it was in unstable.. :/ I'll give it a try soon. Thanks for the heads up :)

obadz and others added some commits Aug 17, 2016
@obadz obadz calamares/tarball test: fix eval error
e0f124a
@fpletz fpletz Merge remote-tracking branch 'origin/master' into hardened-stdenv
Fixes #17801 and #17802.
b4cc9bd
@obadz
Contributor
obadz commented Aug 19, 2016

Today I bumped glibc to 2.24 in staging and since hydra had made little progress building pr-12895 over the last 3 days I decided to cancel it to give more resources for staging to build.

Once we know that glibc 2.24 works, we can merge that (into master and) into hardened-stdenv and try to have hydra focus on building pr-12895 then?

@obadz obadz added a commit that referenced this pull request Aug 22, 2016
@obadz obadz Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags
enabled by default on the whole package set
24a9183
@obadz
Contributor
obadz commented Aug 22, 2016

glibc 2.24 has been merged from staging to master, and hardened-stdenv is now merged into staging.

If you'd like to cheer hydra: http://hydra.nixos.org/build/38892192#tabs-constituents

@obadz
Contributor
obadz commented Aug 22, 2016 edited

@edolstra,

This branch has built fine with all tests passing here: http://hydra.nixos.org/build/38503032#tabs-constituents

FWIW I've also been running on it for 8 days without any hiccups.

It's being rebuilt in staging with glibc 2.24 and a bunch of other changes in staging: http://hydra.nixos.org/build/38892192#tabs-constituents

I am planning to merge it into master if there aren't any substantial issues with that build unless you let us know that you want more time to think/review/or if you or anyone else has concerns.

@edolstra edolstra commented on the diff Aug 22, 2016
doc/stdenv.xml
@@ -1360,6 +1360,209 @@ in the default system locations.</para>
</section>
+<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
+
+<para>There are flags available to harden packages at compile or link-time.
+These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
+<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
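Review bot: the opening paragraph names `hardeningDisable` and `hardeningEnable` but says neither which flags are on by default nor that `hardeningDisable` accepts `"all"`; state both here (fortify, stackprotector, pic, strictoverflow, format, relro and bindnow enabled by default, pie opt-in, `hardeningDisable = [ "all" ]` to switch everything off), since that is the first thing a packager chasing a hardening-related build failure needs to know.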
@edolstra
edolstra Aug 22, 2016 Member

Why not a single flag hardening = (true|false)? Seems strange to have two Boolean arguments that are each other's opposite.

@edolstra
edolstra Aug 22, 2016 Member

Oh, they're not Booleans.

@edolstra edolstra commented on an outdated diff Aug 22, 2016
nixos/modules/module-list.nix
@@ -402,7 +402,6 @@
./services/networking/softether.nix
./services/networking/spiped.nix
./services/networking/sslh.nix
- ./services/networking/ssh/lshd.nix
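Review bot: removing `./services/networking/ssh/lshd.nix` from the module list has nothing to do with the hardening flags and makes any configuration that still uses that module fail to evaluate; if the removal is intended, it belongs in its own commit with a message saying why (the PR description does not mention it), otherwise it should be dropped from this branch.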
@edolstra
edolstra Aug 22, 2016 Member

Is this intended?

@edolstra edolstra commented on an outdated diff Aug 22, 2016
pkgs/build-support/cc-wrapper/add-hardening
@@ -0,0 +1,61 @@
+hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
+hardeningFlags+=("${hardeningEnable[@]}")
+hardeningCFlags=()
+hardeningLDFlags=()
+hardeningDisable=${hardeningDisable:-""}
+
+if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
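Review bot: the capability probe `$($LD -z 2>&1)` runs the linker on every invocation of the wrapper, and `$LD` is fixed once the wrapper is built, so evaluate it a single time when the wrapper derivation is built and substitute the result into the script. Separately, `hardeningEnable` is expanded with no default while `hardeningDisable` gets one on the next line; should the wrapper ever run under `set -u`, bash older than 4.4 treats `"${hardeningEnable[@]}"` on an unset array as an unbound-variable error, so give it the same empty default.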
@edolstra
edolstra Aug 22, 2016 Member

Doesn't this cause an extra invocation of ld for every call to the gcc wrapper? That seems pretty expensive to me...

@edolstra
edolstra Aug 22, 2016 Member

Given that $LD is constant, it should be possible to do this check at stdenv build time.

@edolstra edolstra commented on an outdated diff Aug 22, 2016
pkgs/build-support/cc-wrapper/add-hardening
+ ;;
+ pic)
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
+ hardeningCFlags+=('-fPIC')
+ ;;
+ strictoverflow)
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
+ hardeningCFlags+=('-fno-strict-overflow')
+ ;;
+ format)
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
+ hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+ ;;
+ relro)
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
+ hardeningLDFlags+=('-z relro')
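Review bot: `hardeningLDFlags+=('-z relro')` stores the option and its argument as one word, which only works because the array is later expanded unquoted; add them as two elements, `hardeningLDFlags+=('-z' 'relro')`, so the array can be expanded as `"${hardeningLDFlags[@]}"` without relying on re-splitting. For the `format` case, `-Werror=format-security` turns the non-literal format-string warning into a hard error, so packages whose upstream build only warns on it will now fail; that is the intended effect, but it is the likeliest source of new build failures from this flag and deserves a sentence in the docs.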
@edolstra
edolstra Aug 22, 2016 Member

This only works because hardeningLDFlags is later used unquoted. Would be better IMHO to do

hardeningLDFlags+=('-z' 'relro')
@edolstra edolstra commented on an outdated diff Aug 22, 2016
pkgs/build-support/cc-wrapper/default.nix
@@ -238,6 +238,7 @@ stdenv.mkDerivation {
rm $out/nix-support/setup-hook.tmp
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
+ cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
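Review bot: `cp -p` copies the script verbatim whereas `add-flags` on the line above goes through `substituteAll`; use `substituteAll` for `add-hardening` as well, so build-time constants (the result of the linker capability check, the path of `$LD`) can be baked into it, and name the source file `add-hardening.sh` to match its destination.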
@edolstra
edolstra Aug 22, 2016 Member

The source file should also be called add-hardening.sh.

@edolstra edolstra and 1 other commented on an outdated diff Aug 22, 2016
pkgs/development/compilers/ccl/default.nix
@@ -5,7 +5,7 @@ let
/* TODO: there are also MacOS, FreeBSD and Windows versions */
x86_64-linux = {
arch = "linuxx86";
- sha256 = "0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6";
+ sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq";
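Review bot: the sha256 of the ccl source changes with no version change and no explanation in the commit; a fixed-output hash changing for the same upstream artifact is exactly what the hash exists to catch, so before replacing it confirm what actually changed (a re-fetch of a moving source versus a modified tarball) and record that finding in the commit message rather than only pasting the new hash.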
@edolstra
edolstra Aug 22, 2016 Member

?

@fpletz
fpletz Aug 23, 2016 Member

The hash of the ccl source has changed in the hardening-stdenv branch somehow (fetchsvn?) and isn't even correct on master. Also, the new hash here is wrong again due to mass rebuilds.

@fpletz
fpletz Aug 23, 2016 Member

Fixed the hash again in this branch.

@obadz
Contributor
obadz commented Aug 22, 2016 edited

re lsh, looks like it was @fpletz's decision in 73f4c2b

@obadz
Contributor
obadz commented Aug 22, 2016

re the ccl hash, @globin in d12ff64

@obadz
Contributor
obadz commented Aug 22, 2016

looking at the diff, am also curious about 393977d: "Remove qcmm, strategoxt, aterm, bibtextools"

@obadz
Contributor
obadz commented Aug 22, 2016 edited

@fpletz mentioned that he is working on addressing @edolstra's concerns re the wrapper. This will require a mass rebuild in staging.

The current staging branch passes the same tests as master does.

@globin
Member
globin commented Aug 23, 2016 edited

TODO:

  • move add-hardening -> add-hardening.sh (@globin)
  • use correct quotation in shell script for -z relro and -z now (@globin)
  • make LD feature check constant (@fpletz)
  • recheck packages, services which were removed when broken in gcc update (possibly fixed on master) (@globin)
  • recheck the ccl hash (@fpletz)
@globin
Member
globin commented Aug 23, 2016

Pushing the changes to the PR branch for now as I don't want to cause intermittent mass-rebuilds.

globin and others added some commits Aug 23, 2016
@globin globin Revert "lsh: remove last references"
This reverts commit 8329066.
3a18f06
@globin globin Revert "Remove lsh, broken & unmaintained"
This reverts commit 73f4c2b.
7413278
@joachifm @globin joachifm lsh: fix gcc5 build
The build fails with c11 (also tested c99), but works with gnu90.
8ab4009
@globin globin czmq: fix build
Uses -Werror, failing with additionally enabled warnings from hardening.
9e21120
@fpletz fpletz cc-wrapper: check ld hardening capabilities in stdenv 3c06e5f
@fpletz fpletz ccl: fix hash 17234ca
@fpletz fpletz changed the title from [WIP/RFC] Hardened compiler flags by default to Hardened compiler flags by default Aug 23, 2016
@mrobbetts
Contributor
mrobbetts commented Aug 24, 2016 edited

I just updated my hardened-stdenv branch to get hold of today's commit(s) (I was up to date with it yesterday) and the huge rebuild is failing at the pcre package with:

----->8------->8----

FAIL: pcre_jit_test
===================

Running JIT regression tests
  target CPU of SLJIT compiler: x86 64bit (little endian + unaligned)
  in  8 bit mode with UTF-8  enabled and ucp enabled:

8 bit: JIT compiler does not support: AbC
8 bit: Test should match: [1] 'AbC' @ 'AbAbC'
FAIL pcre_jit_test (exit status: 139)

FAIL: RunTest
=============


PCRE C library tests using test data from ./testdata
PCRE version 8.38 2015-11-23

---- Testing 8-bit library ----

Test 1: Main functionality (Compatible with Perl >= 5.10)
  OK
  OK with study
  OK with JIT study
Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
  OK
  OK with study
  OK with JIT study
Cannot test locale-specific features - none of the 'fr_FR', 'fr' or
'french' locales exist, or the "locale" command is not available
to check for them.

Test 4: UTF-8 support (Compatible with Perl >= 5.10)
  OK
  OK with study
  OK with JIT study
Test 5: API, internals, and non-Perl stuff for UTF-8 support
  OK
  OK with study
  OK with JIT study
Test 6: Unicode property support (Compatible with Perl >= 5.10)
  OK
  OK with study
  OK with JIT study
Test 7: API, internals, and non-Perl stuff for Unicode property support
  OK
  OK with study
  OK with JIT study
Test 8: DFA matching main functionality
  OK
  OK with study
Test 9: DFA matching with UTF-8
  OK
  OK with study
Test 10: DFA matching with Unicode properties
  OK
  OK with study
Test 11: Internal offsets and code size tests
  OK
  OK with study
Test 12: JIT-specific features (when JIT is available)
--- ./testdata/testoutput12 2015-09-02 08:53:57.000000000 +0000
+++ testtry 2016-08-24 03:59:09.652704792 +0000
@@ -9,7 +9,7 @@
 Need char = 'c'
 Subject length lower bound = 3
 No starting char list
-JIT study was successful
+JIT study was not successful

 /(?(?C1)(?=a)a)/S+I
 Capturing subpattern count = 0
@@ -46,7 +46,7 @@
 Need char = 'c'
 Subject length lower bound = 3
 No starting char list
-JIT study was successful
+JIT study was not successful
 Compiled pattern written to testsavedregex
 Study data written to testsavedregex

@@ -66,45 +66,45 @@

 /(?(R)a*(?1)|((?R))b)/S+
     aaaabcde
-Error -27 (JIT stack limit reached)
+Error -26 (nested recursion at the same subject position)

 /-- Test various compile modes --/ 

 /abcd/S++
     abcd
- 0: abcd (JIT)
+ 0: abcd
     xyz  
-No match (JIT)
+No match

 /abcd/S+
     abcd
- 0: abcd (JIT)
+ 0: abcd
     ab\P
-Partial match: ab (JIT)
+Partial match: ab
     ab\P\P
-Partial match: ab (JIT)
+Partial match: ab
     xyz
-No match (JIT)
+No match

 /abcd/S++
     abcd
- 0: abcd (JIT)
+ 0: abcd
     ab\P
-Partial match: ab (JIT)
+Partial match: ab
     ab\P\P
-Partial match: ab (JIT)
+Partial match: ab
     xyz
-No match (JIT)
+No match

 /abcd/S++1
     abcd
- 0: abcd (JIT)
+ 0: abcd
     ab\P
 Partial match: ab
     ab\P\P
 Partial match: ab
     xyz
-No match (JIT)
+No match
     xyz\P
 No match

@@ -112,7 +112,7 @@
     abcd
  0: abcd
     ab\P
-Partial match: ab (JIT)
+Partial match: ab
     ab\P\P
 Partial match: ab
     xyz
@@ -120,13 +120,13 @@

 /abcd/S++3
     abcd
- 0: abcd (JIT)
+ 0: abcd
     ab\P
-Partial match: ab (JIT)
+Partial match: ab
     ab\P\P
 Partial match: ab
     xyz
-No match (JIT)
+No match

 /abcd/S++4
     abcd
@@ -134,39 +134,39 @@
     ab\P
 Partial match: ab
     ab\P\P
-Partial match: ab (JIT)
+Partial match: ab
     xyz
 No match

 /abcd/S++5
     abcd
- 0: abcd (JIT)
+ 0: abcd
     ab\P
 Partial match: ab
     ab\P\P
-Partial match: ab (JIT)
+Partial match: ab
     xyz
-No match (JIT)
+No match

 /abcd/S++6
     abcd
  0: abcd
     ab\P
-Partial match: ab (JIT)
+Partial match: ab
     ab\P\P
-Partial match: ab (JIT)
+Partial match: ab
     xyz
 No match

 /abcd/S++7
     abcd
- 0: abcd (JIT)
+ 0: abcd
     ab\P
-Partial match: ab (JIT)
+Partial match: ab
     ab\P\P
-Partial match: ab (JIT)
+Partial match: ab
     xyz
-No match (JIT)
+No match

 /abcd/S++2I 
 Capturing subpattern count = 0
@@ -175,15 +175,15 @@
 Need char = 'd'
 Subject length lower bound = 4
 No starting char list
-JIT study was successful
+JIT study was not successful

 /(*NO_START_OPT)a(*:m)b/KS++
     a
-No match, mark = m (JIT)
+No match, mark = m

 /^12345678abcd/mS++
     12345678abcd
- 0: 12345678abcd (JIT)
+ 0: 12345678abcd

 /-- Test pattern compilation --/ 

FAIL RunTest (exit status: 1)

============================================================================
Testsuite summary for PCRE 8.38
============================================================================
# TOTAL: 3
# PASS:  1
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
============================================================================
Makefile:2612: recipe for target 'test-suite.log' failed
make[3]: *** [test-suite.log] Error 1
make[3]: Leaving directory '/tmp/nix-build-pcre-8.38.drv-0/pcre-8.38'
Makefile:2718: recipe for target 'check-TESTS' failed
make[2]: *** [check-TESTS] Error 2
make[2]: Leaving directory '/tmp/nix-build-pcre-8.38.drv-0/pcre-8.38'
Makefile:2957: recipe for target 'check-am' failed
make[1]: *** [check-am] Error 2
make[1]: Leaving directory '/tmp/nix-build-pcre-8.38.drv-0/pcre-8.38'
Makefile:2960: recipe for target 'check' failed
make: *** [check] Error 2
gcc -DHAVE_CONFIG_H -I. -I../..  -DLOCALEDIR=\"/nix/store/xgrdpjxaavnrqqdbxkdpa2rlbbqw0dnv-xz-5.2.2/share/locale\" -I../../src/common -I../../src/liblzma/api -I../../lib  -pthread -fvisibility=hidden -Wall -Wextra -Wvla -Wformat=2 -Winit-self -Wmissing-include-dirs -Wstrict-aliasing -Wfloat-equal -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wlogical-op -Waggregate-return -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wredundant-decls -g -O2 -c -o xz-tuklib_open_stdxxx.o `test -f '../common/tuklib_open_stdxxx.c' || echo './'`../common/tuklib_open_stdxxx.c
builder for ‘/nix/store/xs41msw0gz3wb62k6px78nx4mn317g0k-pcre-8.38.drv’ failed with exit code 2
cannot build derivation ‘/nix/store/84hrf7w9ga2jhk1rb2pmld4qcysjzdcq-gnugrep-2.25.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/53198hfgxgzik3ji7rfc9jx8p7w7b1np-stdenv.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/g37vl831cmj1qwzcz8ay1zym2ww934ay-nix-1.11.2.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/g37vl831cmj1qwzcz8ay1zym2ww934ay-nix-1.11.2.drv’ failed

I also get the following in my dmesg (I'm using a grsecurity kernel):

[Tue Aug 23 20:53:48 2016] grsec: denied resource overstep by requesting 4096 for RLIMIT_NOFILE against limit 4096 for /tmp/nix-build-patch-2.7.5.drv-0/patch-2.7.5/conftest[conftest:18810] uid/euid:30010/30010 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:18809] uid/euid:30010/30010 gid/egid:30000/30000
[Tue Aug 23 20:53:48 2016] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 4096 for /tmp/nix-build-patch-2.7.5.drv-0/patch-2.7.5/conftest[conftest:18810] uid/euid:30010/30010 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:18809] uid/euid:30010/30010 gid/egid:30000/30000
[Tue Aug 23 20:53:48 2016] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 4096 for /tmp/nix-build-patch-2.7.5.drv-0/patch-2.7.5/conftest[conftest:19209] uid/euid:30010/30010 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:19207] uid/euid:30010/30010 gid/egid:30000/30000
[Tue Aug 23 20:53:48 2016] grsec: denied resource overstep by requesting 4096 for RLIMIT_NOFILE against limit 4096 for /tmp/nix-build-patch-2.7.5.drv-0/patch-2.7.5/conftest[conftest:19209] uid/euid:30010/30010 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:19207] uid/euid:30010/30010 gid/egid:30000/30000
[Tue Aug 23 20:53:48 2016] grsec: denied resource overstep by requesting 4096 for RLIMIT_NOFILE against limit 4096 for /tmp/nix-build-patch-2.7.5.drv-0/patch-2.7.5/conftest[conftest:19589] uid/euid:30010/30010 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:19588] uid/euid:30010/30010 gid/egid:30000/30000
[Tue Aug 23 20:53:56 2016] grsec: denied RWX mmap of <anonymous mapping> by /tmp/nix-build-pcre-8.38.drv-0/pcre-8.38/.libs/lt-pcre_jit_test[lt-pcre_jit_tes:28278] uid/euid:30003/30003 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:28273] uid/euid:30003/30003 gid/egid:30000/30000
[Tue Aug 23 20:53:56 2016] lt-pcre_jit_tes[28278]: segfault at 28 ip 000003effca90148 sp 000003fe76b7a760 error 4 in libc-2.23.so[3effca1b000+198000]
[Tue Aug 23 20:53:56 2016] grsec: Segmentation fault occurred at 0000000000000028 in /tmp/nix-build-pcre-8.38.drv-0/pcre-8.38/.libs/lt-pcre_jit_test[lt-pcre_jit_tes:28278] uid/euid:30003/30003 gid/egid:30000/30000, parent /nix/store/d1prcspbh2qsviipvnaxizcj8l3g7fpw-bootstrap-tools/bin/bash[bash:28273] uid/euid:30003/30003 gid/egid:30000/30000
[Tue Aug 23 20:53:56 2016] audit: type=1701 audit(1472010785.889:123): auid=4294967295 uid=30003 gid=30000 ses=4294967295 pid=28278 comm="lt-pcre_jit_tes" exe="/tmp/nix-build-pcre-8.38.drv-0/pcre-8.38/.libs/lt-pcre_jit_test" sig=11

Does this make sense to anyone here?

fpletz added some commits Aug 24, 2016
@fpletz fpletz cc-wrapper: fix detection of unsupported linker flags 8576aea
@fpletz fpletz Merge remote-tracking branch 'origin/master' into hardened-stdenv
c0fa26e
@globin
Member
globin commented Aug 24, 2016

@mrobbetts there was a bug in yesterday's commits.

@mrobbetts
Contributor

@globin ah, fabulous. Rebuilding now :)

@mrobbetts
Contributor

Is #17999 another such case? It is failing for me now.

@obadz
Contributor
obadz commented Aug 27, 2016

@edolstra, are you OK for us to merge staging if http://hydra.nixos.org/build/39310332#tabs-constituents looks good?

@obadz
Contributor
obadz commented Aug 28, 2016

The tests looked pretty good but the Golang ecosystem was broken by the binutils version bump in 0c12ae5. Was fixed by 6eb4014.

If there are no objections (cc @edolstra) AND the latest eval looks clean (http://hydra.nixos.org/build/39336299#tabs-constituents), I will merge staging tomorrow.

@domenkozar
Member

There are still 65 "newly failing jobs" compared to trunk-combined: http://hydra.nixos.org/eval/1289558?compare=trunk-combined

@globin
Member
globin commented Aug 28, 2016

But 97 newly succeeding jobs 🙈
I guess we should merge nonetheless as it's getting hard to fix stuff without creating conflicts on master regularly. I'm constantly fixing up new stuff, and the real failures, disregarding dependencies, are 3 or 4 packages that look unrelated to hardening at least.

@obadz
Contributor
obadz commented Aug 28, 2016

Agreed, unless @edolstra (or someone else) has concerns, let's go ahead and merge and deal with the minor remaining issues (which likely won't require a mass rebuild) in master.

@obadz
Contributor
obadz commented Aug 28, 2016

@domenkozar, are you concerned enough that you're saying we shouldn't merge?

@domenkozar
Member

If you're willing to help fix those later (which I'm sure you do), let's merge if there are no objections from others.

@edolstra
Member

Looks great to me. Thanks for all the work on this!

@obadz obadz merged commit c0fa26e into master Aug 29, 2016

0 of 2 checks passed

continuous-integration/travis-ci/pr The Travis CI build could not complete due to an error
continuous-integration/travis-ci/push The Travis CI build could not complete due to an error
@globin globin deleted the hardened-stdenv branch Aug 29, 2016
@offlinehacker
Contributor

Great work guys, thanks :)

@cleverca22
Contributor
cleverca22 commented Sep 4, 2016 edited

https://gist.github.com/cleverca22/b1300b91ea6bf8951256c60acf2844ee

__memcpy_chk appears to be missing from the libc.a in glibc.static master, but it is present on an older nixpkgs from 20f009d

edit:
ah, that function just moved to ${stdenv.cc.cc.out}/lib/libssp.a for some strange reason, -lssp solves the problem

@vcunat
Member
vcunat commented Sep 11, 2016

Hmm, it seems we still have glibc without stack protector: #1.

@fpletz
Member
fpletz commented Sep 11, 2016

Thanks for pointing that out. We had to disable stackprotector for the glibc build but didn't investigate further. There are even more hardening options available in the configure script for glibc. I'll check what we can enable. Unfortunately, this will be another mass rebuild that probably won't make it into 16.09.

@andrewrk
Contributor

Great work on this issue. Is there a way that we can have these hardening flags applied to nixpkgs, but not always force gcc users to use the flags? See #18995
