
mosh hardening flags conflict with Ubuntu Precise hardening flags #203

Closed
keithw opened this Issue · 3 comments

2 participants

@keithw
Owner

mosh (current git master) didn't build on the Ubuntu precise PPA builder, because Ubuntu's hardening flags work poorly with our hardening flags. It built fine on the other Ubuntu releases.

```
g++ -DHAVE_CONFIG_H -I. -I../..  -I./../util  -D_FORTIFY_SOURCE=2 -Wall -Werror -Wextra -pedantic -Wno-long-long -Weffc++ -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1 -fPIE -fno-default-inline -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -c -o terminaldispatcher.o terminaldispatcher.cc
terminaldispatcher.cc: In member function 'void Terminal::Dispatcher::dispatch(Terminal::Function_Type, const Parser::Action*, Terminal::Framebuffer*)':
terminaldispatcher.cc:173:6: error: stack protector not protecting function: all local arrays are less than 4 bytes long [-Werror=stack-protector]
cc1plus: all warnings being treated as errors
make[4]: *** [terminaldispatcher.o] Error 1
```

https://launchpadlibrarian.net/102270658/buildlog_ubuntu-precise-amd64.mosh_1.1.94-0~684~precise1_FAILEDTOBUILD.txt.gz

@kmcallister
Collaborator

In particular, we set

-Werror -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1

and then Ubuntu sets

-fstack-protector --param=ssp-buffer-size=4

overriding our value for "minimum size of buffer to protect". So any function with less than 4 bytes of buffer triggers -Wstack-protector, which errors out due to -Werror.

Is there some way to tell the Ubuntu build process that we'll do hardening ourselves? I'd rather disable Ubuntu's flags than ours, since our protections are a superset of theirs. In particular we build PIEs, which Ubuntu does for openssh (it was the first package added!) but not in general.

(By the way, I'm very glad that Ubuntu sets these flags for the vast majority of packages that do no hardening by default.)
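The interaction described in the comment above can be reproduced on a single small translation unit. The script below is an added example, not code from the mosh project or from the issue: it constructs a C file with a two-byte local array (smaller than the 4-byte threshold Ubuntu sets), then compiles it with the project's flags alone, with Ubuntu's flags appended after them (the order the build log shows), and with the order reversed. The helper name `compile_with`, the `sink` function and the temporary directory are assumptions of this example; the flag strings are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example: show how Ubuntu's appended hardening flags override the
# project's -fstack-protector-all / ssp-buffer-size=1 and turn -Wstack-protector
# into a hard error under -Werror. Requires a GCC that honours --param ssp-buffer-size.

WORK=$(mktemp -d)

# Constructed test input: one function whose only buffer is 2 bytes long.
# sink() is declared but never defined, so the array is address-taken and kept.
cat > "$WORK/small.c" <<'EOF'
void sink(char *p);
int tiny(const char *s)
{
    char buf[2];            /* below Ubuntu's ssp-buffer-size=4 threshold */
    buf[0] = s[0];
    buf[1] = '\0';
    sink(buf);
    return buf[0];
}
EOF

# Flags as quoted in the issue. GCC applies repeated options left to right,
# so whichever -fstack-protector* and --param ssp-buffer-size come last win.
MOSH_FLAGS="-Werror -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1"
UBUNTU_FLAGS="-fstack-protector --param=ssp-buffer-size=4"

# compile_with "<flags>": compile small.c with the given flags, print "ok" on
# success or "fail" on a compile error; diagnostics are kept in $WORK/err.txt.
compile_with() {
    if gcc -c $1 -o "$WORK/small.o" "$WORK/small.c" 2>"$WORK/err.txt"; then
        echo ok
    else
        echo fail
    fi
}

# ssp_warning_seen: did the last compile complain that the stack protector
# skipped the function (the message seen in the Precise build log)?
ssp_warning_seen() {
    if grep -q "stack protector not protecting" "$WORK/err.txt"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: print the three outcomes so the override order is visible.
echo "project flags only:            $(compile_with "$MOSH_FLAGS")"
echo "project then Ubuntu (as in log): $(compile_with "$MOSH_FLAGS $UBUNTU_FLAGS") (ssp warning: $(ssp_warning_seen))"
echo "Ubuntu then project:           $(compile_with "$UBUNTU_FLAGS $MOSH_FLAGS")"
```

The middle case is the one from the build log: once `-fstack-protector --param=ssp-buffer-size=4` follows the project's options, GCC drops back from protecting every function to protecting only those with a char array of at least 4 bytes, `-Wstack-protector` reports the unprotected function, and `-Werror` turns that report into the failed build. Putting the project's flags last restores the stricter setting, which is why the ordering of distribution flags relative to a package's own `CXXFLAGS` matters.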

@keithw
Owner

I'm afraid the pull request doesn't seem to have suppressed the Ubuntu `-fstack-protector --param=ssp-buffer-size=4` flag:

https://code.launchpad.net/~keithw/+archive/mosh/+build/3411596

@kmcallister
Collaborator

Seems to be fixed as of 87f6396. We have successful build logs for Precise i386 and amd64.
