mosh hardening flags conflict with Ubuntu Precise hardening flags #203

Closed
keithw opened this Issue Apr 17, 2012 · 3 comments


@keithw
Member
keithw commented Apr 17, 2012

mosh (current git master) didn't build on the Ubuntu precise PPA builder, because Ubuntu's hardening flags work poorly with our hardening flags. It built fine on the other Ubuntu releases.

g++ -DHAVE_CONFIG_H -I. -I../..  -I./../util  -D_FORTIFY_SOURCE=2 -Wall -Werror -Wextra -pedantic -Wno-long-long -Weffc++ -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1 -fPIE -fno-default-inline -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -c -o terminaldispatcher.o terminaldispatcher.cc
terminaldispatcher.cc: In member function 'void Terminal::Dispatcher::dispatch(Terminal::Function_Type, const Parser::Action*, Terminal::Framebuffer*)':
terminaldispatcher.cc:173:6: error: stack protector not protecting function: all local arrays are less than 4 bytes long [-Werror=stack-protector]
cc1plus: all warnings being treated as errors
make[4]: *** [terminaldispatcher.o] Error 1

https://launchpadlibrarian.net/102270658/buildlog_ubuntu-precise-amd64.mosh_1.1.94-0~684~precise1_FAILEDTOBUILD.txt.gz

@kmcallister
Contributor

In particular, we set

-Werror -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1

and then Ubuntu sets

-fstack-protector --param=ssp-buffer-size=4

overriding our value for "minimum size of buffer to protect". So any function with less than 4 bytes of buffer triggers -Wstack-protector, which errors out due to -Werror.

Is there some way to tell the Ubuntu build process that we'll do hardening ourselves? I'd rather disable Ubuntu's flags than ours, since our protections are a superset of theirs. In particular we build PIEs, which Ubuntu does for openssh (it was the first package added!) but not in general.

(By the way, I'm very glad that Ubuntu sets these flags for the vast majority of packages that do no hardening by default.)
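As an added example (not mosh's own code or part of this thread), a small checker that walks a g++ command line the way GCC does, last occurrence of a flag wins, and reports the effective stack-protector settings; the constructed input is the Precise command line from the build log above. The flag table and the "upstream default" values of no protector and ssp-buffer-size 8 are my assumptions about GCC.

```python
import shlex

# Constructed input: the failing g++ command line quoted in the build log above.
PRECISE_CMDLINE = (
    "g++ -DHAVE_CONFIG_H -I. -I../.. -I./../util -D_FORTIFY_SOURCE=2 -Wall -Werror "
    "-Wextra -pedantic -Wno-long-long -Weffc++ -fno-strict-overflow -D_FORTIFY_SOURCE=2 "
    "-fstack-protector-all -Wstack-protector --param ssp-buffer-size=1 -fPIE "
    "-fno-default-inline -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 "
    "-Wformat -Wformat-security -c -o terminaldispatcher.o terminaldispatcher.cc"
)

# GCC applies these left to right; whichever appears last is the one in effect.
PROTECTOR_LEVELS = {
    "-fno-stack-protector": "none",
    "-fstack-protector": "some",      # only functions with buffers >= ssp-buffer-size
    "-fstack-protector-all": "all",   # every function
}

def effective_hardening(cmdline):
    """Return the stack-protector settings GCC ends up with for this command line."""
    args = shlex.split(cmdline)
    protector, ssp_buffer_size = "none", 8   # assumed upstream GCC defaults
    wstack_protector = werror = False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--param" and i + 1 < len(args):   # "--param X=Y" spelled as two words
            i += 1
            arg = "--param=" + args[i]
        if arg in PROTECTOR_LEVELS:
            protector = PROTECTOR_LEVELS[arg]
        elif arg.startswith("--param=ssp-buffer-size="):
            ssp_buffer_size = int(arg.rsplit("=", 1)[1])
        elif arg == "-Wstack-protector":
            wstack_protector = True
        elif arg == "-Werror":
            werror = True
        i += 1
    return {"protector": protector, "ssp_buffer_size": ssp_buffer_size,
            "wstack_protector": wstack_protector, "werror": werror}

def conflicts(cmdline):
    """True when -Wstack-protector is fatal (-Werror) but the final protector level
    leaves functions with small buffers unprotected, which is what broke the Precise build."""
    h = effective_hardening(cmdline)
    return h["werror"] and h["wstack_protector"] and h["protector"] == "some"

if __name__ == "__main__":
    print(effective_hardening(PRECISE_CMDLINE), "conflict:", conflicts(PRECISE_CMDLINE))
```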

@keithw
Member
keithw commented Apr 17, 2012

I'm afraid the pull request doesn't seem to have suppressed the Ubuntu `-fstack-protector --param=ssp-buffer-size=4` flag:

https://code.launchpad.net/~keithw/+archive/mosh/+build/3411596

@kmcallister
Contributor

Seems to be fixed as of 87f6396. We have successful build logs for Precise i386 and amd64.
