[Fedora-packaging] RFC mass bug reporting: checksec failures

Steve Grubb sgrubb at redhat.com
Fri Sep 18 00:15:52 UTC 2015


On Thu, 17 Sep 2015 13:53:38 +0300
Alexander Todorov <atodorov at redhat.com> wrote:

> On 17.09.2015 at 13:34, Steve Grubb wrote:
> > On Thu, 17 Sep 2015 11:07:37 +0300
> > Alexander Todorov <atodorov at redhat.com> wrote:
> >
> >> Can somebody comment on the -fstack-protector-all vs
> >> -fstack-protector-strong issue? Do we want to change the default
> >> for %__global_cflags in /usr/lib/rpm/redhat/macros ?
> >
> > -all is not needed, -strong is the right balance between security
> > and performance. For example
> >
> > int add(int a, int b)
> > {
> > 	return a+b;
> > }
> >
> > Does that need a stack canary? This is the nature of why some
> > functions don't get a canary. Whenever knowledge of a stack frame
> > is passed as a pointer to a function, then -strong will kick in and
> > do a stack check on return.
> >
> 
> Hi Steve,
> thanks for the explanation.
> 
> So it looks like I should ignore stack canary warnings (assuming the
> package is using the default flags). Should this be ignored for both
> libraries and executable binaries or only libraries? Or is the answer
> once again that you can't tell that easily?

Not completely. See below.


> > To know if the right thing is being done is hard to script. You
> > really need to see what flags are passed to each source file being
> > compiled. You just can't get at that from readelf.
> >
> 
> Is it realistic to request a RFE with this information stored in the
> compiled object and then be read by readelf ? If so I can file bugs
> in bugzilla.redhat.com or upstream.
> 

I think Florian answered this. Indeed, the --debug-dump option does
find these strings, but they are mixed in with other data. I think that
if there is no canary and flags were passed, it's not a problem. If the
flags are absent, the build scripts are suspect.

-Steve
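The triage rule Steve describes (no canary is fine if the stack-protector flag was passed, suspect if it was not) written out as a small script; this is an added example, not something from the thread or from Fedora's tooling. It assumes the build recorded its flags in DW_AT_producer (GCC does this with -grecord-gcc-switches) and that binutils' readelf is available for the wrapper; the sample readelf lines are constructed, not captured from a real build.

```shell
#!/bin/sh
# Triage a checksec "no canary" finding the way this thread describes:
# a missing __stack_chk_fail reference is only a problem when the compiler
# flags recorded in the object (DW_AT_producer, written by GCC when
# -grecord-gcc-switches is passed) do not contain -fstack-protector*.
#
# triage_canary SYMBOLS PRODUCERS
#   SYMBOLS   : text of `readelf -s --wide BINARY`
#   PRODUCERS : text of `readelf --debug-dump=info BINARY | grep DW_AT_producer`
# Prints exactly one of: canary, ok-no-protected-frames, suspect-build
triage_canary() {
    if printf '%s\n' "$1" | grep -q '__stack_chk_fail'; then
        # Some function needed a canary and got one.
        echo canary
    elif printf '%s\n' "$2" | grep -q -- '-fstack-protector'; then
        # Flags were passed; -strong simply found no frame worth protecting
        # (add() in the thread takes no address of a local and has no array).
        echo ok-no-protected-frames
    else
        # Neither a canary nor the flag: the build scripts are suspect.
        echo suspect-build
    fi
}

# Convenience wrapper for a real file (assumes binutils' readelf is installed).
triage_file() {
    triage_canary "$(readelf -s --wide "$1" 2>/dev/null)" \
        "$(readelf --debug-dump=info "$1" 2>/dev/null | grep DW_AT_producer)"
}

# Constructed sample inputs approximating readelf output (not from a real build).
SYM_WITH_CANARY='    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'
SYM_NO_CANARY='    12: 0000000000001040    11 FUNC    GLOBAL DEFAULT   14 add'
PROD_STRONG='    <10>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C99 5.1.1 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong -grecord-gcc-switches'
PROD_NONE='    <10>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C99 5.1.1 -mtune=generic -march=x86-64 -g -O2'

triage_canary "$SYM_WITH_CANARY" "$PROD_NONE"     # canary
triage_canary "$SYM_NO_CANARY"   "$PROD_STRONG"   # ok-no-protected-frames
triage_canary "$SYM_NO_CANARY"   "$PROD_NONE"     # suspect-build
```

Run `triage_file /path/to/binary` over a package's installed ELF files to get the same three-way classification for real objects.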

