RFC mass bug reporting: checksec failures

Orion Poplawski orion at cora.nwra.com
Fri Sep 18 04:51:11 UTC 2015


On 09/17/2015 06:15 PM, Steve Grubb wrote:
> On Thu, 17 Sep 2015 13:53:38 +0300
> Alexander Todorov <atodorov at redhat.com> wrote:
>
>> On 17.09.2015 at 13:34, Steve Grubb wrote:
>>> On Thu, 17 Sep 2015 11:07:37 +0300
>>> Alexander Todorov <atodorov at redhat.com> wrote:
>>>
>>>> Can somebody comment on the -fstack-protector-all vs
>>>> -fstack-protector-strong issue ? Do we want to change the default
>>>> for %__global_cflags in /usr/lib/rpm/redhat/macros ?
>>>
>>> -all is not needed, -strong is the right balance between security
>>> and performance. For example
>>>
>>> int add(int a, int b)
>>> {
>>> 	return a+b;
>>> }
>>>
>>> Does that need a stack canary? This is the nature of why some
>>> functions don't get a canary. Whenever knowledge of a stack frame
>>> is passed as a pointer to a function, then -strong will kick in and
>>> do a stack check on return.
>>>
>>
>> Hi Steve,
>> thanks for the explanation.
>>
>> So it looks like I should ignore stack canary warnings (assuming the
>> package is using the default flags). Should this be ignored for both
>> libraries and executable binaries or only libraries? Or is the answer
>> once again that you can't tell that easily?
>
> Not completely. See below.
>
>
>>> To know if the right thing is being done is hard to script. You
>>> really need to see what flags are passed to each source file being
>>> compiled. You just can't get at that from readelf.
>>>
>>
>> Is it realistic to request an RFE with this information stored in the
>> compiled object and then read by readelf? If so I can file bugs
>> in bugzilla.redhat.com or upstream.
>>
>
> I think Florian answered this. Indeed, the --debug-dump option does
> find these strings, but they are mixed in with other data. I think that
> if there is no canary and flags were passed, it's not a problem. If the
> flags are absent, the build scripts are suspect.
>
> -Steve
>

So, I see that the various vtk libraries show "No canary found".  However, 
I'm pretty sure that the proper --specs=redhat-hardened-{cc1,ld} flags 
etc. are getting passed to the compile.  Perhaps there is some issue 
parsing the C++ libraries, or is something else going on like the above?

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion at cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
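
The two checks this thread keeps coming back to, as an added example that is not part of the original mails and is not Fedora's checksec or redhat-rpm-config code: a POSIX shell script that (a) looks for the __stack_chk_fail reference that readelf-based "canary" checks key on, and (b) pulls the compiler flags GCC recorded in DW_AT_producer out of the DWARF, so a missing canary can be told apart from a missing flag. The background fact it relies on: -fstack-protector-strong instruments only functions that declare a local array, take the address of a local, or call alloca, so an object built from nothing but functions like add() above legitimately has no canary at all. Assumptions (this example's own, not from the thread): readelf (binutils) and sed on PATH, and objects built with -g plus -grecord-gcc-switches (GCC's default, and passed explicitly by Fedora's %__global_cflags) so the switches appear in DW_AT_producer; the function names and output strings are invented here.

```shell
#!/bin/sh
# Added example for this thread (not code from the original mails, from
# checksec, or from redhat-rpm-config). Assumes readelf and sed on PATH.

# Does the file reference the stack protector's failure handler?
# Prints "canary" or "no-canary". readelf -s lists both .symtab and
# .dynsym, so a stripped shared library still shows the UND import.
# A "no-canary" result under -fstack-protector-strong is normal for
# objects whose functions have no local arrays and no address-taken
# locals (e.g. int add(int a, int b) { return a+b; }).
has_canary_symbol() {
    if readelf --wide --syms "$1" 2>/dev/null | grep -q '__stack_chk_fail'; then
        echo canary
    else
        echo no-canary
    fi
}

# Recover the flags GCC recorded in the DWARF DW_AT_producer string.
# Assumes the object was built with -g and -grecord-gcc-switches (GCC's
# default with -g; Fedora's default cflags pass it explicitly).
# Prints one de-duplicated producer line per compilation unit.
producer_flags() {
    readelf --wide --debug-dump=info "$1" 2>/dev/null \
        | sed -n 's/.*DW_AT_producer.*: \(.*\)$/\1/p' \
        | sort -u
}

# Interpret a checksec-style "No canary found": only suspicious when
# the recorded flags carry no -fstack-protector variant at all.
classify() {
    canary=$(has_canary_symbol "$1")
    flags=$(producer_flags "$1")
    case "$flags" in
        *-fstack-protector*) ssp=flag-present ;;   # -fstack-protector{,-strong,-all}
        *)                   ssp=flag-absent ;;    # note: -fno-stack-protector does not match
    esac
    case "$canary:$ssp" in
        canary:*)
            echo "ok: canary present" ;;
        no-canary:flag-present)
            echo "ok: no canary, but -fstack-protector recorded (nothing to protect)" ;;
        no-canary:flag-absent)
            echo "suspect: no canary and no -fstack-protector in DW_AT_producer; check the build log" ;;
    esac
}

# Usage: sh ssp-check.sh FILE...   (e.g. the vtk libraries in question)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify "$f")"
done
```

The script's verdict is a triage aid, not proof: DW_AT_producer is per compilation unit, so a library assembled from objects built with different flags needs each unit's line inspected, and an object built without -g (or with debug info stripped before packaging) yields an empty flag list and a "suspect" verdict that only the build log can settle.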
