Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

socat: hardening with Canary, PIE, Full RELRO and FORTIFY_SOURCE #7214

Closed
wants to merge 1 commit into from
Closed

socat: hardening with Canary, PIE, Full RELRO and FORTIFY_SOURCE #7214

wants to merge 1 commit into from

Conversation

arno01
Copy link
Contributor

@arno01 arno01 commented Apr 6, 2015 

# checksec --proc socat
         COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
           socat  13035 Full RELRO        Canary found           NX enabled    PIE enabled

@peti
Copy link
Member

peti commented Apr 6, 2015

Won't these changes break the build on non-Linux / non-gcc platforms?

@arno01
Copy link
Contributor Author

arno01 commented Apr 6, 2015

Based on https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29

-fPIE -pie

Doesn't work on hppa and m68k (disabled for these archs by default in hardening-wrapper 1.6)
Doesn't work on some assembler, due to lack of registers. e.g.:

vf_decimate.c:26: error: can't find a register in class 'BREG' while reloading 'asm'

ld -z relro

    Unimplemented on ia64 (ld silently ignores the option).

ld -z now
seems to be OK

Canaries (-fstack-protector)

Not supported on ia64 and alpha. (disabled for these archs by default in hardening-wrapper 1.8)

warning: -fstack-protector not supported for this target
Not supported on mips and hppa. (disabled for these archs by default in hardening-wrapper 1.10)

warning: -fstack-protector not supported for this target

-D_FORTIFY_SOURCE=2

    Code compiled with -Werror and using memcpy/strcpy with qualifier overrides will fail with FORTIFY enabled. See https://launchpad.net/bugs/217481

@arno01 arno01 mentioned this pull request Apr 6, 2015
Closed
@peti
Copy link
Member

peti commented Apr 6, 2015

How about Darwin, which uses clang instead of gcc to compile?

@arno01
Copy link
Contributor Author

arno01 commented Apr 6, 2015

@peti I've no idea to be honest about Darwin. Perhaps, there is someone who would know it for sure :)

@spwhitt
Copy link
Contributor

spwhitt commented Apr 6, 2015

This does cause a failure when building with clang. You can simply change to the following:

preConfigure = if (stdenv.cc.cc.isGNU or false) then ''
  ...
'' else null;

Which will only apply the flags if we're compiling with gcc.

@aristidb aristidb added 9.needs: reporter feedback This issue needs the person who filed it to respond 1.severity: security Issues which raise a security issue, or PRs that fix one labels Apr 8, 2015
@fpletz
Copy link
Member

fpletz commented Mar 5, 2016

Closing in favor of #12895.

@fpletz fpletz closed this Mar 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: reporter feedback This issue needs the person who filed it to respond
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@arno01 @peti @spwhitt @fpletz @aristidb