[OE-core] [PATCH 00/19] Rework GCC PIE and security flags (take 3)

Khem Raj raj.khem at gmail.com
Sat Jul 1 14:23:04 UTC 2017


* This patchset adds a switch to configure gcc driver with PIE defaults
* Add support for generating static PIE in gcc
* Gets rid of a lot of bandaids from distro security flags file
* Adjust recipes for new way of specifying pie

v1->v2:

* apply libssp_nonshared.a linking spec changes to musl alone
* icu/iptable/gstreamer1.0-plugins-bad fixes are done on top and do not really depend on the pie rework

v2->v3:

* Add glibc 2.25.90 upgrade patches to this pull request as it has a few dependent gcc patches with hardening
* Fixes for recipes to build against glibc 2.26
* Add fixes to sysklogd
* Don't compile sysklogd with PIE

The following changes since commit de7914954571ea8e717f56b6d6df13157b0973bc:

  scripts/contrib/patchreview: add new script (2017-06-29 13:01:32 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes

Khem Raj (19):
  glibc: Upgrade to 2.25.90
  glibc: Drop obsoleted bits/string.h from multilibbing
  glibc: Enable obsoleted nsl
  gcc: Introduce a knob to configure gcc to default to PIE
  security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
  distutils,setuptools: Delete use of SECURITY_NO_PIE_CFLAGS
  gcc7: Enable static PIE
  gcc: Link libssp_nonshared.a only on musl targets
  sysklogd: Improve build and fix runtime crash
  libunwind: We set -fPIE in security flags now if gcc is not configured
    for default PIE
  valgrind: Remove -no-pie from cflags
  icu: Fix build with glibc 2.26
  gstreamer1.0-plugins-bad: Fix missing library with bcm egl
  gcc-sanitizer: Fix build with glibc 2.26
  gcc: Use ucontext_t instead of ucontext
  valgrind: Fix build with glibc 2.26
  strace: upgrade to 4.17
  qemu: Replace use of struct ucontext with ucontext_t
  epiphany: Fix build errors when compiling with security flags

 meta/classes/distutils-common-base.bbclass         |   2 -
 meta/classes/setuptools.bbclass                    |   2 -
 meta/conf/distro/include/security_flags.inc        |  85 ++-----
 meta/conf/distro/include/tcmode-default.inc        |   2 +-
 ...e_2.25.bb => cross-localedef-native_2.25.90.bb} |  27 ++-
 ...bc-initial_2.25.bb => glibc-initial_2.25.90.bb} |   0
 ...libc-locale_2.25.bb => glibc-locale_2.25.90.bb} |   0
 ...libc-mtrace_2.25.bb => glibc-mtrace_2.25.90.bb} |   0
 meta/recipes-core/glibc/glibc-package.inc          |   2 +-
 ...bc-scripts_2.25.bb => glibc-scripts_2.25.90.bb} |   0
 ...libc-Look-for-host-system-ld.so.cache-as-.patch |   6 +-
 ...libc-Fix-buffer-overrun-with-a-relocated-.patch |   6 +-
 ...libc-Raise-the-size-of-arrays-containing-.patch |  34 +--
 ...ivesdk-glibc-Allow-64-bit-atomics-for-x86.patch |  11 +-
 ...500-e5500-e6500-603e-fsqrt-implementation.patch |  42 ++--
 ...-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch |   6 +-
 ...-Fix-undefined-reference-to-__sqrt_finite.patch |  28 +--
 ...qrt-f-are-now-inline-functions-and-call-o.patch |  28 +--
 ...bug-1443-which-explains-what-the-patch-do.patch |   8 +-
 ...n-libm-err-tab.pl-with-specific-dirs-in-S.patch |   6 +-
 ...qrt-f-are-now-inline-functions-and-call-o.patch |   8 +-
 ...ersion-output-matching-grok-gold-s-output.patch |  44 ----
 ...configure.ac-handle-correctly-libc_cv_ro.patch} |  10 +-
 ...ibute.patch => 0013-Add-unused-attribute.patch} |   8 +-
 ...hin-the-path-sets-wrong-config-variables.patch} |  30 +--
 ...timezone-re-written-tzselect-as-posix-sh.patch} |  12 +-
 ...ove-bash-dependency-for-nscd-init-script.patch} |  11 +-
 ...-Cross-building-and-testing-instructions.patch} |  10 +-
 ...18-eglibc-Help-bootstrap-cross-toolchain.patch} |  10 +-
 ... 0019-eglibc-Clear-cache-lines-on-ppc8xx.patch} |  10 +-
 ...020-eglibc-Resolve-__fpscr_values-on-SH4.patch} |  10 +-
 ...atch => 0021-eglibc-Install-PIC-archives.patch} |  20 +-
 ...ard-port-cross-locale-generation-support.patch} |  36 +--
 ...023-Define-DUMMY_LOCALE_T-if-not-defined.patch} |   8 +-
 ...m.patch => 0024-local-dynamic-resolvconf.patch} |  57 +++--
 ...c-Make-_dl_build_local_scope-breadth-fir.patch} |   8 +-
 ...locale-fix-hard-coded-reference-to-gcc-E.patch} |  10 +-
 .../glibc/{glibc_2.25.bb => glibc_2.25.90.bb}      |  37 +--
 meta/recipes-devtools/gcc/gcc-7.1.inc              |   5 +-
 ...shared-to-link-commandline-for-musl-targe.patch |  42 ++++
 .../gcc/gcc-7.1/0040-ssp_nonshared.patch           |  28 ---
 .../gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch   |  37 +++
 ...r-Use-stack_t-instead-of-struct-sigaltsta.patch | 160 +++++++++++++
 ...0-replace-struct-ucontext-with-ucontext_t.patch | 149 ++++++++++++
 meta/recipes-devtools/gcc/gcc-configure-common.inc |   3 +
 ...lace-struct-ucontext-with-ucontext_t-type.patch | 265 +++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.8.1.1.bb         |  46 ++--
 ...8-replace-struct-ucontext-with-ucontext_t.patch |  31 +++
 .../strace/strace/Makefile-ptest.patch             |  19 +-
 .../strace/{strace_4.16.bb => strace_4.17.bb}      |   5 +-
 ...sts-Use-ucontext_t-instead-of-struct-ucon.patch |  30 +++
 meta/recipes-devtools/valgrind/valgrind_3.12.0.bb  |   3 +-
 ...s-that-causes-a-segmentation-fault-under-.patch |  28 +++
 ...way-for-respecting-flags-from-environment.patch |  35 +++
 meta/recipes-extended/sysklogd/sysklogd.inc        |   6 +-
 meta/recipes-gnome/epiphany/epiphany_3.24.2.bb     |   6 +-
 ...bookmarks-Check-for-return-value-of-fread.patch |  32 +++
 .../link-with-libvchostif.patch                    |  35 +++
 .../gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb   |   1 +
 .../icu/icu/0001-i18n-Drop-include-xlocale.h.patch |  31 +++
 meta/recipes-support/icu/icu_58.2.bb               |   3 +-
 meta/recipes-support/libunwind/libunwind_1.2.bb    |   4 -
 62 files changed, 1209 insertions(+), 429 deletions(-)
 rename meta/recipes-core/glibc/{cross-localedef-native_2.25.bb => cross-localedef-native_2.25.90.bb} (61%)
 rename meta/recipes-core/glibc/{glibc-initial_2.25.bb => glibc-initial_2.25.90.bb} (100%)
 rename meta/recipes-core/glibc/{glibc-locale_2.25.bb => glibc-locale_2.25.90.bb} (100%)
 rename meta/recipes-core/glibc/{glibc-mtrace_2.25.bb => glibc-mtrace_2.25.90.bb} (100%)
 rename meta/recipes-core/glibc/{glibc-scripts_2.25.bb => glibc-scripts_2.25.90.bb} (100%)
 delete mode 100644 meta/recipes-core/glibc/glibc/0012-Make-ld-version-output-matching-grok-gold-s-output.patch
 rename meta/recipes-core/glibc/glibc/{0013-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch => 0012-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch} (82%)
 rename meta/recipes-core/glibc/glibc/{0014-Add-unused-attribute.patch => 0013-Add-unused-attribute.patch} (82%)
 rename meta/recipes-core/glibc/glibc/{0015-yes-within-the-path-sets-wrong-config-variables.patch => 0014-yes-within-the-path-sets-wrong-config-variables.patch} (94%)
 rename meta/recipes-core/glibc/glibc/{0016-timezone-re-written-tzselect-as-posix-sh.patch => 0015-timezone-re-written-tzselect-as-posix-sh.patch} (81%)
 rename meta/recipes-core/glibc/glibc/{0017-Remove-bash-dependency-for-nscd-init-script.patch => 0016-Remove-bash-dependency-for-nscd-init-script.patch} (89%)
 rename meta/recipes-core/glibc/glibc/{0018-eglibc-Cross-building-and-testing-instructions.patch => 0017-eglibc-Cross-building-and-testing-instructions.patch} (99%)
 rename meta/recipes-core/glibc/glibc/{0019-eglibc-Help-bootstrap-cross-toolchain.patch => 0018-eglibc-Help-bootstrap-cross-toolchain.patch} (94%)
 rename meta/recipes-core/glibc/glibc/{0021-eglibc-Clear-cache-lines-on-ppc8xx.patch => 0019-eglibc-Clear-cache-lines-on-ppc8xx.patch} (94%)
 rename meta/recipes-core/glibc/glibc/{0022-eglibc-Resolve-__fpscr_values-on-SH4.patch => 0020-eglibc-Resolve-__fpscr_values-on-SH4.patch} (88%)
 rename meta/recipes-core/glibc/glibc/{0023-eglibc-Install-PIC-archives.patch => 0021-eglibc-Install-PIC-archives.patch} (90%)
 rename meta/recipes-core/glibc/glibc/{0024-eglibc-Forward-port-cross-locale-generation-support.patch => 0022-eglibc-Forward-port-cross-locale-generation-support.patch} (96%)
 rename meta/recipes-core/glibc/glibc/{0025-Define-DUMMY_LOCALE_T-if-not-defined.patch => 0023-Define-DUMMY_LOCALE_T-if-not-defined.patch} (80%)
 rename meta/recipes-core/glibc/glibc/{0020-eglibc-cherry-picked-from.patch => 0024-local-dynamic-resolvconf.patch} (49%)
 rename meta/recipes-core/glibc/glibc/{0026-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch => 0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch} (89%)
 rename meta/recipes-core/glibc/glibc/{0027-locale-fix-hard-coded-reference-to-gcc-E.patch => 0026-locale-fix-hard-coded-reference-to-gcc-E.patch} (82%)
 rename meta/recipes-core/glibc/{glibc_2.25.bb => glibc_2.25.90.bb} (80%)
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
 delete mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0049-libsanitizer-Use-stack_t-instead-of-struct-sigaltsta.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0050-replace-struct-ucontext-with-ucontext_t.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-replace-struct-ucontext-with-ucontext_t-type.patch
 create mode 100644 meta/recipes-devtools/strace/strace/0008-replace-struct-ucontext-with-ucontext_t.patch
 rename meta/recipes-devtools/strace/{strace_4.16.bb => strace_4.17.bb} (87%)
 create mode 100644 meta/recipes-devtools/valgrind/valgrind/0001-memcheck-tests-Use-ucontext_t-instead-of-struct-ucon.patch
 create mode 100644 meta/recipes-extended/sysklogd/files/0001-fix-problems-that-causes-a-segmentation-fault-under-.patch
 create mode 100644 meta/recipes-extended/sysklogd/files/0002-Make-way-for-respecting-flags-from-environment.patch
 create mode 100644 meta/recipes-gnome/epiphany/files/0001-bookmarks-Check-for-return-value-of-fread.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
 create mode 100644 meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch

-- 
2.13.2
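The series switches the gcc driver to default-PIE and stops pinning -fPIE/-no-pie per recipe, so the practical question when consuming it is whether a given cross toolchain really defaults to PIE and whether the binaries it links came out as PIE. The POSIX sh script below is an added example written for this page; it is not part of the patchset, of OE-core or of gcc. It relies only on gcc's real `--enable-default-pie` configure switch (echoed by `gcc -v`) and on `readelf` output; the function names (`gcc_defaults_to_pie`, `classify_elf`, the `*_file` wrappers) are mine, and the `SAMPLE_*` texts are constructed, trimmed readelf and `gcc -v` output, not captures from a real Yocto build.

```shell
#!/bin/sh
# Added example, not part of the patchset: quick checks for the two things
# the series changes, (1) whether a gcc driver has been configured to
# default to PIE and (2) whether an ELF it linked actually came out as a
# PIE, a static PIE, a non-PIE executable or a shared object.
# Only gcc's real --enable-default-pie configure switch and readelf output
# are relied on; the SAMPLE_* texts below are constructed for the demo.

# Read `gcc -v` output on stdin; succeed if the driver was configured
# with --enable-default-pie (the configure line is echoed by -v).
gcc_defaults_to_pie() {
    grep -q -- '--enable-default-pie'
}

# Read `readelf -h -l -d FILE` output on stdin and print one of:
#   exec           ET_EXEC, not position independent
#   pie            ET_DYN with a PT_INTERP (dynamically linked PIE)
#   static-pie     ET_DYN, no PT_INTERP, but DT_FLAGS_1 carries PIE
#   shared-object  ET_DYN with neither (a library)
#   relocatable    ET_REL (an object file)
# The static-pie/shared-object split relies on the linker having written
# DT_FLAGS_1 PIE; older binutils do not emit it, so treat "shared-object"
# on a known static PIE as "unknown" rather than as a hardening failure.
classify_elf() {
    text=$(cat)
    etype=$(printf '%s\n' "$text" | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p' | head -n 1)
    case "$etype" in
        EXEC) echo exec ;;
        REL)  echo relocatable ;;
        DYN)
            if printf '%s\n' "$text" | grep -qE '^ *INTERP[[:space:]]'; then
                echo pie
            elif printf '%s\n' "$text" | grep -qE '\(FLAGS_1\).*[[:space:]]PIE([[:space:]]|$)'; then
                echo static-pie
            else
                echo shared-object
            fi ;;
        *) echo unknown ;;
    esac
}

# Convenience wrappers for a real toolchain and a real file.
gcc_is_default_pie() { "${1:-gcc}" -v 2>&1 | gcc_defaults_to_pie; }
classify_elf_file()  { readelf -h -l -d "$1" | classify_elf; }

# Constructed samples, trimmed to the lines the checks look at.
SAMPLE_GCC_V_PIE='Using built-in specs.
Configured with: ../gcc/configure --target=x86_64-poky-linux --enable-default-pie --enable-shared
gcc version 7.1.0 (GCC)'
SAMPLE_GCC_V_NOPIE='Using built-in specs.
Configured with: ../gcc/configure --target=x86_64-poky-linux --enable-shared
gcc version 7.1.0 (GCC)'
SAMPLE_ELF_EXEC='ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  INTERP         0x0000000000000238 0x0000000000400238 0x0000000000400238'
SAMPLE_ELF_PIE='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
Dynamic section at offset 0x2dc8 contains 27 entries:
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_ELF_STATIC_PIE='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
Dynamic section at offset 0x80d8 contains 10 entries:
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_ELF_SHLIB='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
Dynamic section at offset 0x2e00 contains 24 entries:
 0x000000000000000e (SONAME)             Library soname: [libfoo.so.1]'

# Classify a real file when one is given on the command line.
if [ -n "${1:-}" ] && command -v readelf >/dev/null 2>&1; then
    echo "$1: $(classify_elf_file "$1")"
fi
```

Run it as `sh check-pie.sh /path/to/binary` after sourcing it, or call `gcc_is_default_pie x86_64-poky-linux-gcc` from an OE build environment. Note that a recipe which the series deliberately keeps non-PIE (sysklogd here) will report `exec`; that is the expected result, not a regression, so any image-wide sweep should carry an allow list for such recipes rather than failing on every ET_EXEC.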