winter.txt

Robert Connolly cendres at videotron.ca
Sun Feb 1 23:52:22 PST 2004


Please update winter.txt with the attachment. New patches sent to patches at .
-------------- next part --------------
AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)

DATE:   2004-02-02

LICENSE:        Public Domain

SYNOPSIS:       Position independent executables

PRIMARY URL:	ftp://twocents.mooo.com/pub/

DESCRIPTION:
Experimental
Position independent executables (pie) are the superset of position independent
code (pic). Pie will be formally available with gcc-3.4; this hint uses the
original patch which made it into gcc-3.4. This provides extra security features
that can be used by Pax/Grsecurity, exec-shield, and others. It is also a good
idea to use ProPolice together with this even though there is overlapping
functionality.

http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
http://pax.grsecurity.net/
http://www.grsecurity.net/
http://people.redhat.com/mingo/exec-shield/

PREREQUISITES: LFS-5.0

HINT:

=======
Context
=======

	Introduction
	Downloads
	Installation
	Testing
	Feedback
	Acknowledgments

============
Introduction
============
Follow the cvs book with this hint. Unfortunately -fpie is slightly broken in
the glibc-2.3.3 that is in the LFS cvs book. I tested this against
glibc-2.3-20040129. You also need a binutils that understands -pie, either HJL
or FSF-cvs. If you use FSF-cvs binutils you will have to comment out the sanity
code in glibc/configure: run grep -n -e "too old" configure, and comment out the
whole test. HJL should work without that hassle.

=========
Downloads
=========
-----
Glibc
-----
Thanks to Teemu Tervo's nptl hint.

cvs -d :pserver:anoncvs@sources.redhat.com:/cvs/glibc -z3 co libc
mv libc glibc-2.3-`date +%Y%m%d`
tar cjf glibc-2.3-`date +%Y%m%d`.tar.bz2 glibc-2.3-`date +%Y%m%d`
rm -rf glibc-2.3-`date +%Y%m%d`

Glibc uses an executable stack in ld.so. To use Pax you will need this patch.
http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/ \
	sys-libs/glibc/files/2.3.3/glibc-2.3.3-dl_execstack-PaX-support.patch
http://www.linuxfromscratch.org/patches/downloads/glibc/ \
	glibc-2.3.3-dl_execstack-PaX-support-1.patch
ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3-dl_execstack-PaX-support-1.patch

--------
Binutils
--------
Only need one.
HJL
ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2
FSF
ftp://sources.redhat.com/pub/binutils/snapshots/binutils-${%Y%m%d}.tar.bz2

----
PIE
----
Only need one.
http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/~checkout~/ \
        SPECS/gcc/gcc33-pie.patch
http://www.linuxfromscratch.org/patches/downloads/gcc/ \
        gcc-3.3-pie-1.patch
ftp://twocents.mooo.com/pub/hcc/pie/gcc-3.3-pie-2.patch

----
Pax
----
Kernel 2.4
http://pax.grsecurity.net/pax-linux-2.4.23-200401091805.patch

Kernel 2.6
http://pax.grsecurity.net/pax-linux-2.6.1-200401091905.patch

This is an information leak patch. It's not available for 2.6 yet :(
http://cr0.org/pax-obscure/pax+obs-linux-2.4.22-200308302223.tar.gz

----
HGCC
----
This is a specs file editor for changing the default behavior of gcc to use
-fpie and -fstack-protector-all. Check for newer versions. If anyone wants to
take over writing this script, email me.
ftp://twocents.mooo.com/pub/hcc/hgcc2.sh

============
Installation
============
---------
Chapter 5
---------
 - Glibc-cvs
patch -Np1 -i ../glibc-2.3.3-dl_execstack-PaX-support-1.patch

 - GCC pass 2
patch -Np1 -i ../gcc-3.3-pie-2.patch

 - HGCC
cp hgcc2.sh /tools/bin/hgcc
chmod +x /tools/bin/hgcc
hgcc -pa-fpie

 - Binutils pass 2
Before make check do hgcc -r. Before make install do hgcc -pa-fpie.
Repeat this for any binutils make check. No other packages are known to have
issues like this.

# And now we have "shared object" because of -pie.
$ file /tools/bin/ld
/tools/bin/ld: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped
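
The same check without file(1), as an added example that is not part of the
original hint: the "shared object" that file reports corresponds to e_type 3
(ET_DYN) in the ELF header, while a fixed-address executable has e_type 2
(ET_EXEC). The function names elf_type and audit_dir are made up for this
example.

```shell
# Added example: classify ELF files by the e_type field of the ELF header.
# ET_DYN covers both -pie executables and real shared libraries, exactly
# like the "shared object" wording in file(1) output.

elf_byte() {  # elf_byte FILE OFFSET -> decimal value of the byte at OFFSET
    od -An -tu1 -j"$2" -N1 "$1" 2>/dev/null | tr -d ' \n'
}

elf_type() {  # prints: pie-or-shared | fixed | other | not-elf
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then      # 0x7f 'E' 'L' 'F'
        echo not-elf; return 0
    fi
    data=$(elf_byte "$1" 5)    # EI_DATA: 1 = little endian, 2 = big endian
    b0=$(elf_byte "$1" 16)     # e_type is the 16-bit field at offset 16
    b1=$(elf_byte "$1" 17)
    if [ -z "$b0" ] || [ -z "$b1" ]; then    # truncated header
        echo other; return 0
    fi
    case $data in
        1) t=$((b0 + b1 * 256)) ;;
        2) t=$((b0 * 256 + b1)) ;;
        *) echo other; return 0 ;;
    esac
    case $t in
        2) echo fixed ;;           # ET_EXEC: linked at a fixed address
        3) echo pie-or-shared ;;   # ET_DYN: relocatable at load time
        *) echo other ;;
    esac
}

# audit_dir DIR: print every executable file in DIR that is still ET_EXEC,
# i.e. was linked without -pie.
audit_dir() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            if [ "$(elf_type "$f")" = fixed ]; then
                echo "$f"
            fi
        fi
    done
    return 0
}
```

Running audit_dir /tools/bin after the hgcc -pa-fpie step lists the binaries
that were built without -pie.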

---------
Chapter 6
---------
 - Glibc
patch -Np1 -i ../glibc-2.3.3-dl_execstack-PaX-support-1.patch

 - GCC
patch -Np1 -i ../gcc-3.3-pie-2.patch

 - HGCC
cp hgcc2.sh /usr/bin/hgcc
chmod +x /usr/bin/hgcc
hgcc -pa-fpie

========
Testing
========
Download:
http://pax.grsecurity.net/paxtest-0.9.5.tar.gz

========
Feedback
========

<cendres at videotron dot ca>

ACKNOWLEDGMENTS:

* Thanks to Hiroaki Etoh for providing the protector patch to IBM
* Thanks to IBM for providing the protector patch at
	http://www.research.ibm.com/trl/projects/security/ssp/

CHANGELOG:
[2003-10-18]
* Debut
* Reformat hint
[2003-10-22]
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
[2003-10-24]
* Added caveat.
* Fixed URLS.
* Lite edit
[2003-10-25]
* New bugs found.
[2003-10-26]
* GCC 2.95.3 patches made.
[2003-10-27]
* XFree86-4.3.0 patch made.
* Hint is now Beta - Need more feedback.
[2003-11-03]
* Edit
* Reformatted patches.
[2003-11-12]
* Reformat patches.
* Update/edit hint.
* Add new example tests.
[2003-11-21]
* Reformat patches.
* Add homepage/mirror url.
* Small edit.
[2003-12-01]
* Added Glibc and kernel patches.
* Rewrote install procedure.
[2003-12-20]
* Try to be more informative.
* Removed Gentoo property.
* Added Libsafe.
* Added Pax.
* Added new versions of binutils and glibc.
* Added GCC PIE.
* Rename filename to winter.txt.
[2003-12-21]
* Do not use "Enforce non-executable pages"
* Spell check.
* Fixed URL.
[2003-12-22]
* Added LOPTS to Net-tools.
* Added LDFLAGS to Perl.
[2003-12-25]
* More cflags.
* New tests.
[2004-02-02]
* Update gcc pie patch.
* Moved Libsafe and ProPolice to prolice.txt
* Added fpie to hgcc2.sh

