r904 - trunk

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Sun Oct 31 22:57:31 PST 2004


Author: tushar
Date: 2004-10-31 23:57:29 -0700 (Sun, 31 Oct 2004)
New Revision: 904

Modified:
   trunk/ssp.txt
Log:
Updated: ssp

Modified: trunk/ssp.txt
===================================================================
--- trunk/ssp.txt	2004-11-01 06:56:36 UTC (rev 903)
+++ trunk/ssp.txt	2004-11-01 06:57:29 UTC (rev 904)
@@ -1,6 +1,6 @@
 AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)
 
-DATE:		2004-10-01
+DATE:		2004-10-30
 
 LICENSE:	Public Domain
 
@@ -55,7 +55,6 @@
 	Extras
 		Extra security patches
 		Libsafe
-	GCC 3.4 notes
 	Installation
 	Testing
 	Feedback
@@ -74,12 +73,19 @@
 added "ssp" to the version string. The gcc2 patch is only needed if you plan to
 use gcc2 to build the kernel, and want stack protection in the kernel.
 
+If any of these links are broken look for a newer version.
+
+*** All of these patches are in:
+http://www.linuxfromscratch.org/~robert/hlfs/downloads/cvs/\
+	hlfs-patches-{date}.tar.bz2
+For example: hlfs-patches-20041028.tar.bz2
+
 Note: gcc-3.3 patches apply to gcc-3.3.* too. Likewise with gcc-3.4 patches.
 
 http://www.linuxfromscratch.org/patches/downloads/gcc/\
-        gcc-3.3-ssp-3.patch
-	gcc-3.4-ssp-1.patch
-        gcc-2.95.3-ssp-3.patch
+        gcc-3.3-ssp-4.patch
+	gcc-3.4-ssp-2.patch
+        gcc-2.95.3-ssp-4.patch
 
 The Glibc patch will define __guard_setup and __stack_smash_handler in libc.so
 so the kill function can be kept in a shared object. In the Glibc patch the
@@ -89,8 +95,8 @@
 logs for these alerts.
 
 http://www.linuxfromscratch.org/patches/downloads/glibc/\
-        glibc-2.3.2-ssp-frandom-4.patch
-	glibc-2.3.4-ssp_frandom-3.patch # This works for glibc-2.3.3 too.
+        glibc-2.3.2-ssp-frandom-5.patch
+	glibc-2.3.4-ssp_frandom-4.patch # This works for glibc-2.3.3 too.
 
 This GCC Specs patch adds -fstack-protector-all to GCC's default compiler flags.
 Filters prevent libraries and the kernel from being built with unnessesary
@@ -101,7 +107,7 @@
 
 http://www.linuxfromscratch.org/patches/downloads/gcc/\
 	gcc-3.3-sspspecs-3.patch
-	gcc-3.4-sspspecs-1.patch
+	gcc-3.4-sspspecs-2.patch
 	gcc-2.95.3-sspspecs-2.patch
 
 The Linux kernel patch adds support to the Linux kernel for smash symbols. It
@@ -113,8 +119,8 @@
         linux-2.6.5-ssp-1.patch # This still works on newer 2.6 kernels.
 
 http://www.linuxfromscratch.org/patches/downloads/linux/\
-        linux-2.4.26-frandom-1.patch # or
-	linux-2.6.8.1-frandom-1.patch
+        linux-2.4.27-frandom-1.patch # or
+	linux-2.6.8.1-frandom-1.patch # This works on 2.6.9 too.
 
 There is also an mktemp patch for frandom:
 
@@ -126,10 +132,11 @@
 http://www.linuxfromscratch.org/patches/downloads/XFree86/ \
         XFree86-4.3.0-ssp-1.patch
 
-And for LFS-6.0
+And for LFS-6
 
 http://www.linuxfromscratch.org/patches/downloads/\
         linux-libc-headers/linux-libc-headers-2.6-frandom-1.patch
+ftp://twocents.mooo.com/pub/hlfs-patches/linux-libc-headers-2.6-frandom-1.patch
 
 ======
 Extras
@@ -181,23 +188,19 @@
 uses them properly. All of the example exploits in exploits/ will fail because
 of SSP.
 
-=============
-GCC 3.4 notes
-=============
-The 3.4 series of GCC has a very picky testsuite. You can expect many
-testsuite failues if you use the sspspecs patch, for now. I'll keep trying to
-find a fix.
-
 =====================
 Installation
 =====================
 
+Do not use -O3 (or -O4) optimizations with stack protector or things will
+not work.
+
 ---------
 Chapter 5
 ---------
 Kernel headers
 (See under PREREQUISITES above)
-patch -Npq -i ../linux-2.4.27-frandom-1.patch
+patch -Np1 -i ../linux-2.4.27-frandom-1.patch
 
  - GCC pass 1
 If the host system has SSP in Glibc already, then you can patch gcc
@@ -220,7 +223,7 @@
 Make sure the frandom header get installed again.
 
  - Glibc
-patch -Np1 -i ../glibc-2.3.4-ssp-frandom-3.patch
+patch -Np1 -i ../glibc-2.3.4-ssp-frandom-4.patch
 
  - Binutils
 make CFLAGS="-fno-stack-protector" check
@@ -234,8 +237,13 @@
 CFLAGS="-fno-stack-protector" ./configure...
 
  - GCC 2.95.3
-patch -Np1 -i ../gcc-2.95.3-ssp-3.patch
+patch -Np1 -i ../gcc-2.95.3-ssp-4.patch
 
+ - Perl
+# Perl uses -O3 by default which can cause problems with SSP, reset it
+# to use -O2.
+env CFLAGS="-O2" ./configure...
+
 ---------
 Chapter 8
 ---------
@@ -280,7 +288,10 @@
 gcc -fstack-protector-all -o fail fail.c &&
 ./fail
 
-This will display the __guard value. It should change each runtime.
+This will display the __guard value. It should change each runtime. This will
+test erandom/urandom/gettimeofday is working. Test urandom by booting a
+vanilla kernel, test gettimeofday by removing /dev/urandom with a vanilla
+kernel, or compile this statically linked and `chroot . ./guard-test`.
 
 cat > guard-test.c << "EOF"
 extern unsigned long __guard[];
@@ -387,3 +398,8 @@
 [2004-10-01]
 * New patches.
 * Added guard-test.c
+[2004-10-28]
+* New patches
+[2004-10-30]
+* Do not use -O3 or -O4
+* Use CFLAGS="-O2" for Perl chapter 6.




More information about the hints mailing list