Robert Connolly robert at
Thu Jan 27 16:58:16 PST 2005

:\ Last update, today.

On January 27, 2005 03:01 pm, Robert Connolly wrote:
> Typos. I'm pretty sure this is the last one, for a while.
> :)
> On January 27, 2005 02:55 pm, Robert Connolly wrote:
> > Sorry. Added something else.
> >
> > On January 27, 2005 02:34 pm, Robert Connolly wrote:
> > > Added another patch
> > >
> > > On January 27, 2005 02:12 pm, Robert Connolly wrote:
> > > > Hello. Please update this attached hint.
> > > >
> > > > robert
-------------- next part --------------
AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)

DATE:		2005-01-27

LICENSE:	Public Domain

SYNOPSIS:	Smashing Stack Protector and Libsafe


Smashing Stack Protector is a C and C++ security extension for GCC.
Libsafe prevents format string attacks.

Based on StackGuard, SSP was developed by IBM for protecting applications
from stack smashing attacks. This is the single largest class of attacks and
many security-oriented vendors have added it to their default compiler. The
overhead lost to this type of guard is minimal. In practice, if the entire
system is built with SSP, users shouldn't notice any difference in performance.

The official homepage for ProPolice Smashing Stack Protector is at:\
"Hiroaki Etoh's ProPolice is a modification to the GNU C compiler that places a
random canary between any stack allocated character buffers and the return
pointer [5]. It then validates that the canary has not been dirtied by an
overflowed buffer before the function returns. ProPolice can also reorder local
variables to protect local pointers from being overwritten in a buffer overflow."
Also see:
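The quoted description above is compact; the following is an added example (not code from the hint, from IBM or from Hiroaki Etoh's patch) that models the same check in plain user space so the mechanism can be read and run without a patched compiler. The names frame_t, guarded_copy(), bytes_before_guard() and GUARD_VALUE are this example's own, and the guard is a constructed constant where the real patch reads from erandom/urandom. The frame keeps the guard word directly after the only character buffer, copies input without a length check (the bug class SSP targets), and then performs the epilogue comparison ProPolice emits: only an intact guard lets the function "return".

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define BUF_LEN 8

/* Model of a protected frame: ProPolice places the guard right after the
 * character buffer, so an overrun must hit the guard before it can reach
 * the saved return pointer.  Layout is this example's own. */
typedef struct {
    char     buffer[BUF_LEN];  /* the only character array in the frame */
    uint64_t guard;            /* canary between the buffer and the return pointer */
    uint64_t saved_return;     /* stands in for the real saved return address */
} frame_t;

/* Global guard value.  The real patch fills __guard from erandom/urandom
 * (or gettimeofday() as a last resort); here it is a constructed constant so
 * the example runs offline and deterministically. */
static const uint64_t GUARD_VALUE = 0x5a17c0de9e3bf1adULL;

/* Copy len bytes of src into the frame starting at the buffer, with no
 * bounds check against BUF_LEN: the unsafe strcpy()/sprintf() pattern that
 * SSP is meant to catch.  The copy is clipped to the frame object itself so
 * the model stays within defined behaviour.
 * Returns 1 when the guard is intact (the function may return) and 0 when
 * it was dirtied (the patched epilogue would call __stack_smash_handler,
 * log to syslog and abort instead of returning). */
int guarded_copy(const char *src, size_t len)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    f.guard = GUARD_VALUE;
    f.saved_return = 0x0804a1b2u;          /* arbitrary constructed value */

    if (len > sizeof f)
        len = sizeof f;                    /* keep the model inside the object */
    memcpy((unsigned char *)&f, src, len); /* buffer sits at offset 0 */

    /* Epilogue check, as ProPolice emits it: compare the frame's guard with
     * the global value before trusting the saved return pointer. */
    return f.guard == GUARD_VALUE;
}

/* Number of bytes that can be written before the guard is touched; because
 * the guard directly follows the buffer this is exactly the buffer size. */
size_t bytes_before_guard(void)
{
    return offsetof(frame_t, guard);
}

int main(void)
{
    static const char ok[] = "abc";
    static const char long_in[] = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 bytes, constructed */
    printf("short input: guard %s\n",
           guarded_copy(ok, sizeof ok) ? "intact" : "smashed");
    printf("long input : guard %s\n",
           guarded_copy(long_in, sizeof long_in - 1) ? "intact" : "smashed");
    return 0;
}
```

The model makes two of the quoted properties visible: a write of exactly BUF_LEN bytes leaves the guard untouched, while one more byte already trips the check, which is why the real patch can catch an overflow before the corrupted return pointer is ever used.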

The frandom kernel patch is now required for SSP. It provides the erandom
device and sysctl interface. Using erandom stops a serious entropy depletion
problem while still providing urandom-quality random bytes. Ideally you should
reboot into a frandom kernel before installing SSP, but SSP will build without it.
If the erandom sysctl interface is missing from the system (vanilla kernel)
then /dev/urandom will be used; if /dev/urandom is missing (chroot) then
gettimeofday() will be used. Read this to install frandom:
You will need the header from the frandom patch installed to build glibc.

Smashing Stack Protector

The GCC patch will add -fstack-protector-all, -fstack-protector, and
-fno-stack-protector to GCC extensions for C and C++; and
__guard_setup and __stack_smash_handler are defined in libgcc2.c. This code is
supplied by IBM, I have changed one definition to enable libc functions, and
added "ssp" to the version string.

There have been reports of problems with SSP and 'gcc -O3' with Python. It
may or may not cause problems in other packages with -O3.

If any of these links are broken look for a newer version.

*** All of these patches are in:\
For example: hlfs-patches-20041121.tar.bz2

Note: gcc-3.3 patches apply to gcc-3.3.* too. Likewise with gcc-3.4 patches.\

The Glibc patch will define __guard_setup and __stack_smash_handler in
so the kill function can be kept in a shared object. In the Glibc patch the
erandom device is used to gather a small amount of random bits for the guard
value. /dev/log will also need to be present in chroot for syslog to log stack
overflows. It is recommended that intrusion detection systems monitor the system
logs for these alerts.\
	glibc-2.3.4-ssp_frandom-6.patch # This works for glibc-2.3.3 too.

Optionally if you would like to build some of Glibc's libraries and utilities
with -fstack-protector-all then use this patch. If you get rejected parts try
the other patch.\

The sspspecs patch is deprecated. Use the Perl commands below.

The Linux kernel patch for SSP is deprecated. The kernel has its own overflow
        linux-2.4.27-frandom-2.patch # or

If you are using a kernel before version 2.6.8 the above patch won't work.
A few things changed in 2.6.8; if you are using 2.6.5, for example, use
this patch.

The XFree86 patch disables stack protection for some modules. This patch
works for Xorg and XFree86-4.4 too. \

And for LFS-6\

Official site:

Note: Libsafe is obsolete, you can still use it if you wish.

Libsafe was developed by Avaya Labs to protect against format string
vulnerabilities. Though not widely used it has been widely tested. This
protection can be installed on an already running system, using
to watch applications at runtime for functions which are known to be vulnerable.
This of course only protects dynamically linked applications. There should not
be a noticeable performance decrease, and it also logs to syslog.

We get some errors if we install Libsafe early in the build.
FAIL: g++.dg/expr/anew1.C execution test
FAIL: g++.dg/expr/anew2.C execution test
FAIL: g++.dg/expr/anew3.C execution test
FAIL: g++.dg/expr/anew4.C execution test

FAIL: S-records
FAIL: S-records with constructors

To avoid these errors install Libsafe after GCC in chapter 6. Libsafe is
somewhat obsolete. Most modern software either doesn't use these strings, or
uses them properly. All of the example exploits in exploits/ will fail because
of SSP.


Chapter 5
 - GCC pass 1
No patches.

 - Linux-libc-headers
patch --no-backup-if-mismatch \
	-Np1 -i ../linux-libc-headers-2.6-frandom-2.patch

 - Glibc
patch -Np1 -i ../glibc-2.3.4-ssp_frandom-6.patch # or 2.3.2's patch

 - GCC pass 2
patch -Np1 -i ../gcc-3.4-ssp-3.patch &&
sed -e 's at at' \
        -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c

After make install do this. This will add -fstack-protector-all for C and C++:

cat > << "EOF"
# In the perl replacement $_ is the whole matched line, so "*cc1:" keeps its
# newline and %(cc1_ssp) is prepended to the existing cc1/cc1plus spec.
perl -pi -e 's@\*cc1:\n@$_%(cc1_ssp) @;' \
        $(gcc --print-file specs) &&
perl -pi -e 's@\*cc1plus:\n@$_%(cc1_ssp) @;' \
        $(gcc --print-file specs) &&
echo '*cc1_ssp:
%{!fno-stack-protector*: -fstack-protector-all}
' >> $(gcc --print-file specs)
EOF
install /tools/bin &&

 - Binutils pass 2
Just for the testsuite.
make CFLAGS="-fno-stack-protector" check

Chapter 6
 - Linux-libc-headers
patch --no-backup-if-mismatch \
	-Np1 -i ../linux-libc-headers-2.6-frandom-2.patch

 - Glibc
patch -Np1 -i ../glibc-2.3.4-ssp_frandom-6.patch &&
patch -Np1 -i ../glibc-20050124-fstack_protector-1.patch

Then modify CC. This will let some parts get skipped, but the fstack_protector
patch above will add -fstack-protector-all on most of the utils and libs.

env CC="gcc -fno-stack-protector" ../glibc-20050124/configure...

 - Binutils
make CFLAGS="-fno-stack-protector" check

 - GCC
patch -Np1 -i ../gcc-3.4-ssp-3.patch &&
sed -e 's at at' \
        -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c

make CFLAGS="-fstack-protector-all -O2" CXXFLAGS="-fstack-protector-all -O2"

After make install run the script again to put -fstack-protector-all back in
the specs file:


 - Grub
env CC="gcc -fno-stack-protector" ./configure...

 - GCC 2.95.3
If you are still using gcc2:
patch -Np1 -i ../gcc-2.95.3-ssp-4.patch

Chapter 8
Linux kernel

make mrproper &&

make menuconfig

make CC="gcc -fstack-protector" dep
make CC="gcc -fstack-protector" bzImage

There are a couple of tests in this package which may also be useful here.
There are also tests in the libsafe source.

This will test -fstack-protector-all and will display the __guard value.

cat > test.c << "EOF"
#include <stdio.h>
#include <unistd.h>

/* __guard is the global canary value defined by the SSP patch
   (libgcc2.c, or libc with the Glibc patch). */
extern long __guard[];

/* Deliberately overflows a 7-byte stack buffer; SSP must abort here. */
int overflow(char *test) {
        char buffer[7];
        sprintf(buffer, "12345678901234567890123456789012345678901234567890");
        return 0;
}

int main(int argc, char **argv) {
        printf("__guard\t=\t0x%08lx;\n", __guard[0]);
        overflow(argv[0]);
        printf("This line should never get printed.\n");
        return 0;
}
EOF

gcc -o fail test.c &&
./fail
g++ -o fail++ test.c &&
./fail++

This should display abort signals for each. The __guard value should change
for each runtime. The system syslog daemon should also log each of these.

Should a program on your system ever have a stack overflow you should get
similar messages in your logs and perhaps in the console controlling the


* Thanks to Hiroaki Etoh for providing the SSP patch to IBM
* Thanks to IBM for providing the SSP patch at
* Thanks to OpenBSD for their XFree86 code.
* Thanks to for this
* Thanks to and for this
* Thanks to for kernel patches.
* Thanks to Avaya Labs for Libsafe
* Thanks to Teemu Tervo for nptl hint
* Thanks to cross compiling hint \
* Thanks to for proof of concept tests.
* Thanks to Eli Billauer for the Frandom suite

* Debut
* Reformat hint
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
* Added caveat.
* Fixed URLS.
* Lite edit
* New bugs found.
* GCC 2.95.3 patches made.
* XFree86-4.3.0 patch made.
* Hint is now Beta - Need more feedback.
* Edit
* Reformatted patches.
* Reformat patches.
* Update/edit hint.
* Add new example tests.
* Reformat patches.
* Add homepage/mirror url.
* Small edit.
* Added Glibc and kernel patches.
* Rewrote install procedure.
* Try to be more informative.
* Removed Gentoo property.
* Added Libsafe.
* Added Pax.
* Added new versions of binutils and glibc.
* Added GCC PIE.
* Rename filename to winter.txt.
* Do not use "Enforce non-executable pages"
* Spell check.
* Fixed URL.
* Added LOPTS to Net-tools.
* Added LDFLAGS to Perl.
* More cflags.
* New tests.
* Renamed hint back to propolice.txt.
* Added back Gentoo property as optional.
* Added HCC
* Cleanup
* Update urls
* Convert propolice to ssp
* Update gcc-3.3.3 and linux-2.6.2 ssp patches
* Update linux-2.6.3 patch and hgcc url
* Add sspspecs patch. Update.
* Added entropy.txt link for erandom.
* Fix more/again for erandom.
* Update some patches.
* New patches.
* Added guard-test.c
* New patches
* Do not use -O3 or -O4
* Use CFLAGS="-O2" for Perl chapter 6.
* Remove frandom mktemp patch.
* Add note about arc4random.
* Update patches, new define for SYSCTL_ERANDOM.
* Fix typos
* Add new Glibc patches with stderr overflow messages.
* Fixed sspspecs patches so they actually work with g++.
* New glibc patches.
* Added note about using 2.6.7 frandom patch for older kernels.
* XFree86 patch works with Xorg too.
* -O3 optimizations are fine.
* Added -O2 to Grub's CFLAGS.
* Updated for LFS-6.0.
* Removed sspspecs patches, replaced with Perl command/script.
* Removed obsolete kernel patch.
* Added sed command for version.c.
* Added fstack_protector patch to Glibc in chapter 6.
* Add note for -O3 and Python.
* Fixed misspellings.
* Added --no-backup-if-mismatch to patch command.
