commit:     86ac5c16e3149458710b691e1cad81c50be8d661
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 30 16:26:38 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jul 30 16:42:29 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86ac5c16

sys-devel/binutils: add various hardening options to 2.41

Newer Binutils has several configure arguments we can use:
* --enable-textrel-check={warning,error}
* --enable-warn-execstack=yes (*)
* --enable-warn-rwx-segments=yes (*)
* --enable-default-execstack=no

We chuck these in now unconditionally (with some stricter changes for USE=hardened,
as described below) except for those marked with (*) where we whitelist certain
arches (amd64/arm64/x86 for now) because the autoconf logic is broken, see
https://sourceware.org/bugzilla/show_bug.cgi?id=29592 (it both needs --enable...=no
rather than --disable, but it also breaks arches where executable stacks are
unavoidable.)

In the past (see 47b8db23ff55dd29992198dfbadda53984a4ab2d, e4b8746852919960969944904c59334cecddfe25
in binutils-patches.git), we patched Binutils to always warn on textrels
(opt-out on a per-build basis with '--no-warn-shared-textrel'). From >= Binutils 2.35,
upstream has a '--enable-textrel-check=warning' configure option we use.

For USE=hardened, our new changes for TEXTRELs are equivalent to `-z text`
which make TEXTRELs fatal.

Now, while at it, also make TEXTRELs fatal on musl unconditionally because
musl doesn't support them and they explode at runtime. Yet another reason
to get rid of them entirely.

So, in summary, there are several changes here:
* Make textrels fatal for USE=hardened (we've warned about them for a while
  on all profiles)
* Make textrels fatal for musl (they don't work there at all, bug #707660)
* Disable implicit/automatic executable stacks for USE=hardened (plan to do this
  in general later on)
* Warn on executable stacks in general
* Warn on RWX segments in general

See also https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments
for more information.

All of this came to mind again after reading the Qualys writeup for the recent
OpenSSH bug (bug #910553): 
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.

(Note their use of various gadgets involving these.)

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29592
Bug: https://bugs.gentoo.org/707660
Bug: https://bugs.gentoo.org/869881
Bug: https://bugs.gentoo.org/871150
Bug: https://bugs.gentoo.org/910553
Signed-off-by: Sam James <sam <AT> gentoo.org>
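The three properties these configure options make the linker warn about or reject are all visible in the finished ELF: a DT_TEXTREL tag (or DF_TEXTREL in DT_FLAGS) in the dynamic section, a PT_GNU_STACK program header that is executable or missing altogether (the implicit executable stack that --enable-default-execstack=no is about), and a PT_LOAD segment mapped read-write-execute. The following is an added example, not part of this commit or of the Gentoo ebuild: a small Python checker for little-endian ELF64 images, plus a builder that constructs sample images in memory so the checker can be exercised offline. The `build_sample_elf` helper, the flag combinations it emits and the `check_elf64` result layout are assumptions of this example, not anything from the page.

```python
"""Check an ELF64 image for what a hardened binutils rejects at link time:
TEXTRELs, executable (or implicit) stacks and RWX segments.
Added example, not code from the Gentoo ebuild; the sample ELF images
below are constructed in memory and are not taken from any real binary."""
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_STACK = 1, 2, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4
RWX = PF_R | PF_W | PF_X

EHDR = "<HHIQQQIHHHHHH"  # ELF64 header fields that follow e_ident
PHDR = "<IIQQQQQQ"       # ELF64 program header (56 bytes)
DYN = "<qQ"              # ELF64 dynamic entry (16 bytes)


def check_elf64(data):
    """Return which hardening properties the image violates."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (_type, _mach, _ver, _entry, phoff, _shoff, _flags, _ehsize,
     phentsize, phnum, *_rest) = struct.unpack_from(EHDR, data, 16)
    findings = {"execstack": False, "rwx_segment": False, "textrel": False}
    gnu_stack_seen = False
    for i in range(phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, *_ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_seen = True
            if p_flags & PF_X:
                findings["execstack"] = True
        elif p_type == PT_LOAD and (p_flags & RWX) == RWX:
            findings["rwx_segment"] = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section until DT_NULL, looking for TEXTREL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from(DYN, data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    findings["textrel"] = True
    # No PT_GNU_STACK at all means the loader falls back to its default,
    # which on most arches is an executable stack: the implicit case that
    # --enable-default-execstack=no stops the linker from producing.
    if not gnu_stack_seen:
        findings["execstack"] = True
    return findings


def build_sample_elf(stack_flags=PF_R | PF_W, load_flags=PF_R | PF_X,
                     textrel=False, emit_gnu_stack=True):
    """Construct a minimal ET_DYN ELF64 image (constructed sample, not a real binary)."""
    dyn = struct.pack(DYN, DT_TEXTREL, 0) if textrel else b""
    dyn += struct.pack(DYN, DT_NULL, 0)
    phdrs = [(PT_LOAD, load_flags), (PT_DYNAMIC, PF_R | PF_W)]
    if emit_gnu_stack:
        phdrs.append((PT_GNU_STACK, stack_flags))
    phoff = 64
    dyn_off = phoff + 56 * len(phdrs)
    header = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    header += struct.pack(EHDR, 3, 62, 1, 0, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b""
    for p_type, p_flags in phdrs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        body += struct.pack(PHDR, p_type, p_flags, off, off, off, size, size, 8)
    return header + body + dyn


if __name__ == "__main__":
    samples = {
        "clean": build_sample_elf(),
        "textrel+execstack+rwx": build_sample_elf(RWX, RWX, textrel=True),
        "no PT_GNU_STACK": build_sample_elf(emit_gnu_stack=False),
    }
    for name, image in samples.items():
        print(f"{name}: {check_elf64(image)}")
```

On a real file, `readelf -lW` shows the same program headers (including the GNU_STACK flags) and `readelf -d` the same dynamic tags that the checker reads; the point of the in-memory builder is only to have known-good and known-bad inputs without shipping binaries.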

 sys-devel/binutils/binutils-2.41.ebuild | 43 +++++++++++++++++++++++-------
 sys-devel/binutils/binutils-9999.ebuild | 47 ++++++++++++++++++++++++---------
 2 files changed, 68 insertions(+), 22 deletions(-)

diff --git a/sys-devel/binutils/binutils-2.41.ebuild 
b/sys-devel/binutils/binutils-2.41.ebuild
index 3e6b9da5d246..143d9cf7857b 100644
--- a/sys-devel/binutils/binutils-2.41.ebuild
+++ b/sys-devel/binutils/binutils-2.41.ebuild
@@ -9,7 +9,7 @@ DESCRIPTION="Tools necessary to build programs"
 HOMEPAGE="https://sourceware.org/binutils/";
 
 LICENSE="GPL-3+"
-IUSE="cet debuginfod doc gold gprofng multitarget +nls pgo +plugins 
static-libs test vanilla zstd"
+IUSE="cet debuginfod doc gold gprofng hardened multitarget +nls pgo +plugins 
static-libs test vanilla zstd"
 
 # Variables that can be set here  (ignored for live ebuilds)
 # PATCH_VER          - the patchset version
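Review bot: the `hardened` flag added to IUSE changes what the built linker accepts (TEXTRELs become link errors and implicit executable stacks are switched off), which users will first notice as failed links in unrelated packages; the local USE flag needs a metadata.xml description that spells out exactly those two effects, and the commit message would be a good place to name them as the documented meaning of the flag for this package.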
@@ -258,15 +258,7 @@ src_configure() {
                # Newer versions (>=2.24) make this an explicit option, bug 
#497268
                --enable-install-libiberty
                # Available from 2.35 on
-               --enable-textrel-check=warning
-
-               # These hardening options are available from 2.39+ but
-               # they unconditionally enable the behaviour even on arches
-               # where e.g. execstacks can't be avoided.
-               # See https://sourceware.org/bugzilla/show_bug.cgi?id=29592.
-               #--enable-warn-execstack
-               #--enable-warn-rwx-segments
-               #--disable-default-execstack (or is it 
--enable-default-execstack=no? docs are confusing)
+               --enable-textrel-check=$(usex hardened error warning)
 
                # Things to think about
                #--enable-deterministic-archives
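Review bot: the `# Available from 2.35 on` comment left above `--enable-textrel-check=$(usex hardened error warning)` no longer tells a reader that USE=hardened turns the warning into a hard link failure; extend it to something like `# Available from 2.35 on; 'error' (equivalent to -z text) for USE=hardened` so the behaviour change is documented next to the option rather than only in the commit message.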
@@ -309,6 +301,37 @@ src_configure() {
                $(use_enable gprofng)
        )
 
+       if use amd64 || use arm64 || use x86 ; then
+               # These hardening options are available from 2.39+ but
+               # they unconditionally enable the behaviour even on arches
+               # where e.g. execstacks can't be avoided.
+               # See https://sourceware.org/bugzilla/show_bug.cgi?id=29592.
+               #
+               # TODO: Get the logic for this fixed upstream so it doesn't
+               # create impossible broken combinations on some arches, like 
mips.
+               #
+               # TODO: Get the logic for this fixed upstream so --disable-* 
works
+               # as expected.
+               myconf+=(
+                       --enable-warn-execstack=yes
+                       --enable-warn-rwx-segments=yes
+               )
+
+               if use hardened ; then
+                       myconf+=(
+                               --enable-default-execstack=no
+                       )
+               fi
+       fi
+
+       if use elibc_musl ; then
+               # Override our earlier setting for musl, as textrels don't
+               # work there at all. See bug #707660.
+               myconf+=(
+                       --enable-textrel-check=error
+               )
+       fi
+
        if ! is_cross ; then
                myconf+=( $(use_enable pgo pgo-build lto) )
 
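Review bot: the whitelist `if use amd64 || use arm64 || use x86 ; then` tests the host profile's arch flags, not the target the linker is being built for, so a cross build (the `is_cross` case right below this block) or a USE=multitarget build on an amd64 host still passes `--enable-warn-execstack=yes` and `--enable-warn-rwx-segments=yes` for a mips target, which is exactly the broken combination the TODO comment describes; gate the block on the target triplet (CTARGET) instead, or at least skip it when `is_cross`. Separately, the musl branch appends a second `--enable-textrel-check=error` after the `$(usex hardened error warning)` already in `myconf`, relying on the last occurrence winning in configure; computing the value once, e.g. `--enable-textrel-check=$(usex hardened error $(usex elibc_musl error warning))`, avoids the duplicate option and makes the precedence explicit.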

diff --git a/sys-devel/binutils/binutils-9999.ebuild 
b/sys-devel/binutils/binutils-9999.ebuild
index ce9b9958cd11..143d9cf7857b 100644
--- a/sys-devel/binutils/binutils-9999.ebuild
+++ b/sys-devel/binutils/binutils-9999.ebuild
@@ -9,7 +9,7 @@ DESCRIPTION="Tools necessary to build programs"
 HOMEPAGE="https://sourceware.org/binutils/";
 
 LICENSE="GPL-3+"
-IUSE="cet debuginfod doc gold gprofng multitarget +nls pgo +plugins 
static-libs test vanilla zstd"
+IUSE="cet debuginfod doc gold gprofng hardened multitarget +nls pgo +plugins 
static-libs test vanilla zstd"
 
 # Variables that can be set here  (ignored for live ebuilds)
 # PATCH_VER          - the patchset version
@@ -19,7 +19,7 @@ IUSE="cet debuginfod doc gold gprofng multitarget +nls pgo 
+plugins static-libs
 # PATCH_DEV          - Use download URI 
https://dev.gentoo.org/~{PATCH_DEV}/distfiles/...
 #                      for the patchsets
 
-PATCH_VER=2
+PATCH_VER=1
 PATCH_DEV=dilfridge
 
 if [[ ${PV} == 9999* ]]; then
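Review bot: the `PATCH_VER=2` to `PATCH_VER=1` change is unrelated to the hardening options described in the commit message; the comment at the top of this block says the variable is ignored for live ebuilds, so it is harmless here, but an unexplained downgrade in a diff invites a later "fix", so either leave the value alone or state in the message that binutils-9999.ebuild is being resynced with binutils-2.41.ebuild (both index lines end at blob 143d9cf7857b, so the two files are now identical).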
@@ -32,7 +32,7 @@ else
        [[ -z ${PATCH_VER} ]] || SRC_URI="${SRC_URI}
                
https://dev.gentoo.org/~${PATCH_DEV}/distfiles/binutils-${PATCH_BINUTILS_VER}-patches-${PATCH_VER}.tar.xz";
        SLOT=$(ver_cut 1-2)
-       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86"
+       #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips 
~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 fi
 
 #
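Review bot: commenting out `KEYWORDS` in a live ebuild is conventional, but like the PATCH_VER hunk above it is an unmentioned side effect of copying binutils-2.41.ebuild over binutils-9999.ebuild rather than part of the hardening change; a one-line "also resync 9999 with 2.41" in the commit message would make that intent visible to anyone reading the log later.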
@@ -258,15 +258,7 @@ src_configure() {
                # Newer versions (>=2.24) make this an explicit option, bug 
#497268
                --enable-install-libiberty
                # Available from 2.35 on
-               --enable-textrel-check=warning
-
-               # These hardening options are available from 2.39+ but
-               # they unconditionally enable the behaviour even on arches
-               # where e.g. execstacks can't be avoided.
-               # See https://sourceware.org/bugzilla/show_bug.cgi?id=29592.
-               #--enable-warn-execstack
-               #--enable-warn-rwx-segments
-               #--disable-default-execstack (or is it 
--enable-default-execstack=no? docs are confusing)
+               --enable-textrel-check=$(usex hardened error warning)
 
                # Things to think about
                #--enable-deterministic-archives
@@ -309,6 +301,37 @@ src_configure() {
                $(use_enable gprofng)
        )
 
+       if use amd64 || use arm64 || use x86 ; then
+               # These hardening options are available from 2.39+ but
+               # they unconditionally enable the behaviour even on arches
+               # where e.g. execstacks can't be avoided.
+               # See https://sourceware.org/bugzilla/show_bug.cgi?id=29592.
+               #
+               # TODO: Get the logic for this fixed upstream so it doesn't
+               # create impossible broken combinations on some arches, like 
mips.
+               #
+               # TODO: Get the logic for this fixed upstream so --disable-* 
works
+               # as expected.
+               myconf+=(
+                       --enable-warn-execstack=yes
+                       --enable-warn-rwx-segments=yes
+               )
+
+               if use hardened ; then
+                       myconf+=(
+                               --enable-default-execstack=no
+                       )
+               fi
+       fi
+
+       if use elibc_musl ; then
+               # Override our earlier setting for musl, as textrels don't
+               # work there at all. See bug #707660.
+               myconf+=(
+                       --enable-textrel-check=error
+               )
+       fi
+
        if ! is_cross ; then
                myconf+=( $(use_enable pgo pgo-build lto) )
 
