[OpenWrt-Devel] Hardening Issues / Revert r46146 ?

Dirk Neukirchen dirkneukirchen at web.de
Wed Jul 8 05:37:22 EDT 2015


On 08.07.2015 09:41, Steven Barth wrote:
> The reason for the commit was that supporting hardening such as SSP
> across 3 libcs is a PITA to maintain. I'm fine if someone comes up
> with a patch that would fix it, though.
> 
> In general, you suggest to always enable UCLIBC's SSP options and get
> rid of GCC's libssp?
> 

If I read the documents correctly, libssp will be "empty" because
glibc and uclibc both contain the symbols for SSP in libc.so/ldso
(by default (?) in glibc, if enabled in the uclibc case).
This has been so since around 2005/2006.

Most normal software should link/use that glibc/uclibc implementation in the OpenWrt environment.

Since libssp is empty, the libssp switch should have no effect on building binaries,
because gcc decides what to link against in both cases of "--disable/enable-libssp"
("If your libc does not provide SSP, then libssp will be linked automatically.").

So we only need libssp when:
- using a libc without SSP that requires libssp from gcc (dietlibc)
- we disable the SSP features that are in uclibc/glibc
- software not linked against libc (?, example: grub2 upstream disables ssp)

The main issues are probably bad __FLAGS handling when cross compiling, and
most of these issues are/should be already fixed by upstream, other hardened distros
or variants of these.


> 
> Cheers,
> 
> Steven
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
> 
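One way to check the claim above on a built binary, as an added example that is not part of the original message: classify whether a dynamically linked ELF file uses SSP and whether it pulls in gcc's libssp or relies on libc. The function names and the sample `readelf` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide where a binary's SSP symbols
# come from, using `readelf -d` (NEEDED entries) and `readelf -W --dyn-syms`
# (undefined dynamic symbols). readelf works on foreign-arch ELF files,
# which suits cross-compiled OpenWrt binaries.

# ssp_provider DYNAMIC_TEXT DYNSYM_TEXT -> prints none | libssp | libc | unknown
ssp_provider() {
    dyn=$1
    syms=$2
    # Code built with -fstack-protector* carries an undefined reference to
    # __stack_chk_fail (some targets also reference __stack_chk_guard).
    if ! printf '%s\n' "$syms" |
        grep -Eq '[[:space:]]UND[[:space:]]+__stack_chk_(fail|guard)'; then
        echo none      # no SSP reference visible in .dynsym
        return 0
    fi
    # gcc's libssp was linked in: the libc did not provide the symbols.
    if printf '%s\n' "$dyn" | grep -Eq '\(NEEDED\).*\[libssp\.so'; then
        echo libssp
        return 0
    fi
    # Otherwise the reference has to be satisfied by the C library.
    if printf '%s\n' "$dyn" | grep -Eq '\(NEEDED\).*\[libc\.so'; then
        echo libc
        return 0
    fi
    echo unknown       # static binary, or not linked against a libc
}

# Convenience wrapper for a real file; requires binutils on the build host.
ssp_check_file() {
    ssp_provider "$(readelf -d "$1" 2>/dev/null)" \
                 "$(readelf -W --dyn-syms "$1" 2>/dev/null)"
}

# Constructed sample input in readelf's output layout.
SAMPLE_DYN_LIBC=' 0x00000001 (NEEDED)                     Shared library: [libc.so.0]'
SAMPLE_DYN_LIBSSP=' 0x00000001 (NEEDED)                     Shared library: [libssp.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.0]'
SAMPLE_SYMS_SSP='     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf'
SAMPLE_SYMS_PLAIN='     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf'
```

Running `ssp_check_file` over every executable in a built root filesystem shows at a glance which packages were built without SSP (`none`) and whether any still depend on libssp.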