diff options
| author |   Mike Frysinger <vapier@gentoo.org> | 2007-11-11 20:12:38 +0000 |
|---|---|---|
| committer | Mike Frysinger <vapier@gentoo.org> | 2007-11-11 20:12:38 +0000 |
| commit | 96eaca19ad6009104d2bf9c85f364530954e6489 (patch) | |
| tree | fac5fff5b8ef119e6f6a886636ba902068142342 | |
| parent | alpha/ia64/sparc stable wrt #198578 (diff) | |
| download | gentoo-2-96eaca19ad6009104d2bf9c85f364530954e6489.tar.gz gentoo-2-96eaca19ad6009104d2bf9c85f364530954e6489.tar.bz2 gentoo-2-96eaca19ad6009104d2bf9c85f364530954e6489.zip | |
Move hardened stuff back to each ebuild (since that is how we are tracking it) and add support for pre/post eblit hooks. Also fixup hardened patch to apply #198335.
(Portage version: 2.1.3.19)
| -rw-r--r-- | sys-libs/glibc/ChangeLog | 9 | ||||
| -rw-r--r-- | sys-libs/glibc/files/2.7/glibc-2.7-hardened-inittls-nosysenter.patch | 273 | ||||
| -rw-r--r-- | sys-libs/glibc/files/eblits/src_unpack.eblit | 30 | ||||
| -rw-r--r-- | sys-libs/glibc/glibc-2.6.1.ebuild | 40 | ||||
| -rw-r--r-- | sys-libs/glibc/glibc-2.7.ebuild | 40 |
5 files changed, 360 insertions, 32 deletions
diff --git a/sys-libs/glibc/ChangeLog b/sys-libs/glibc/ChangeLog index 5e05ab40cc17..897666c0615a 100644 --- a/sys-libs/glibc/ChangeLog +++ b/sys-libs/glibc/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-libs/glibc # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/ChangeLog,v 1.563 2007/11/10 14:40:55 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/ChangeLog,v 1.564 2007/11/11 20:12:37 vapier Exp $ + + 11 Nov 2007; Mike Frysinger <vapier@gentoo.org> + +files/2.7/glibc-2.7-hardened-inittls-nosysenter.patch, + files/eblits/src_unpack.eblit, glibc-2.6.1.ebuild, glibc-2.7.ebuild: + Move hardened stuff back to each ebuild (since that is how we are tracking + it) and add support for pre/post eblit hooks. Also fixup hardened patch to + apply #198335. 10 Nov 2007; Mike Frysinger <vapier@gentoo.org> glibc-2.6.ebuild, glibc-2.6.1.ebuild, glibc-2.7.ebuild: diff --git a/sys-libs/glibc/files/2.7/glibc-2.7-hardened-inittls-nosysenter.patch b/sys-libs/glibc/files/2.7/glibc-2.7-hardened-inittls-nosysenter.patch new file mode 100644 index 000000000000..ecf57a911b0f --- /dev/null +++ b/sys-libs/glibc/files/2.7/glibc-2.7-hardened-inittls-nosysenter.patch @@ -0,0 +1,273 @@ +When building glibc PIE (which is not something upstream support), +several modifications are necessary to the glibc build process. + +First, any syscalls in PIEs must be of the PIC variant, otherwise +textrels ensue. Then, any syscalls made before the initialisation +of the TLS will fail on i386, as the sysenter variant on i386 uses +the TLS, giving rise to a chicken-and-egg situation. This patch +defines a PIC syscall variant that doesn't use sysenter, even when the sysenter +version is normally used, and uses the non-sysenter version for the brk +syscall that is performed by the TLS initialisation. Further, the TLS +initialisation is moved in this case prior to the initialisation of +dl_osversion, as that requires further syscalls. + +csu/libc-start.c: Move initial TLS initialization to before the +initialisation of dl_osversion, when INTERNAL_SYSCALL_NOSYSENTER is defined + +csu/libc-tls.c: Use the no-sysenter version of sbrk when +INTERNAL_SYSCALL_NOSYSENTER is defined. + +misc/sbrk.c: Define a no-sysenter version of sbrk, using the no-sysenter +version of brk - if INTERNAL_SYSCALL_NOSYSENTER is defined. + +misc/brk.c: Define a no-sysenter version of brk if +INTERNAL_SYSCALL_NOSYSENTER is defined. + +sysdeps/unix/sysv/linux/i386/sysdep.h: Define INTERNAL_SYSCALL_NOSYSENTER +Make INTERNAL_SYSCALL always use the PIC variant, even if not SHARED. + +Patch by Kevin F. Quinn <kevquinn@gentoo.org> + +--- csu/libc-start.c ++++ csu/libc-start.c +@@ -28,6 +28,7 @@ + extern int __libc_multiple_libcs; + + #include <tls.h> ++#include <sysdep.h> + #ifndef SHARED + # include <dl-osinfo.h> + extern void __pthread_initialize_minimal (void); +@@ -129,6 +130,11 @@ + # endif + _dl_aux_init (auxvec); + # endif ++# ifdef INTERNAL_SYSCALL_NOSYSENTER ++ /* Do the initial TLS initialization before _dl_osversion, ++ since the latter uses the uname syscall. */ ++ __pthread_initialize_minimal (); ++# endif + # ifdef DL_SYSDEP_OSCHECK + if (!__libc_multiple_libcs) + { +@@ -138,10 +144,12 @@ + } + # endif + ++# ifndef INTERNAL_SYSCALL_NOSYSENTER + /* Initialize the thread library at least a bit since the libgcc + functions are using thread functions if these are available and + we need to setup errno. */ + __pthread_initialize_minimal (); ++# endif + + /* Set up the stack checker's canary. */ + uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (); +--- csu/libc-tls.c ++++ csu/libc-tls.c +@@ -23,6 +23,7 @@ + #include <unistd.h> + #include <stdio.h> + #include <sys/param.h> ++#include <sysdep.h> + + + #ifdef SHARED +@@ -29,6 +30,9 @@ + #error makefile bug, this file is for static only + #endif + ++#ifdef INTERNAL_SYSCALL_NOSYSENTER ++extern void *__sbrk_nosysenter (intptr_t __delta); ++#endif + extern ElfW(Phdr) *_dl_phdr; + extern size_t _dl_phnum; + +@@ -141,14 +145,26 @@ + + The initialized value of _dl_tls_static_size is provided by dl-open.c + to request some surplus that permits dynamic loading of modules with +- IE-model TLS. */ ++ IE-model TLS. ++ ++ Where the normal sbrk would use a syscall that needs the TLS (i386) ++ use the special non-sysenter version instead. */ + #if TLS_TCB_AT_TP + tcb_offset = roundup (memsz + GL(dl_tls_static_size), tcbalign); ++# ifdef INTERNAL_SYSCALL_NOSYSENTER ++ tlsblock = __sbrk_nosysenter (tcb_offset + tcbsize + max_align); ++# else + tlsblock = __sbrk (tcb_offset + tcbsize + max_align); ++# endif + #elif TLS_DTV_AT_TP + tcb_offset = roundup (tcbsize, align ?: 1); ++# ifdef INTERNAL_SYSCALL_NOSYSENTER ++ tlsblock = __sbrk_nosysenter (tcb_offset + memsz + max_align ++ + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size)); ++# else + tlsblock = __sbrk (tcb_offset + memsz + max_align + + TLS_PRE_TCB_SIZE + GL(dl_tls_static_size)); ++# endif + tlsblock += TLS_PRE_TCB_SIZE; + #else + /* In case a model with a different layout for the TCB and DTV +--- misc/sbrk.c ++++ misc/sbrk.c +@@ -18,6 +18,7 @@ + + #include <unistd.h> + #include <errno.h> ++#include <sysdep.h> + + /* Defined in brk.c. */ + extern void *__curbrk; +@@ -29,6 +30,35 @@ + /* Extend the process's data space by INCREMENT. + If INCREMENT is negative, shrink data space by - INCREMENT. + Return start of new space allocated, or -1 for errors. */ ++#ifdef INTERNAL_SYSCALL_NOSYSENTER ++/* This version is used by csu/libc-tls.c whem initialising the TLS ++ if the SYSENTER version requires the TLS (which it does on i386). ++ Obviously using the TLS before it is initialised is broken. */ ++extern int __brk_nosysenter (void *addr); ++void * ++__sbrk_nosysenter (intptr_t increment) ++{ ++ void *oldbrk; ++ ++ /* If this is not part of the dynamic library or the library is used ++ via dynamic loading in a statically linked program update ++ __curbrk from the kernel's brk value. That way two separate ++ instances of __brk and __sbrk can share the heap, returning ++ interleaved pieces of it. */ ++ if (__curbrk == NULL || __libc_multiple_libcs) ++ if (__brk_nosysenter (0) < 0) /* Initialize the break. */ ++ return (void *) -1; ++ ++ if (increment == 0) ++ return __curbrk; ++ ++ oldbrk = __curbrk; ++ if (__brk_nosysenter (oldbrk + increment) < 0) ++ return (void *) -1; ++ ++ return oldbrk; ++} ++#endif + void * + __sbrk (intptr_t increment) + { +--- sysdeps/unix/sysv/linux/i386/brk.c ++++ sysdeps/unix/sysv/linux/i386/brk.c +@@ -31,6 +31,30 @@ + linker. */ + weak_alias (__curbrk, ___brk_addr) + ++#ifdef INTERNAL_SYSCALL_NOSYSENTER ++/* This version is used by csu/libc-tls.c whem initialising the TLS ++ * if the SYSENTER version requires the TLS (which it does on i386). ++ * Obviously using the TLS before it is initialised is broken. */ ++int ++__brk_nosysenter (void *addr) ++{ ++ void *__unbounded newbrk; ++ ++ INTERNAL_SYSCALL_DECL (err); ++ newbrk = (void *__unbounded) INTERNAL_SYSCALL_NOSYSENTER (brk, err, 1, ++ __ptrvalue (addr)); ++ ++ __curbrk = newbrk; ++ ++ if (newbrk < addr) ++ { ++ __set_errno (ENOMEM); ++ return -1; ++ } ++ ++ return 0; ++} ++#endif + int + __brk (void *addr) + { +--- sysdeps/unix/sysv/linux/i386/sysdep.h ++++ sysdeps/unix/sysv/linux/i386/sysdep.h +@@ -187,7 +187,7 @@ + /* The original calling convention for system calls on Linux/i386 is + to use int $0x80. */ + #ifdef I386_USE_SYSENTER +-# ifdef SHARED ++# if defined SHARED || defined __PIC__ + # define ENTER_KERNEL call *%gs:SYSINFO_OFFSET + # else + # define ENTER_KERNEL call *_dl_sysinfo +@@ -358,7 +358,7 @@ + possible to use more than four parameters. */ + #undef INTERNAL_SYSCALL + #ifdef I386_USE_SYSENTER +-# ifdef SHARED ++# if defined SHARED || defined __PIC__ + # define INTERNAL_SYSCALL(name, err, nr, args...) \ + ({ \ + register unsigned int resultvar; \ +@@ -384,6 +384,18 @@ + : "0" (name), "i" (offsetof (tcbhead_t, sysinfo)) \ + ASMFMT_##nr(args) : "memory", "cc"); \ + (int) resultvar; }) ++# define INTERNAL_SYSCALL_NOSYSENTER(name, err, nr, args...) \ ++ ({ \ ++ register unsigned int resultvar; \ ++ EXTRAVAR_##nr \ ++ asm volatile ( \ ++ LOADARGS_NOSYSENTER_##nr \ ++ "movl %1, %%eax\n\t" \ ++ "int $0x80\n\t" \ ++ RESTOREARGS_NOSYSENTER_##nr \ ++ : "=a" (resultvar) \ ++ : "i" (__NR_##name) ASMFMT_##nr(args) : "memory", "cc"); \ ++ (int) resultvar; }) + # else + # define INTERNAL_SYSCALL(name, err, nr, args...) \ + ({ \ +@@ -447,12 +459,20 @@ + + #define LOADARGS_0 + #ifdef __PIC__ +-# if defined I386_USE_SYSENTER && defined SHARED ++# if defined I386_USE_SYSENTER && ( defined SHARED || defined __PIC__ ) + # define LOADARGS_1 \ + "bpushl .L__X'%k3, %k3\n\t" + # define LOADARGS_5 \ + "movl %%ebx, %4\n\t" \ + "movl %3, %%ebx\n\t" ++# define LOADARGS_NOSYSENTER_1 \ ++ "bpushl .L__X'%k2, %k2\n\t" ++# define LOADARGS_NOSYSENTER_2 LOADARGS_NOSYSENTER_1 ++# define LOADARGS_NOSYSENTER_3 LOADARGS_3 ++# define LOADARGS_NOSYSENTER_4 LOADARGS_3 ++# define LOADARGS_NOSYSENTER_5 \ ++ "movl %%ebx, %3\n\t" \ ++ "movl %2, %%ebx\n\t" + # else + # define LOADARGS_1 \ + "bpushl .L__X'%k2, %k2\n\t" +@@ -474,11 +495,18 @@ + + #define RESTOREARGS_0 + #ifdef __PIC__ +-# if defined I386_USE_SYSENTER && defined SHARED ++# if defined I386_USE_SYSENTER && ( defined SHARED || defined __PIC__ ) + # define RESTOREARGS_1 \ + "bpopl .L__X'%k3, %k3\n\t" + # define RESTOREARGS_5 \ + "movl %4, %%ebx" ++# define RESTOREARGS_NOSYSENTER_1 \ ++ "bpopl .L__X'%k2, %k2\n\t" ++# define RESTOREARGS_NOSYSENTER_2 RESTOREARGS_NOSYSENTER_1 ++# define RESTOREARGS_NOSYSENTER_3 RESTOREARGS_3 ++# define RESTOREARGS_NOSYSENTER_4 RESTOREARGS_3 ++# define RESTOREARGS_NOSYSENTER_5 \ ++ "movl %3, %%ebx" + # else + # define RESTOREARGS_1 \ + "bpopl .L__X'%k2, %k2\n\t" diff --git a/sys-libs/glibc/files/eblits/src_unpack.eblit b/sys-libs/glibc/files/eblits/src_unpack.eblit index 67c3bdd1473f..d27345fcb51f 100644 --- a/sys-libs/glibc/files/eblits/src_unpack.eblit +++ b/sys-libs/glibc/files/eblits/src_unpack.eblit @@ -1,6 +1,6 @@ # Copyright 1999-2007 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_unpack.eblit,v 1.3 2007/11/10 04:07:21 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_unpack.eblit,v 1.4 2007/11/11 20:12:38 vapier Exp $ check_kheader_version() { local version=$( @@ -108,34 +108,6 @@ toolchain-glibc_src_unpack() { echo "Gentoo patchset ${PATCH_VER}" > csu/Banner fi - if use hardened ; then - cd "${S}" - einfo "Patching to get working PIE binaries on PIE (hardened) platforms" - gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch - epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch - epatch "${FILESDIR}"/2.6/glibc-2.6-hardened-inittls-nosysenter.patch - - einfo "Installing Hardened Gentoo SSP handler" - cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ - debug/stack_chk_fail.c || die - - if use debug ; then - # When using Hardened Gentoo stack handler, have smashes dump core for - # analysis - debug only, as core could be an information leak - # (paranoia). - sed -i \ - -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ - debug/Makefile \ - || die "Failed to modify debug/Makefile for debug stack handler" - fi - - # Build nscd with ssp-all - sed -i \ - -e 's:-fstack-protector$:-fstack-protector-all:' \ - nscd/Makefile \ - || die "Failed to ensure nscd builds with ssp-all" - fi - gnuconfig_update } diff --git a/sys-libs/glibc/glibc-2.6.1.ebuild b/sys-libs/glibc/glibc-2.6.1.ebuild index 6bcdcad150db..504eb1ee1e99 100644 --- a/sys-libs/glibc/glibc-2.6.1.ebuild +++ b/sys-libs/glibc/glibc-2.6.1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2007 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.6.1.ebuild,v 1.15 2007/11/10 14:40:55 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.6.1.ebuild,v 1.16 2007/11/11 20:12:37 vapier Exp $ inherit eutils versionator libtool toolchain-funcs flag-o-matic gnuconfig multilib @@ -135,12 +135,20 @@ eblit-include() { die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" } +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + # eblit-run <function> [version] # aka: src_unpack() { eblit-run src_unpack ; } eblit-run() { eblit-include --skip common "${*:2}" eblit-include "$@" + eblit-run-maybe eblit-$1-pre eblit-${PN}-$1 || die + eblit-run-maybe eblit-$1-post } src_unpack() { eblit-run src_unpack ; } @@ -148,6 +156,36 @@ src_compile() { eblit-run src_compile ; } src_test() { eblit-run src_test ; } src_install() { eblit-run src_install ; } +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch + epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.6/glibc-2.6-hardened-inittls-nosysenter.patch + + einfo "Installing Hardened Gentoo SSP handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} + pkg_setup() { # prevent native builds from downgrading ... maybe update to allow people # to change between diff -r versions ? (2.3.6-r4 -> 2.3.6-r2) diff --git a/sys-libs/glibc/glibc-2.7.ebuild b/sys-libs/glibc/glibc-2.7.ebuild index d35be58b0130..29c2fc891f4f 100644 --- a/sys-libs/glibc/glibc-2.7.ebuild +++ b/sys-libs/glibc/glibc-2.7.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2007 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.7.ebuild,v 1.7 2007/11/10 14:40:55 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.7.ebuild,v 1.8 2007/11/11 20:12:37 vapier Exp $ inherit eutils versionator libtool toolchain-funcs flag-o-matic gnuconfig multilib @@ -136,12 +136,20 @@ eblit-include() { die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/" } +# eblit-run-maybe <function> +# run the specified function if it is defined +eblit-run-maybe() { + [[ $(type -t "$@") == "function" ]] && "$@" +} + # eblit-run <function> [version] # aka: src_unpack() { eblit-run src_unpack ; } eblit-run() { eblit-include --skip common "${*:2}" eblit-include "$@" + eblit-run-maybe eblit-$1-pre eblit-${PN}-$1 || die + eblit-run-maybe eblit-$1-post } src_unpack() { eblit-run src_unpack ; } @@ -149,6 +157,36 @@ src_compile() { eblit-run src_compile ; } src_test() { eblit-run src_test ; } src_install() { eblit-run src_install ; } +eblit-src_unpack-post() { + if use hardened ; then + cd "${S}" + einfo "Patching to get working PIE binaries on PIE (hardened) platforms" + gcc-specs-pie && epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-pie.patch + epatch "${FILESDIR}"/2.5/glibc-2.5-hardened-configure-picdefault.patch + epatch "${FILESDIR}"/2.7/glibc-2.7-hardened-inittls-nosysenter.patch + + einfo "Installing Hardened Gentoo SSP handler" + cp -f "${FILESDIR}"/2.6/glibc-2.6-gentoo-stack_chk_fail.c \ + debug/stack_chk_fail.c || die + + if use debug ; then + # When using Hardened Gentoo stack handler, have smashes dump core for + # analysis - debug only, as core could be an information leak + # (paranoia). + sed -i \ + -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \ + debug/Makefile \ + || die "Failed to modify debug/Makefile for debug stack handler" + fi + + # Build nscd with ssp-all + sed -i \ + -e 's:-fstack-protector$:-fstack-protector-all:' \ + nscd/Makefile \ + || die "Failed to ensure nscd builds with ssp-all" + fi +} + pkg_setup() { # prevent native builds from downgrading ... maybe update to allow people # to change between diff -r versions ? (2.3.6-r4 -> 2.3.6-r2) |