[lxc-devel] [lxc/master] compiler: hardening

brauner on Github lxc-bot at linuxcontainers.org
Mon Mar 11 22:44:45 UTC 2019 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190311/5daebe68/attachment.bin>
-------------- next part --------------
From c9248f7162875e26abca94185d34c235ac0a48de Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 11 Mar 2019 23:30:41 +0100
Subject: [PATCH 1/4] compiler: -fasynchronous-unwind-tables hardening

Increased reliability of backtraces.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index d43dabc0df..fedffe3c9e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -719,6 +719,7 @@ AX_CHECK_COMPILE_FLAG([-Werror=shift-count-overflow], [CFLAGS="$CFLAGS -Werror=s
 AX_CHECK_COMPILE_FLAG([-Werror=shift-overflow=2], [CFLAGS="$CFLAGS -Werror=shift-overflow=2"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Wdate-time], [CFLAGS="$CFLAGS -Wdate-time"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Wnested-externs], [CFLAGS="$CFLAGS -Wnested-externs"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-fasynchronous-unwind-tables], [CFLAGS="$CFLAGS -fasynchronous-unwind-tables"],,[-Werror])
 
 AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])
 AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[])

From a40093c6f748f1601d1e0f6ce9a3771486158a2e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 11 Mar 2019 23:34:01 +0100
Subject: [PATCH 2/4] compiler: -pipe

Avoid temporary files, speeding up builds.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index fedffe3c9e..28efe43e17 100644
--- a/configure.ac
+++ b/configure.ac
@@ -720,6 +720,7 @@ AX_CHECK_COMPILE_FLAG([-Werror=shift-overflow=2], [CFLAGS="$CFLAGS -Werror=shift
 AX_CHECK_COMPILE_FLAG([-Wdate-time], [CFLAGS="$CFLAGS -Wdate-time"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Wnested-externs], [CFLAGS="$CFLAGS -Wnested-externs"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-fasynchronous-unwind-tables], [CFLAGS="$CFLAGS -fasynchronous-unwind-tables"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-pipe], [CFLAGS="$CFLAGS -pipe"],,[-Werror])
 
 AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])
 AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[])

From e74d1fd9f3aa92f80e2ff5d7335158e4d52ab69e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 11 Mar 2019 23:36:02 +0100
Subject: [PATCH 3/4] compiler: -fexceptions hardening

This hardens multi-threaded C. Without it, the implementation of thread
cancellation handlers (introduced by pthread_cleanup_push) uses a completely
unprotected function pointer on the stack. This function pointer can simplify
the exploitation of stack-based buffer overflows even if the thread in question
is never canceled.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index 28efe43e17..3abee054f7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -721,6 +721,7 @@ AX_CHECK_COMPILE_FLAG([-Wdate-time], [CFLAGS="$CFLAGS -Wdate-time"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Wnested-externs], [CFLAGS="$CFLAGS -Wnested-externs"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-fasynchronous-unwind-tables], [CFLAGS="$CFLAGS -fasynchronous-unwind-tables"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-pipe], [CFLAGS="$CFLAGS -pipe"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-fexceptions], [CFLAGS="$CFLAGS -fexceptions"],,[-Werror])
 
 AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])
 AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[])

From cb12422c9348088648b49c30b5b0878f90894936 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 11 Mar 2019 23:41:10 +0100
Subject: [PATCH 4/4] compiler: -grecord-gcc-switches

Capture compiler flags, which can be useful to determine whether the intended
compiler flags are used throughout the build.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index 3abee054f7..72d28f4edf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -722,6 +722,7 @@ AX_CHECK_COMPILE_FLAG([-Wnested-externs], [CFLAGS="$CFLAGS -Wnested-externs"],,[
 AX_CHECK_COMPILE_FLAG([-fasynchronous-unwind-tables], [CFLAGS="$CFLAGS -fasynchronous-unwind-tables"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-pipe], [CFLAGS="$CFLAGS -pipe"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-fexceptions], [CFLAGS="$CFLAGS -fexceptions"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-grecord-gcc-switches], [CFLAGS="$CFLAGS -grecord-gcc-switches"],,[-Werror])
 
 AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])
 AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[])

More information about the lxc-devel mailing list