Re: more build problems with "Makefile: move stackprotector availability out of Kconfig"

From: Kees Cook
Date: Tue Oct 17 2017 - 11:34:30 EST


On Tue, Oct 17, 2017 at 8:26 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Tue, Oct 17, 2017 at 8:23 AM, Arnd Bergmann <arnd@xxxxxxxx> wrote:
>> On Tue, Oct 17, 2017 at 1:00 PM, Arnd Bergmann <arnd@xxxxxxxx> wrote:
>>> Hi Kees,
>>>
>>> On my test box, current linux-next kernels fail to build due to the
>>> patch that introduces CONFIG_CC_STACKPROTECTOR_AUTO, with my mainline gcc
>>> builds up to gcc-5.5.0. gcc-6 and higher work fine, as
>>> scripts/gcc-x86_64-has-stack-protector.sh returns 'y' for those.
>>>
>>> Using the compilers provided by Ubuntu (4.6/4.7/4.8/4.9), everything
>>> also works as expected, so my interpretation is that mainline gcc did
>>> not enable the stack protector until gcc-6, while distributions did.
>>>
>>> Do you agree with that interpretation?
>>
>> It's probably a little different. I tried bisecting the gcc commit that fixed
>> the issue for me, and ended up with this commit
>>
>> https://gitlab.indel.ch/thirdparty/gcc/commit/c14bac81551d6769741c2b1cc55e04d94fe8d3a7
>>
>> that caused the target to change from x86_64-unknown-linux to
>> x86_64-pc-linux, and apparently caused the compiler bootstrap
>> to incorrectly identify the capabilities of the assembler. As a result,
>> the assembler output inside of scripts/gcc-x86_64-has-stack-protector.sh
>> that should be
>> [snip]
>
> Yeah, %gs: vs __stack_chk_guard global.
>
> Do you know which gccs (of the past) had this?
>
> akpm's build error is different still, there are no warnings at all
> and then the build fails with missing __stack_chks. I'm still trying
> to figure that one out.

Oh, I think I know what's happening. I'm going to try to simulate this
and send another patch for testing...

(I'm still curious about the compiler versions, since my gcc 4.4.4
works fine for stack-protector.)

-Kees

--
Kees Cook
Pixel Security