Re: Introducing the hardening-wrapper package (was: Exim4 problems)

[Svante Signell]

On Tue, 2011-05-17 at 20:39 +0200, Svante Signell wrote:
> On Tue, 2011-05-17 at 19:47 +0200, Thomas Schwinge wrote:
 
> > Apparently there's something going very wrong for us, for some of the
> > hardening flags, such that GDB gets confused, SEGFAULTs arise, and all
> > what we've seen.  Svante, sorry, I really didn't expect something like
> > that...  (Welcome to the wonderful world of debugging.)  The reason I
> > don't know yet.  Perhaps some GCC specs oddity.  Or something in glibc/in
> > the dynamic linker.
> 

Yes, something is definitely different compared to other architectures
since the builds work there.

> > Next step, II: Figure out what's going wrong.  Svante, interested?  I
> > would begin as follows.
> 
> Ill take a look. Thanks for discovering this mess. I should have seen it
> too :-(

I found out which environment variable triggers the segfault by
compiling exim4-4.76 several times:

I tried with simpler ones without success:
1) A small file trivial.c at the debian wiki):
2) A small test example at:
http://gcc.gnu.org/ml/gcc-bugs/2008-04/msg01075.html

Next step would be to find out the differences in configuration for
gcc, glibc, dynamic linker etc causing the segfault.

Main environment variable:
DEB_BUILD_HARDENING=1

Sub-variables:
export DEB_BUILD_HARDENING_FORMAT=1        : NO
export DEB_BUILD_HARDENING_FORTIFY=1       : YES, both with -O1 and -O2!
export DEB_BUILD_HARDENING_STACKPROTECTOR=1: NO
export DEB_BUILD_HARDENING_PIE=0           : NO
export DEB_BUILD_HARDENING_RELRO=0         : NO
export DEB_BUILD_HARDENING_BINDNOW=0       : NO

>From http://wiki.debian.org/Hardening: Code compiled with -Werror and
using memcpy/strcpy with qualifier overrides will fail with FORTIFY
enabled. See https://launchpad.net/bugs/217481

More info from the gcc patch introducing hardening, see
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html