Closed p5pRT closed 11 years ago
beginning with 5.10.something\, perl enforces the use of -fstack-protector\, even when Configure was explicitly told the compiler flags\, and there is no way to switch it off.
unfortunately\, gcc supports this flag on most platforms\, even if the underlying support is missing. simple test programs (sucha s the one used by Configure) might pass\, but the generated programs might segfault or worse (for exmaple\, on uclibc systems\, all the cast to float tests segfault).
besides\, it would be nice not to enforce the use of certain compiler flags that are absoltuely unnecessary (perl works fine without -fstack-protector).
so... please please please make -fstack-protector configurable somehow\, better yet\, don't override user-specified flags and/or improve the tets for platform support.
thanks :)
On Fri\, 26 Nov 2010\, perlbug @ plan9 . de wrote:
# New Ticket Created by perlbug@plan9.de # Please include the string: [perl #79838] # in the subject line of all future correspondence about this issue. # \<URL: http://rt.perl.org/rt3/Ticket/Display.html?id=79838 >
beginning with 5.10.something\, perl enforces the use of -fstack-protector\, even when Configure was explicitly told the compiler flags\, and there is no way to switch it off.
I agree with your general premise that it should be possible to get Configure to do what you need it to do in order to build perl the way you want to build it.
I should point out\, however\, that while it isn't easy\, it is possible to turn it off by running Configure interactively and removing it when prompted.
unfortunately\, gcc supports this flag on most platforms\, even if the underlying support is missing. simple test programs (sucha s the one used by Configure) might pass\, but the generated programs might segfault or worse (for exmaple\, on uclibc systems\, all the cast to float tests segfault).
I wasn't aware that gcc might be misleading us this way. If you could supply us with a better test program\, that would be very helpful.
besides\, it would be nice not to enforce the use of certain compiler flags that are absoltuely unnecessary (perl works fine without -fstack-protector).
so... please please please make -fstack-protector configurable somehow\, better yet\, don't override user-specified flags and/or improve the tets for platform support.
Unfortunately\, other users do rely on us supplementing the user-specified C flags\, so I don't think we can win there no matter what we do. There might be some clever approach\, but it's not occurring to me at the moment.
Meanwhile\, yes\, an improved test program would likely be a very good idea.
-- Andy Dougherty doughera@lafayette.edu
The RT System itself - Status changed from 'new' to 'open'
On Sun\, 28 Nov 2010 14:27:51 -0500 (EST)\, Andy Dougherty \doughera@​lafayette\.edu wrote:
so... please please please make -fstack-protector configurable somehow\, better yet\, don't override user-specified flags and/or improve the tets for platform support.
Unfortunately\, other users do rely on us supplementing the user-specified C flags\, so I don't think we can win there no matter what we do. There might be some clever approach\, but it's not occurring to me at the moment.
-Ucflags/-ffnork\,-DFROUBLE
/could/ be a way to go specify what CFLAGS/LDFLAGS/... should be filtered out before the final decision. Just a brainstorm idea
Meanwhile\, yes\, an improved test program would likely be a very good idea.
Absolutely
-- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using 5.00307 through 5.12 and porting perl5.13.x on HP-UX 10.20\, 11.00\, 11.11\, 11.23 and 11.31\, OpenSuSE 10.1\, 11.0 .. 11.3 and AIX 5.2 and 5.3. http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
On Sun\, Nov 28\, 2010 at 2:27 PM\, Andy Dougherty \doughera@​lafayette\.eduwrote:
On Fri\, 26 Nov 2010\, perlbug @ plan9 . de wrote:> so... please please please make -fstack-protector configurable somehow\,
better yet\, don't override user-specified flags and/or improve the tets for platform support.
Unfortunately\, other users do rely on us supplementing the user-specified C flags\, so I don't think we can win there no matter what we do. There might be some clever approach\, but it's not occurring to me at the moment.
If Perl only supplements\, then -fno-stack-protector should work\, right? Does it?
On Mon\, 29 Nov 2010\, Eric Brine wrote:
On Fri\, 26 Nov 2010\, perlbug @​ plan9 \. de wrote​:> so\.\.\. please please please make \-fstack\-protector configurable somehow\, > better yet\, don't override user\-specified flags and/or improve the tets > for platform support\.
If Perl only supplements\, then -fno-stack-protector should work\, right? Does it?
Yes\, good call. Configure even actually already contains code to explicitly deal with this situation. (Thanks\, Nicholas!) Explicitly adding -fno-stack-protector to ccflags will cause Configure to not add -fstack-protector. This will fix the immediate problem.
Still\, I agree that a test file that made this happen automatically would be even better. I just don't know what such a test might look like.
-- Andy Dougherty doughera@lafayette.edu
Andy Dougherty schrieb:
On Mon\, 29 Nov 2010\, Eric Brine wrote:
On Fri\, 26 Nov 2010\, perlbug @​ plan9 \. de wrote​:> so\.\.\. please please please make \-fstack\-protector configurable somehow\, > better yet\, don't override user\-specified flags and/or improve the tets > for platform support\.
If Perl only supplements\, then -fno-stack-protector should work\, right? Does it?
Yes\, good call. Configure even actually already contains code to explicitly deal with this situation. (Thanks\, Nicholas!) Explicitly adding -fno-stack-protector to ccflags will cause Configure to not add -fstack-protector. This will fix the immediate problem.
Still\, I agree that a test file that made this happen automatically would be even better. I just don't know what such a test might look like.
And just to add to the mix: Using -fstack-protector twice\, because it's in CCFLAGS and LDFLAGS\, because we call the compiler and linker seperately sometimes (GNUMakefile vs. ExtUtils::Embed)\, will cause a gcc crash.
So if I fold the compiler and linker flags together with the typical compile+link command\, I explicitly have to remove -fstack-protector from LDFLAGS; in B::C cc_harness.
$ perl -V:ccflags -V:ldflags ccflags='-DPERL_USE_SAFE_PUTENV -U__STRICT_ANSI__ -g3 -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'; ldflags=' -Wl\,--enable-auto-import -Wl\,--export-all-symbols -Wl\,--enable-auto-image-base -fstack-protector -L/usr/local/lib';
-- Reini Urban http://phpwiki.org/ http://murbreak.at/
On Sun\, Nov 28\, 2010 at 02:27:51PM -0500\, Andy Dougherty \doughera@​lafayette\.edu wrote:
beginning with 5.10.something\, perl enforces the use of -fstack-protector\, even when Configure was explicitly told the compiler flags\, and there is no way to switch it off.
I agree with your general premise that it should be possible to get Configure to do what you need it to do in order to build perl the way you want to build it.
just saw your reply by accident (I wasn't included in your reply's address).
I should point out\, however\, that while it isn't easy\, it is possible to turn it off by running Configure interactively and removing it when prompted.
Yeah\, or by perl -pi -e 's/...' Configure\, which is wat I am doing now.
I wasn't aware that gcc might be misleading us this way. If you could supply us with a better test program\, that would be very helpful.
Presumably\, you would just need to run the program and if it crashes\, assume -fstack-protector doesn't quite work.
so... please please please make -fstack-protector configurable somehow\, better yet\, don't override user-specified flags and/or improve the tets for platform support.
Unfortunately\, other users do rely on us supplementing the user-specified C flags\,
I primarily asked for a way to disable -fstack-protector. Somehow.
So\, which other users rely on your enforcing -fstack-protector? Is there really any platform that needs that flag? I doubt that\, so that argument simply doesn't apply.
-- The choice of a Deliantra\, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp@schmorp.de -=====/_/_//_/\_\,_/ /_/\_\
Sorry for the long delayed response.
On Fri Dec 10 19:07:02 2010\, schmorp@schmorp.de wrote:
On Sun\, Nov 28\, 2010 at 02:27:51PM -0500\, Andy Dougherty \doughera@​lafayette\.edu wrote:
beginning with 5.10.something\, perl enforces the use of -fstack-protector\, even when Configure was explicitly told the compiler flags\, and there is no way to switch it off.
I agree with your general premise that it should be possible to get Configure to do what you need it to do in order to build perl the way you want to build it.
just saw your reply by accident (I wasn't included in your reply's address).
I should point out\, however\, that while it isn't easy\, it is possible to turn it off by running Configure interactively and removing it when prompted.
Yeah\, or by perl -pi -e 's/...' Configure\, which is wat I am doing now.
I wasn't aware that gcc might be misleading us this way. If you could supply us with a better test program\, that would be very helpful.
Presumably\, you would just need to run the program and if it crashes\, assume -fstack-protector doesn't quite work.
The test does run the compiled program\, the check uses the checkccflag definition\, which does:
echo "int main(void) { return 0; }" > gcctest.c; if $cc -O2 $flag -o gcctest gcctest.c 2>gcctest.out && ./gcctest; then
So the only solution is a better test program\, which you'll need to supply since you're the one who sees the problem.
so... please please please make -fstack-protector configurable somehow\, better yet\, don't override user-specified flags and/or improve the tets for platform support.
Unfortunately\, other users do rely on us supplementing the user- specified C flags\,
I primarily asked for a way to disable -fstack-protector. Somehow.
As mentioned by Eric and confirmed by Andy\, adding -fno-stack-protector will disable -fstack-protector\, for example I did:
./Configure -des -Dusedevel -Accflags=-fno-stack-protector
and no -fstack-protector flag was added by Configure.
So\, which other users rely on your enforcing -fstack-protector? Is there really any platform that needs that flag? I doubt that\, so that argument simply doesn't apply.
-fstack-protector is a security hardening tool.
Is it necessary? It probably depends on how you're using perl.
Are you able to provide a test program for Configure that can be used to test for -fstack-protector?
Tony
On Tue\, Sep 03\, 2013 at 09:34:20PM -0700\, Tony Cook via RT \perlbug\-followup@​perl\.org wrote:
Presumably\, you would just need to run the program and if it crashes\, assume -fstack-protector doesn't quite work.
The test does run the compiled program\, the check uses the checkccflag definition\, which does:
Since the compiled tets program did crash\, I presume it's new that the tets program is atcually being executed\, which should fix it.
As mentioned by Eric and confirmed by Andy\, adding -fno-stack-protector will disable -fstack-protector\, for example I did:
That also didn't work (configure always added -fstack-protector after it)\, so if that is fixed\, that's all I need.
Is it necessary? It probably depends on how you're using perl.
Indeed\, which is why Configfure shouldn't force it's use it. If it no longer does\, that's fine. I don't think Configure needs to perfectly support any exotic platform.
Are you able to provide a test program for Configure that can be used to test for -fstack-protector?
The test program did crash when I ran it manually\, so that wasn't the problem. Either it wasn't run back then\, or it was run differently\, or the fact that it crashed didn't register enough.
-- The choice of a Deliantra\, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp@schmorp.de -=====/_/_//_/\_\,_/ /_/\_\
On Tue Sep 03 23:12:12 2013\, schmorp@schmorp.de wrote:
On Tue\, Sep 03\, 2013 at 09:34:20PM -0700\, Tony Cook via RT \<perlbug- followup@perl.org> wrote:
Presumably\, you would just need to run the program and if it crashes\, assume -fstack-protector doesn't quite work.
The test does run the compiled program\, the check uses the checkccflag definition\, which does:
Since the compiled tets program did crash\, I presume it's new that the tets program is atcually being executed\, which should fix it.
Configure has been executing the test program it created since before 5.12 (which you reported this ticket against.)
But if you're happy with the current behaviour\, I'm happy to close the ticket.
Tony
On Wed Sep 04 22:31:24 2013\, tonyc wrote:
Configure has been executing the test program it created since before 5.12 (which you reported this ticket against.)
But if you're happy with the current behaviour\, I'm happy to close the ticket.
And so closing it.
Tony
@tonycoz - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#79838 (status was 'resolved')
Searchable as RT79838$