Bug 202311 - Request exp-run for FORTIFY_SOURCE
Summary: Request exp-run for FORTIFY_SOURCE
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Ports Framework (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Pedro F. Giffuni
URL: https://reviews.freebsd.org/D3043
Depends on:
Reported: 2015-08-13 21:48 UTC by Pedro F. Giffuni
Modified: 2015-09-02 15:09 UTC (History)
2 users (show)

See Also:

FORTIFY_SOURCE enabled by default (WIP) (153.01 KB, patch)
2015-08-13 21:48 UTC, Pedro F. Giffuni
no flags Details | Diff
FORTIFY_SOURCE enabled by default (WIP) (152.09 KB, patch)
2015-08-14 03:14 UTC, Pedro F. Giffuni
no flags Details | Diff
FORTIFY_SOURCE enabled by default (WIP) (151.60 KB, patch)
2015-08-14 19:16 UTC, Pedro F. Giffuni
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Pedro F. Giffuni freebsd_committer 2015-08-13 21:48:14 UTC
Created attachment 159850 [details]
FORTIFY_SOURCE enabled by default (WIP)

The FORTIFY_SOURCE GSoC 2015 project has advanced enormously and is ready for testing.

The attached patch integrates the framework and fortifies the base system. An exp-run in the ports tree may detect two types of issues:

- Any buffer overfow in the base system will cause the utility to stop and report the issue.

- Some ports may define FORTIFY_SOURCE by default: they will grab the headers and run system checks. Some ports may have linuxisms upon detecting FORTIFY_SOURCE that would be interesting to find before bringing the framework.
Comment 1 Pedro F. Giffuni freebsd_committer 2015-08-14 03:14:30 UTC
Created attachment 159854 [details]
FORTIFY_SOURCE enabled by default (WIP)

Lets hold this request for a while:

I did some file moves in r286760 to make  future merge easier so the patch has to be updated. (I think Oliver will catch up tomorrow and we will be in sync again.)
Comment 2 Pedro F. Giffuni freebsd_committer 2015-08-14 19:16:59 UTC
Created attachment 159874 [details]
FORTIFY_SOURCE enabled by default (WIP)

This is ready or testing.
Comment 3 Antoine Brodin freebsd_committer 2015-08-18 18:27:43 UTC
Exp-run results:


There are 4 new failures,  and all ports depending on emacs (74) were skipped.

+ {"origin"=>"editors/emacs", "pkgname"=>"emacs24-24.5,3", "phase"=>"build", "errortype"=>"coredump"}
+ {"origin"=>"editors/emacs-nox11", "pkgname"=>"emacs-nox11-24.5,3", "phase"=>"build", "errortype"=>"coredump"}
+ {"origin"=>"mail/ifile", "pkgname"=>"ifile-1.3.8", "phase"=>"build", "errortype"=>"bad_C++_code"}
+ {"origin"=>"net-p2p/namecoin", "pkgname"=>"namecoin-0.3.80,1", "phase"=>"build", "errortype"=>"bad_C++_code"}

Failure logs:


Comment 4 Oliver Pinter freebsd_committer 2015-08-18 19:16:57 UTC
Do you have the core dumps and the dmesg from the error?

The fortified binary logs to system log on error / on violation.
Comment 5 Antoine Brodin freebsd_committer 2015-08-18 19:18:41 UTC
The only thing I have is:

Aug 18 18:24:11 package18 kernel: pid 86319 (temacs), uid 0: exited on signal 6 (core dumped)
Aug 18 18:24:32 package18 kernel: pid 1561 (temacs), uid 0: exited on signal 6 (core dumped)
Comment 6 Oliver Pinter freebsd_committer 2015-08-18 19:22:11 UTC
And what's about dmesg -a?
Comment 7 Antoine Brodin freebsd_committer 2015-08-18 19:29:12 UTC
the same  (builds are done inside temporary jails and I believe we don't setup syslog inside those jails)
Comment 8 Pedro F. Giffuni freebsd_committer 2015-08-18 19:30:01 UTC
(In reply to Antoine Brodin from comment #3)

This is very useful, thanks so much.
Oliver: We are not building the ports fortified,
you should be able to reproduce those failures locally.

Some notes:

editors/emacs is using gcc.
mail/ifile is using USE_CSTD= gnu89
Comment 9 Pedro F. Giffuni freebsd_committer 2015-08-22 18:47:31 UTC
We have found a real bug(TM) in emacs.
The other two issues are wrong code from upstream.
Patches to update the ports are coming.
Comment 10 Pedro F. Giffuni freebsd_committer 2015-09-02 15:09:01 UTC
The issues in ports have been fixed.
FORTIFY_SOURCE still needs some cleanups before making it to the tree but basic side of the ports issues are now done so we can close this PR.

Huge thanks to Antoine and the ports team!