Created attachment 159850: FORTIFY_SOURCE enabled by default (WIP)
The FORTIFY_SOURCE GSoC 2015 project has advanced enormously and is ready for testing. The attached patch integrates the framework and fortifies the base system. An exp-run in the ports tree may detect two types of issues:
- Any buffer overflow in the base system will cause the utility to stop and report the issue.
- Some ports may define FORTIFY_SOURCE by default: they will grab the headers and run system checks. Some ports may have linuxisms upon detecting FORTIFY_SOURCE that would be interesting to find before bringing the framework.
Created attachment 159854: FORTIFY_SOURCE enabled by default (WIP)
Let's hold this request for a while: I did some file moves in r286760 to make future merges easier, so the patch has to be updated. (I think Oliver will catch up tomorrow and we will be in sync again.)
Created attachment 159874: FORTIFY_SOURCE enabled by default (WIP)
This is ready for testing.
Exp-run results:
http://package18.nyi.freebsd.org/jail.html?mastername=headi386PR202311-default
http://package18.nyi.freebsd.org/jail.html?mastername=headamd64PR202311-default
There are 4 new failures, and all ports depending on emacs (74) were skipped.
+ {"origin"=>"editors/emacs", "pkgname"=>"emacs24-24.5,3", "phase"=>"build", "errortype"=>"coredump"}
+ {"origin"=>"editors/emacs-nox11", "pkgname"=>"emacs-nox11-24.5,3", "phase"=>"build", "errortype"=>"coredump"}
+ {"origin"=>"mail/ifile", "pkgname"=>"ifile-1.3.8", "phase"=>"build", "errortype"=>"bad_C++_code"}
+ {"origin"=>"net-p2p/namecoin", "pkgname"=>"namecoin-0.3.80,1", "phase"=>"build", "errortype"=>"bad_C++_code"}
Failure logs:
http://package18.nyi.freebsd.org/data/headi386PR202311-default/2015-08-18_17h55m59s/logs/errors/emacs24-24.5,3.log
http://package18.nyi.freebsd.org/data/headi386PR202311-default/2015-08-18_17h55m59s/logs/errors/emacs-nox11-24.5,3.log
http://package18.nyi.freebsd.org/data/headi386PR202311-default/2015-08-18_17h55m59s/logs/errors/ifile-1.3.8.log
http://package18.nyi.freebsd.org/data/headi386PR202311-default/2015-08-18_17h55m59s/logs/errors/namecoin-0.3.80,1.log
http://package18.nyi.freebsd.org/data/headamd64PR202311-default/2015-08-17_12h00m52s/logs/errors/emacs24-24.5,3.log
http://package18.nyi.freebsd.org/data/headamd64PR202311-default/2015-08-17_12h00m52s/logs/errors/emacs-nox11-24.5,3.log
http://package18.nyi.freebsd.org/data/headamd64PR202311-default/2015-08-17_12h00m52s/logs/errors/ifile-1.3.8.log
http://package18.nyi.freebsd.org/data/headamd64PR202311-default/2015-08-17_12h00m52s/logs/errors/namecoin-0.3.80,1.log
Do you have the core dumps and the dmesg from the error? The fortified binary logs to system log on error / on violation.
The only thing I have is:
Aug 18 18:24:11 package18 kernel: pid 86319 (temacs), uid 0: exited on signal 6 (core dumped)
Aug 18 18:24:32 package18 kernel: pid 1561 (temacs), uid 0: exited on signal 6 (core dumped)
And what about dmesg -a?
The same (builds are done inside temporary jails and I believe we don't set up syslog inside those jails).
(In reply to Antoine Brodin from comment #3)
This is very useful, thanks so much.
Oliver: We are not building the ports fortified, you should be able to reproduce those failures locally.
Some notes:
- editors/emacs is using gcc.
- mail/ifile is using USE_CSTD= gnu89
We have found a real bug(TM) in emacs. The other two issues are wrong code from upstream. Patches to update the ports are coming.
The issues in ports have been fixed. FORTIFY_SOURCE still needs some cleanups before making it to the tree, but the basic side of the ports issues is now done, so we can close this PR. Huge thanks to Antoine and the ports team!