diff options
author | Pierre Labastie <pierre.labastie@neuf.fr> | 2022-09-10 13:41:38 +0200 |
---|---|---|
committer | Pierre Labastie <pierre.labastie@neuf.fr> | 2022-09-10 13:41:38 +0200 |
commit | 1bade3f439265d1c964701316922ab5cbfed93c8 (patch) | |
tree | 1681f7c086b2fc55b1219356356e466ddabad439 | |
parent | 0611f706d5cf2c5f18e18d51f2866956870b131a (diff) |
Document the --enable-default-pie/ssp options
Also document test failures in gcc chapter 8
-rw-r--r-- | chapter05/gcc-pass1.xml | 14 | ||||
-rw-r--r-- | chapter08/gcc.xml | 21 |
2 files changed, 35 insertions, 0 deletions
diff --git a/chapter05/gcc-pass1.xml b/chapter05/gcc-pass1.xml index 0b7f17913..2c8fc4c31 100644 --- a/chapter05/gcc-pass1.xml +++ b/chapter05/gcc-pass1.xml @@ -135,6 +135,20 @@ cd build</userinput></screen> </varlistentry> <varlistentry> + <term><parameter>--enable-default-pie</parameter> and + <parameter>--enable-default-ssp</parameter></term> + <listitem> + <para>Those switches allow GCC to compile programs with + some hardening security features (more information on those in + the <xref linkend="pie-ssp-info"/> in chapter 8). They are not + strictly needed at this stage, since the compiler will only produce + temporary executables. But it is cleaner to have the temporary + packages be as close as possible to the final ones. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><parameter>--disable-shared</parameter></term> <listitem> <para>This switch forces GCC to link its internal libraries diff --git a/chapter08/gcc.xml b/chapter08/gcc.xml index fd6e5ae3c..171808df2 100644 --- a/chapter08/gcc.xml +++ b/chapter08/gcc.xml @@ -106,6 +106,23 @@ cd build</userinput></screen> </varlistentry> </variablelist> + <note id="pie-ssp-info" xreflabel="note on PIE and SSP"> + <para> + PIE (position independent executable) is a technique to produce + binary programs that can be loaded anywhere in memory. Together + with a feature named ASLR (Address Space Layout Randomization), + this allows programs to never have the same memory layout, + thus defeating attacks based on reproducible memory patterns. + </para> + <para> + SSP (Stack Smashing Protection) is a technique to ensure + that the parameter stack is not corrupted. Stack corruption can + for example alter the return address of a subroutine, + which would allow transferring control to an attacker program instead + of the original one. + </para> + </note> + <para>Compile the package:</para> <screen><userinput remap="make">make</userinput></screen> @@ -139,6 +156,10 @@ su tester -c "PATH=$PATH make -k check"</userinput></screen> url="&test-results;"/> and <ulink url="https://gcc.gnu.org/ml/gcc-testresults/"/>.</para> + <para>In gcc, eleven tests, in the i386 test suite are known to FAIL. + It's because the test files do not account for the + <parameter>--enable-default-pie</parameter> option.</para> + <para>In g++, four tests related to PR100400 are known to be reported as both XPASS and FAIL. It's because the test file for this known issue is not well written.</para> |