aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPierre Labastie <pierre.labastie@neuf.fr>2022-09-10 13:41:38 +0200
committerPierre Labastie <pierre.labastie@neuf.fr>2022-09-10 13:41:38 +0200
commit1bade3f439265d1c964701316922ab5cbfed93c8 (patch)
tree1681f7c086b2fc55b1219356356e466ddabad439
parent0611f706d5cf2c5f18e18d51f2866956870b131a (diff)
Document the --enable-default-pie/ssp options
Also document test failures in gcc chapter 8
-rw-r--r--chapter05/gcc-pass1.xml14
-rw-r--r--chapter08/gcc.xml21
2 files changed, 35 insertions, 0 deletions
diff --git a/chapter05/gcc-pass1.xml b/chapter05/gcc-pass1.xml
index 0b7f17913..2c8fc4c31 100644
--- a/chapter05/gcc-pass1.xml
+++ b/chapter05/gcc-pass1.xml
@@ -135,6 +135,20 @@ cd build</userinput></screen>
</varlistentry>
<varlistentry>
+ <term><parameter>--enable-default-pie</parameter> and
+ <parameter>--enable-default-ssp</parameter></term>
+ <listitem>
+ <para>Those switches allow GCC to compile programs with
+ some hardening security features (more information on those in
+ the <xref linkend="pie-ssp-info"/> in chapter 8). They are not
+ strictly needed at this stage, since the compiler will only produce
+ temporary executables. But it is cleaner to have the temporary
+ packages be as close as possible to the final ones.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><parameter>--disable-shared</parameter></term>
<listitem>
<para>This switch forces GCC to link its internal libraries
diff --git a/chapter08/gcc.xml b/chapter08/gcc.xml
index fd6e5ae3c..171808df2 100644
--- a/chapter08/gcc.xml
+++ b/chapter08/gcc.xml
@@ -106,6 +106,23 @@ cd build</userinput></screen>
</varlistentry>
</variablelist>
+ <note id="pie-ssp-info" xreflabel="note on PIE and SSP">
+ <para>
+ PIE (position independent executable) is a technique to produce
+ binary programs that can be loaded anywhere in memory. Together
+ with a feature named ASLR (Address Space Layout Randomization),
+ this allows programs to never have the same memory layout,
+ thus defeating attacks based on reproducible memory patterns.
+ </para>
+ <para>
+ SSP (Stack Smashing Protection) is a technique to ensure
+ that the parameter stack is not corrupted. Stack corruption can
+ for example alter the return address of a subroutine,
+ which would allow transferring control to an attacker program instead
+ of the original one.
+ </para>
+ </note>
+
<para>Compile the package:</para>
<screen><userinput remap="make">make</userinput></screen>
@@ -139,6 +156,10 @@ su tester -c "PATH=$PATH make -k check"</userinput></screen>
url="&test-results;"/> and
<ulink url="https://gcc.gnu.org/ml/gcc-testresults/"/>.</para>
+ <para>In gcc, eleven tests, in the i386 test suite are known to FAIL.
+ It's because the test files do not account for the
+ <parameter>--enable-default-pie</parameter> option.</para>
+
<para>In g++, four tests related to PR100400 are known to be reported
as both XPASS and FAIL. It's because the test file for this known issue
is not well written.</para>