[uClibc] 3 patches, maybe for the upcoming uClibc-0.9.27?

Peter S. Mazinger ps.m at gmx.net
Fri Jan 30 22:44:51 UTC 2004


Hello!

Two of them were sent earlier, but somehow got lost ;)

1. The pie-option patch actually makes the TEXT_SEGM* option usable (COMPLETELY_PIC was otherwise unselectable; alternatively, the COMPLETELY_PIC dependency could be dropped from TEXT_SEGM*) and updates the PaX home-page URL in the help text.
2. The Makefile patch lets fix_includes.sh build against installed kernel headers (using include/linux/version.h), not only against a kernel tree whose top-level Makefile is present.
3. The ssp-signal patch lets the user choose one of three signals (SIGABRT, SIGSEGV or SIGKILL) that the stack-smashing handler sends to terminate the offending program.

Thanks, Peter

-- 
Peter S. Mazinger <ps dot m at gmx dot net>           ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08  BB6E C389 975E A5F0 59F2

-------------- next part --------------
diff -urN uClibc-0.9.26.orig/extra/Configs/Config.in uClibc-0.9.26/extra/Configs/Config.in
--- uClibc-0.9.26.orig/extra/Configs/Config.in	2004-01-29 11:37:48.000000000 +0100
+++ uClibc-0.9.26/extra/Configs/Config.in	2004-01-29 11:38:16.000000000 +0100
@@ -231,6 +231,34 @@
 	  gcc version, were __guard and __stack_smash_handler are removed from libgcc.
 	  Most people will answer N.
 
+choice
+	prompt "Propolice protection blocking signal"
+	depends on UCLIBC_PROPOLICE
+	default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+	default PROPOLICE_BLOCK_SEGV if DODEBUG
+	help
+	  "abort" use SIGABRT to block offending programs.
+	  This is the default implementation.
+
+	  "segfault" use SIGSEGV to block offending programs.
+	  Use this for debugging.
+
+	  "kill" use SIGKILL to block offending programs.
+	  Perhaps the best for security.
+
+	  If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+	bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+	bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+	bool "kill"
+
+endchoice
+
 config UCLIBC_PROFILING
 	bool "Support gprof profiling"
 	default y
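Review bot: The help text for "kill" says only "Perhaps the best for security", which does not tell a user what they are trading off; the property that matters is that SIGKILL cannot be caught, blocked or ignored, so a process whose stack has already been smashed cannot intercept its own termination, at the cost of no core dump. I would replace that line with `"kill" use SIGKILL to block offending programs. It cannot be caught or ignored by the (possibly compromised) process, but no core dump is produced.` The "segfault" entry could likewise say why it is the debugging choice rather than just "Use this for debugging", since SIGABRT also dumps core by default.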
diff -urN uClibc-0.9.26.orig/libc/sysdeps/linux/common/ssp.c uClibc-0.9.26/libc/sysdeps/linux/common/ssp.c
--- uClibc-0.9.26.orig/libc/sysdeps/linux/common/ssp.c	2004-01-29 11:37:48.000000000 +0100
+++ uClibc-0.9.26/libc/sysdeps/linux/common/ssp.c	2004-01-29 11:41:49.000000000 +0100
@@ -36,6 +36,19 @@
   ((char*)__guard)[2] = '\n'; ((char*)__guard)[3] = 255;
 }
 
+#ifdef __PROPOLICE_BLOCK_ABRT__
+#define SSP_SIGTYPE SIGABRT
+#endif
+#ifdef __PROPOLICE_BLOCK_SEGV__
+#define SSP_SIGTYPE SIGSEGV
+#endif
+#ifdef __PROPOLICE_BLOCK_KILL__
+#define SSP_SIGTYPE SIGKILL
+#endif
+#ifndef SSP_SIGTYPE
+#define SSP_SIGTYPE SIGABRT
+#endif
+
 void __stack_smash_handler (char func[], int damaged)
 {
 #if defined (__GNU_LIBRARY__)
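Review bot: The three independent `#ifdef` blocks redefine SSP_SIGTYPE with a different value if more than one `__PROPOLICE_BLOCK_*__` macro is ever defined, which is a redefinition diagnostic rather than a clear error, and the `#ifndef` fallback silently picks SIGABRT when none is set. An `#if defined(__PROPOLICE_BLOCK_KILL__)` / `#elif defined(__PROPOLICE_BLOCK_SEGV__)` / `#else` chain ending in SIGABRT yields exactly one definition and makes the precedence explicit. The Kconfig choice presumably guarantees a single selection, so this is defensive rather than a live bug. A one-line comment above the chain, `/* Signal used to terminate the process after a detected stack smash; selected in Config.in */`, would also help a reader who lands here without the config.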
@@ -52,8 +65,8 @@
   {
     sigset_t mask;
     sigfillset(&mask);
-    sigdelset(&mask, SIGABRT);  /* Block all signal handlers */
-    sigprocmask(SIG_BLOCK, &mask, NULL); /* except SIGABRT */
+    sigdelset(&mask, SSP_SIGTYPE);  /* Block all signal handlers */
+    sigprocmask(SIG_BLOCK, &mask, NULL); /* except signal type */
   }
 #endif
 
@@ -65,6 +78,7 @@
   if (bufsz>len) {strncat(buf, func, bufsz-len-1); len = strlen(buf);}
   /* print error message */
   write (STDERR_FILENO, buf+3, len-3);
+  write (STDERR_FILENO, "()\n", 3);
 #if defined(HAVE_SYSLOG)
   if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) != -1) {
 
@@ -81,15 +95,15 @@
 #endif
 
 #ifdef _POSIX_SOURCE
-  { /* Make sure the default handler is associated with SIGABRT */
+  { /* Make sure the default handler is associated correctly */
     struct sigaction sa;
 
     memset(&sa, 0, sizeof(struct sigaction));
     sigfillset(&sa.sa_mask);    /* Block all signals */
     sa.sa_flags = 0;
     sa.sa_handler = SIG_DFL;
-    sigaction(SIGABRT, &sa, NULL);
-    (void)kill(getpid(), SIGABRT);
+    sigaction(SSP_SIGTYPE, &sa, NULL);
+    (void)kill(getpid(), SSP_SIGTYPE);
   }
 #endif
   _exit(127);
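Review bot: With SIGKILL selected, the `sigaction(SSP_SIGTYPE, &sa, NULL)` call fails with EINVAL (SIGKILL's disposition cannot be changed) and the result is discarded, so the comment "Make sure the default handler is associated correctly" is misleading for that configuration even though the following `kill()` still terminates the process. I would wrap the `sigaction` call in `#ifndef __PROPOLICE_BLOCK_KILL__` / `#endif` and keep the comment honest: `/* Reset to SIG_DFL so a handler installed by the (now untrusted) program cannot intercept the signal; not needed for SIGKILL */`. The `_exit(127)` fallthrough remains the backstop if delivery somehow does not terminate the process.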
-------------- next part --------------
--- extra/scripts/fix_includes.sh.mps	2004-01-05 11:14:05.000000000 +0100
+++ extra/scripts/fix_includes.sh	2004-01-05 12:25:11.000000000 +0100
@@ -59,10 +59,10 @@
     esac;
 done;
 
-if [ ! -f "$KERNEL_SOURCE/Makefile" ]; then
+if [ ! -f "$KERNEL_SOURCE/Makefile" -a ! -f "$KERNEL_SOURCE/include/linux/version.h" ]; then
     echo "";
     echo "";
-    echo "The file $KERNEL_SOURCE/Makefile is missing!";
+    echo "The file $KERNEL_SOURCE/Makefile or $KERNEL_SOURCE/include/linux/version.h is missing!";
     echo "Perhaps your kernel source is broken?"
     echo "";
     echo "";
@@ -78,8 +78,21 @@
     exit 1;
 fi;
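Review bot: The combined test uses the `-a` binary operator, which POSIX marks obsolescent and which some `test` implementations parse ambiguously; two separate tests joined by `&&` are unambiguous and portable: `if [ ! -f "$KERNEL_SOURCE/Makefile" ] && [ ! -f "$KERNEL_SOURCE/include/linux/version.h" ]; then`. The quoting of `$KERNEL_SOURCE` here is correct and should be kept consistent in the later hunk.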
 
-# set current VERSION, PATCHLEVEL, SUBLEVEL, EXTERVERSION
+if [ -f "$KERNEL_SOURCE/Makefile" ] ; then
+# set current VERSION, PATCHLEVEL, SUBLEVEL, EXTRAVERSION
 eval `sed -n -e 's/^\([A-Z]*\) = \([0-9]*\)$/\1=\2/p' -e 's/^\([A-Z]*\) = \(-[-a-z0-9]*\)$/\1=\2/p' $KERNEL_SOURCE/Makefile`
+else
+ver=`grep UTS_RELEASE $KERNEL_SOURCE/include/linux/version.h | cut -d '"' -f 2`
+VERSION=`echo "$ver" | cut -d '.' -f 1`
+PATCHLEVEL=`echo "$ver" | cut -d '.' -f 2`
+if echo "$ver" | grep -q '-' ; then
+SUBLEVEL=`echo "$ver" | sed "s/${VERSION}.${PATCHLEVEL}.//" | cut -d '-' -f 1`
+EXTRAVERSION=`echo "$ver" | sed "s/${VERSION}.${PATCHLEVEL}.${SUBLEVEL}-//"`
+else
+SUBLEVEL=`echo "$ver" | cut -d '.' -f 3`
+#EXTRAVERSION=
+fi
+fi
 if [ -z "$VERSION" -o -z "$PATCHLEVEL" -o -z "$SUBLEVEL" ]
 then
     echo "Unable to determine version for kernel headers"
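Review bot: The version.h branch sets EXTRAVERSION without the leading dash (e.g. `pre1`), while the Makefile branch's sed on the preceding line captures it with the dash (`-pre1`), so any later use of EXTRAVERSION outside this hunk would see different values depending on which branch ran. The `sed "s/${VERSION}.${PATCHLEVEL}.//"` calls also leave the dots unescaped, so they match any character, and `$KERNEL_SOURCE` is unquoted in the `grep` line although it is quoted everywhere else in the script. I would parse the base version and the suffix separately, splitting on `-` first, and add the dash back explicitly so both branches agree.
```shell
else
ver=`grep UTS_RELEASE "$KERNEL_SOURCE/include/linux/version.h" | cut -d '"' -f 2`
base=`echo "$ver" | cut -d '-' -f 1`
VERSION=`echo "$base" | cut -d '.' -f 1`
PATCHLEVEL=`echo "$base" | cut -d '.' -f 2`
SUBLEVEL=`echo "$base" | cut -d '.' -f 3`
# keep the leading dash so EXTRAVERSION matches the Makefile branch (e.g. -pre1)
case "$ver" in
    *-*) EXTRAVERSION="-`echo "$ver" | cut -d '-' -f 2-`" ;;
    *)   EXTRAVERSION="" ;;
esac
fi
```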
-------------- next part --------------
--- extra/Configs/Config.in.mps	2004-01-05 11:07:27.000000000 +0100
+++ extra/Configs/Config.in	2004-01-05 11:10:58.000000000 +0100
@@ -180,13 +180,14 @@
 config UCLIBC_PIE_SUPPORT
 	bool "Support ET_DYN in shared library loader"
 	select FORCE_SHAREABLE_TEXT_SEGMENTS
+	select UCLIBC_COMPLETELY_PIC
 	default n
 	help
 	  If you answer Y here, the uClibc native shared library loader will
 	  support ET_DYN/PIE executables.
 	  It requires binutils-2.14.90.0.6 or later and the usage of the
 	  -pie option.
-	  More about ET_DYN/PIE binaries on <http://pageexec.virtualave.net/> .
+	  More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
 	  WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
 		libraries have to be built with -fPIC or -fpic, and all assembler
 		functions must be written as position independent code (PIC).
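Review bot: Kconfig `select` forces UCLIBC_COMPLETELY_PIC on regardless of any `depends on` that symbol carries, so if COMPLETELY_PIC is restricted to certain targets elsewhere in Config.in this hunk will enable it on targets where it was deliberately unavailable; I cannot see that symbol's definition from here, so please confirm it has no such dependency. The WARNING in the help text still mentions only FORCE_SHAREABLE_TEXT_SEGMENTS; it should now read `WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS and UCLIBC_COMPLETELY_PIC, so all` so users understand why their configuration changed.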

