[uClibc] 3 patches, maybe for the upcoming uClibc-0.9.27?
Peter S. Mazinger
ps.m at gmx.net
Fri Jan 30 22:44:51 UTC 2004
Hello!
Two of them were sent earlier, but somehow got lost ;)
1. The pie-option patch really allows the use of the TEXT_SEGM* option
(because COMPLETELY_PIC cannot otherwise be selected; alternatively you can
remove the COMPLETELY_PIC dependency from TEXT_SEGM*) and updates the home
page of the project.
2. The Makefile patch allows building against installed kernel headers,
not only when the kernel-root Makefile is present.
3. The ssp-signal patch allows the user to choose one of three signals to stop
an offending program.
Thanks, Peter
--
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2
____________________________________________________________________
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol.
Probald ki most! http://www.freestart.hu
-------------- next part --------------
diff -urN uClibc-0.9.26.orig/extra/Configs/Config.in uClibc-0.9.26/extra/Configs/Config.in
--- uClibc-0.9.26.orig/extra/Configs/Config.in 2004-01-29 11:37:48.000000000 +0100
+++ uClibc-0.9.26/extra/Configs/Config.in 2004-01-29 11:38:16.000000000 +0100
@@ -231,6 +231,34 @@
gcc version, were __guard and __stack_smash_handler are removed from libgcc.
Most people will answer N.
+choice
+ prompt "Propolice protection blocking signal"
+ depends on UCLIBC_PROPOLICE
+ default PROPOLICE_BLOCK_ABRT if ! DODEBUG
+ default PROPOLICE_BLOCK_SEGV if DODEBUG
+ help
+ "abort" use SIGABRT to block offending programs.
+ This is the default implementation.
+
+ "segfault" use SIGSEGV to block offending programs.
+ Use this for debugging.
+
+ "kill" use SIGKILL to block offending programs.
+ Perhaps the best for security.
+
+ If unsure, answer "abort".
+
+config PROPOLICE_BLOCK_ABRT
+ bool "abort"
+
+config PROPOLICE_BLOCK_SEGV
+ bool "segfault"
+
+config PROPOLICE_BLOCK_KILL
+ bool "kill"
+
+endchoice
+
config UCLIBC_PROFILING
bool "Support gprof profiling"
default y
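Review bot: The help text for "kill" does not say what the user gives up with that choice: SIGKILL cannot be caught, blocked or given a handler, and the process leaves no core dump, whereas SIGABRT and SIGSEGV dump core by default, which is exactly what makes "segfault" useful for debugging. I would extend the "kill" paragraph with `Note that SIGKILL cannot be caught or ignored and leaves no core dump.` so the trade-off behind "Perhaps the best for security" is explicit. The blank context lines around the new choice block appear to have been stripped in this rendering, so the hunk line counts do not match what is visible.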
diff -urN uClibc-0.9.26.orig/libc/sysdeps/linux/common/ssp.c uClibc-0.9.26/libc/sysdeps/linux/common/ssp.c
--- uClibc-0.9.26.orig/libc/sysdeps/linux/common/ssp.c 2004-01-29 11:37:48.000000000 +0100
+++ uClibc-0.9.26/libc/sysdeps/linux/common/ssp.c 2004-01-29 11:41:49.000000000 +0100
@@ -36,6 +36,19 @@
((char*)__guard)[2] = '\n'; ((char*)__guard)[3] = 255;
}
+#ifdef __PROPOLICE_BLOCK_ABRT__
+#define SSP_SIGTYPE SIGABRT
+#endif
+#ifdef __PROPOLICE_BLOCK_SEGV__
+#define SSP_SIGTYPE SIGSEGV
+#endif
+#ifdef __PROPOLICE_BLOCK_KILL__
+#define SSP_SIGTYPE SIGKILL
+#endif
+#ifndef SSP_SIGTYPE
+#define SSP_SIGTYPE SIGABRT
+#endif
+
void __stack_smash_handler (char func[], int damaged)
{
#if defined (__GNU_LIBRARY__)
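Review bot: The three `#ifdef __PROPOLICE_BLOCK_*__` blocks are independent, so if more than one symbol is ever defined SSP_SIGTYPE is redefined with a different value, which is a hard error under -Werror and a silent last-one-wins otherwise. The Kconfig choice presumably guarantees exactly one symbol is set, but the preprocessor cannot see that, and an `#if`/`#elif`/`#else` chain gives a single definition while keeping the existing SIGABRT fallback without the separate `#ifndef`. `__stack_smash_handler` continues past the end of this hunk.
```c
#if defined(__PROPOLICE_BLOCK_KILL__)
#define SSP_SIGTYPE SIGKILL
#elif defined(__PROPOLICE_BLOCK_SEGV__)
#define SSP_SIGTYPE SIGSEGV
#else
#define SSP_SIGTYPE SIGABRT /* __PROPOLICE_BLOCK_ABRT__ and the default */
#endif
```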
@@ -52,8 +65,8 @@
{
sigset_t mask;
sigfillset(&mask);
- sigdelset(&mask, SIGABRT); /* Block all signal handlers */
- sigprocmask(SIG_BLOCK, &mask, NULL); /* except SIGABRT */
+ sigdelset(&mask, SSP_SIGTYPE); /* Block all signal handlers */
+ sigprocmask(SIG_BLOCK, &mask, NULL); /* except signal type */
}
#endif
@@ -65,6 +78,7 @@
if (bufsz>len) {strncat(buf, func, bufsz-len-1); len = strlen(buf);}
/* print error message */
write (STDERR_FILENO, buf+3, len-3);
+ write (STDERR_FILENO, "()\n", 3);
#if defined(HAVE_SYSLOG)
if ((LogFile = socket(AF_UNIX, SOCK_DGRAM, 0)) != -1) {
@@ -81,15 +95,15 @@
#endif
#ifdef _POSIX_SOURCE
- { /* Make sure the default handler is associated with SIGABRT */
+ { /* Make sure the default handler is associated correctly */
struct sigaction sa;
memset(&sa, 0, sizeof(struct sigaction));
sigfillset(&sa.sa_mask); /* Block all signals */
sa.sa_flags = 0;
sa.sa_handler = SIG_DFL;
- sigaction(SIGABRT, &sa, NULL);
- (void)kill(getpid(), SIGABRT);
+ sigaction(SSP_SIGTYPE, &sa, NULL);
+ (void)kill(getpid(), SSP_SIGTYPE);
}
#endif
_exit(127);
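Review bot: With PROPOLICE_BLOCK_KILL selected, the `sigaction(SSP_SIGTYPE, &sa, NULL)` line fails with EINVAL because SIGKILL's disposition cannot be changed, and the discarded return value makes the whole block a no-op there; that is still correct, since SIGKILL needs no reset, but the new comment "Make sure the default handler is associated correctly" hides it. I would change that comment to `/* Reset to SIG_DFL so a handler the program installed cannot swallow the signal; for SIGKILL this is redundant and sigaction() fails with EINVAL, which is harmless */`. The same applies to the sigdelset/sigprocmask hunk above, where unblocking SIGKILL is silently ignored by the kernel. `__stack_smash_handler` starts outside this hunk.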
-------------- next part --------------
--- extra/scripts/fix_includes.sh.mps 2004-01-05 11:14:05.000000000 +0100
+++ extra/scripts/fix_includes.sh 2004-01-05 12:25:11.000000000 +0100
@@ -59,10 +59,10 @@
esac;
done;
-if [ ! -f "$KERNEL_SOURCE/Makefile" ]; then
+if [ ! -f "$KERNEL_SOURCE/Makefile" -a ! -f "$KERNEL_SOURCE/include/linux/version.h" ]; then
echo "";
echo "";
- echo "The file $KERNEL_SOURCE/Makefile is missing!";
+ echo "The file $KERNEL_SOURCE/Makefile or $KERNEL_SOURCE/include/linux/version.h is missing!";
echo "Perhaps your kernel source is broken?"
echo "";
echo "";
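Review bot: The new condition joins two file tests with `-a`, which POSIX marks as obsolescent for test(1) and which can be parsed ambiguously when an operand begins with `!` or `-`. `if [ ! -f "$KERNEL_SOURCE/Makefile" ] && [ ! -f "$KERNEL_SOURCE/include/linux/version.h" ]; then` behaves the same and is unambiguous in every shell. The script already uses `-o` in the later `[ -z "$VERSION" -o ... ]` test, so this is a style point rather than a functional defect.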
@@ -78,8 +78,21 @@
exit 1;
fi;
-# set current VERSION, PATCHLEVEL, SUBLEVEL, EXTERVERSION
+if [ -f "$KERNEL_SOURCE/Makefile" ] ; then
+# set current VERSION, PATCHLEVEL, SUBLEVEL, EXTRAVERSION
eval `sed -n -e 's/^\([A-Z]*\) = \([0-9]*\)$/\1=\2/p' -e 's/^\([A-Z]*\) = \(-[-a-z0-9]*\)$/\1=\2/p' $KERNEL_SOURCE/Makefile`
+else
+ver=`grep UTS_RELEASE $KERNEL_SOURCE/include/linux/version.h | cut -d '"' -f 2`
+VERSION=`echo "$ver" | cut -d '.' -f 1`
+PATCHLEVEL=`echo "$ver" | cut -d '.' -f 2`
+if echo "$ver" | grep -q '-' ; then
+SUBLEVEL=`echo "$ver" | sed "s/${VERSION}.${PATCHLEVEL}.//" | cut -d '-' -f 1`
+EXTRAVERSION=`echo "$ver" | sed "s/${VERSION}.${PATCHLEVEL}.${SUBLEVEL}-//"`
+else
+SUBLEVEL=`echo "$ver" | cut -d '.' -f 3`
+#EXTRAVERSION=
+fi
+fi
if [ -z "$VERSION" -o -z "$PATCHLEVEL" -o -z "$SUBLEVEL" ]
then
echo "Unable to determine version for kernel headers"
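Review bot: The new version.h branch yields an EXTRAVERSION without its leading dash (`pre1` for a `2.4.24-pre1` release), while the Makefile branch keeps it (`-pre1`, captured by `\(-[-a-z0-9]*\)`), so the two code paths hand the rest of the script different values. Using `EXTRAVERSION=\`echo "$ver" | sed "s/${VERSION}\.${PATCHLEVEL}\.${SUBLEVEL}//"\`` keeps the dash and also escapes the dots, which in the current `s/${VERSION}.${PATCHLEVEL}.//` patterns are regex wildcards rather than literal separators; the SUBLEVEL line has the same unescaped dots. If version.h ever contains more than one line matching UTS_RELEASE, `ver` ends up with several words, so taking only the first match would make the branch more robust. The `-z` checks that follow cover an empty `ver`, so no extra emptiness check is needed.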
-------------- next part --------------
--- extra/Configs/Config.in.mps 2004-01-05 11:07:27.000000000 +0100
+++ extra/Configs/Config.in 2004-01-05 11:10:58.000000000 +0100
@@ -180,13 +180,14 @@
config UCLIBC_PIE_SUPPORT
bool "Support ET_DYN in shared library loader"
select FORCE_SHAREABLE_TEXT_SEGMENTS
+ select UCLIBC_COMPLETELY_PIC
default n
help
If you answer Y here, the uClibc native shared library loader will
support ET_DYN/PIE executables.
It requires binutils-2.14.90.0.6 or later and the usage of the
-pie option.
- More about ET_DYN/PIE binaries on <http://pageexec.virtualave.net/> .
+ More about ET_DYN/PIE binaries on <http://pax.grsecurity.net/> .
WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS, so all
libraries have to be built with -fPIC or -fpic, and all assembler
functions must be written as position independent code (PIC).
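Review bot: The new `select UCLIBC_COMPLETELY_PIC` is not reflected in the help text, whose WARNING still says the option only enables FORCE_SHAREABLE_TEXT_SEGMENTS. I would change that line to `WARNING: This option also enables FORCE_SHAREABLE_TEXT_SEGMENTS and UCLIBC_COMPLETELY_PIC, so all` so the user sees both forced symbols. Note also that `select` forces the symbol on regardless of its own `depends on` line, which is not visible here, so any restriction UCLIBC_COMPLETELY_PIC carries is bypassed when PIE support is chosen.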