coreos-kernel: add -fstack-check=no to kernel build

In addition to enabling PIE and stack protector, hardened compilers also
enable the -fstack-check option which I had previously overlooked,
conflating it with -fstack-protector which the kernel build already
handles properly. This is the second time I hit this trying to use
ccache, I forgot that -nopie was insufficient for kernel builds. Last
time around reverted in cd043688f09b22ccf245ffd11f8a22a5ff31e577.

At least this time I finally dug deep enough to find the cause instead
of setting myself up for repeating history in another 6 months. For
reference the issue is that the Go 1.3.x runtime can call clock_gettime
with a very small stack. If the vDSO library was built with
-fstack-check it will attempt to write 0 to a location beyond the end of
the very small stack, triggering SEGV:

    Dump of assembler code for function __vdso_clock_gettime:
       0x00007ffff7ffaa50 <+0>:     push   %rbp
       0x00007ffff7ffaa51 <+1>:     mov    %rsp,%rbp
       0x00007ffff7ffaa54 <+4>:     push   %r14
       0x00007ffff7ffaa56 <+6>:     push   %r13
       0x00007ffff7ffaa58 <+8>:     push   %r12
       0x00007ffff7ffaa5a <+10>:    push   %rbx
       0x00007ffff7ffaa5b <+11>:    sub    $0x1038,%rsp
    => 0x00007ffff7ffaa62 <+18>:    orq    $0x0,(%rsp)
       0x00007ffff7ffaa67 <+23>:    add    $0x1020,%rsp
Michael Marineau 2015-07-13 23:20:16 -07:00
parent 5278dc6ce2
commit fe3b111c6a
2 changed files with 4 additions and 2 deletions
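
A build-time check for the failure the commit message describes, as an added example that is not part of the commit or the CoreOS overlay: it scans AT&T-syntax disassembly (gdb `disassemble` output or `objdump -d` of the vDSO image) for the `or $0x0,(%rsp)` probe and names the affected functions. The function names `find_stack_probes`, `check_no_stack_probes`, `sample_probed` and `sample_clean` are assumptions; the first sample reuses lines from the dump above, the second is constructed.

```shell
#!/bin/sh
# Print each function whose disassembly (read from stdin) contains a
# stack probe: an OR of immediate 0 into memory addressed through %rsp.
find_stack_probes() {
    awk '
        BEGIN { fn = "?" }
        # gdb header: "Dump of assembler code for function NAME:"
        /Dump of assembler code for function / {
            fn = $NF; sub(/:$/, "", fn); next
        }
        # objdump header: "0000000000000a50 <NAME>:"
        /^[0-9a-f]+ <[^>]+>:$/ {
            fn = $2; gsub(/[<>:]/, "", fn); next
        }
        # The probe itself; the leading group keeps "xor" from matching.
        /(^|[^a-z])or[qlwb]?[ \t]+\$0x0,(-?0x[0-9a-f]+)?\(%rsp\)/ {
            if (!(fn in seen)) { seen[fn] = 1; print fn }
        }
    '
}

# Fail (non-zero status) when any probed function is found on stdin.
check_no_stack_probes() {
    probed=$(find_stack_probes)
    if [ -n "$probed" ]; then
        echo "stack probes found in: $probed" >&2
        return 1
    fi
}

# Sample 1: lines taken from the gdb dump in the commit message.
sample_probed() {
    cat <<'EOF'
Dump of assembler code for function __vdso_clock_gettime:
   0x00007ffff7ffaa5b <+11>:    sub    $0x1038,%rsp
=> 0x00007ffff7ffaa62 <+18>:    orq    $0x0,(%rsp)
   0x00007ffff7ffaa67 <+23>:    add    $0x1020,%rsp
EOF
}

# Sample 2: constructed prologue without a probe.
sample_clean() {
    cat <<'EOF'
Dump of assembler code for function __vdso_clock_gettime:
   0x0000000000000a50 <+0>:     push   %rbp
   0x0000000000000a51 <+1>:     mov    %rsp,%rbp
   0x0000000000000a54 <+4>:     xor    %eax,%eax
EOF
}
```

The match is a heuristic on the instruction text, so treat a hit as a prompt to inspect the compiler flags used for the vDSO rather than as proof of which option produced the probe.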

@ -94,7 +94,7 @@ update_bootengine_cpio() {
kmake() { kmake() {
local kernel_arch=$(tc-arch-kernel) kernel_cflags= local kernel_arch=$(tc-arch-kernel) kernel_cflags=
if gcc-specs-pie; then if gcc-specs-pie; then
kernel_cflags="-nopie" kernel_cflags="-nopie -fstack-check=no"
fi fi
emake ARCH="${kernel_arch}" CROSS_COMPILE="${CHOST}-" \ emake ARCH="${kernel_arch}" CROSS_COMPILE="${CHOST}-" \
KCFLAGS="${kernel_cflags}" LDFLAGS="" "$@" KCFLAGS="${kernel_cflags}" LDFLAGS="" "$@"
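Review bot: In kmake(), -fstack-check=no is only applied inside the `if gcc-specs-pie` branch, so disabling stack checking depends on the PIE spec test rather than on whether the compiler actually enables -fstack-check. A toolchain that turns on stack checking without the PIE spec would still build a probed vDSO. Consider setting the flag outside the conditional or under its own test, and add a one-line comment beside `kernel_cflags` saying why it is there (vDSO callers with very small stacks), since the reason currently lives only in the commit message.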
@ -182,10 +182,12 @@ coreos-kernel_src_install() {
# Install firmware to a temporary (bogus) location. # Install firmware to a temporary (bogus) location.
# The linux-firmware package will be used instead. # The linux-firmware package will be used instead.
# Stripping must be done here, not portage, to preserve sigs. # Stripping must be done here, not portage, to preserve sigs.
# Uncomment vdso_install for easy access to debug symbols in gdb:
# set debug-file-directory /lib/modules/4.0.7-coreos-r2/vdso/
kmake INSTALL_MOD_PATH="${D}" \ kmake INSTALL_MOD_PATH="${D}" \
INSTALL_MOD_STRIP="--strip-unneeded" \ INSTALL_MOD_STRIP="--strip-unneeded" \
INSTALL_FW_PATH="${T}/fw" \ INSTALL_FW_PATH="${T}/fw" \
modules_install modules_install # vdso_install
local version=$(kmake -s --no-print-directory kernelrelease) local version=$(kmake -s --no-print-directory kernelrelease)
dosym "vmlinuz-${version}" /usr/boot/vmlinuz dosym "vmlinuz-${version}" /usr/boot/vmlinuz