Details
-
Task
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
None
-
None
Description
gcc/ld have different options that can make resulting binaries more secure against buffer/stack overflow exploits. RedHat uses most of them for distribution binaries. We need to analyze these options, understand the benefits and drawbacks, and possibly use them too in our builds.
The (incomplete) list is
-pie
|
-Wp,-D_FORTIFY_SOURCE=2
|
-fstack-protector --param=ssp-buffer-size=4
|
-Wl,-z,relro,-z,now
|
Attachments
Issue Links
- relates to
-
MDEV-6479 stack traces in 10.1
-
- Closed
-
- links to
Activity
| Field | Original Value | New Value |
|---|---|---|
| Fix Version/s | 10.0.10 [ 14500 ] |
| Remote Link | This issue links to "an article about RELRO (Web Link)" [ 14900 ] |
| Fix Version/s | 10.0.11 [ 15200 ] | |
| Fix Version/s | 5.5.38 [ 15400 ] | |
| Fix Version/s | 10.0.10 [ 14500 ] | |
| Fix Version/s | 5.5.37 [ 15000 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Fix Version/s | 10.2.0 [ 14601 ] | |
| Fix Version/s | 10.0.11 [ 15200 ] | |
| Fix Version/s | 5.5.38 [ 15400 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Workflow | defaullt [ 34912 ] | MariaDB v2 [ 42461 ] |
| Fix Version/s | 10.1.0 [ 12200 ] | |
| Fix Version/s | 10.2.0 [ 14601 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Assignee | Sergei Golubchik [ serg ] | Axel Schwenke [ axel ] |
| Remote Link | This issue links to "Review of the patch (Web Link)" [ 18000 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
Attached two PDFs summarizing the results of sysbench OLTP. The tested server tree was MariaDB-10.0.12. Once compiled with default gcc flags, once with the "security" options added.
There were 3 executions of each build, each delivering 20 data points (transactions per second, averaged over 3 second intervals). There is considerable noise on the data, both during a run and also between different runs of the same build. Still there is a visible difference between "default" and "security" builds of approximately 1%
Each dot in the plots represents one data point. The lines and numbers represent the median of the values. The median was preferred over the average because it is more stable re. outliers.
| Attachment | graph.ro.pdf [ 31504 ] | |
| Attachment | graph.rw.pdf [ 31505 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Assignee | Axel Schwenke [ axel ] | Sergei Golubchik [ serg ] |
FTR, this are the changes to my build script
--- xl_build_new 2014-06-25 14:40:40.354214993 +0200
|
+++ xl_build_MDEV-5730 2014-06-25 14:40:33.154617307 +0200
|
@@ -5,5 +5,5 @@
|
#CC=gcc
|
#CXX=g++
|
-CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized"
|
+CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized -pie -fPIC -Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
|
CXXFLAGS="$CFLAGS -felide-constructors"
|
|
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Workflow | MariaDB v2 [ 42461 ] | MariaDB v3 [ 63882 ] |
| Workflow | MariaDB v3 [ 63882 ] | MariaDB v4 [ 132279 ] |
axel, could you please benchmark the effect of this patch? Thanks!