Assembler code contained in some of the assembler string functions (used
if "configure --enable-assembler") contain text relocations.
This prevent the enforcement of some security policies if MySQL database
is used.
Full reference at "http://bugs.gentoo.org/42968"
The patches attached cover MySQL versions 4.0, 4.1, 5.0.
035_x86_asm-pic-fixes-r0.patch ==> mysql-4.0
strings/longlong2str-x86.s
strings/strings-x86.s
035_x86_asm-pic-fixes-r1.patch ==> mysql-4.1, mysql-5.0
strings/longlong2str-x86.s
strings/my_strtoll10-x86.s
strings/strings-x86.s
Tests done:
The environment described in the attached file
mysqlbug_hardened_mysql-5.0.6_beta.txt is running a slave database of a
production system. (and pass all the testsuite)
On another x86 box it has run in many /not/ hardened environments,
ranging from
gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1
to
gcc-4.0.1-beta20050507, glibc-2.3.5.20050421
without problem related to these patches.
Benchmarking:
Performances seem unchanged, or with not measurable differences (after
few and quick tests).
regards
Francesco Riosa
vivo at gentoo.org
Environment:
<machine, os, target, libraries (multiple lines)>
System: Linux aps 2.6.11-hardened-r13 #1 Tue Jun 14 07:17:35 CEST 2005 i686 GNU/Linux
Architecture: i686
Some paths: /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc/i686-pc-linux-gnu/3.4.4/specs
Configured with: /var/tmp/portage/gcc-3.4.4/work/gcc-3.4.4/configure
--enable-version-specific-runtime-libs --prefix=/usr --bindir=/usr/i686-p
c-linux-gnu/gcc-bin/3.4.4 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/3.4.4/include
--datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.4 --ma
ndir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.4/man
--infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4.4/info --with-gxx-include-dir=/usr/li
b/gcc/i686-pc-linux-gnu/3.4.4/include/g++-v3 --host=i686-pc-linux-gnu --disable-altivec
--enable-nls --without-included-gettext --with-system-
zlib --disable-checking --disable-werror --disable-libunwind-exceptions --disable-multilib
--disable-libgcj --enable-languages=c,c++ --enable-
shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 3.4.4 (Gentoo Hardened 3.4.4, ssp-3.4.4-1.0, pie-8.7.8)
Compilation info: CC='i686-pc-linux-gnu-gcc' CFLAGS='-O2 -march=athlon-xp
-fomit-frame-pointer -fforce-addr -fstack-protector -DHAVE_ERRNO_AS
_DEFINE=1' CXX='i686-pc-linux-gnu-g++' CXXFLAGS='-O2 -march=athlon-xp
-fomit-frame-pointer -fforce-addr -fstack-protector -DHAVE_ERRNO_AS_DE
FINE=1 -fno-implicit-templates -felide-constructors -fno-exceptions -fno-rtti' LDFLAGS=''
ASFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 13 Jun 14 14:01 /lib/libc.so.6 -> libc-2.3.5.so
-rwxr-xr-x 1 root root 1307808 Jun 14 05:09 /lib/libc-2.3.5.so
-rw-r--r-- 1 root root 3162920 Jun 14 05:09 /usr/lib/libc.a
-rwxr-xr-x 1 root root 204 Jun 14 05:09 /usr/lib/libc.so
Configure command: ./configure '--prefix=/usr' '--host=i686-pc-linux-gnu'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/us
r/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libexecdir=/usr/sbin'
'--sysconfdir=/etc/mysql' '--localstatedir=/var/lib/mysql' '-
-with-low-memory' '--enable-assembler' '--enable-local-infile' '--with-mysqld-user=mysql'
'--with-client-ldflags=-lstdc++' '--enable-thread-sa
fe-client' '--with-comment=Gentoo Linux mysql-5.0.6_beta-r1'
'--with-unix-socket-path=/var/run/mysqld/mysqld.sock' '--with-zlib-dir=/usr' '--w
ith-lib-ccflags=-fPIC' '--without-embedded-server' '--without-readline' '--enable-shared'
'--enable-static' '--with-libwrap' '--with-openssl'
'--without-debug' '--with-bench' '--with-server' '--with-embedded-server'
'--with-extra-tools' '--with-innodb' '--with-raid' '--with-extra-cha
rsets=all' '--with-berkeley-db=./bdb' '--with-geometry' '--without-ndbcluster'
'--with-big-tables' '--without-docs' '--with-archive-storage-en
gine' '--with-csv-storage-engine' '--with-federated-storage-engine'
'--with-blackhole-storage-engine' 'CFLAGS=-O2 -march=athlon-xp -fomit-fram
e-pointer -fforce-addr -fstack-protector -DHAVE_ERRNO_AS_DEFINE=1' 'CXXFLAGS=-O2
-march=athlon-xp -fomit-frame-pointer -fforce-addr -fstack-pr
otector -DHAVE_ERRNO_AS_DEFINE=1 -fno-implicit-templates -felide-constructors
-fno-exceptions -fno-rtti' 'host_alias=i686-pc-linux-gnu'
Attachment: [text/x-patch] 035_x86_asm-pic-fixes-r1.patch
Attachment: [text/x-patch] 035_x86_asm-pic-fixes-r0.patch
