Re: False positives in nolibc check

[Stefan Hajnoczi <stefanha@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 2068 bytes --]

On Tue, Jun 20, 2023 at 10:49:08PM +0700, Ammar Faizi wrote:
> On Tue, Jun 20, 2023 at 03:31:52PM +0200, Stefan Hajnoczi wrote:
> > This is caused by the stack protector compiler options, which depend on
> > the libc __stack_chk_fail_local symbol.
> 
> Guillem fixed it last week. Does this commit fix the stack protector
> problem? https://github.com/axboe/liburing/commit/319f4be8bd049055c333185928758d0fb445fc43
> 
> > In general, I'm concerned that nolibc is fragile because the toolchain
> > and libc sometimes have dependencies that are activated by certain
> > compiler options. Some users will want libc and others will not. Maybe
> > make it an explicit option instead of probing?
> 
> I made nolibc always enabled because I don't see the need of using libc
> in liburing. If we have a real reason of using libc, maybe adding
> '--use-libc' is better than bringing back '--nolibc'. 
> 
> I agree with what Alviro said that using stack protector in liburing is
> too overkill. That's why I see no reason for the upstream to support it.
> 
> Can you mention other dependencies that do need libc? That information
> would be useful to consider bringing back libc to liburing.

I don't know which features require the toolchain and libc to cooperate.
I guess Thread Local Storage won't work and helper functions that
compilers emit (like the memset example that Alviro gave).

Disabling hardening because it requires work to support it in a nolibc
world seems dubious to me. I don't think it's a good idea for io_uring
to lower security because that hurts its image and reduces adoption.
Especially right now, when the security of io_uring is being scrutinized
(https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html).

While I'm sharing these opinions with you, I understand that some people
want nolibc and are fine with disabling the stack protector. The main
thing I would like is for liburing to compile or fail with a clear error
message instead of breaking somewhere during the build.

Stefan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]