Bugzilla Bug 134403

make[1]: Entering directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/yacc'
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o
closure.o closure.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o error.o
error.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o lalr.o
lalr.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o lr0.o
lr0.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o main.o
main.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o mkpar.o
mkpar.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o output.o
output.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o reader.o
reader.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o
skeleton.o skeleton.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o symtab.o
symtab.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o
verbose.o verbose.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o
warshall.o warshall.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector  -o ocamlyacc
closure.o error.o lalr.o lr0.o main.o mkpar.o output.o reader.o skeleton.o
symtab.o verbose.o warshall.o
main.o: In function `create_file_names':
main.c:(.text+0x643): warning: the use of `mktemp' is dangerous, better use
`mkstemp'
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/yacc'
cp yacc/ocamlyacc boot/ocamlyacc
cd stdlib; make COMPILER=../boot/ocamlc all
make[1]: Entering directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmi` -c pervasives.mli
make[1]: *** [pervasives.cmi] Killed
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
make: *** [coldstart] Error 2

!!! ERROR: dev-lang/ocaml-3.08.4 failed.
Call stack:
  ebuild.sh, line 1531:   Called dyn_compile
  ebuild.sh, line 931:   Called src_compile
  ocaml-3.08.4.ebuild, line 52:   Called die

!!! (no error message)
!!! If you need support, post the topmost build error, and the call stack if
relevant.

# tail -f /var/log/kern.log
May 26 13:21:30 Atlantis ocamlrun[961]: segfault at ffffffff8715f0f4 rip
ffffffff8715f0f4 rsp 000077d46d2a24b0 error 14
May 26 13:21:30 Atlantis PAX: execution attempt in: <NULL>, 00000000-00000000
00000000
May 26 13:21:30 Atlantis PAX: terminating task:
/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/boot/ocamlrun(ocamlrun):961,
uid/euid: 0/0, PC: ffffffff8715f0f4, SP: 000077d46d2a24b0
May 26 13:21:30 Atlantis PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ??
May 26 13:21:30 Atlantis PAX: bytes at SP-8: 00000aa28715d788 00002f91d98973c8
00002f91d962307c 000000000001d7ef 0000000000000040 0000000000000021
0000000000000034 0000000000000000 0000000000000000 00000aa28726dde8
00002f91d989a010


Portage 2.1_rc2-r3 (hardened/amd64, gcc-3.4.4, glibc-2.3.6-r4,
2.6.16-hardened-r6-Teo x86_64)
=================================================================
System uname: 2.6.16-hardened-r6-Teo x86_64 AMD Sempron(tm) Processor 3000+
Gentoo Base System version 1.12.0
ccache version 2.4 [enabled]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r1
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O3 -ftracer -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon64 -O3 -ftracer -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache confcache distcc distlocks
metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://mirror.switch.ch/mirror/gentoo/ http://gentoo.ngi.it/
http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LC_ALL="it_IT.UTF-8"
LINGUAS="it"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl amd64 bash-completion berkdb bzip2 crypt dlloader gmp gnutls gpm
hardened idn ipv6 jpeg justify lm_sensors mailwrapper mysql ncurses nls nptl
pam pic png readline samba snmp ssl tcpd truetype unicode userlocales xml zlib
elibc_glibc kernel_linux linguas_it userland_GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

It is my understanding that dev-lang/ocaml creates code on the fly and executes
it 
(JIT/shellcode). With a PaX enabled kernel this would always fail as the goal 
of the PaX project is to protect programs from doing exactly this.
If you don't care and wish to permit this behavior then you can probably 
paxctl/chpax the ocamlrun util.

Builds fine on x86 with PaX enabled here, so looks like an AMD64 issue rather
than a PaX issue.

The PaX report seems to indicate a null pointer dereference problem - the
executable was killed when trying to execute address 0.

(In reply to comment #2)
> executable was killed when trying to execute address 0.

No it wasn't - I was talking from the wrong end, again.  PC was
ffffffff8715f0f4, which is not code space so it definitely looks like a 64-bit
error.

to me it looks like some int->long signed extension where someone stored a
function ptr in that int previously and ended up losing the high 32 bits. get a
coredump and look at it in gdb, it'll probably be simple to find the culprit
function ptr (turn off ASLR for easier reproduction).

Do we think this bug should occur on a standard amd64 as well then?

I have another amd64, whithout hardened, and it works.

[cut]
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3   -c -o warshall.o warshall.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3  -o ocamlyacc closure.o error.o
lalr.o lr0.o main.o mkpar.o output.o reader.o skeleton.o symtab.o verbose.o
warshall.o
main.o: In function `create_file_names':
main.c:(.text+0x1b5): warning: the use of `mktemp' is dangerous, better use
`mkstemp'
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/yacc'
cp yacc/ocamlyacc boot/ocamlyacc
cd stdlib; make COMPILER=../boot/ocamlc all
make[1]: Entering directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmi` -c pervasives.mli
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmo` -c pervasives.ml
[cut]

Portage 2.1_rc2-r3 (default-linux/amd64/2006.0, gcc-4.1.1, glibc-2.4-r2,
2.6.16-gentoo-r8-Teo x86_64)
=================================================================
System uname: 2.6.16-gentoo-r8-Teo x86_64 AMD Athlon(tm) 64 X2 Dual Core
Processor 3800+
Gentoo Base System version 1.12.0
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r1
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O3 -ftracer -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/grass60/etc /usr/kde/3.5/env
/usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb
/usr/share/config /usr/spool/PBS"
CONFIG_PROTECT_MASK="/etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo
/etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=athlon64 -O3 -ftracer -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache confcache distlocks metadata-transfer
sandbox sfperms strict"
GENTOO_MIRRORS="ftp://mirror.switch.ch/mirror/gentoo/ http://gentoo.ngi.it/
http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LC_ALL="it_IT.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="it"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages-p2"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac aalib acl acpi alsa apache2 arts audiofile avi
bash-completion berkdb bitmap-fonts blas bzip2 caps cdparanoia cdr cli crypt
ctype cups curl curlwrappers dba dbus dri dts dvd dvdr dvdread eds emboss
encode esd exif expat ffmpeg fftw flac flash foomaticdb fortran ftp gcj gd gdbm
gif gmp gnome gnutls gpm gstreamer gtk gtk2 gtkhtml hal iconv idn imagemagick
imap imlib iodbc ipv6 isdnlog java javascript jpeg jpeg2k kde kdeenablefinal
lapack lcms ldap libcaca libedit libgda lm_sensors lzw lzw-tiff mad mailwrapper
matroska mbox mhash ming mng motif mp3 mpeg mysql ncurses netcdf nis nls nptl
nsplugin odbc offensive ogg opengl pam pcntl pcre pdf pdflib perl php png posix
postgres ppds pppd prelude python qt quicktime readline reflection samba sasl
scanner sdl session simplexml slang slp smartcard sndfile snmp sockets socks5
speex spell spl sqlite ssl svg sysvipc szip tcltk tcpd tetex theora threads
tidy tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis wmf xine
xml xml2 xmlrpc xmms xorg xosd xpm xprint xsl xv xvid zlib elibc_glibc
input_devices_keyboard input_devices_mouse kernel_linux linguas_it userland_GNU
video_cards_nvidia video_cards_vesa video_cards_vga video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_RSYNC_EXTRA_OPTS

(In reply to comment #6)
> I have another amd64, whithout hardened, and it works.
> 
> Portage 2.1_rc2-r3 (default-linux/amd64/2006.0, gcc-4.1.1, glibc-2.4-r2,
> 2.6.16-gentoo-r8-Teo x86_64)

can you try it with gcc-3.4.4 as well?

(In reply to comment #5)
> Do we think this bug should occur on a standard amd64 as well then?

i'd say yes but it may also be a compiler problem, let's see if different gcc
versions behave differently on non-hardened (with that said, looking at a
coredump is still the best approach).

(In reply to comment #7)
> can you try it with gcc-3.4.4 as well?

Not now, but I have

gcc (GCC) 3.4.6 (Gentoo 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

with x86_64-pc-linux-gnu-3.4.6 it works

[cut]
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3   -c -o warshall.o warshall.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3  -o ocamlyacc closure.o error.o
lalr.o lr0.o main.o mkpar.o output.o reader.o skeleton.o symtab.o verbose.o
warshall.o
main.o: In function `create_file_names':
main.c:(.text+0x5cf): warning: the use of `mktemp' is dangerous, better use
`mkstemp'
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/yacc'
cp yacc/ocamlyacc boot/ocamlyacc
cd stdlib; make COMPILER=../boot/ocamlc all
make[1]: Entering directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmi` -c pervasives.mli
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmo` -c pervasives.ml
[cut]

with x86_64-pc-linux-gnu-3.4.6-hardened

[cut]
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector   -c -o
warshall.o warshall.c
gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=athlon64 -O2 -ftracer -pipe -msse3 -fno-stack-protector  -o ocamlyacc
closure.o error.o lalr.o lr0.o main.o mkpar.o output.o reader.o skeleton.o
symtab.o verbose.o warshall.o
main.o: In function `create_file_names':
main.c:(.text+0x643): warning: the use of `mktemp' is dangerous, better use
`mkstemp'
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/yacc'
cp yacc/ocamlyacc boot/ocamlyacc
cd stdlib; make COMPILER=../boot/ocamlc all
make[1]: Entering directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmi` -c pervasives.mli
make[1]: *** [pervasives.cmi] Segmentation fault
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
make: *** [coldstart] Error 2

!!! ERROR: dev-lang/ocaml-3.08.4 failed.
Call stack:
  ebuild.sh, line 1531:   Called dyn_compile
  ebuild.sh, line 931:   Called src_compile
  ocaml-3.08.4.ebuild, line 52:   Called die

!!! (no error message)
!!! If you need support, post the topmost build error, and the call stack if
relevant.

looks like a hardened gcc issue then, a gdb/coredump session is inavoidable...

Looks like ssp is already filtered via ebuild-o-magic.
But can you try with each of the gcc provided specs to help narrow it down.

gcc-config -l
gcc-config <number>
. /etc/profile
emerge dev-lang/ocaml
<repeat as needed>

# Also could you try relaxing your CFLAGS to just "-O2 -pipe"

On the non-hardened system

[1] x86_64-pc-linux-gnu-3.4.6                  OK
[2] x86_64-pc-linux-gnu-3.4.6-hardened         KO
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopie    OK
[4] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp OK
[5] x86_64-pc-linux-gnu-3.4.6-hardenednossp    KO
[6] x86_64-pc-linux-gnu-4.1.1                  OK

On the hardened system

[1] x86_64-pc-linux-gnu-3.4.6                  KO
[2] x86_64-pc-linux-gnu-3.4.6-hardenednopie    OK
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp OK
[4] x86_64-pc-linux-gnu-3.4.6-hardenednossp    KO
[5] x86_64-pc-linux-gnu-3.4.6-vanilla          OK

seems like PIE's triggering something bad.

I think we've seen PIE cause this sort of thing before, but can't put my finger
on it right now.

Here is another "me too":

gcc -O -DNDEBUG -fno-defer-pop -Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT
-march=k8 -O2 -pipe -fno-stack-protector  -o ocamlyacc closure.o error.o lalr.o
lr0.o main.o mkpar.o output.o reader.o skeleton.o symtab.o verbose.o warshall.o
main.o: In function `create_file_names':
main.c:(.text+0x63e): warning: the use of `mktemp' is dangerous, better use
`mkstemp'
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/yacc'
cp yacc/ocamlyacc boot/ocamlyacc
cd stdlib; make COMPILER=../boot/ocamlc all
make[1]: Entering directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
../boot/ocamlrun ../boot/ocamlc -g -warn-error A -nostdlib `./Compflags
pervasives.cmi` -c pervasives.mli
make[1]: *** [pervasives.cmi] Segmentation fault
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.08.4/work/ocaml-3.08.4/stdlib'
make: *** [coldstart] Error 2

!!! ERROR: dev-lang/ocaml-3.08.4 failed.
Call stack:
  ebuild.sh, line 1539:   Called dyn_compile
  ebuild.sh, line 939:   Called src_compile
  ocaml-3.08.4.ebuild, line 52:   Called die

# dmesg | tail
ocamlrun[27973]: segfault at 0000000055572841 rip 0000000055572841 rsp
00007fffff849780 error 14


This is with gcc version x86_64-pc-linux-gnu-3.4.5 (not hardened) running on an
AMD64.

# emerge --info
Portage 2.1 (default-linux/amd64/2006.0, gcc-3.4.5, glibc-2.3.6-r3,
2.6.16-gentoo-r9 x86_64)
=================================================================
System uname: 2.6.16-gentoo-r9 x86_64 AMD Athlon(tm) 64 Processor 3800+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/fax /var/bind /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks fixpackages metadata-transfer sandbox sfperms
strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org/"
MAKEOPTS="-j2"
PKGDIR="/var/pkgdir"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://vangelis.dmj.nu/gentoo-portage"
USE="amd64 apache2 avi bash-completion berkdb bitmap-fonts bzip2 cli crypt
ctype cups curl dcc dri eds emboss encode fam fax foomaticdb fortran gd gdbm
gif gmp gstreamer hardened hardenedphp idn imlib isdnlog jpeg ldap logrotate
logwatch lzw lzw-tiff mhash mp3 mpeg mysql ncurses nls no-htdocs nptl pcre
pdflib perl png posix ppds python quicktime readline reflection rrdtool samba
scanner sdl session slp spl ssl swat syslog tcpd tiff urandom usb xml xorg xv
zlib elibc_glibc kernel_linux userland_GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS

same problem with dev-lang/ocaml-3.09.2

(In reply to comment #15)

Sorry my error, I was using the hardened version of gcc. After changing to
x86_64-pc-linux-gnu-3.4.5-vanilla the compilation of ocaml went OK.

--Dan

dev-lang/ocaml-3.09.3 doesn't work

cd asmrun; make meta.o dynlink.o
make[1]: Entering directory
`/var/tmp/portage/ocaml-3.09.3/work/ocaml-3.09.3/asmrun'
ln -s ../byterun/meta.c meta.c
gcc -I../byterun -DCAML_NAME_SPACE -DNATIVE_CODE -DTARGET_amd64 -DSYS_linux  -O
-Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT -march=athlon64 -O2 -ftracer -pipe
-msse3 -fno-stack-protector   -c -o meta.o meta.c
ln -s ../byterun/dynlink.c dynlink.c
gcc -I../byterun -DCAML_NAME_SPACE -DNATIVE_CODE -DTARGET_amd64 -DSYS_linux  -O
-Wall -D_FILE_OFFSET_BITS=64 -D_REENTRANT -march=athlon64 -O2 -ftracer -pipe
-msse3 -fno-stack-protector   -c -o dynlink.o dynlink.c
make[1]: Leaving directory
`/var/tmp/portage/ocaml-3.09.3/work/ocaml-3.09.3/asmrun'
boot/ocamlrun ./ocamlopt -nostdlib -I stdlib  -ccopt "-Wl,-E" -o ocamlc.opt \
          utils/misc.cmx utils/tbl.cmx utils/config.cmx utils/clflags.cmx
utils/terminfo.cmx utils/ccomp.cmx utils/warnings.cmx utils/consistbl.cmx
parsing/linenum.cmx parsing/location.cmx parsing/longident.cmx
parsing/syntaxerr.cmx parsing/parser.cmx parsing/lexer.cmx parsing/parse.cmx
parsing/printast.cmx typing/unused_var.cmx typing/ident.cmx typing/path.cmx
typing/primitive.cmx typing/types.cmx typing/btype.cmx typing/oprint.cmx
typing/subst.cmx typing/predef.cmx typing/datarepr.cmx typing/env.cmx
typing/typedtree.cmx typing/ctype.cmx typing/printtyp.cmx
typing/includeclass.cmx typing/mtype.cmx typing/includecore.cmx
typing/includemod.cmx typing/parmatch.cmx typing/typetexp.cmx typing/stypes.cmx
typing/typecore.cmx typing/typedecl.cmx typing/typeclass.cmx typing/typemod.cmx
bytecomp/lambda.cmx bytecomp/printlambda.cmx bytecomp/typeopt.cmx
bytecomp/switch.cmx bytecomp/matching.cmx bytecomp/translobj.cmx
bytecomp/translcore.cmx bytecomp/translclass.cmx bytecomp/translmod.cmx
bytecomp/simplif.cmx bytecomp/runtimedef.cmx bytecomp/meta.cmx
bytecomp/instruct.cmx bytecomp/bytegen.cmx bytecomp/printinstr.cmx
bytecomp/opcodes.cmx bytecomp/emitcode.cmx bytecomp/bytesections.cmx
bytecomp/dll.cmx bytecomp/symtable.cmx bytecomp/bytelink.cmx
bytecomp/bytelibrarian.cmx bytecomp/bytepack
ager.cmx driver/pparse.cmx driver/errors.cmx driver/compile.cmx
driver/main_args.cmx driver/main.cmx \
          asmrun/meta.o asmrun/dynlink.o -cclib "-lm  -ldl -lcurses -lpthread"
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/../../../../x86_64-pc-linux-gnu/bin/ld:
/var/tmp/portage/ocaml-3.09.3/temp/camlstartup38ccda.o: relocation R_X86_64_32S
against `caml_curry2_1' can not be used when making a shared object; recompile
with -fPIC
/var/tmp/portage/ocaml-3.09.3/temp/camlstartup38ccda.o: could not read symbols:
Bad value
collect2: ld returned 1 exit status
Error during linking
make: *** [ocamlc.opt] Error 2

!!! ERROR: dev-lang/ocaml-3.09.3 failed.
Call stack:
  ebuild.sh, line 1546:   Called dyn_compile
  ebuild.sh, line 937:   Called src_compile
  ocaml-3.09.3.ebuild, line 52:   Called die

!!! (no error message)
!!! If you need support, post the topmost build error, and the call stack if
relevant.

There is a very little probability ocaml will ever work with a hardened gcc
given it manages its memory itself using a garbage collector.

(In reply to comment #19)
> There is a very little probability ocaml will ever work with a hardened gcc
> given it manages its memory itself using a garbage collector.

gc has nothing to do with hardened (gcc) or this bug. what happens here is that
ocaml builds some assembly code at compile time (asmcomp/amd64/emit.mlp +390
seems to be the culprit in case anyone wants to investigate it further) that is
not PIC (by design i assume, but upstream can tell for sure) which then gets
linked into a PIE, except amd64 is more strict about mixing PIC/non-PIC and the
linker doesn't allow it. quick fix is to switch to a gcc profile that doesn't
produce PIE (i think some Xorg ebuilds do that already).

the other problem reported in comment #1 seems to have been fixed since, at
least i could successfully emerge ocaml-3.09.3 without any PaX kills (and a
non-PIE profile).

How is hardened supposed to cope with a program that executes things in memory
(which were potentially created by the program itself) ? With garbage
collection and higher order functions i doubt PaX can do much, so how does it
work ?

(In reply to comment #20)
> quick fix is to switch to a gcc profile that doesn't
> produce PIE (i think some Xorg ebuilds do that already).

Yes, I don't have any problem with gcc-vanilla

(In reply to comment #21)
> How is hardened supposed to cope with a program that executes things in memory
> (which were potentially created by the program itself) ? With garbage
> collection and higher order functions i doubt PaX can do much, so how does it
> work ?

this bug is not about runtime code generation issues but bugs/features that
manifest during the ocaml build process, that's why i said that the garbage
collector and other features like runtime code generation had nothing to with
this.

but now that you asked ;-): i doubt PaX stops gc from working (at most if it
relies on non-randomized addresses it can fail, but that'd manifest under
vanilla kernels too these days, so i guess it'd be fixed by now). runtime code
generation is simple to handle: paxctl -m (preferably the ebuild should do it,
there's bug #148170 about that issue in general).

So where are we standing on this? I can contact upstream if you want me to, but
I'm far from an expert on PIC issues.

(In reply to comment #24)
> So where are we standing on this? I can contact upstream if you want me to, but
> I'm far from an expert on PIC issues.

i think telling upstream about comment #20 should get them started, based on
that info they can at least tell us if they're even interested in fixing this
kind of problem or not. otherwise ocaml will have to follow the Xorg
server/driver path and switch the gcc profile during compilation.

@hardenend: does this still happen with >=3.10.0 ?
since we forced linking with -nopie due to ocaml producing its own non pic asm,
this should be fixed; but I am not 100% sure and can't remember what was the
outcome.

(In reply to comment #26)
> @hardenend: does this still happen with >=3.10.0 ?
> since we forced linking with -nopie due to ocaml producing its own non pic asm,
> this should be fixed; but I am not 100% sure and can't remember what was the
> outcome.
> 

supposedly fixed then...