Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 326689 - sys-libs/glibc compile fails with -fstack-protector and -fstack-protector-all
Summary: sys-libs/glibc compile fails with -fstack-protector and -fstack-protector-all
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: High normal (vote)
Assignee: The Gentoo Linux Hardened Team
URL: http://sources.redhat.com/bugzilla/sh...
Whiteboard:
Keywords:
: 326675 330571 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-07-02 22:07 UTC by George Prowse
Modified: 2010-07-31 10:43 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description George Prowse 2010-07-02 22:07:02 UTC
When compiling glibc, if you have -fstack-protector or -fstack-protector-all for SSP protection in your CFLAGS the compile will fail. The errors seem to be to do with a possible broken make script.

-fstack-protector=all fails with:


configure: error: Need linker with .init_array/.fini_array support.
 * ERROR: sys-libs/glibc-2.11.2 failed:
 *   failed to configure glibc
 * 
 * Call stack:
 *           ebuild.sh, line   54:  Called src_compile
 *         environment, line 3859:  Called eblit-run 'src_compile'
 *         environment, line 1248:  Called eblit-glibc-src_compile
 *   src_compile.eblit, line  199:  Called src_compile
 *         environment, line 3859:  Called eblit-run 'src_compile'
 *         environment, line 1248:  Called eblit-glibc-src_compile
 *   src_compile.eblit, line  207:  Called toolchain-glibc_src_compile
 *   src_compile.eblit, line  121:  Called glibc_do_configure 'nptl'
 *   src_compile.eblit, line   98:  Called die
 * The specific snippet of code:
 *   	"${S}"/configure ${myconf} || die "failed to configure glibc"
 * 

-fstack protector fails with:


/var/tmp/portage/sys-libs/glibc-2.11.2/work/build-amd64-x86_64-pc-linux-gnu-nptl/libc_pic.a(init-first.os):(.data+0x0): multiple definition of `__libc_multiple_libcs'
/var/tmp/portage/sys-libs/glibc-2.11.2/work/build-amd64-x86_64-pc-linux-gnu-nptl/elf/dl-allobjs.os:/var/tmp/portage/sys-libs/glibc-2.11.2/work/glibc-2.11.2/elf/rtld.c:654: first defined here
/var/tmp/portage/sys-libs/glibc-2.11.2/work/build-amd64-x86_64-pc-linux-gnu-nptl/libc_pic.a(dl-addr.os): In function `_dl_addr_inside_object':
/var/tmp/portage/sys-libs/glibc-2.11.2/work/glibc-2.11.2/elf/dl-addr.c:158: multiple definition of `_dl_addr_inside_object'
/var/tmp/portage/sys-libs/glibc-2.11.2/work/build-amd64-x86_64-pc-linux-gnu-nptl/elf/dl-allobjs.os:/var/tmp/portage/sys-libs/glibc-2.11.2/work/glibc-2.11.2/elf/dl-open.c:688: first defined here
collect2: ld returned 1 exit status
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.11.2/work/build-amd64-x86_64-pc-linux-gnu-nptl/elf/librtld.map] Error 1
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.11.2/work/glibc-2.11.2/elf'
make[1]: *** [elf/subdir_lib] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.11.2/work/glibc-2.11.2'
make: *** [all] Error 2
 * ERROR: sys-libs/glibc-2.11.2 failed:
 *   make for amd64 failed
 * 
 * Call stack:
 *           ebuild.sh, line   54:  Called src_compile
 *         environment, line 3859:  Called eblit-run 'src_compile'
 *         environment, line 1248:  Called eblit-glibc-src_compile
 *   src_compile.eblit, line  199:  Called src_compile
 *         environment, line 3859:  Called eblit-run 'src_compile'
 *         environment, line 1248:  Called eblit-glibc-src_compile
 *   src_compile.eblit, line  207:  Called toolchain-glibc_src_compile
 *   src_compile.eblit, line  123:  Called die
 * The specific snippet of code:
 *   		make PARALLELMFLAGS="${MAKEOPTS}" || die "make for ${ABI} failed"

Reproducible: Always

Steps to Reproduce:
1. emerge glibc
2.
3.




Portage 2.1.8.3 (default/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r0, 2.6.32-gentoo-r5 x86_64)
=================================================================
System uname: Linux-2.6.32-gentoo-r5-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-gentoo-2.0.1
Timestamp of tree: Fri, 02 Jul 2010 11:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r2, 3.1.2-r3
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     9999
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=core2 -O2 -pipe -ggdb -fstack-protector=all -Wformat-security"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=core2 -O2 -pipe -ggdb -fstack-protector -Wformat-security"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news nostrip parallel-fetch protect-owned sandbox sfperms splitdebug strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.virginmedia.com/ "
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_GB en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/zen-sources /var/lib/layman/webapps-experimental /var/lib/layman/vmware /var/lib/layman/rox /var/lib/layman/openrc /var/lib/layman/jyujin /var/lib/layman/gnome /var/lib/layman/games /var/lib/layman/gamerlay /var/lib/layman/desktop-effects /var/lib/layman/sunrise"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 apache2 artworkextra aspell berkdb bzip2 cairo cdr cli consolekit cracklib crypt ctype cups cxx dbus device-mapper devicekit divx dns dri dvd dvdr emerald esd extra extras ffmpeg filter flac fortran gdbm gdu glitz gnome gpm gstreamer gtk h323 hal hog htmlhandbook iconv imagemagick ipv6 java jpeg jpg kdrive mad mmx mng modules mozbranding mp3 mpeg msn mudflap multilib mysql nautilus ncurses networkmanager nls nptl nptlonly nsplugin nvidia ogg opengl openmp openssl pam pcre pdf perl php pipechan png policykit pppd python qt3support readline reflection samba scrobbler secure-delete session simplexml sip skins spl sql sqlite sse sse2 ssl svg sysfs tabs tcpd threads tiff truetype unicode unsupported vorbis wad wav wavpack webkit wma xcb xine xml xorg xulrunner xvid zlib" ALSA_CARDS="emu10k1 intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Ryan Hill (RETIRED) gentoo-dev 2010-07-03 06:33:22 UTC
http://sources.redhat.com/bugzilla/show_bug.cgi?id=7065
Comment 2 SpanKY gentoo-dev 2010-07-03 16:49:57 UTC
if you want SSP support, use the hardened toolchain+profile.  randomly dropping SSP into CFLAGS is otherwise not currently supported.

i believe building glibc with a hardened toolchain works just fine.
Comment 3 SpanKY gentoo-dev 2010-07-03 21:34:39 UTC
*** Bug 326675 has been marked as a duplicate of this bug. ***
Comment 4 George Prowse 2010-07-04 00:58:59 UTC
I understand why you say I should use the hardened toolchain but why is this a problem with glibc and glibc only? If this is fixed for glibc then I have no need to use the hardened toolchain.
Comment 5 Magnus Granberg gentoo-dev 2010-07-18 15:26:16 UTC
(In reply to comment #4)
> I understand why you say I should use the hardened toolchain but why is this a
> problem with glibc and glibc only? If this is fixed for glibc then I have no
> need to use the hardened toolchain.
> 

We disable -fstack-protector and -fstack-protector-all on the hardened toolchain when building glibc for it is not supported upstream. See the bug in the URL.
Comment 6 Andrew Savchenko gentoo-dev 2010-07-18 19:49:52 UTC
(In reply to comment #5)
> We disable -fstack-protector and -fstack-protector-all on the hardened
> toolchain when building glibc for it is not supported upstream. See the bug in
> the URL.

Then why not to filter -fstack-protector* in the ebuild itself for any toolschain? This will save a lot of time and health for many people.
Comment 7 Xake 2010-07-18 20:22:38 UTC
(In reply to comment #6)
> Then why not to filter -fstack-protector* in the ebuild itself for any
> toolschain? This will save a lot of time and health for many people.
> 

Well we filter in the ebuild, or rather in the file the ebuild uses, line 173 in the following file:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-libs/glibc/files/eblits/common.eblit?view=markup

We do however only filter it for hardened since adding -fno-stack-protector for all builds would be unnecessary as the only benefit that would give is for unsupported usages of SSP, and have some disadvantages as bigger build.logs when stuff goes wrong and so on.
Comment 8 George Prowse 2010-07-18 23:09:44 UTC
is there a way to warn users of this so they dont have to look for a bug?
Comment 9 Magnus Granberg gentoo-dev 2010-07-31 10:43:45 UTC
*** Bug 330571 has been marked as a duplicate of this bug. ***