361687 – =sci-chemistry/gromacs-4.5.4 RWX on libgmx*.so.6.0.0

Bug 361687 - =sci-chemistry/gromacs-4.5.4 RWX on libgmx*.so.6.0.0

Summary: =sci-chemistry/gromacs-4.5.4 RWX on libgmx*.so.6.0.0

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	Normal QA (vote)
Assignee:	Gentoo Chemistry-Related Packages

URL:	http://redmine.gromacs.org/issues/732
Whiteboard:
Keywords:

Depends on:
Blocks:	357017
	Show dependency tree

Reported:	2011-04-02 15:07 UTC by Agostino Sarubbo
Modified:	2011-04-10 09:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Build log (gromacs-4.5.4:20110402-142641.log.bz2,41.57 KB, text/bzip2) 2011-04-02 15:07 UTC, Agostino Sarubbo	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2011-04-02 15:07:01 UTC

Created attachment 268215 [details]
Build log

$summary


* QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems.  A bug should be filed at
 *  http://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@g.o.
 * RWX --- --- usr/lib64/libgmx.so.6.0.0


( is not a regression )

Comment 1 Agostino Sarubbo gentoo-dev

2011-04-02 19:02:22 UTC

sorry, other rwx:

 * RWX --- --- usr/lib64/libgmx.so.6.0.0
 * RWX --- --- usr/lib64/libgmx_mpi.so.6.0.0
 * RWX --- --- usr/lib64/libgmx_d.so.6.0.0
 * RWX --- --- usr/lib64/libgmx_mpi_d.so.6.0.0

Comment 2 Agostino Sarubbo gentoo-dev

2011-04-02 19:03:49 UTC

add hardened from zorry's irc request
[17:12:14] <Zorry> ago`: can you cc hardened?

Comment 3 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev

2011-04-02 21:13:46 UTC

Well here is what we have:

Most of the files in gromacs seems to be non preprocessable assembly. This is quite bad since the fix needs them to be preprocessable. This can be solved by moving the .s files into .S files and fixing the build system so it recognises them.

The next step is marking the stack non executable. For this adding:
#if defined(__linux__) && defined(__ELF__)
.section .note.GNU-stack,"",%progbits
#endif

in ATT assembly files and adding
%ifidn __OUTPUT_FORMAT__,elf
section .note.GNU-stack noalloc noexec nowrite progbits
%endif

in the intel assembly ones (seem to be the ones with _intel_syntax in the name) should fix the issue.

Comment 4 Alexey Shvetsov archtester

2011-04-04 21:04:13 UTC

Ok. I created two patches for gromacs. One for ATT and one for GAS assembly since both patches are huge (~30M each) i put both of them on my devspace 

http://dev.gentoo.org/~alexxy/gromacs/

Comment 5 Alexey Shvetsov archtester

2011-04-04 21:27:22 UTC

Also i commited changes for gromacs-4.5.4-r1

Comment 6 Anthony Basile gentoo-dev

2011-04-04 22:38:56 UTC

Hi alexxy, the alternative (albeit not as good a solution) would have been to pass -noexecstack ldflag.  This doesn't fix the static libs, but it would have avoided the huge patches.

Are you passing this along to upstream?

Comment 7 Agostino Sarubbo gentoo-dev

2011-04-05 10:07:29 UTC

now is ok, fixed for me

Comment 8 Alexey Shvetsov archtester

2011-04-05 10:18:14 UTC

Yep. Patch was send upstream

Comment 9 Christoph Junghans (RETIRED) gentoo-dev

2011-04-10 09:53:57 UTC

Fixed in gromacs-4.5.4-r1, thanks alexxy. Hopefully it will be included by upstream in 4.5.5.