Created attachment 377726 [details] build.log I'm not sure if it's OK to append-cflags -Wa,--no-execstack type of solution here or not, or why this is happening at all, since I'm seeing the GNU stack markings in the code and this only happens to the 32bit library, not the 64bit one, when building on a multilib amd64 Some advise from the hardened@g.o would be welcome here. Thanks! * QA Notice: The following files contain writable and executable sections * Files with such sections will not work properly (or at all!) on some * architectures/operating systems. A bug should be filed at * http://bugs.gentoo.org/ to make sure the issue is fixed. * For more information, see http://hardened.gentoo.org/gnu-stack.xml * Please include the following list of files in your report: * Note: Bugs should be filed for the respective maintainers * of the package in question and not hardened@g.o. * RWX --- --- usr/lib32/libffi.so.6.0.2 Portage 2.2.10 (default/linux/amd64/13.0/developer, gcc-4.8.2, glibc-2.19, 3.13.4 x86_64) ================================================================= System uname: Linux-3.13.4-x86_64-Intel-R-_Core-TM-_i5-2400_CPU_@_3.10GHz-with-gentoo-2.2 KiB Mem: 16417644 total, 206680 free KiB Swap: 524284 total, 524284 free Timestamp of tree: Unknown ld GNU gold (GNU Binutils 2.24) 1.11 app-shells/bash: 4.2_p47 dev-lang/python: 2.7.6-r1, 3.2.5-r3, 3.3.5, 3.4.0 dev-util/cmake: 2.8.12.2-r1 dev-util/pkgconfig: 0.28-r1 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.9.6-r3, 1.11.6, 1.12.6, 1.13.4, 1.14.1 sys-devel/binutils: 2.24-r2 sys-devel/gcc: 4.8.2 sys-devel/gcc-config: 1.8 sys-devel/libtool: 2.4.2 sys-devel/make: 4.0-r1 sys-kernel/linux-headers: 3.14 (virtual/os-headers) sys-libs/glibc: 2.19 Repositories: gentoo location: /home/ssuominen/gentoo-x86 sync-type: rsync sync-uri: rsync://rsync.gentoo.org/gentoo-portage priority: -1000 local location: /usr/local/portage masters: gentoo priority: 0 ABI="amd64" ABI_X86="32 64" ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" ACCEPT_PROPERTIES="*" ACCEPT_RESTRICT="*" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ARCH="amd64" AUTOCLEAN="yes" BC_ENV_ARGS="-l" BOOTSTRAP_USE="cxx unicode internal-glib python_targets_python3_3 python_targets_python2_7 multilib" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -march=native -frecord-gcc-switches -Wimplicit-function-declaration" CFLAGS_amd64="-m64" CFLAGS_x32="-mx32" CFLAGS_x86="-m32" CHOST="x86_64-pc-linux-gnu" CHOST_amd64="x86_64-pc-linux-gnu" CHOST_x32="x86_64-pc-linux-gnux32" CHOST_x86="i686-pc-linux-gnu" CLEAN_DELAY="0" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" COLLISION_IGNORE="/lib/modules/* *.py[co] *$py.class */dropin.cache" COLORTERM="xfce4-terminal" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CVSROOT=":ext:ssuominen@cvs.gentoo.org:/var/cvsroot" CVS_RSH="ssh" CXXFLAGS="-O2 -pipe -march=native -frecord-gcc-switches" DBUS_SESSION_BUS_ADDRESS="unix:abstract=/tmp/dbus-9DVg9jdWLu,guid=5eefb67b86d71bf701713f35537eeaa1" DEFAULT_ABI="amd64" DESKTOP_SESSION="xfce" DISPLAY=":0.0" DISTDIR="/home/ssuominen/gentoo-x86/distfiles" ECHANGELOG_USER="Samuli Suominen <ssuominen@gentoo.org>" EDITOR="/bin/nano" ELIBC="glibc" EMERGE_DEFAULT_OPTS="--quiet-build=n --verbose --tree" EMERGE_WARNING_DELAY="0" EPREFIX="" EROOT="/" FCFLAGS="-O2 -pipe -march=native -frecord-gcc-switches -Wimplicit-function-declaration" FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms sign strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FETCHCOMMAND="wget -t 3 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}"" FETCHCOMMAND_RSYNC="rsync -avP "${URI}" "${DISTDIR}/${FILE}"" FETCHCOMMAND_SFTP="bash -c "x=\${2#sftp://} ; host=\${x%%/*} ; port=\${host##*:} ; host=\${host%:*} ; [[ \${host} = \${port} ]] && port=22 ; eval \"declare -a ssh_opts=(\${3})\" ; exec sftp -P \${port} \"\${ssh_opts[@]}\" \"\${host}:/\${x#*/}\" \"\$1\"" sftp "${DISTDIR}/${FILE}" "${URI}" "${PORTAGE_SSH_OPTS}"" FETCHCOMMAND_SSH="bash -c "x=\${2#ssh://} ; host=\${x%%/*} ; port=\${host##*:} ; host=\${host%:*} ; [[ \${host} = \${port} ]] && port=22 ; exec rsync --rsh=\"ssh -p\${port} \${3}\" -avP \"\${host}:/\${x#*/}\" \"\$1\"" rsync "${DISTDIR}/${FILE}" "${URI}" "${PORTAGE_SSH_OPTS}"" FFLAGS="-O2 -pipe -march=native -frecord-gcc-switches -Wimplicit-function-declaration" FLTK_DOCDIR="/usr/share/doc/fltk-1.3.2_p10088/html" GCC_SPECS="" GENTOO_MIRRORS="http://distfiles.gentoo.org" GLADE_CATALOG_PATH=":" GLADE_MODULE_PATH=":" GLADE_PIXMAP_PATH=":" GPG_AGENT_INFO="/tmp/gpg-wj4HY2/S.gpg-agent:1680:1" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="" GSETTINGS_BACKEND="gconf" GUILE_LOAD_PATH="/usr/share/guile/1.8" HG="/usr/bin/hg" HOME="/home/ssuominen" HUSHLOGIN="FALSE" INFOPATH="/usr/share/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.2/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.24/info" INPUT_DEVICES="evdev" IUSE_IMPLICIT="prefix" I_KNOW_WHAT_I_AM_DOING="yes" KERNEL="linux" LADSPA_PATH="/usr/lib64/ladspa" LANG="en_US.UTF-8" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LC_CTYPE="fi_FI.UTF-8" LC_MESSAGES="C" LC_TIME="en_GB.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu" LDFLAGS_amd64="-m elf_x86_64" LDFLAGS_x32="-m elf32_x86_64" LDFLAGS_x86="-m elf_i386" LESS="-R -M --shift 5" LESSOPEN="|lesspipe %s" LIBDIR_amd64="lib64" LIBDIR_amd64_fbsd="lib64" LIBDIR_arm="lib" LIBDIR_arm64="lib64" LIBDIR_n32="lib32" LIBDIR_n64="lib64" LIBDIR_o32="lib" LIBDIR_ppc="lib32" LIBDIR_ppc64="lib64" LIBDIR_s390="lib32" LIBDIR_s390x="lib64" LIBDIR_sparc32="lib32" LIBDIR_sparc64="lib64" LIBDIR_x32="libx32" LIBDIR_x86="lib32" LIBDIR_x86_fbsd="lib32" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en" LOGNAME="ssuominen" LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:" MAIL="/var/mail/ssuominen" MAKEOPTS="-j9" MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.2/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.24/man" MULTILIB_ABIS="amd64 x86" MULTILIB_STRICT_DENY="64-bit.*shared object" MULTILIB_STRICT_DIRS="/lib32 /lib /usr/lib32 /usr/lib /usr/kde/*/lib32 /usr/kde/*/lib /usr/qt/*/lib32 /usr/qt/*/lib /usr/X11R6/lib32 /usr/X11R6/lib" MULTILIB_STRICT_EXEMPT="(perl5|gcc|gcc-lib|binutils|eclipse-3|debug|portage|udev|systemd|clang|python-exec)" NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" OLDPWD="/tmp" OPENCL_PROFILE="nvidia" OPENGL_PROFILE="xorg-x11" PAGER="/usr/bin/less" PATH="/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.2:/usr/games/bin:/opt/ucsc-genome-browser/bin" PHP_TARGETS="php5-5" PKGDIR="/usr/portage/packages" PORTAGE_ARCHLIST="x86-winnt alpha sparc x64-macos ppc-macos amd64 ppc ppc-openbsd x86-macos hppa-hpux x86-linux arm64 x64-openbsd sparc-fbsd x86-openbsd x64-freebsd arm-linux sparc-solaris s390 x86-freebsd amd64-fbsd sh ppc64 arm ia64-linux ia64 x86-netbsd x86-cygwin x86-interix ppc-aix m68k x86-solaris hppa ia64-hpux sparc64-solaris m68k-mint x64-solaris mips x86-fbsd ppc64-linux sparc64-freebsd amd64-linux x86" PORTAGE_BIN_PATH="/usr/lib64/portage/bin" PORTAGE_COMPRESS="xz" PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png" PORTAGE_CONFIGROOT="/" PORTAGE_DEBUG="0" PORTAGE_DEPCACHEDIR="/var/cache/edb/dep" PORTAGE_ELOG_CLASSES="log warn error qa" PORTAGE_ELOG_MAILFROM="portage@localhost" PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}" PORTAGE_ELOG_MAILURI="root" PORTAGE_ELOG_SYSTEM="save_summary:log,warn,error,qa echo" PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5" PORTAGE_FETCH_RESUME_MIN_SIZE="350K" PORTAGE_GID="250" PORTAGE_GPG_DIR="/home/ssuominen/.gnupg" PORTAGE_GPG_KEY="4868F14D" PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign --yes --default-key "${PORTAGE_GPG_KEY}" --homedir "${PORTAGE_GPG_DIR}" "${FILE}"" PORTAGE_INST_GID="0" PORTAGE_INST_UID="0" PORTAGE_INTERNAL_CALLER="1" PORTAGE_OVERRIDE_EPREFIX="" PORTAGE_PYM_PATH="/usr/lib64/portage/pym" PORTAGE_PYTHONPATH="/usr/lib64/portage/pym" PORTAGE_REPOSITORIES="[DEFAULT] main-repo = gentoo [gentoo] location = /home/ssuominen/gentoo-x86 masters = priority = -1000 sync-type = rsync sync-uri = rsync://rsync.gentoo.org/gentoo-portage [local] location = /usr/local/portage masters = gentoo priority = 0 " PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_RSYNC_RETRIES="-1" PORTAGE_SYNC_STALE="30" PORTAGE_TMPDIR="/var/tmp" PORTAGE_VERBOSE="1" PORTAGE_WORKDIR_MODE="0700" PORTAGE_XATTR_EXCLUDE="security.* system.nfs4_acl" PORTDIR="/home/ssuominen/gentoo-x86" PORTDIR_OVERLAY="/usr/local/portage" PORT_LOGDIR="/var/log/portage" PORT_LOGDIR_CLEAN="find "${PORT_LOGDIR}" -type f ! -name "summary.log*" -mtime +7 -delete" PRELINK_PATH_MASK="/usr/lib64/libfreebl3.so:/usr/lib64/libnssdbm3.so:/usr/lib64/libsoftokn3.so" PROFILE_ONLY_VARIABLES="ARCH ELIBC IUSE_IMPLICIT KERNEL USERLAND USE_EXPAND_IMPLICIT USE_EXPAND_UNPREFIXED USE_EXPAND_VALUES_ARCH USE_EXPAND_VALUES_ELIBC USE_EXPAND_VALUES_KERNEL USE_EXPAND_VALUES_USERLAND" PWD="/tmp/libffi-3.1" PYTHONDONTWRITEBYTECODE="1" PYTHON_SINGLE_TARGET="python3_3" PYTHON_TARGETS="python2_7 python3_3" QT_GRAPHICSSYSTEM="raster" RESUMECOMMAND="wget -c -t 3 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}"" RESUMECOMMAND_RSYNC="rsync -avP "${URI}" "${DISTDIR}/${FILE}"" RESUMECOMMAND_SSH="bash -c "x=\${2#ssh://} ; host=\${x%%/*} ; port=\${host##*:} ; host=\${host%:*} ; [[ \${host} = \${port} ]] && port=22 ; exec rsync --rsh=\"ssh -p\${port} \${3}\" -avP \"\${host}:/\${x#*/}\" \"\$1\"" rsync "${DISTDIR}/${FILE}" "${URI}" "${PORTAGE_SSH_OPTS}"" ROOT="/" ROOTPATH="/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.2" RPMDIR="/usr/portage/rpm" RUBYOPT="-rauto_gem" RUBY_TARGETS="ruby19 ruby20" SESSION_MANAGER="local/null:@/tmp/.ICE-unix/1809,unix/null:/tmp/.ICE-unix/1809" SHELL="/bin/bash" SHLVL="4" SSH_AGENT_PID="1655" SSH_AUTH_SOCK="/tmp/ssh-0tKOFacOSFiM/agent.1654" SYMLINK_LIB="yes" SYNC="cvs://ssuominen@cvs.gentoo.org:/var/cvsroot" TERM="xterm" UNINSTALL_IGNORE="/lib/modules/*" [ .. snip .. ]
If you take a look at the main level Makefile.am, you find that if X86 nodist_libffi_la_SOURCES += src/x86/ffi.c src/x86/sysv.S src/x86/win32.S endif so win32.S is compiled and linked in. But win32.S doesn't have #if defined __ELF__ && defined __linux__ .section .note.GNU-stack,"",@progbits #endif If you add it, the problem is solved.
(In reply to Anthony Basile from comment #1) > If you take a look at the main level Makefile.am, you find that > > if X86 > nodist_libffi_la_SOURCES += src/x86/ffi.c src/x86/sysv.S src/x86/win32.S > endif > > so win32.S is compiled and linked in. But win32.S doesn't have > > #if defined __ELF__ && defined __linux__ > .section .note.GNU-stack,"",@progbits > #endif > > If you add it, the problem is solved. It fix the problem. The fix should go upstream.
Fixed by libffi-3.1-r1 with libffi-3.1-execstack.patch: $ cat files/libffi-3.1-execstack.patch http://bugs.gentoo.org/511634 --- src/x86/win32.S +++ src/x86/win32.S @@ -1304,3 +1304,6 @@ #endif /* !_MSC_VER */ +#if defined __ELF__ && defined __linux__ + .section .note.GNU-stack,"",@progbits +#endif
And reported to libffi-discuss@sourceware.org ML where patches go for upstream inclusion.
