After upgrading the compiler to GCC 4.9.2 (stock 64-bit profile/not hardened), I noted that support for libvtv was by default compiled in. However, when attempting to utilize it I was met with a host of symbol resolution related errors all tying back to the files vtv_start.o, vtv_start_preinit.o, vtv_end.o and vtv_end_preinit.o. The problem appears to be related to the absence of the flag "--enable-vtable-verify=yes" during compilation despite having "--enable-libvtv" specified. This results in the required files not being included after installation. I would happily provide a dump of the resolution errors, however, I have fixed the compiler and sitting through another recompile is just not what I'd like to be doing at present. Locally, I was able to fix this issue via the EXTRA_ECONF variable and passing "--enable-vtable-verify=yes". I would expect that changing the build process to specify this option would rectify the issue. vtable verification is actually fairly important from a security perspective.

Reproducible: Always

Steps to Reproduce:
1. emerge =sys-devel/gcc-4.9.2 && gcc-config ...
2. echo 'int main(void) {}' > example.cpp
3. g++ -o example example.cpp -fvtable-verify=std

Actual Results:
A litany of symbol resolution errors

Expected Results:
A compiled program linked against libvtv
While writing a patch to GCC to address this issue, I forgot to run autoreconf and ended up with a toolchain that exactly emulates the issue:

$ ./usr/x86_64-pc-linux-gnu/gcc-bin/4.9.2/g++ -o tmp tmp.cpp -fvtable-verify=yes
/usr/bin/ld: cannot find vtv_start.o: No such file or directory
$ find /var/tmp/chroot-work/ -name vtv_start.o
$
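A check for the condition reported above, as an added example that is not part of the original thread: it inspects a GCC driver's configure line for both switches and asks the driver to locate the four vtv startup objects. Function names are illustrative, and it assumes the driver's `-print-file-name` lookup covers the directory where the vtv_*.o files are installed.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a GCC install for usable
# -fvtable-verify support. Function names are illustrative.

# The four startup objects named in the report.
VTV_OBJECTS="vtv_start.o vtv_start_preinit.o vtv_end.o vtv_end_preinit.o"

# vtv_flags_ok TEXT: succeed only if the "Configured with:" text carries both
# switches from the report (libvtv alone is the broken configuration).
vtv_flags_ok() {
    case "$1" in *--enable-libvtv*) ;; *) return 1 ;; esac
    case "$1" in
        *--enable-vtable-verify=no*) return 1 ;;
        *--enable-vtable-verify*) return 0 ;;
        *) return 1 ;;
    esac
}

# vtv_missing_objects CXX: print each startup object the driver cannot find.
# -print-file-name echoes the bare name back when the file is not installed.
vtv_missing_objects() {
    cxx=$1
    for obj in $VTV_OBJECTS; do
        path=$("$cxx" -print-file-name="$obj" 2>/dev/null) || path=""
        if [ "$path" = "$obj" ] || [ ! -f "$path" ]; then
            printf '%s\n' "$obj"
        fi
    done
}

# vtv_check [CXX]: run both checks; non-zero status means -fvtable-verify
# builds will fail at link time on this toolchain.
vtv_check() {
    cxx=${1:-g++}
    status=0
    configured=$("$cxx" -v 2>&1 | grep '^Configured with:') || configured=""
    if ! vtv_flags_ok "$configured"; then
        echo "$cxx: not configured with both libvtv and vtable-verify"
        status=1
    fi
    missing=$(vtv_missing_objects "$cxx")
    if [ -n "$missing" ]; then
        echo "$cxx: missing startup objects:" $missing
        status=1
    fi
    return $status
}
```

Source the file and run `vtv_check g++` (or pass the path of a specific driver) after a toolchain rebuild.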
i'll add a USE=vtv flag to control libvtv and the vtable-verify configure flags and default it to on -- the build overhead should be trivial and the runtime overhead (when not using vtable) should be non-existent. looks like we'll want to mask it on non-x86 targets just so users don't get confused.
should be all set now: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f4dd949d7671bd86610836d5ac270430be37a4c
Is it intentional that the USE flag 'vtv' is masked on amd64 hardened profile (more precisely hardened/linux/amd64/selinux)? If not, please remove the masking. Here is the list of profiles included/parented for a selection of different hardened profiles on amd64. Note that the profile 'default/linux/amd64', which unmasks the USE flag 'vtv', is not amongst them.

/usr/portage/profiles/hardened/linux/amd64/selinux ->
    /usr/portage/profiles/base
    /usr/portage/profiles/default/linux
    /usr/portage/profiles/arch/base
    /usr/portage/profiles/features/multilib
    /usr/portage/profiles/features/multilib/lib32
    /usr/portage/profiles/arch/amd64
    /usr/portage/profiles/releases
    /usr/portage/profiles/releases/13.0
    /usr/portage/profiles/hardened/linux
    /usr/portage/profiles/hardened/linux/amd64
    /usr/portage/profiles/features/selinux
    /usr/portage/profiles/hardened/linux/amd64/selinux

/usr/portage/profiles/hardened/linux/amd64 ->
    /usr/portage/profiles/base
    /usr/portage/profiles/default/linux
    /usr/portage/profiles/arch/base
    /usr/portage/profiles/features/multilib
    /usr/portage/profiles/features/multilib/lib32
    /usr/portage/profiles/arch/amd64
    /usr/portage/profiles/releases
    /usr/portage/profiles/releases/13.0
    /usr/portage/profiles/hardened/linux
    /usr/portage/profiles/hardened/linux/amd64

/usr/portage/profiles/hardened/linux/musl/amd64 ->
    /usr/portage/profiles/base
    /usr/portage/profiles/default/linux
    /usr/portage/profiles/hardened/linux/musl
    /usr/portage/profiles/hardened/linux/musl/amd64

/usr/portage/profiles/hardened/linux/amd64/no-multilib/selinux ->
    /usr/portage/profiles/base
    /usr/portage/profiles/default/linux
    /usr/portage/profiles/arch/base
    /usr/portage/profiles/features/multilib
    /usr/portage/profiles/features/multilib/lib32
    /usr/portage/profiles/arch/amd64
    /usr/portage/profiles/releases
    /usr/portage/profiles/releases/13.0
    /usr/portage/profiles/hardened/linux
    /usr/portage/profiles/hardened/linux/amd64
    /usr/portage/profiles/features/64bit-native
    /usr/portage/profiles/hardened/linux/amd64/no-multilib
    /usr/portage/profiles/features/selinux
    /usr/portage/profiles/hardened/linux/amd64/no-multilib/selinux
Fixed in the hardened profile https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=851733e06b7240fe71c08374135c362bebed495d