Summary: | pycrypto causes a problem with ssp & inline functions | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Mike Auty (RETIRED) <ikelos> |
Component: | Hardened | Assignee: | Python Gentoo Team <python> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | castan.o, eibarbu, gentoobugs, gurligebis, hardened, infobox.oleg, uberlord |
Priority: | High | ||
Version: | 2005.1 | ||
Hardware: | All | ||
OS: | Linux | ||
Attachments: | testcase |
Description
Mike Auty (RETIRED)
2006-01-29 11:21:18 UTC
I can confirm this also. Though I see it when trying to emerge the latest hardened kernel, sys-kernel/hardened-sources-2.6.14-r4.

```
Portage 2.1_pre4 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.6-r2, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Pentium II (Deschutes)
Gentoo Base System version 1.12.0_pre15
dev-lang/python: 2.3.5, 2.4.2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium2 -mtune=pentium2 -fomit-frame-pointer -pipe -mmmx -funroll-all-loops"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium2 -mtune=pentium2 -fomit-frame-pointer -pipe -mmmx -funroll-all-loops"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig candy ccache distlocks fixpackages loadpolicy sandbox sfperms strict"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acl acpi alsa apache2 apm arts avi bash-completion berkdb bzip2 bzlib crypt dba directfb doc eds emboss encode fbcon foomaticdb fortran gd gdbm gif gpm gstreamer hardened hardenedphp imlib ipv6 ithreads jpeg kerberos libg++ libwww mad madwifi md5sum mikmod mmx motif mp3 mpeg mysql ncurses nls nptl nptlonly offensive ogg oggvorbis oss pam pcntl pcre pdflib perl php png postgres python quicktime readline samba sasl session sockets spell ssl sysfs tcpd threads udev unicode userlocales vorbis xml2 xmms xsl zlib elibc_glibc kernel_linux userland_GNU"
Unset: ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LDFLAGS, LINGUAS
```

Using FEATURES="-strict" has allowed me to pass pax-utils and portage, but I'm now running into difficulties with xorg-x11-7.0-r1.

What version of pycrypto? Everybody that's hitting this is using -O3?
```
wireless ~ # esearch pycrypto
[ Results for search key : pycrypto ]
[ Applications found : 1 ]

* dev-python/pycrypto
    Latest version available: 2.0.1
    Latest version installed: 2.0.1
    Size of downloaded files: 150 kB
    Homepage: http://www.amk.ca/python/code/crypto.html
    Description: Python Cryptography Toolkit
    License: freedist
```

And yes, I'm using -O3

```
* sys-apps/portage
    Latest version available: 2.1_pre4-r1
    Latest version installed: 2.1_pre4-r1
    Size of downloaded files: 731 kB
    Homepage: http://www.gentoo.org/
    Description: The Portage Package Management System. The primary package management and distribution system for Gentoo.
    License: GPL-2
```

Upgrade of portage did not change outcome of emerging hardened-sources, but I did find that I could start the emerge of postgresql without issue, emerging now.

Wow, I'd never noticed that, I'd always thought I only ever used -O2, but sure enough, yep, I'm using -O3 as well. I'm moving down to -O2 to see if that helps. I'll report back here.

I've got the same portage/pycrypto versions but I'm using -Os and uClibc and don't hit this bug. Can you try backing the CFLAGS down to '-Os -pipe' for the sake of testing?

If it helps, I've had three other machines all work fine (emerging pax-utils etc), and I've just checked them. They're all running -O2.

After recompiling pycrypto with -O2, I'm no longer having problems emerging pax-utils. Looks like this was the problem...

In normal python there was a call to this.

```
use hardened && replace-flags -O3 -O2
```

We probably need to do the same for pycrypto.

Created attachment 78502 [details]
testcase

portage-independent testcase that crashes when pycrypto is compiled with ssp and -finline-functions.
The problem is triggered by -finline-functions and ssp: I crashed with CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3 implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds -fno-inline-functions to CFLAGS when ssp is used. Can people please test this one? I will probably add it to the stable pycrypto in a bit if it at least works around the problem.

*** Bug 121009 has been marked as a duplicate of this bug. ***

(In reply to comment #12)
> The problem is triggered by -finline-functions and ssp: I crashed with
> CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
> implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
> -fno-inline-functions to CFLAGS when ssp is used. Can people please test this
> one? I will probably add it to the stable pycrypto in a bit if it at least
> works around the problem.

Works for me :)

Works here as well. Thanx! :)

Same here. I'm just using -O2 (and no -finline-functions in CFLAGS!). Doing FEATURES="-strict" emerge pycrypto fixed it.

*** Bug 121904 has been marked as a duplicate of this bug. ***

Ok, so, is this bug fixed then? I'm no longer suffering the issues, there have been many positive results at the end of this bug, and it refers to an (at least) two version old copy of portage, so I'm going to close the bug. If anyone feels it should stay open, or is still suffering problems, please post here and I'll reopen it again. Thanks...

(In reply to comment #14)
> (In reply to comment #12)
> > The problem is triggered by -finline-functions and ssp: I crashed with
> > CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
> > implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
> > -fno-inline-functions to CFLAGS when ssp is used. Can people please test this
> > one? I will probably add it to the stable pycrypto in a bit if it at least
> > works around the problem.
>
> Works for me :)
>

Worked for me. Did:

```
CFLAGS="-fno-inline-functions" FEATURES="-strict" emerge -v =pycrypto-2.0.1-r5
```

compiled fine. Then did:

```
CFLAGS="-fno-inline-functions" emerge -v =pycrypto-2.0.1-r5
```

compiled fine as well. and no more stack smashing attacks when emerging packages.

Can we hard code this CFLAG into the ebuild so this works for everybody?
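The flag logic discussed in this thread, written out as an added shell example; it is not the pycrypto ebuild or any Gentoo eclass code. The function names and sample macro dumps are constructed for illustration, and it assumes the compiler reports an active stack protector through `__SSP__`-style predefined macros, as current GCC and Clang do.

```shell
#!/bin/sh
# Added example, not the Gentoo ebuild. All function names are hypothetical.

# ssp_on MACROS: true if a predefined-macro dump (cc $CFLAGS -dM -E - </dev/null)
# shows the stack protector enabled. Assumption: the compiler defines
# __SSP__, __SSP_ALL__, __SSP_STRONG__ or __SSP_EXPLICIT__ when SSP is active.
ssp_on() {
    printf '%s\n' "$1" | grep -Eq '^#define __SSP(_ALL|_STRONG|_EXPLICIT)?__ '
}

# inlining_on FLAGS: true if FLAGS leave -finline-functions enabled.
# Per the thread, -O3 implies it. An explicit -f/-fno- flag overrides the
# -O level, and the last flag of each kind wins.
inlining_on() {
    level=off explicit=
    for f in $1; do
        case $f in
            -O3|-Ofast) level=on ;;
            -O*) level=off ;;
            -finline-functions) explicit=on ;;
            -fno-inline-functions) explicit=off ;;
        esac
    done
    [ "${explicit:-$level}" = on ]
}

# fix_cflags MACROS FLAGS: print FLAGS unchanged without SSP; with SSP, drop
# -finline-functions and append -fno-inline-functions, mirroring the
# workaround described for pycrypto-2.0.1-r1.
fix_cflags() {
    if ! ssp_on "$1"; then printf '%s\n' "$2"; return; fi
    out=
    for f in $2; do
        case $f in
            -finline-functions|-fno-inline-functions) ;;
            *) out="${out:+$out }$f" ;;
        esac
    done
    printf '%s\n' "${out:+$out }-fno-inline-functions"
}

# Constructed sample macro dumps: an SSP-enabled compiler and a plain one.
SSP_MACROS='#define __SSP__ 1
#define __OPTIMIZE__ 1'
PLAIN_MACROS='#define __OPTIMIZE__ 1'
```

On a real system the first argument would come from `${CC:-gcc} $CFLAGS -dM -E - </dev/null`, which also picks up a stack protector switched on by the compiler's default specs rather than by a flag in CFLAGS.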