I'm using the hardened profile and the hardened USE flag. When I tried to upgrade from 4.0.25-r2 to 4.1.14 I first failed at the tests with (yes, I read the upgrade instructions):

| mysqld: stack smashing attack in function int mysql_prepare_table(THD*,
| HA_CREATE_INFO*, List<create_field>&, List<Key>&, bool, uint&, handler*,
| KEY*&, uint*, int)()

Then I decided to emerge without testing and sandboxing, i.e. FEATURES="". It compiled, but I failed when it came to emerge --config mysql (sorry, I can't remember the exact error message). Then I tried to do things by hand, and I failed at mysql_install_db:

| spitzing mysql # mysql_install_db
| Installing all prepared tables
| /usr/bin/mysql_install_db: line 217: 28549 Abgebrochen

And mysqld.err had the known lines:

| mysqld: stack smashing attack in function int mysql_prepare_table(THD*,
| HA_CREATE_INFO*, List<create_field>&, List<Key>&, bool, uint&, handler*,
| KEY*&, uint*, int)()

I have to say that it was possible to start the daemon with --skip-grant, but when inserting some rows I always got the mentioned error message. Finally I could emerge mysql 4.1 by changing to i686-pc-linux-gnu-3.3.6-vanilla with gcc-config -P 5. But mysql < 4.1 was running perfectly without switching the compiler.
Reproducible: Always

Steps to Reproduce:
# emerge >=mysql-4.1
# emerge --config mysql

spitzing mysql # cat /proc/version
Linux version 2.6.11-hardened-r15 (root@livecd) (gcc version 3.3.5-20050130 (Gentoo Hardened 3.3.5.20050130-r1, ssp-3.3.5.20050130-1, pie-8.7.7.1)) #1 SMP Mon Oct 17 01:12:53 CEST 2005

spitzing mysql # gcc -v
Lese Spezifikationen von /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/specs
Konfiguriert mit: /var/tmp/portage/gcc-3.3.6/work/gcc-3.3.6/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3.6 --includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info --with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include/g++-v3 --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --disable-multilib --disable-libgcj --enable-languages=c,c++,objc --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread-Modell: posix
gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)

spitzing mysql # emerge info
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System version 1.6.13
dev-lang/python: 2.3.5, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O0 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=prescott -O0 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks fixpackages maketest sandbox sfperms strict test userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://mirror.scarlet-internet.nl/pub/gentoo ftp://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X509 acl apache2 bash-completion berkdb bzip2 chroot crypt dlloader exif gd hardened idn ithreads logrotate memlimit mysql ncurses nls no-old-linux nomac nptl objc pam pcre perl pic png posix python readline sasl slp ssl symlink syslog tcpd test threads tiff udev userlocales vhosts x86 xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

spitzing mysql # gcc-config -l
[1] i686-pc-linux-gnu-3.3.6 *
[2] i686-pc-linux-gnu-3.3.6-hardenednopie
[3] i686-pc-linux-gnu-3.3.6-hardenednopiessp
[4] i686-pc-linux-gnu-3.3.6-hardenednossp
[5] i686-pc-linux-gnu-3.3.6-vanilla
I can't reproduce this one.

tinderbox ~ # emerge info
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz
Gentoo Base System version 1.6.13
dev-lang/python: 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/local/packages/hardened"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt dlloader hardened nls pam pic readline ssl tcpd userlocales x86 zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
It won't help to solve the problem, but I have a second system with a similar configuration and can reproduce it there. Only switching with gcc-config -P 5 compiles a running mysqld (in fact it's also not perfect as the func_encrypt test fails).

sziget tmp # emerge info
Portage 2.0.51.22-r3 (default-linux/x86/2005.1, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r3 i686)
=================================================================
System uname: 2.6.13-gentoo-r3 i686 Pentium II (Deschutes)
Gentoo Base System version 1.6.13
dev-lang/python: 2.3.5-r2, 2.4.1-r1
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O0 -march=pentium2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O0 -march=pentium2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://mirror.scarlet-internet.nl/pub/gentoo ftp://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 X509 acl apache2 apm avi bash-completion berkdb bitmap-fonts bzip2 chroot crypt cups curl eds emboss encode exif foomaticdb fortran gd gdbm gif gstreamer gtk2 hardened idn imlib ipv6 ithreads jpeg libg++ libwww logrotate mad memlimit mikmod motif mp3 mpeg ncurses nls no-old-linux nomac nptl objc oggoggvorbis opengl oss pam pcre pdflib perl pic png posix python qt quicktime readline samba sasl slp spell ssl symlink tcpd test threads tiff truetype truetype-fonts type1-fonts udev unicode vorbis xml2 xmms xv zlib fritzcapi_cards_fcpci userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

sziget tmp # cat /proc/version
Linux version 2.6.13-gentoo-r3 (root@sziget) (gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)) #4 SMP Mon Oct 10 15:26:50 CEST 2005

sziget tmp # gcc -v
Lese Spezifikationen von /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/specs
Konfiguriert mit: /var/tmp/portage/gcc-3.3.6/work/gcc-3.3.6/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3.6 --includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info --with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include/g++-v3 --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --disable-multilib --disable-libgcj --enable-languages=c,c++,objc,f77 --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread-Modell: posix
gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)

sziget tmp # gcc-config -l
[1] i686-pc-linux-gnu-3.3.6 *
[2] i686-pc-linux-gnu-3.3.6-hardenednopie
[3] i686-pc-linux-gnu-3.3.6-hardenednopiessp
[4] i686-pc-linux-gnu-3.3.6-hardenednossp
[5] i686-pc-linux-gnu-3.3.6-vanilla
Does it only happen with -O0?
> Does it only happen with -O0?

Yes! I removed mysql (emerge -C mysql && rm -rf /var/lib/mysql/ /var/log/mysql) and re-emerged it with -O2 successfully (even all tests passed). I used the gcc which failed with -O0. That's interesting, I thought that I had the best chance of getting a solid system which passes most tests by using -O0 rather than using optimizations.

spitzing ~ # emerge info
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System version 1.6.13
dev-lang/python: 2.3.5, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=prescott -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks fixpackages maketest sandbox sfperms strict test userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://mirror.scarlet-internet.nl/pub/gentoo ftp://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X509 acl apache2 bash-completion berkdb bzip2 chroot crypt dlloader exif gd hardened idn ithreads logrotate memlimit ncurses nls no-old-linux nomac nptl objc pam pcre perl pic png posix python readline sasl slp ssl symlink syslog tcpd test threads tiff udev userlocales vhosts x86 xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

spitzing ~ # gcc -v
Lese Spezifikationen von /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/specs
Konfiguriert mit: /var/tmp/portage/gcc-3.3.6/work/gcc-3.3.6/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3.6 --includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info --with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include/g++-v3 --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --disable-multilib --disable-libgcj --enable-languages=c,c++,objc --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread-Modell: posix
gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)

spitzing ~ # gcc-config -l
[1] i686-pc-linux-gnu-3.3.6 *
[2] i686-pc-linux-gnu-3.3.6-hardenednopie
[3] i686-pc-linux-gnu-3.3.6-hardenednopiessp
[4] i686-pc-linux-gnu-3.3.6-hardenednossp
[5] i686-pc-linux-gnu-3.3.6-vanilla
It's a fallacy to assume -O0 is more reliable than -O2. In fact -O2 is more reliable than -O0, even though -O2 is a more complex compilation task than -O0. The reason is that almost no-one uses -O0 to build production code, so the compiler output is not exercised at -O0 anywhere near the amount it is at -O2. This means it is quite likely there are many undiscovered compiler bugs at -O0 that do not occur at -O2.

Since the SSP implementation in GCC has been taken over by RedHat for GCC 4.x, there's no point trying to fix the 3.x implementation to support -O0, so I'm marking this 'WONTFIX'. We recommend -O2 if you're using the hardened compiler.
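An added example, not part of the original thread and not Gentoo tooling: a shell check that reads `emerge info`-style text, works out the optimisation level GCC will actually use, and reports a hardened build that is not at the -O2 recommended in the comment above. The function names (`effective_opt`, `get_var`, `check_info`) and the two sample inputs are constructed for illustration.

```sh
#!/bin/sh
# effective_opt FLAGS: print the level GCC would use. The last -O option wins,
# a bare -O means -O1, and no -O option at all means -O0.
effective_opt() {
    level=0
    for flag in $1; do
        case $flag in
            -O)  level=1 ;;
            -O*) level=${flag#-O} ;;
        esac
    done
    printf '%s\n' "$level"
}

# get_var NAME: extract NAME="value" from emerge-info text on stdin.
get_var() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" | tail -n 1
}

# check_info: read emerge-info text on stdin. Returns 1 when "hardened" is in
# USE and CFLAGS or CXXFLAGS resolves to anything other than -O2.
check_info() {
    info=$(cat)
    case " $(printf '%s\n' "$info" | get_var USE) " in
        *" hardened "*) ;;
        *) echo "not a hardened build: no check"; return 0 ;;
    esac
    rc=0
    for var in CFLAGS CXXFLAGS; do
        opt=$(effective_opt "$(printf '%s\n' "$info" | get_var "$var")")
        if [ "$opt" = 2 ]; then
            echo "$var: -O$opt ok"
        else
            echo "$var: -O$opt, but -O2 is recommended for the hardened compiler"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples, trimmed from the kind of emerge info output shown above.
SAMPLE_O0='CFLAGS="-march=prescott -O0 -pipe"
CXXFLAGS="-march=prescott -O0 -pipe"
USE="berkdb hardened ssl"'
SAMPLE_O2='CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
USE="berkdb hardened ssl"'
printf '%s\n' "$SAMPLE_O0" | check_info || true
printf '%s\n' "$SAMPLE_O2" | check_info
```

On a real system the same check can be fed from `emerge info | check_info`; a non-zero exit status marks a configuration like the reporter's -O0 one.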
Anyway, -O, -Os and -O1 will be filtered in the newer ebuilds; after some time it may be backported to previous ones.
vivo, please do not filter optimization -Os unless it is known to cause bugs (read: not speed) related on all libs and processors. A few CPUs depend on -Os.