I've emerged net-p2p/mldonkey-2.9.4 on a hardened-enabled box and a QA notice appears telling me that there are text relocations in some executables of mldonkey, and a second notice tells me that there are executable stacks. I can't provide the scanelf-textrel.log and scanelf-execstack.log files since they have been cleaned up by emerge.

Reproducible: Always

Steps to Reproduce:
1. emerge =net-p2p/mldonkey-2.9.4

 * QA Notice: The following files contain runtime text relocations
 * Text relocations force the dynamic linker to perform extra
 * work at startup, waste system resources, and may pose a security
 * risk. On some architectures, the code may not even function
 * properly, if at all.
 * For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
 * Please include this file in your report:
 * /var/tmp/portage/net-p2p/mldonkey-2.9.4/temp/scanelf-textrel.log
 * TEXTREL usr/bin/mlnet
TEXTREL usr/bin/get_range
TEXTREL usr/bin/subconv
TEXTREL usr/bin/make_torrent
TEXTREL usr/bin/mld_hash
TEXTREL usr/bin/copysources

 * QA Notice: The following files contain executable stacks
 * Files with executable stacks will not work properly (or at all!)
 * on some architectures/operating systems. A bug should be filed
 * at http://bugs.gentoo.org/ to make sure the file is fixed.
 * For more information, see http://hardened.gentoo.org/gnu-stack.xml
 * Please include this file in your report:
 * /var/tmp/portage/net-p2p/mldonkey-2.9.4/temp/scanelf-execstack.log
 * RWX --- --- usr/bin/mlnet
RWX --- --- usr/bin/get_range
RWX --- --- usr/bin/subconv
RWX --- --- usr/bin/make_torrent
RWX --- --- usr/bin/mld_hash
RWX --- --- usr/bin/copysources
I have a similar issue on an x86 hardened box, using dev-lang/ocaml-3.10.2 and mldonkey-2.9.4.

My emerge --info:

Portage 2.1.5.4 (selinux/2007.0/x86/hardened, gcc-3.4.6, glibc-2.6.1-r0, 2.6.24-hardened-r2 i686)
=================================================================
System uname: 2.6.24-hardened-r2 i686 Intel(R) Pentium(R) 4 CPU 2.20GHz
Timestamp of tree: Sun, 08 Jun 2008 12:18:01 +0000
app-shells/bash: 3.2_p33
dev-lang/python: 2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc: 0.2.5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.61-r1
sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -msse2 -mfpmath=sse -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -msse2 -mfpmath=sse -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy nodoc noinfo parallel-fetch sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.ing.unibo.it/gentoo/ ftp://ftp.unina.it/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS=""
LINGUAS="en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes --prune-empty-dirs"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="bash-completion berkdb bzip2 caps cli cracklib crypt dbus dri fam gmp gnutls hardened iconv idn isdnlog kerberos ldap mailwrapper mbox midi mmx mudflap ncurses nls nptl nptlonly openmp pam pcre pic png pppd python readline reflection samba sasl selinux session snmp socks5 spl sqlite sse sse2 ssl tcpd threads truetype unicode x86 xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en en_US"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTDIR_OVERLAY
Created attachment 155947 [details] /var/tmp/portage/net-p2p/mldonkey-2.9.4/temp/scanelf-execstack.log
Created attachment 155951 [details] /var/tmp/portage/net-p2p/mldonkey-2.9.4/temp/scanelf-textrel.log
This is expected behavior for all ocaml based programs (call it a design flaw). Nothing more hardened can do with it (removing hardened from CC). ocamlc itself needs a redesign.
hmm ocaml > 3.09.3 shouldn't generate execstacks anymore; what is your ocaml version? the textrels one should be "fixed" with bug #219282
(In reply to comment #5)
> hmm ocaml > 3.09.3 shouldn't generate execstacks anymore; what is your ocaml
> version?
>

% ocaml -version
The Objective Caml toplevel, version 3.10.2
% ocamlc -version
3.10.2
(In reply to comment #6)
> (In reply to comment #5)
> > hmm ocaml > 3.09.3 shouldn't generate execstacks anymore; what is your ocaml
> > version?
> >
>
> % ocaml -version
> The Objective Caml toplevel, version 3.10.2
> % ocamlc -version
> 3.10.2
>

weird, what do you get with today's mldonkey 2.9.5?

Can you check if ocaml produces wrong executables?

$ cat foo.ml
Printf.printf "Hello\n"
$ ocamlopt -o foo foo.ml
$ ./foo
Hello
$ scanelf -e foo
 TYPE STK/REL/PTL FILE
ET_EXEC RW- R-- RW- foo
Emerging net-p2p/mldonkey-2.9.5 still gives me warnings:

 * QA Notice: The following files contain executable stacks
 * Files with executable stacks will not work properly (or at all!)
 * on some architectures/operating systems. A bug should be filed
 * at http://bugs.gentoo.org/ to make sure the file is fixed.
 * For more information, see http://hardened.gentoo.org/gnu-stack.xml
 * Please include this file in your report:
 * /var/tmp/portage/net-p2p/mldonkey-2.9.5/temp/scanelf-execstack.log
 * RWX --- --- usr/bin/mlnet
RWX --- --- usr/bin/get_range
RWX --- --- usr/bin/subconv
RWX --- --- usr/bin/make_torrent
RWX --- --- usr/bin/mld_hash
RWX --- --- usr/bin/copysources

And, at the end of merging, the ebuild prints the following message:

 * Ocaml generates its own native asm, you're using a PIE compiler
 * We have appended -nopie to ocaml build options
 * because linking an executable with pie while the objects are not pic will not work

dev-lang/ocaml is version 3.10.2

Here is `emerge --info`:

Portage 2.1.4.4 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r12 i686)
=================================================================
System uname: 2.6.23-hardened-r12 i686 AMD Athlon(tm) processor
Timestamp of tree: Tue, 17 Jun 2008 00:45:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash: 3.2_p33
dev-lang/python: 2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.free.fr/mirrors/ftp.gentoo.org http://mirror.ovh.net/gentoo-distfiles/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo"
LANG="fr_FR.utf8"
LC_ALL="fr_FR.utf8"
LINGUAS="fr en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.fr.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext alsa apache2 berkdb bzip2 cracklib crypt ctype cups dvd exif fontconfig gd geoip hardened hddtemp imagemagick imap ipv6 jpeg jpeg2k logrotate mbrola midi mmx mmxext mysql ncurses nls nptl nptlonly oss pam pcre php pic png ppds readline sasl session simplexml snmp sockets spell spl ssl suhosin syslog tcpd threads tiff truetype unicode urandom usb vhosts x86 xattr xml xorg zlib"
ALSA_CARDS="intel8x0"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linearmeter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="fr en"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga vmware voodoo"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
(In reply to comment #7)
> Can you check if ocaml produces wrong executables ?
>
> $ cat foo.ml
> Printf.printf "Hello\n"
> $ ocamlopt -o foo foo.ml
> $ ./foo
> Hello
> $ scanelf -e foo
>  TYPE STK/REL/PTL FILE
> ET_EXEC RW- R-- RW- foo
>

$ echo 'Printf.printf "Hello\n"' > foo.ml
$ ocamlopt -o foo foo.ml
$ ./foo
Hello
$ scanelf -e foo
 TYPE STK/REL/PTL FILE
ET_EXEC RW- R-- RW- foo
(In reply to comment #8)
> * RWX --- --- usr/bin/mlnet
> RWX --- --- usr/bin/get_range
> RWX --- --- usr/bin/subconv
> RWX --- --- usr/bin/make_torrent
> RWX --- --- usr/bin/mld_hash
> RWX --- --- usr/bin/copysources
>
[...]
> $ echo 'Printf.printf "Hello\n"' > foo.ml
> $ ocamlopt -o foo foo.ml
> $ ./foo
> Hello
> $ scanelf -e foo
>  TYPE STK/REL/PTL FILE
> ET_EXEC RW- R-- RW- foo
>

so what's wrong here? ocamlopt doesn't seem to mark stacks as executable but they are reported as such while merging mldonkey?
The following may be interesting:

sirius ~ # ebuild /usr/portage/net-p2p/mldonkey/mldonkey-2.9.5.ebuild compile
[...]
sirius ~ # cd /var/tmp/portage/net-p2p/mldonkey-2.9.5/work/mldonkey-2.9.5
sirius mldonkey-2.9.5 # find . -type f -name "*.o" | while read file; do scanelf -e ${file}; done | grep "RWX"
sirius mldonkey-2.9.5 # find . -type f -name "*.o" | while read file; do [[ -z "$(readelf -S ${file} | grep "\.note\.GNU-stack")" ]] && echo ${file} ; done
./src/utils/lib/md4_as.o
./src/utils/lib/md4_comp.o
sirius mldonkey-2.9.5 #

Exec stacks may be there because during linking those 2 files don't have a .note.GNU-stack ELF section. It seems that mldonkey uses some hand-written assembly routines for md4 (in src/utils/lib/md4_i{3,4,5,6}86.s), which probably lack a .note.GNU-stack section.
(In reply to comment #11)
> The following may be interesting:
>
> sirius ~ # ebuild /usr/portage/net-p2p/mldonkey/mldonkey-2.9.5.ebuild compile
> [...]
> sirius ~ # cd /var/tmp/portage/net-p2p/mldonkey-2.9.5/work/mldonkey-2.9.5
> sirius mldonkey-2.9.5 # find . -type f -name "*.o" | while read file; do scanelf -e ${file}; done | grep "RWX"
> sirius mldonkey-2.9.5 # find . -type f -name "*.o" | while read file; do [[ -z "$(readelf -S ${file} | grep "\.note\.GNU-stack")" ]] && echo ${file} ; done
> ./src/utils/lib/md4_as.o
> ./src/utils/lib/md4_comp.o
> sirius mldonkey-2.9.5 #
>
> Exec stacks may be there because during linking those 2 files don't have a
> .note.GNU-stack ELF section. It seems that mldonkey uses some hand-written
> assembly routines for md4 (in src/utils/lib/md4_i{3,4,5,6}86.s), which probably
> lack a .note.GNU-stack section.
>

Indeed! That's why I didn't have executable stacks on my amd64, those are x86 specific assembly.

Sorry Raul, reassigning as there is nothing ml specific there anymore ;)
A simple fix is to append the following lines:

#if defined(__linux__) && defined(__ELF__)
.section .note.GNU-stack,"",%progbits
#endif

to src/utils/lib/md4_i{3,4,5,6}86.s

I could only test on i686 and it does work!

sirius mldonkey-2.9.5 # scanelf -e mlnet
 TYPE STK/REL/PTL FILE
ET_EXEC RW- R-- RW- mlnet

I'm not sure if the files should be renamed from .s to .S too (to allow pre-processing)...
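
The object-file check from comment #11 and the effect of the `.note.GNU-stack` directive proposed above, as an added example that is not part of the original thread or of mldonkey: a small ELF32 section-header reader that classifies a relocatable object as lacking the note, carrying it without the executable flag, or carrying it with the flag. The function names `build_obj` and `stack_note` are hypothetical, the sample objects are constructed in memory, and only ELF32 little-endian (the x86 case discussed here) is handled.

```python
import struct

SHF_EXECINSTR = 0x4  # "x" flag on a section

def build_obj(with_note, flags=0):
    """Constructed minimal ELF32 LE ET_REL image (sample input, not real build output)."""
    names = b"\0.shstrtab\0.text\0" + (b".note.GNU-stack\0" if with_note else b"")
    shoff = 52 + len(names)                      # section headers follow the name table
    def shdr(name, typ, fl, size):
        return struct.pack("<10I", name, typ, fl, 0, 52, size, 0, 0, 1, 0)
    sections = [shdr(0, 0, 0, 0),                # mandatory null section
                shdr(1, 3, 0, len(names)),       # .shstrtab (SHT_STRTAB)
                shdr(11, 1, 0x6, 0)]             # .text (SHT_PROGBITS, alloc+exec), empty
    if with_note:
        sections.append(shdr(17, 1, flags, 0))   # .note.GNU-stack, as the directive emits
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(sections), 1)
    return ehdr + names + b"".join(sections)

def stack_note(elf):
    """Return 'missing', 'exec' or 'noexec' for an ELF32 LE object's stack note."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not an ELF32 little-endian file")
    shoff, = struct.unpack_from("<I", elf, 32)                       # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<3H", elf, 46)  # table geometry
    def shdr(i):
        return struct.unpack_from("<10I", elf, shoff + i * shentsize)
    stroff = shdr(shstrndx)[4]                   # file offset of the section-name table
    for i in range(shnum):
        name_off, _, flags = shdr(i)[:3]
        start = stroff + name_off
        name = elf[start:elf.index(b"\0", start)]
        if name == b".note.GNU-stack":
            return "exec" if flags & SHF_EXECINSTR else "noexec"
    return "missing"                             # the state readelf showed for md4_as.o

if __name__ == "__main__":
    for label, obj in [("no note", build_obj(False)),
                       ("note, empty flags", build_obj(True)),
                       ("note, x flag", build_obj(True, SHF_EXECINSTR))]:
        print(label, "->", stack_note(obj))
```

To run it over a real build tree, pass `open(path, "rb").read()` for each `*.o` file to `stack_note` and list the paths that return `missing` or `exec`.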
spiralvoice: can you please fix this? I'll apply a patch meanwhile
Fixed in 2.9.5
(In reply to comment #14)
> spiralvoice: can you please fix this? I'll apply a patch meanwhile
>

Patch committed upstream
AFAIK those files should be preprocessed (their extension changed from .s to .S), and the Makefile adjusted to call gcc on them and let it do the right thing (preprocessing and assembling).