glibc-2.5-hardened-pie.patch fail to applay to glibc-2.11 Reproducible: Always Steps to Reproduce: 1.emerge glibc-2.11 on hardeneed profile 2. 3. Actual Results: * Applying glibc-2.5-hardened-pie.patch ... * Failed Patch: glibc-2.5-hardened-pie.patch ! * ( /usr/portage/sys-libs/glibc/files/2.5/glibc-2.5-hardened-pie.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/sys-libs/glibc-2.11/temp/glibc-2.5-hardened-pie.patch-11176.out * ERROR: sys-libs/glibc-2.11 failed: * Failed Patch: glibc-2.5-hardened-pie.patch! Expected Results: It should emerge fine.
laptop1 hardened-dev # emerge --info Portage 2.2_rc46 (hardened/linux/amd64/10.0, gcc-4.4.2, glibc-2.10.1-r0, 2.6.31-gentoo x86_64) ================================================================= System uname: Linux-2.6.31-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T7700_@_2.40GHz-with-gentoo-2.0.1 Timestamp of tree: Fri, 06 Nov 2009 14:45:01 +0000 ccache version 2.4 [disabled] app-shells/bash: 4.0_p33 dev-java/java-config: 2.1.9-r1 dev-lang/python: 2.5.4-r3, 2.6.3, 3.1.1-r1 dev-util/ccache: 2.4-r8 dev-util/cmake: 2.6.4-r3 sys-apps/baselayout: 2.0.1 sys-apps/openrc: 0.5.1-r1 sys-apps/sandbox: 2.1 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.5, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11 sys-devel/binutils: 2.19.1-r1 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.30-r1 ABI="amd64" ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA" ACCEPT_PROPERTIES="*" ALSA_CARDS="hda-intel intel8x0 intel8x0m" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" ANT_HOME="/usr/share/ant" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ARCH="amd64" ASFLAGS_x86="--32" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CCACHE_DIR="/var/tmp/ccache" CCACHE_SIZE="2G" CDEFINE_amd64="__x86_64__" CDEFINE_x86="__i386__" CFLAGS="-march=core2 -O2 -pipe" CFLAGS_x86="-m32" CHOST="x86_64-pc-linux-gnu" CHOST_amd64="x86_64-pc-linux-gnu" CHOST_x86="i686-pc-linux-gnu" CLASSPATH="." CLEAN_DELAY="5" COLLISION_IGNORE="/lib/modules" CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/udev/rules.d" CVS_RSH="ssh" CXXFLAGS="-march=core2 -O2 -pipe" DEFAULT_ABI="amd64" DISPLAY=":0.0" DISTDIR="/usr/portage/distfiles" EDITOR="/bin/nano" ELIBC="glibc" EMERGE_DEFAULT_OPTS="-av" EMERGE_WARNING_DELAY="10" FEATURES="assume-digests distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch" FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}"" GCC_SPECS=""
/me waits for a patch from the hardened expert. hmm, isnt that you ? :p
Created attachment 209522 [details] glibc-2.5-hardened-pie.patch Updated the patch to apply cleanly with glibc-2.11. All patched lines where the same, just three additional lines in the "matching" content that made the patch fail. I'm no hardened expert so some review would be nice.
I'm no expert either but from looking at the "code" (e.g. in the file Makeconfig) upstream now seems to support PIE so some or most of those patches which enable support for PIE are not needed anymore: ifeq ($(elf),yes) +preinit = $(addprefix $(csu-objpfx),crti.o) +postinit = $(addprefix $(csu-objpfx),crtn.o) +prector = `$(CC) --print-file-name=crtbegin.o` +postctor = `$(CC) --print-file-name=crtend.o` # Variants of the two previous definitions for linking PIE programs. +prectorS = `$(CC) --print-file-name=crtbeginS.o` +postctorS = `$(CC) --print-file-name=crtendS.o` +interp = $(addprefix $(elf-objpfx),interp.os) endif csu-objpfx = $(common-objpfx)csu/ elf-objpfx = $(common-objpfx)elf/
I test-compiled glibc with that patch (glibc-2.5-hardened-pie.patch) removed and it of course failed ;) what is more interesting: it is compiled with the following flags connections.c -c -std=gnu99 -fgnu89-inline -O2 -Wall -Winline -Wwrite-strings -fmerge-all-constants -fno-stack-protector -fno-strict-aliasing -Wstrict-prototypes -mpreferred-stack-boundary=2 -g0 -O99 -fomit-frame-pointer -D__USE_STRING_INLINES -DHAVE_EPOLL -DHAVE_SENDFILE -DHAVE_INOTIFY -DIS_IN_nscd=1 -D_FORTIFY_SOURCE=2 -fpie -fstack-protector-all if it helps the error message was: x86_64-pc-linux-gnu-gcc -nostdlib -nostartfiles -o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpcgen -Wl,-dynamic-linker=/lib64/ld-linux-x86-64.so.2 -Wl,-O1 -Wl,--hash-style=both -Wl,--sort-common -Wl,--enable-new-dtags -Wl,-z,now -Wl,-z,relro -Wl,--as-needed -Wl,-z,combreloc -Wl,-z,relro -Wl,--hash-style=both /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/csu/crt1.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/csu/crti.o `x86_64-pc-linux-gnu-gcc --print-file-name=crtbegin.o` /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_main.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_hout.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_cout.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_parse.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_scan.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_util.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_svcout.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_clntout.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_tblout.o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpc_sample.o -Wl,-rpath-link=/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/libc.so.6 /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/libc_nonshared.a -lgcc -Wl,--as-needed -lgcc_s -Wl,--no-as-needed `x86_64-pc-linux-gnu-gcc --print-file-name=crtend.o` /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/csu/crtn.o CPP='x86_64-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/elf/ld-linux-x86-64.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -c rpcsvc/bootparam_prot.x -o /var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/xbootparam_prot.T make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.11/work/build-amd64-x86_64-pc-linux-gnu-nptl/sunrpc/xbootparam_prot.stmp] Error 139 make[2]: *** Waiting for unfinished jobs.... make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.11/work/glibc-2.11/sunrpc' make[1]: *** [sunrpc/others] Error 2 make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.11/work/glibc-2.11' make: *** [all] Error 2
Created attachment 209550 [details, diff] glibc-2.11-hardened-pie.patch so i think the change should now be to set +link to +link-pie by default
(In reply to comment #6) > Created an attachment (id=209550) [details] > glibc-2.11-hardened-pie.patch > > so i think the change should now be to set +link to +link-pie by default > It fail with mv -f /var/tmp/portage/sys-libs/glibc-2.11/work/build-x86-x86_64-pc-linux-gnu-nptl/libc.so.6.new /var/tmp/portage/sys-libs/glibc-2.11/work/build-x86-x86_64-pc-linux-gnu-nptl/libc.so.6 link-pie make[2]: link-pie: Kommandot hittades inte make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.11/work/build-x86-x86_64-pc-linux-gnu-nptl/iconv/iconvconfig] Fel 127 commando link-pie not found.
Created attachment 209558 [details, diff] Updated hardened-pie patch to work on glibc-2.11 The patch is committed to the hardened-dev overlay for testing.
if you're changing everything to use $(postctorS) over $(postctor), is there anything left that uses $(postctor) ? in other words, might be simpler to change the value of $(postctor) and friends: postctor = $(postctorS)
emerged fine and system booted up it works fine so far - thanks ! Portage 2.2_rc48 (default/linux/amd64/10.0, gcc-4.4.2, glibc-2.11-r0, 2.6.31-zen7_sqlb x86_64) ================================================================= System uname: Linux-2.6.31-zen7_sqlb-x86_64-Intel-R-_Core-TM-2_CPU_6600_@_2.40GHz-with-gentoo-2.0.1 Timestamp of tree: Sat, 07 Nov 2009 17:20:01 +0000 app-shells/bash: 3.2_p48-r1 dev-java/java-config: 1.3.7-r1, 2.1.9-r1 dev-lang/python: 2.5.4-r3, 2.6.4, 3.1.1-r1 dev-python/pycrypto: 2.0.1-r8 dev-util/cmake: 2.6.4-r3 sys-apps/baselayout: 2.0.1 sys-apps/openrc: 0.5.2-r1 sys-apps/sandbox: 2.2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11 sys-devel/binutils: 2.19.51.0.10, 2.19.51.0.11, 2.19.51.0.13, 2.19.51.0.14, 2.20, 2.20.51.0.1, 2.20.51.0.2 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.30-r1 ACCEPT_KEYWORDS="amd64 ~amd64" CBUILD="x86_64-pc-linux-gnu"
Created attachment 209630 [details, diff] New revision of the patch
latest patch now in the tree. thanks !