sys-devel/binutils-2.20.1-r1 fails with FEATURES=test on gentoo/amd64/hardened with the PIE-enabled gcc profile. It does not pass the "S-records" test in ld tests.

It does emerge correctly with FEATURES=test on my gentoo/hppa system (there isn't a hardened profile on HPPA and the default one enforces USE=-hardened), sys-devel/gcc-4.4.4-r1.

On my gentoo amd64 system I use the profile:
hardened/linux/amd64/10.0/no-multilib

binutils-2.20.1-r1 fails the test when using the gcc profile:
x86_64-pc-linux-gnu-4.3.4

It does pass the test when using the gcc profiles:
x86_64-pc-linux-gnu-4.3.4-hardenednopie
x86_64-pc-linux-gnu-4.3.4-vanilla

On the "failing" profile, only that test fails. I've used the same binutils for months without apparent problems before trying to emerge it with tests enabled.

amd64 ~ # emerge --info
Portage 2.1.8.3 (hardened/linux/amd64/10.0/no-multilib, gcc-4.3.4, glibc-2.11.2-r0, 2.6.35-gentoo-r2-domU x86_64)
=================================================================
System uname: Linux-2.6.35-gentoo-r2-domU-x86_64-Intel-R-_Xeon-R-_CPU_X3323_@_2.50GHz-with-gentoo-1.12.13
Timestamp of tree: Thu, 02 Sep 2010 06:30:01 +0000
app-shells/bash: 4.0_p37
dev-lang/python: 2.6.5-r3, 3.1.2-r4
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.65
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
sys-devel/make: 3.81-r2
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O2 -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-pipe -O2 -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict test unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 augeas bash-completion bcmath berkdb bzip2 cgi cli cracklib crypt ctype cups curl cxx diskio dri filter gd gdbm hardened iconv iproute2 ipv6 justify mfd-rewrites mmx modules mudflap mysql mysqli ncurses nethack nls nptl nptlonly offensive openmp pam pcre perl pic pppd python readline reflection rrdtool rss ruby session snmp sockets spl sse sse2 ssl subversion suhosin svg sysfs unicode urandom vhosts vim-syntax xml xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="alias auth_basic authn_file authz_host autoindex cgi dav dav_fs deflate dir env filter headers log_config logio mime mime_magic proxy proxy_http setenvif so status unique_id"
APACHE2_MPMS="prefork"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Post actual build logs as attachments.
Created attachment 255477 [details]
build log

Attached build log from hardened/linux/amd64/no-multilib system

Portage 2.1.8.3 (hardened/linux/amd64/no-multilib, gcc-4.4.4, glibc-2.11.2-r3, 2.6.35-gentoo-r2-domU x86_64)
=================================================================
System uname: Linux-2.6.35-gentoo-r2-domU-x86_64-Intel-R-_Xeon-R-_CPU_X3323_@_2.50GHz-with-gentoo-1.12.14
Timestamp of tree: Fri, 26 Nov 2010 09:30:01 +0000
app-shells/bash: 4.1_p7
dev-lang/python: 2.6.5-r3, 3.1.2-r4
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox: 2.3-r1
sys-devel/autoconf: 2.65-r1
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.81-r2
virtual/os-headers: 2.6.35
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O2 -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-pipe -O2 -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict test unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 augeas bash-completion bcmath berkdb bzip2 cgi cli cracklib crypt ctype cups curl cxx diskio dri filter gd gdbm hardened iconv iproute2 ipv6 justify mfd-rewrites mmx modules mudflap mysql mysqli ncurses nethack nls nptl nptlonly offensive openmp pam pcre perl pic pppd python readline rrdtool rss ruby session snmp sockets sse sse2 ssl subversion suhosin svg sysfs unicode urandom vhosts vim-syntax xml xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="alias auth_basic authn_file authz_host autoindex cgi dav dav_fs deflate dir env filter headers log_config logio mime mime_magic proxy proxy_http setenvif so status unique_id"
APACHE2_MPMS="prefork"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
PHP_TARGETS="php5-2"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Also tested on a default/linux/hppa/10.0 system, and there it actually emerges correctly with FEATURES=test.
-fstack-protector is the issue here. When you are on hardened, most of the SPECS profiles automatically include it. However, -fstack-protector has two components. There is the code generation component that makes the calls to do the check. There is also a library component to do the checking. As a result, items built during the tests are compiled wanting to be linked to the magic library functions, but they aren't objects that link to something that supplies those functions. If you put -fno-stack-protector in your CFLAGS, I bet you'll build and pass tests fine. That was my experience (manually having -fstack-protector in CFLAGS). I looked at the test log and there were linking issues with __stack_chk symbols not being found.
Created attachment 255673 [details] log of ld tests
(In reply to comment #4)
> -fstack-protector is the issue here.

seems not?

Emerging with the default hardened gcc profile (PIE and SSP enabled) but with -fno-stack-protector in C[XX]FLAGS, will _not_ pass the test suite.

Emerging with the x86_64-pc-linux-gnu-4.4.4-hardenednopie (PIE disabled, but SSP enabled!) and with -fstack-protector in C[XX]FLAGS, _does_ pass the test suite.
Luca, try adding the log of tests as I did. You'll find it somewhere like /var/tmp/portage/sys-devel/binutils-(version)/work/build/ld/ld.log
(In reply to comment #6)
> Emerging with the default hardened gcc profile (PIE and SSP enabled) but with
> -fno-stack-protector in C[XX]FLAGS, will _not_ pass the test suite
>

That is because the testsuite does not care about *FLAGS.

The problem is in short the following: By design the testcase compiles an object and then uses ld on the object, but without linking in anything. And by design the testcase does not pass C[XX]FLAGS, LDFLAGS and friends so they will not disturb the testing of the newly compiled ld.

The problem is that hardened gcc always compiles with -fstack-protect-all, and on such a low level that it gets added to the compile command anyway, and for anything to work with SSP it needs symbols from libc. That means when gcc compiles the object file it makes references to the stack guard, but when ld touches it, it fails since it does not link in libc containing those symbols.

Ways to confirm is to edit the files creating the testcase and either add "-lc" to the linker, or add -fno-stack-protector (-fstack-protector does work since it apparently does not try to protect the functions in the test-suite) to the gcc command.

So I think the correct way to handle is adding in -fno-stack-protector into the gcc command directly in the testsuite, preferably with a logic upstream think they can add without breaking anything other.

Make sure by switching with gcc-config that stuff really dies with SSP and not with PIE. If it for binutils is with SSP, then it is most likely due to this, and nothing to be afraid of as long as the installed binutils is using SSP. However we have had some testcases (like the ones for objcopy) which turned out to be a real problem with objcopy and its handling of pic code (now fixed).
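The mechanism described in the comment above, reproduced outside the testsuite (an added example, not part of the original thread or of the binutils testsuite). The C source, temp paths and SAMPLE_NM are constructed; the explicit -fstack-protector-all stands in for the hardened specs, and `-e main` only gives the bare link an entry point.

```shell
#!/bin/sh
# Added example: why an SSP-instrumented object fails a bare `ld` link.
# The C source, temp paths and SAMPLE_NM are constructed for this demo.

# Filter nm-style output on stdin down to the undefined stack-protector
# symbols; these are normally supplied by libc at link time.
ssp_undefined() {
    awk '$1 == "U" && $2 ~ /^__stack_chk_(fail|fail_local|guard)$/ { print $2 }' |
        sort -u
}

# Compile $1 with the remaining arguments as compiler flags, then link the
# object with ld alone (no libc, no startup files), like the ld testsuite.
bare_link() {
    c_file=$1; shift
    dir=$(mktemp -d) || return 2
    gcc "$@" -c "$c_file" -o "$dir/t.o" || { rm -rf "$dir"; return 2; }
    if ld -e main -o "$dir/t" "$dir/t.o" 2>/dev/null; then
        echo "links"
    else
        echo "fails, undefined: $(nm -u "$dir/t.o" | ssp_undefined | tr '\n' ' ')"
    fi
    rm -rf "$dir"
}

# Constructed nm output for an object built with -fstack-protector-all.
SAMPLE_NM='0000000000000000 T main
                 U __stack_chk_fail'

demo() {
    printf 'sample object needs: %s\n' "$(printf '%s\n' "$SAMPLE_NM" | ssp_undefined)"
    if ! command -v gcc >/dev/null 2>&1 || ! command -v ld >/dev/null 2>&1; then
        echo "gcc or ld not found, skipping live link"; return 0
    fi
    work=$(mktemp -d) || return 0
    printf 'int main(void) { char buf[16]; buf[0] = 0; return buf[0]; }\n' \
        > "$work/ssp_demo.c"
    echo "-fstack-protector-all: $(bare_link "$work/ssp_demo.c" -fstack-protector-all)"
    echo "-fno-stack-protector:  $(bare_link "$work/ssp_demo.c" -fno-stack-protector)"
    rm -rf "$work"
}
demo
```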
Thanks for the explanation Xake. That makes sense to me. Are you gonna pursue an upstream solution?
Created attachment 255763 [details]
ld.log test results

ok guys, here it is an ld.log.

These are the gcc profiles I can choose:
 [1] x86_64-pc-linux-gnu-4.4.4
 [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp *
 [5] x86_64-pc-linux-gnu-4.4.4-vanilla

So far I tested 1, 4 (fails tests) and 2 (passes tests). The build log is from #4.
Okay, that log shows only one failure, and it's not one that appears to be -fstack-protector related. I don't know about PIE sort of stuff, but I would imagine it's the same underlying issue. The binutils tests assume a vanilla SPECS so they aren't including things like -fno-stack-protector or -fno-PIE. However, I don't know enough about how PIE works to verify that explains the failure you are seeing. Thanks for attaching the log.
(In reply to comment #11)
> Okay, that log shows only one failure, and it's not one that appears to be
> -fstack-protector related. I don't know about PIE sort of stuff, but I would
> imagine it's the same underlying issue. The binutils tests assume a vanilla
> SPECS so they aren't including things like -fno-stack-protector or -fno-PIE.
> However, I don't know enough about how PIE works to verify that explains the
> failure you are seeing. Thanks for attaching the log.
>

On the other hand the linker should handle PIC code, so this is not a "just add -nopie" until we know it is such.

I may not have time to investigate this right now, if anyone else has plans feel free.
Still an issue with binutils-2.24 on hardened/musl. I'm not sure where to post that though, bugs #477262, #439476, #414567, #391793, and #379105 appear to be similar to this.

Results with the default hardened compiler (gcc-4.7.4):

=== ld Summary ===
# of expected passes 891
# of unexpected failures 54
# of expected failures 61
# of unresolved testcases 5
# of untested testcases 1

Results with 'vanilla' gcc:

=== ld Summary ===
# of expected passes 912
# of unexpected failures 38
# of expected failures 61
# of untested testcases 1
Seems to be also an issue on hardened/linux/uclibc/amd64 profile with binutils-2.24-r3 which was stabilized recently. That might now hit non-hardened installs as upstream GCC 4.8.3, also stable (on amd64 at least) has -fstack-protector enabled by default.