... make[1]: Leaving directory '/var/tmp/portage/sys-boot/grub-2.02_beta2-r7/work/grub-2.02~beta2-pc'
>>> Completed installing grub-2.02_beta2-r7 into /var/tmp/portage/sys-boot/grub-2.02_beta2-r7/image/

 * QA Notice: The following files contain writable and executable sections
 * Files with such sections will not work properly (or at all!) on some
 * architectures/operating systems. A bug should be filed at
 * http://bugs.gentoo.org/ to make sure the issue is fixed.
 * For more information, see http://hardened.gentoo.org/gnu-stack.xml
 * Please include the following list of files in your report:
 * Note: Bugs should be filed for the respective maintainers
 * of the package in question and not hardened@g.o.
 * --X --- --- usr/lib/grub/i386-pc/gdb.module
 * --X --- --- usr/lib/grub/i386-pc/mmap.module
 * --X --- --- usr/lib/grub/i386-pc/relocator.module
 * --X --- --- usr/lib/grub/i386-pc/reboot.module
 * --X --- --- usr/lib/grub/i386-pc/drivemap.module

 * ERROR: sys-boot/grub-2.02_beta2-r7::gentoo failed:
 * Aborting due to QA concerns: execstacks
 *
 * Call stack:
 * misc-functions.sh, line 558: Called install_qa_check
 * misc-functions.sh, line 181: Called source 'install_symlink_html_docs'
 * 10executable-issues, line 137: Called elf_check
 * 10executable-issues, line 132: Called die
 * The specific snippet of code:
 * die "Aborting due to QA concerns: ${die_msg}"
 *
...
# emerge --info '=sys-boot/grub-2.02_beta2-r7::gentoo' Portage 2.2.14 (python 2.7.9-final-0, hardened/linux/amd64/no-multilib, gcc-4.8.3, glibc-2.19-r1, 3.16.5-gentoo x86_64) ================================================================= System Settings ================================================================= System uname: Linux-3.16.5-gentoo-x86_64-AMD_A6-3400M_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2 KiB Mem: 8185076 total, 2758048 free KiB Swap: 0 total, 0 free Timestamp of tree: Tue, 10 Feb 2015 00:45:01 +0000 ld GNU ld (Gentoo 2.24 p1.4) 2.24 ccache version 3.2.1 [enabled] app-shells/bash: 4.3_p33-r1 dev-lang/perl: 5.18.2-r2 dev-lang/python: 2.7.9-r1, 3.3.5-r1 dev-util/ccache: 3.2.1-r1 dev-util/pkgconfig: 0.28-r1 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.69 sys-devel/automake: 1.13.4 sys-devel/binutils: 2.24-r3 sys-devel/gcc: 4.8.3 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4.2-r1 sys-devel/make: 4.0-r1 sys-kernel/linux-headers: 3.16 (virtual/os-headers) sys-libs/glibc: 2.19-r1 Repositories: gentoo ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs ccache cgroup collision-protect config-protect-if-modified distlocks downgrade-backup ebuild-locks fakeroot fixlafiles force-mirror ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install prelink-checksums preserve-libs sandbox sfperms split-elog split-log strict stricter unknown-features-warn unmerge-backup 
unmerge-logs userfetch userpriv usersandbox webrsync-gpg" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="ftp://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/" INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd" LANG="en_US.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://127.0.0.3/" USE="3dnow 3dnowext X acl amd64 berkdb bindist btrfs bzip2 cli cracklib crypt cryptsetup cscope cxx dri gdbm gpm hardened iconv justify libav mmx mmxext modules mosh-hardening ncurses nptl openmp pam pax_kernel pcre pie readline session sse sse2 sse3 ssl ssp strong-security tcpd urandom xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext sse sse2 sse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 
garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard virtualbox evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="virtualbox" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Reproducible: Always

Steps to Reproduce:
1. # emerge -av grub:2
2.
3.

Expected Results:
emerge will succeed (even with stricter FEATURE)

tested versions:
stable: 2.02_beta2-r3:2: amd64
unstable: 2.02_beta2-r7:2: ~amd64

unsure why only 5 files are reported, since all *.module are the same
I found out who the package maintainer is with equery m grub, but I can't change Assigned To...
Created attachment 396078 [details]
the complete build log

# emerge -pqv '=sys-boot/grub-2.02_beta2-r7::gentoo'
[ebuild N ] sys-boot/grub-2.02_beta2-r7 USE="fonts multislot themes -debug -device-mapper -doc -efiemu -libzfs -mount -nls -sdl -static {-test} -truetype" GRUB_PLATFORMS="pc -coreboot -efi-32 -efi-64 -emu -ieee1275 -loongson -multiboot -qemu -qemu-mips -xen"

 * IMPORTANT: 10 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.
(In reply to EmanueL Czirai from comment #2)
> Created attachment 396078 [details]
> the complete build log
>
> # emerge -pqv '=sys-boot/grub-2.02_beta2-r7::gentoo'
> [ebuild N ] sys-boot/grub-2.02_beta2-r7 USE="fonts multislot themes -debug -device-mapper -doc -efiemu -libzfs -mount -nls -sdl -static {-test} -truetype" GRUB_PLATFORMS="pc -coreboot -efi-32 -efi-64 -emu -ieee1275 -loongson -multiboot -qemu -qemu-mips -xen"
>
> * IMPORTANT: 10 news items need reading for repository 'gentoo'.
> * Use eselect news to read news items.

The QA messages in this case don't bother me. My understanding is that these grub modules are executed at boot time, when there is no supervision of a kernel and when the only execution thread on the CPU is the boot loader itself. It's hard to see how you'd exploit an executable stack in this situation. You might be able to inject something through the config file, but if you have that kind of access you don't need to exploit. Or through the grub command line? Not sure. Anyhow, we can turn off the executable stack and see what happens. If it's written in asm then you can set the progbits.

@maintainers, you've probably seen this before. Is the executable stack needed?
(In reply to EmanueL Czirai from comment #0)
> * ERROR: sys-boot/grub-2.02_beta2-r7::gentoo failed:
> * Aborting due to QA concerns: execstacks
> *
> * Call stack:
> * misc-functions.sh, line 558: Called install_qa_check
> * misc-functions.sh, line 181: Called source 'install_symlink_html_docs'
> * 10executable-issues, line 137: Called elf_check
> * 10executable-issues, line 132: Called die
> * The specific snippet of code:
> * die "Aborting due to QA concerns: ${die_msg}"
> *

Oh, I failed to mention: why is this dying? We shouldn't die on these QA warnings. Just warn. It installed fine for me (modulo the QA warnings of course).
I think it's dying because of FEATURES="stricter", because it works OK with FEATURES="-stricter". As far as I can tell, QA warnings always make things die with stricter.
By the way, do those *.module files actually need to be installed? Because looking at a Manjaro Linux installation I see only the *.mod files (and no trace of *.module files), but on Gentoo it's both *.mod and *.module in that same folder. I was under the impression that *.mod files were created from *.module files and the latter aren't needed anymore. Thoughts?

The extra files (beside *.mod) in Manjaro are:
$ ls -1 /boot/grub/i386-pc/|grep -v \.mod
boot.img
command.lst
core.img
crypto.lst
efiemu32.o
efiemu64.o
fs.lst
moddep.lst
modinfo.sh
partmap.lst
parttool.lst
terminal.lst
video.lst
oops, I listed the wrong folder, here's the right one:
$ ls -1 /usr/lib/grub/i386-pc|grep -v \.mod
boot_hybrid.img
boot.img
cdboot.img
command.lst
config.h
crypto.lst
diskboot.img
efiemu32.o
efiemu64.o
fs.lst
kernel.img
lnxboot.img
lzma_decompress.img
moddep.lst
modinfo.sh
partmap.lst
parttool.lst
pxeboot.img
terminal.lst
video.lst
(In reply to Anthony Basile from comment #3)
> @maintainers, you've probably seen this before. Is the executable stack
> needed?

Probably. If you notice, the ebuild sets QA_EXECSTACK and QA_WX_LOAD, but this does not seem to work with recent portage releases.
(In reply to Mike Gilbert from comment #8)

At Arfrever's suggestion, I tried to reproduce the warnings with different versions of pax-utils installed.

With pax-utils-0.8.2 and pax-utils-0.9.2, the QA_EXECSTACK variable seems to be ineffective.

With pax-utils-0.7, it works fine and the warnings are ignored.

Copying pax-utils and portage maintainers.
(In reply to Mike Gilbert from comment #9)
> (In reply to Mike Gilbert from comment #8)
>
> At Arfrever's suggestion, I tried to reproduce the warnings with different
> versions of pax-utils installed.
>
> With pax-utils-0.8.2 and pax-utils-0.9.2, the QA_EXECSTACK variable seems to
> be ineffective.
>
> With pax-utils-0.7, it works fine and the warnings are ignored.
>
> Copying pax-utils and portage maintainers.

Are the warnings ignored or is the exec stack actually removed?
(In reply to Anthony Basile from comment #10)
> Are the warnings ignored or is the exec stack actually removed?

How would that work? I'm building with the same toolchain and settings. I would guess that the newer scanelf is ignoring QA_EXECSTACK, at least for some of the files.
looks like it's due to:
http://git.overlays.gentoo.org/gitweb/?p=proj/pax-utils.git;a=commitdiff;h=9d00494c3bee3097c723702daf9814b7c5969a18

Author: Mike Frysinger <vapier@gentoo.org>
Date: Wed Aug 14 21:09:57 2013 +0000

    scanelf: flag object files that have a +x stack (even if it is -w) since it's almost assured the final ELF will add +w automatically

    this makes a difference too -- see bug 445962 where dvdauthor produced a mpeg2desc.o that had a +x w/gcc-4.8 and a nested function, but the output only flagged the final mpeg2desc binary as that included +w stack markings
hmm, not exactly a regression ... if you had an object that was writable & executable, you'd get a warning regardless of the QA_EXECSTACK setting. that change improved things so it'd warn against executable-but-not-writable which means this bug shows the logic clearly works :).

at any rate, updated the section walking logic to respect QA_EXECSTACK:
http://git.overlays.gentoo.org/gitweb/?p=proj/pax-utils.git;a=commitdiff;h=52d761bc07f59eed70b71c862bdf8a389172e294

this will be in 1.0.2 which i should have out soonish ... got another regression i need to fix first
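The check SpanKY describes above (report a +x stack whether or not it is also +w, reading either an object's .note.GNU-stack section or a linked file's PT_GNU_STACK header) and the "set the progbits" remark in comment #3 both come down to a couple of ELF header fields. The following is an added example written for this thread, not code from scanelf, pax-utils, portage or the grub ebuild: it parses only those headers, classifies the result the way the newer scanelf does, and constructs its own in-memory ELF64 test images (not real GRUB modules) so it can be exercised without a build tree. Function and constant names are this example's own.

```python
"""Added example: report executable-stack markings in ELF files (stand-in for
the scanelf check discussed in this bug; not pax-utils or portage code).
Linked ELF files carry the stack requirement in a PT_GNU_STACK program header;
relocatable objects carry it in a .note.GNU-stack section that ld merges."""
import struct
import sys

PF_X, PF_W, PF_R = 0x1, 0x2, 0x4          # p_flags bits (program headers)
SHF_WRITE, SHF_EXECINSTR = 0x1, 0x4       # sh_flags bits (section headers)
PT_GNU_STACK = 0x6474E551
ET_REL = 1


def _ehdr(data):
    """Decode the ELF header into (is64, struct byte-order prefix, field dict)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    keys = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
            "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    return is64, end, dict(zip(keys, struct.unpack_from(fmt, data, 16)))


def stack_marking(data):
    """Return (where, writable, executable); the two flags are None when the
    file carries no stack marking at all."""
    is64, end, h = _ehdr(data)
    if h["type"] == ET_REL:                    # .o / .mod: look at the note section
        if h["shnum"] == 0:
            return ".note.GNU-stack", None, None
        shfmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")

        def shdr(i):
            return struct.unpack_from(shfmt, data, h["shoff"] + i * h["shentsize"])

        strtab = shdr(h["shstrndx"])[4]        # sh_offset of .shstrtab
        for i in range(h["shnum"]):
            s = shdr(i)
            name = data[strtab + s[0]:data.index(b"\0", strtab + s[0])]
            if name == b".note.GNU-stack":
                return ".note.GNU-stack", bool(s[2] & SHF_WRITE), bool(s[2] & SHF_EXECINSTR)
        return ".note.GNU-stack", None, None
    for i in range(h["phnum"]):                # linked file: look for PT_GNU_STACK
        off = h["phoff"] + i * h["phentsize"]
        p_type = struct.unpack_from(end + "I", data, off)[0]
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            return "PT_GNU_STACK", bool(p_flags & PF_W), bool(p_flags & PF_X)
    return "PT_GNU_STACK", None, None


def verdict(writable, executable):
    """Classify as the newer scanelf does: +x is reported even when it is -w."""
    if executable is None:
        return "unmarked"                      # toolchain/kernel default applies
    if executable and writable:
        return "RWX"
    return "X-only" if executable else "ok"


def _ident64():
    return b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1


def build_exec(stack_flags=None):
    """Constructed ET_EXEC image (not a real GRUB file): one PT_LOAD plus an
    optional PT_GNU_STACK carrying the given p_flags."""
    phdrs = [(1, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ehdr = _ident64() + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000,
                                    64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def build_rel(note_flags=None):
    """Constructed ET_REL object (not a real GRUB .mod): null section, optional
    .note.GNU-stack with the given sh_flags, and .shstrtab."""
    strtab = b"\0.note.GNU-stack\0.shstrtab\0"
    shdrs = [(0,) * 10]
    if note_flags is not None:
        shdrs.append((1, 1, note_flags, 0, 64, 0, 0, 0, 1, 0))      # SHT_PROGBITS
    shdrs.append((17, 3, 0, 0, 64, len(strtab), 0, 0, 1, 0))        # SHT_STRTAB
    ehdr = _ident64() + struct.pack("<HHIQQQIHHHHHH", ET_REL, 0x3E, 1, 0, 0,
                                    64 + len(strtab), 0, 64, 0, 0, 64,
                                    len(shdrs), len(shdrs) - 1)
    return ehdr + strtab + b"".join(struct.pack("<IIQQQQIIQQ", *s) for s in shdrs)


def scan_paths(paths):
    """Map each ELF path to its verdict; non-ELF files are skipped."""
    out = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:4] == b"\x7fELF":
            where, w, x = stack_marking(data)
            out[path] = f"{verdict(w, x)} ({where})"
    return out


if __name__ == "__main__":
    # e.g.  python3 stackcheck.py /usr/lib/grub/i386-pc/*.mod
    for path, v in sorted(scan_paths(sys.argv[1:]).items()):
        print(f"{v:30s} {path}")
```

Run it over /usr/lib/grub/i386-pc/*.mod (or the *.module files from the QA notice) to see which objects carry an executable-stack marking; "X-only" is exactly the case the 2013 scanelf change started reporting, and QA_EXECSTACK in the ebuild is the knob that exempts files where that marking is intended, which is what the pax-utils fix linked above makes scanelf honour again.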
(In reply to SpanKY from comment #13)
> hmm, not exactly a regression ... if you had an object that was writable &
> executable, you'd get a warning regardless of the QA_EXECSTACK setting.
> that change improved things so it'd warn against executable-but-not-writable
> which means this bug shows the logic clearly works :).
>
> at any rate, updated the section walking logic to respect QA_EXECSTACK:
> http://git.overlays.gentoo.org/gitweb/?p=proj/pax-utils.git;a=commitdiff;h=52d761bc07f59eed70b71c862bdf8a389172e294
>
> this will be in 1.0.2 which i should have out soonish ... got another
> regression i need to fix first

Ah, so it revealed a change in scanelf. Nonetheless, I'm not terribly worried about a +x stack on grub (irrespective of whether it's + or -w).