614896 – net-firewall/ipset-6.30[modules]: constified variable 'so_set' placed into writable section

Bug 614896 - net-firewall/ipset-6.30[modules]: constified variable 'so_set' placed into writable section

Summary: net-firewall/ipset-6.30[modules]: constified variable 'so_set' placed into wr...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	The Gentoo Linux Hardened Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-04-07 01:51 UTC by Khumba
Modified:	2017-11-30 20:36 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Failed build log (build.log,30.58 KB, text/plain) 2017-04-07 01:51 UTC, Khumba	Details
emerge --info net-firewall/ipset (emerge-info.txt,6.40 KB, text/plain) 2017-04-07 01:53 UTC, Khumba	Details
grep CONFIG_PAX /usr/src/linux-4.8.17-hardened-r2/.config (config-4.8.17-hardened-r2-pax,1.07 KB, text/plain) 2017-04-07 01:55 UTC, Khumba	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Khumba 2017-04-07 01:51:00 UTC

Created attachment 469370 [details]
Failed build log

net-firewall/ipset-6.30[modules] doesn't build against a hardened-sources-4.8.17-r2 that has CONFIG_PAX_CONSTIFY_PLUGIN=y, failing with:

make[1]: Entering directory '/usr/src/linux-4.8.17-hardened-r2'
  CC [M]  /var/tmp/portage/net-firewall/ipset-6.30/work/ipset-6.30/kernel/net/netfilter/xt_set.o
  CC [M]  /var/tmp/portage/net-firewall/ipset-6.30/work/ipset-6.30/kernel/net/netfilter/ipset/ip_set_core.o
  CC [M]  /var/tmp/portage/net-firewall/ipset-6.30/work/ipset-6.30/kernel/net/netfilter/ipset/ip_set_getport.o
  CC [M]  /var/tmp/portage/net-firewall/ipset-6.30/work/ipset-6.30/kernel/net/netfilter/ipset/pfxlen.o
/var/tmp/portage/net-firewall/ipset-6.30/work/ipset-6.30/kernel/net/netfilter/ipset/ip_set_core.c:2042:30: error: constified variable ‘so_set’ placed into writable section ".data..read_mostly"
 static struct nf_sockopt_ops so_set __read_mostly = {
                              ^
make[4]: *** [scripts/Makefile.build:290: /var/tmp/portage/net-firewall/ipset-6.30/work/ipset-6.30/kernel/net/netfilter/ipset/ip_set_core.o] Error 1

Setting CONFIG_PAX_CONSTIFY_PLUGIN=n or building ipset with USE=-modules works.

Comment 1 Khumba 2017-04-07 01:53:51 UTC

Created attachment 469372 [details]
emerge --info net-firewall/ipset

Comment 2 Khumba 2017-04-07 01:55:24 UTC

Created attachment 469374 [details]
grep CONFIG_PAX /usr/src/linux-4.8.17-hardened-r2/.config

Comment 3 Robin Johnson archtester

2017-11-30 20:31:46 UTC

Hardened sources is being discontinued, but I'll block CONFIG_PAX_CONSTIFY_PLUGIN for now; please report upstream as well so they can actually fix the constified variables.

Comment 4 Larry the Git Cow gentoo-dev

2017-11-30 20:36:01 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07380791d1f4739ba21be6bcc986b575c6fb8b27

commit 07380791d1f4739ba21be6bcc986b575c6fb8b27
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2017-11-30 20:33:14 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2017-11-30 20:35:50 +0000

    net-firewall/ipset: block modules & CONFIG_PAX_CONSTIFY_PLUGIN
    
    Closes: https://bugs.gentoo.org/614896
    Package-Manager: Portage-2.3.16, Repoman-2.3.6
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-firewall/ipset/ipset-6.34.ebuild | 2 ++
 1 file changed, 2 insertions(+)