Bug 765442 - app-portage/eix: gcc -fcf-protection flag (endbr32 opcodes) unsupported on earlier (i386, i486, maybe i586) processors
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: Normal normal
Assignee: Mikle Kolyada (RETIRED)
Keywords: PATCH
Reported: 2021-01-14 16:51 UTC by tedheadster
Modified: 2021-03-27 14:37 UTC
Attachments
eix-0.34.11-fix-disable-security.patch (890 bytes, patch)
2021-01-15 08:29 UTC, Ionen Wolkens

Description tedheadster 2021-01-14 16:51:01 UTC
In the eix-0.34.11 package, the configure script has this code fragment:

        for mv_currflag in  \
                        -mretpoline \
                        -mcet \
                        -fcf-protection=full \
                        -fstack-clash-protection \
                        -D_FORTIFY_SOURCE=2 \

        do

This resulted in:

PREPEND_CXXFLAGS: -fdata-sections -ffunction-sections -fcf-protection=full -fstack-clash-protection -D_FORTIFY_SOURCE=2


The '-fcf-protection=full' option is not supported in earlier processors (certainly i386 and i486; maybe i586) because it generates endbr32 opcodes. Those are undefined until, I believe, PentiumPro (i686).

The end result was an illegal instruction signal and eix died.
Comment 1 Ionen Wolkens gentoo-dev 2021-01-15 08:29:35 UTC
Created attachment 682987
eix-0.34.11-fix-disable-security.patch

I'm under the impression this was meant to be disabled alongside --disable-security (used by ebuild), but isn't.
Comment 2 tedheadster 2021-01-15 11:18:09 UTC
This patch worked for me, 'objdump -D /usr/bin/eix | grep endbr32' showed no endbr32 opcodes.
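
The objdump check in comment 2 can also be done without a disassembler by scanning only the executable sections of the ELF file for the ENDBR byte sequences. The following is an added example, not part of the original bug thread or of eix; `find_endbr` and `build_sample` are hypothetical helper names, only little-endian ELF32 is handled, and the sample images are constructed for the demonstration.

```python
import struct

# Intel SDM encodings: ENDBR32 = F3 0F 1E FB, ENDBR64 = F3 0F 1E FA.
MARKERS = {b"\xf3\x0f\x1e\xfb": "endbr32", b"\xf3\x0f\x1e\xfa": "endbr64"}
SHF_EXECINSTR, SHT_NOBITS = 0x4, 8

def find_endbr(image: bytes):
    """Return sorted [(mnemonic, virtual_address)] for CET markers found in the
    executable sections of a little-endian ELF32 image. This is a raw byte
    match, not a disassembly, so a hit may be bytes inside another instruction."""
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian ELF32 image")
    (e_shoff,) = struct.unpack_from("<I", image, 0x20)
    e_shentsize, e_shnum = struct.unpack_from("<HH", image, 0x2E)
    hits = []
    for i in range(e_shnum):
        _, sh_type, flags, addr, off, size = struct.unpack_from(
            "<6I", image, e_shoff + i * e_shentsize)
        if sh_type == SHT_NOBITS or not flags & SHF_EXECINSTR:
            continue  # skip data sections: marker bytes there are never executed
        code = image[off:off + size]
        for pattern, name in MARKERS.items():
            pos = code.find(pattern)
            while pos != -1:
                hits.append((name, addr + pos))
                pos = code.find(pattern, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])

def build_sample(text: bytes) -> bytes:
    """Constructed input: minimal ELF32 with a null section, one executable
    section holding `text`, and a data section that contains the marker bytes."""
    ident = b"\x7fELF\x01\x01\x01"   # ELFCLASS32, little-endian, version 1
    data = b"\xf3\x0f\x1e\xfb"       # same bytes as endbr32, but not code
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000, 0,
                       52 + len(text) + len(data), 0, 52, 0, 0, 40, 3, 0)
    shdrs = bytes(40)                # SHT_NULL entry
    shdrs += struct.pack("<10I", 0, 1, 0x6, 0x8048000, 52, len(text), 0, 0, 16, 0)
    shdrs += struct.pack("<10I", 0, 1, 0x3, 0x8049000, 52 + len(text), len(data), 0, 0, 4, 0)
    return ehdr + text + data + shdrs

# Constructed code bytes: two functions built with and without the marker.
WITH_CET = bytes.fromhex("f30f1efb5589e55dc3") + b"\x90" * 7 + bytes.fromhex("f30f1efbc3")
WITHOUT_CET = bytes.fromhex("5589e55dc3")

if __name__ == "__main__":
    for label, text in (("with", WITH_CET), ("without", WITHOUT_CET)):
        print(label, [(n, hex(a)) for n, a in find_endbr(build_sample(text))])
```

An empty result for a real binary corresponds to the empty grep output reported in comment 2.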
Comment 3 Martin Väth 2021-01-15 18:27:34 UTC
Thanks for the report and spotting the wrong brace. This is fixed in eix-0.34.12
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-03-27 14:37:57 UTC
(In reply to Martin Väth from comment #3)
> Thanks for the report and spotting the wrong brace. This is fixed in
> eix-0.34.12

Which is now stable