binutils-2.39 seems to have added a warning "has a LOAD segment with RWX permissions" that on sparc, apparently is emitted unconditionally: $ echo 'int main(void) { return 0; }' > test.c $ make -B test cc test.c -o test /usr/lib/gcc/sparc64-unknown-linux-gnu/12.2.0/../../../../sparc64-unknown-linux-gnu/bin/ld: warning: test has a LOAD segment with RWX permissions I didn't report this as a separate bug because it seems like a harmless warning with minor security implications at worst. However...x11-libs/cairo does not use the standard autotools macros for detecting features, instead it defines its own, namely CAIRO_CC_TRY_LINK_WITH_ENV_SILENT, that do not just check the return code but also asserts that there is no text in stderr: https://github.com/freedesktop/cairo/blob/master/build/aclocal.cairo.m4#L78 This seems to be intentional and not an accident. Anyway, because all linking now emits this warning on stderr, all configure tests that involve linking return a "no" result. The one that actually blocks the build is pthread detection, where cairo assumes the system does not have pthreads, this is fatal at compile-time. Besides this fatal issue the behavior may affect the configure phase in other, more subtle ways, that I haven't investigated since it will think pretty much no features are available. Reproducible: Always
Portage 3.0.36 (python 3.10.7-final-0, default/linux/sparc/17.0/64ul, gcc-12.2.0, glibc-2.35-r8, 5.19.8-gentoo-sparc64 sparc64) ================================================================= System uname: Linux-5.19.8-gentoo-sparc64-sparc64-sun4v-with-glibc2.35 KiB Mem: 32650344 total, 28841792 free KiB Swap: 0 total, 0 free Timestamp of repository gentoo: Mon, 12 Sep 2022 12:57:33 +0000 Head commit of repository gentoo: 5cbf735fe8766f20c555436e8969945cfcb3af83 sh bash 5.1_p16-r2 ld GNU ld (Gentoo 2.39 p4) 2.39.0 app-misc/pax-utils: 1.3.5::gentoo app-shells/bash: 5.1_p16-r2::gentoo dev-lang/perl: 5.36.0::gentoo dev-lang/python: 3.10.7::gentoo, 3.11.0_rc2::gentoo dev-lang/rust-bin: 1.62.1::gentoo dev-util/cmake: 3.24.1::gentoo dev-util/meson: 0.63.2-r1::gentoo sys-apps/baselayout: 2.8-r2::gentoo sys-apps/openrc: 0.45.2::gentoo sys-apps/sandbox: 2.29::gentoo sys-devel/autoconf: 2.71-r2::gentoo sys-devel/automake: 1.16.5::gentoo sys-devel/binutils: 2.38-r2::gentoo, 2.39-r2::gentoo sys-devel/binutils-config: 5.4.1::gentoo sys-devel/gcc: 12.2.0::gentoo sys-devel/gcc-config: 2.5-r1::gentoo sys-devel/libtool: 2.4.7::gentoo sys-devel/make: 4.3::gentoo sys-kernel/linux-headers: 5.19::gentoo (virtual/os-headers) sys-libs/glibc: 2.35-r8::gentoo Repositories: gentoo location: /var/db/repos/gentoo sync-type: git sync-uri: https://github.com/gentoo-mirror/gentoo sync-user: portage:portage priority: -1000 sync-git-verify-commit-signature: yes guru location: /var/lib/layman/guru sync-type: laymansync sync-uri: https://anongit.gentoo.org/git/repo/proj/guru.git masters: gentoo priority: 50 ACCEPT_KEYWORDS="sparc ~sparc" ACCEPT_LICENSE="@FREE" CBUILD="sparc64-unknown-linux-gnu" CFLAGS="-O3 -mcpu=native -mtune=native -pipe" CHOST="sparc64-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O3 -mcpu=native -mtune=native -pipe" DISTDIR="/var/cache/distfiles" EMERGE_DEFAULT_OPTS="--usepkg --autounmask=n --complete-graph --keep-going --with-bdeps=y" ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR" FCFLAGS="" FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg buildpkg-live compress-build-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox news parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O3 -mcpu=native -mtune=native -pipe" GENTOO_MIRRORS="https://gentoo.osuosl.org/ https://mirror.leaseweb.com/gentoo/ https://mirror.rackspace.com/gentoo/" LANG="en_US.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j36" PKGDIR="/var/cache/binpkgs" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" SHELL="/bin/bash" USE="acl bash-completion big-endian bzip2 caps cli crypt dri elogind fortran gdbm gentoo-vm graphite headless-awt iconv ipv6 libbsd libglvnd libtirpc llvm-libunwind lto ncurses nls nptl openmp pam pcre pgo readline sparc split-usr ssl symlink threads udev unicode verify-sig vhosts vim-syntax xattr zlib" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_10" PYTHON_TARGETS="python3_10" RUBY_TARGETS="ruby26 ruby27 ruby30 ruby31" USERLAND="GNU" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
Created attachment 804853 [details] build.log
Created attachment 804856 [details] config.log Notice how the return code of the link commands is 0, but the test still fails because of the warning on stderr. configure:36258: checking for cairo's pthread feature configure:36369: sparc64-unknown-linux-gnu-gcc -o conftest -O2 -mcpu=native -mtune=native -pipe -D_REENTRANT -Wl,-O1 -Wl,--as-needed conftest.c -lrt -lm -lpthread >&5 /usr/lib/gcc/sparc64-unknown-linux-gnu/12.2.0/../../../../sparc64-unknown-linux-gnu/bin/ld: warning: conftest has a LOAD segment with RWX permissions configure:36369: $? = 0 configure:36489: sparc64-unknown-linux-gnu-gcc -o conftest -O2 -mcpu=native -mtune=native -pipe -pthread -Wl,-O1 -Wl,--as-needed conftest.c -lrt -lm >&5 /usr/lib/gcc/sparc64-unknown-linux-gnu/12.2.0/../../../../sparc64-unknown-linux-gnu/bin/ld: warning: conftest has a LOAD segment with RWX permissions configure:36489: $? = 0 configure:36571: sparc64-unknown-linux-gnu-gcc -o conftest -O2 -mcpu=native -mtune=native -pipe -D_REENTRANT -Wl,-O1 -Wl,--as-needed conftest.c -lrt -lm >&5 /usr/lib/gcc/sparc64-unknown-linux-gnu/12.2.0/../../../../sparc64-unknown-linux-gnu/bin/ld: warning: conftest has a LOAD segment with RWX permissions configure:36571: $? = 0 configure:36627: checking whether cairo's pthread feature could be enabled configure:36629: result: no (can't link with -lpthread or -pthread)
This is fixed upstream in https://sourceware.org/bugzilla/show_bug.cgi?id=29411 and backported to 2.39 branch, a new binutils patchset should fix this for us.
(In reply to matoro from comment #4) > This is fixed upstream in > https://sourceware.org/bugzilla/show_bug.cgi?id=29411 and backported to 2.39 > branch, a new binutils patchset should fix this for us. Then toolchain@ should be CC'd ;)
commit 8db889827661b38cfbe74f335e095a4288a83ff7 (HEAD -> master, origin/master, origin/HEAD) Author: Sam James <sam@gentoo.org> Date: Mon Oct 17 01:56:55 2022 +0100 sys-devel/binutils: drop forced exec stack warnings for alt-arches This keeps them on by default, but it doesn't override the build system disabling them for MIPS and so on. I've asked upstream about the unexpected/counterintuitive behaviour: https://sourceware.org/bugzilla/show_bug.cgi?id=29592#c10. Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29592 Signed-off-by: Sam James <sam@gentoo.org>
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86ac5c16e3149458710b691e1cad81c50be8d661 commit 86ac5c16e3149458710b691e1cad81c50be8d661 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-07-30 16:26:38 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-07-30 16:42:29 +0000 sys-devel/binutils: add various hardening options to 2.41 Newer Binutils has its several configure arguments we can use: * --enable-textrel-check={warning,error} * --enable-warn-execstack=yes (*) * --enable-warn-rwx-segments=yes (*) * --enable-default-execstack=no We chuck these in now unconditionally (with some stricter changes for USE=hardened, as described below) except for those marked with (*) where we whitelist certain arches (amd64/arm64/x86 for now) because the autoconf logic is broken, see https://sourceware.org/bugzilla/show_bug.cgi?id=29592 (it both needs --enable...=no rather than --disable, but it also breaks arches where executable stacks are unavoidable.) In the past (see 47b8db23ff55dd29992198dfbadda53984a4ab2d, e4b8746852919960969944904c59334cecddfe25 in binutils-patches.git), we patched Binutils to always warn on textrels opt-out on a per-build basis with '--no-warn-shared-textrel'). From >= Binutils 2.35, upstream has a '--enable-textrel-check=warning' configure option we use. For USE=hardened, our new changes for TEXTRELs are equivalent to `-z text` which make TEXTRELs fatal. Now, while at it, also make TEXTRELs fatal on musl unconditionally because musl doesn't support them and they explode at runtime. Yet another reason to get rid of them entirely. So, in summary: there's several changes here: * Make textrels fatal for USE=hardened (we've warned about them for a while on all profiles) * Make textrels fatal for musl (they don't work there at all, bug #707660) * Disable implicit/automatic executable stacks for USE=hardened (plan to do this in general later on) * Warn on executable stacks in general * Warn on RWX segments in general See also https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments for more information. All of this came to mind again after reading the Qualys writeup for the recent OpenSSH bug (bug #910553): https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt. (Note their use of various gadgets involving these.) Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29592 Bug: https://bugs.gentoo.org/707660 Bug: https://bugs.gentoo.org/869881 Bug: https://bugs.gentoo.org/871150 Bug: https://bugs.gentoo.org/910553 Signed-off-by: Sam James <sam@gentoo.org> sys-devel/binutils/binutils-2.41.ebuild | 43 +++++++++++++++++++++++------- sys-devel/binutils/binutils-9999.ebuild | 47 ++++++++++++++++++++++++--------- 2 files changed, 68 insertions(+), 22 deletions(-)
