https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: net-misc/asterisk-18.15.0 installs files that contain writable and executable sections.
Discovered on: amd64 (internal ref: ci)

NOTE: For binary packages it is enough to hide the QA warning.
Created attachment 827967 [details]
build.log

build log and emerge --info
Hi,

First off: thanks, this is an excellent check and I fully agree with the base premise: anything that's executable should not be writeable, and anything that's writeable should not be executable.

 * QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems.  A bug should be filed at
 *  https://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see:
 *
 *    https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
 *
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@gentoo.org.
 * RWX --- --- usr/lib64/asterisk/modules/res_geolocation.so

Based on that I'm expecting to find a section marked CODE but without READONLY ... from the development repo for asterisk I'm not seeing anything that I believe should trigger the above (installed looks identical, barring the stripped debug sections):

jkroon@plastiekpoot ~/projects/asterisk/res ((HEAD detached at origin/18.15)) $ objdump -h res_geolocation.so

Sections:
Idx Name            Size      VMA               LMA               File off  Algn
  0 .gnu.hash       000000ec  0000000000000200  0000000000000200  00000200  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .dynsym         00000f18  00000000000002f0  00000000000002f0  000002f0  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .dynstr         00000e5e  0000000000001208  0000000000001208  00001208  2**0
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .gnu.version    00000142  0000000000002066  0000000000002066  00002066  2**1
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .gnu.version_r  00000090  00000000000021a8  00000000000021a8  000021a8  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.dyn       000013b0  0000000000002238  0000000000002238  00002238  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt       00000d20  00000000000035e8  00000000000035e8  000035e8  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .init           00000017  0000000000005000  0000000000005000  00005000  2**2
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 .plt            000008d0  0000000000005020  0000000000005020  00005020  2**4
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
  9 .plt.got        00000008  00000000000058f0  00000000000058f0  000058f0  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 .text           0000e1d3  0000000000005900  0000000000005900  00005900  2**4
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .fini           00000009  0000000000013ad4  0000000000013ad4  00013ad4  2**2
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 .rodata         00004330  0000000000014000  0000000000014000  00014000  2**5
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
 13 .eh_frame_hdr   000007a4  0000000000018330  0000000000018330  00018330  2**2
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .eh_frame       00002420  0000000000018ad8  0000000000018ad8  00018ad8  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
 15 .init_array     000000d0  000000000001c500  000000000001c500  0001b500  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 16 .fini_array     000000d0  000000000001c5d0  000000000001c5d0  0001b5d0  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 17 .data.rel.ro    00000720  000000000001c6a0  000000000001c6a0  0001b6a0  2**5
                    CONTENTS, ALLOC, LOAD, DATA
 18 .dynamic        000001e0  000000000001cdc0  000000000001cdc0  0001bdc0  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 19 .got            00000050  000000000001cfa0  000000000001cfa0  0001bfa0  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 20 .got.plt        00000478  000000000001d000  000000000001d000  0001c000  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 21 .data           000048a9  000000000001d480  000000000001d480  0001c480  2**5
                    CONTENTS, ALLOC, LOAD, DATA
 22 .bss            000000d8  0000000000021d30  0000000000021d30  00020d29  2**3
                    ALLOC
 23 .comment        0000001f  0000000000000000  0000000000000000  00020d29  2**0
                    CONTENTS, READONLY
 24 .debug_aranges  000004b0  0000000000000000  0000000000000000  00020d48  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 25 .debug_info     00021c93  0000000000000000  0000000000000000  000211f8  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 26 .debug_abbrev   00002b0f  0000000000000000  0000000000000000  00042e8b  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 27 .debug_line     0000aaad  0000000000000000  0000000000000000  0004599a  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 28 .debug_str      000370ea  0000000000000000  0000000000000000  00050447  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 29 .debug_line_str 00000c0a  0000000000000000  0000000000000000  00087531  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 30 .debug_loclists 0000d32d  0000000000000000  0000000000000000  0008813b  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 31 .debug_macro    0000ef53  0000000000000000  0000000000000000  00095468  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS
 32 .debug_rnglists 00001403  0000000000000000  0000000000000000  000a43bb  2**0
                    CONTENTS, READONLY, DEBUGGING, OCTETS

Installed:

/usr/lib64/asterisk/modules/res_geolocation.so:     file format elf64-x86-64

Sections:
Idx Name            Size      VMA               LMA               File off  Algn
  0 .gnu.hash       00000184  0000000000000200  0000000000000200  00000200  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .dynsym         00000f30  0000000000000388  0000000000000388  00000388  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .dynstr         00000e24  00000000000012b8  00000000000012b8  000012b8  2**0
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .gnu.version    00000144  00000000000020dc  00000000000020dc  000020dc  2**1
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .gnu.version_r  00000070  0000000000002220  0000000000002220  00002220  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.dyn       00001410  0000000000002290  0000000000002290  00002290  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt       00000d38  00000000000036a0  00000000000036a0  000036a0  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .init           00000017  0000000000005000  0000000000005000  00005000  2**2
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 .plt            000008e0  0000000000005020  0000000000005020  00005020  2**4
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
  9 .plt.got        00000008  0000000000005900  0000000000005900  00005900  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 .text           000151a6  0000000000005910  0000000000005910  00005910  2**4
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .fini           00000009  000000000001aab8  000000000001aab8  0001aab8  2**2
                    CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 .rodata         000049dc  000000000001b000  000000000001b000  0001b000  2**5
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
 13 .eh_frame_hdr   000008bc  000000000001f9dc  000000000001f9dc  0001f9dc  2**2
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .eh_frame       00002368  0000000000020298  0000000000020298  00020298  2**3
                    CONTENTS, ALLOC, LOAD, READONLY, DATA
 15 .init_array     000000d0  0000000000023c00  0000000000023c00  00022c00  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 16 .fini_array     000000d0  0000000000023cd0  0000000000023cd0  00022cd0  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 17 .data.rel.ro    00000040  0000000000023da0  0000000000023da0  00022da0  2**5
                    CONTENTS, ALLOC, LOAD, DATA
 18 .dynamic        000001c0  0000000000023de0  0000000000023de0  00022de0  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 19 .got            00000050  0000000000023fa0  0000000000023fa0  00022fa0  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 20 .got.plt        00000480  0000000000024000  0000000000024000  00023000  2**3
                    CONTENTS, ALLOC, LOAD, DATA
 21 .data           00004f91  0000000000024480  0000000000024480  00023480  2**5
                    CONTENTS, ALLOC, LOAD, DATA
 22 .bss            00000128  0000000000029418  0000000000029418  00028411  2**3
                    ALLOC
 23 .gnu_debuglink  00000020  0000000000000000  0000000000000000  00028414  2**2
                    CONTENTS, READONLY
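The reason objdump -h shows nothing suspicious is that it lists section headers only, while the RWX in the QA notice (and the GNU_stack_quickstart it links) is about the PT_GNU_STACK program header, which readelf -lW shows as GNU_STACK. The following added example is not code from this bug, from Portage or from scanelf: it reads that program header from a little-endian ELF64 image and reports the requested stack permissions, treating a missing header as an executable stack; make_elf builds constructed minimal images for testing, not real objects.

```python
"""Report the stack permissions an ELF64 image asks for (PT_GNU_STACK)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # p_type of the GNU stack program header
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags bits
ELF_MAGIC = b"\x7fELF"


def gnu_stack_perms(data: bytes) -> str:
    """Return 'RW-' / 'RWX' etc. from the PT_GNU_STACK header of a
    little-endian ELF64 image.  A missing header is reported as
    'RWX (missing)': the loader then falls back to an executable stack
    on most architectures, which is what the QA notice flags."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "".join(ch if p_flags & bit else "-"
                           for ch, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))
    return "RWX (missing)"


def make_elf(stack_flags=None) -> bytes:
    """Constructed minimal ELF64 LE image (test input only, not a real
    object): one PT_GNU_STACK entry with the given p_flags, or no
    program headers at all when stack_flags is None."""
    phdrs = b""
    if stack_flags is not None:
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, EV_CURRENT
    # e_type=ET_DYN, e_machine=EM_X86_64, e_version, e_entry, e_phoff=64, e_shoff,
    # e_flags, e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56,
                       len(phdrs) // 56, 64, 0, 0)
    return e_ident + ehdr + phdrs


if __name__ == "__main__":
    # e.g. python3 gnu_stack.py /usr/lib64/asterisk/modules/res_geolocation.so
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(gnu_stack_perms(fh.read()), path)
```

A module reporting RW- here is what the noexec-stack fix should produce; RWX or a missing header is what the tinderbox QA check reports.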
Hi Jaco,

do you see the qa warning in your build log?

Did you check the related bash script that hits the qa notice to check which command exactly you have to type for reproduction?
(In reply to Agostino Sarubbo from comment #3)
> Hi Jaco,
>
> do you see the qa warning in your build log?

Not at the time when I submitted the ebuild, no. I have managed to reproduce now and a fix has been submitted upstream.

> Did you check the related bash script that hits the qa notice to check which
> command exactly you have to type for reproduction?

Yea, the referenced wiki entry from the QA warning also helps; the gentoo-tinderbox blog entry, not so much.

Anyway, came right, thanks for the excellent work on finding these issues and helping us sort them out.
(In reply to Jaco Kroon from comment #4)
> the gentoo-tinderbox blog entry, not so much.

The tinderbox job is to catch the issue and copy-paste. After all, the qa notice is emitted by portage and the tinderbox has nothing to do with it :)
(In reply to Agostino Sarubbo from comment #5)
> (In reply to Jaco Kroon from comment #4)
> > the gentoo-tinderbox blog entry, not so much.
>
> The tinderbox job is to catch the issue and copy-paste. Afterall the qa
> notice is emitted by portage and the tinderbox has nothing to do with it :)

I think I realised what frustrated me. It would be really, really nice if you could extract the QA warning/error and get that into the actual bug report itself (you already use patterns to set the subject, so I know this is probably not the simplest thing as you extract it using pattern matching from the build.log file most likely). Not sure how easy/hard that would be, but literally just this portion:

 * QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems.  A bug should be filed at
 *  https://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see:
 *
 *    https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
 *
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@gentoo.org.
 * RWX --- --- usr/lib64/asterisk/modules/res_geolocation.so

And I suspect it would be best to order it such that this is above the link to the blog entry, and I'd "title" that with something like "For more information about tinderbox itself, please refer to ...."

Again, really appreciate the work you do, so this is just a "if/when you have time/willpower/looking for something to do" thing which would make this excellent work marginally better.

I've submitted this upstream. I don't think this issue is worth a new version in portage; would it be OK for me to close this bug once the patch has been accepted upstream?
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6365009d6b2dad0945e875cde7f1592ffa7f4275

commit 6365009d6b2dad0945e875cde7f1592ffa7f4275
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 21:58:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:40 +0000

    net-misc/asterisk: add 20.0.1, drop 20.0.0

    Bug: https://bugs.gentoo.org/884797
    Closes: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                                           | 2 +-
 net-misc/asterisk/{asterisk-20.0.0.ebuild => asterisk-20.0.1.ebuild} | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=838265303fe808653fe86bf8e9da6bebc765a4bf

commit 838265303fe808653fe86bf8e9da6bebc765a4bf
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 21:57:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:39 +0000

    net-misc/asterisk: add 18.15.1

    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-18.15.1.ebuild | 376 ++++++++++++++++++++++++++++++
 2 files changed, 377 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5715660f692bb8e4e8b171193bd761ae32497c3

commit a5715660f692bb8e4e8b171193bd761ae32497c3
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-12-04 20:48:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-13 05:24:39 +0000

    net-misc/asterisk: add 16.29.1

    Bug: https://bugs.gentoo.org/884797
    Bug: https://bugs.gentoo.org/880003
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                         |   1 +
 net-misc/asterisk/asterisk-16.29.1.ebuild          | 378 +++++++++++++++++++++
 ...erisk-16.29.1_18.15.1_20.0.1-noexec_stack.patch |  39 +++
 3 files changed, 418 insertions(+)