Bug 208331

Summary:	sys-kernel/hardened-sources-2.6.23-hardened-r6 build failure if CONFIG_IA32_EMULATION=y and CONFIG_PAX_HOOK_ACL_FLAGS=y
Product:	Gentoo Linux	Reporter:	Michael Carns <mike>
Component:	Hardened	Assignee:	The Gentoo Linux Hardened Team <hardened>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gengor, kang, kfm, pageexec, radu_benea2002
Priority:	High
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	210026

Description Michael Carns 2008-01-31 18:33:29 UTC

2.6.23-hardened-r6 fails to link.

The build fails while linking .tmp_vmlinux1:

fs/built-in.o:(.bss+0x1640): multiple definition of `pax_set_initial_flags_func'
arch/x86_64/ia32/built-in.o:(.bss+0x10): first defined here
fs/built-in.o: In function `__crc_pax_set_initial_flags_func':
(*ABS*+0x259a843b): multiple definition of `__crc_pax_set_initial_flags_func'
make: *** [.tmp_vmlinux1] Error 1


I dug through the source a bit and here's what I found:

1) On line 52 of fs/binfmt_elf.c:
#ifdef CONFIG_PAX_HOOK_ACL_FLAGS                                                                 
void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);                                   
EXPORT_SYMBOL(pax_set_initial_flags_func);                                                       
#endif                                                                                           

This exports pax_set_initial_flags_func if CONFIG_PAX_HOOK_ACL_FLAGS is enabled.

2) In arch/ia64/ia32/binfmt_elf32.c on line 56:
#include "../../../fs/binfmt_elf.c"                                                              

This causes the duplicate symbol if CONFIG_IA32_EMULATION is enabled.



Reproducible: Always

Steps to Reproduce:
1. Configure on arch x86_64.  Enable CONFIG_IA32_EMULATION and CONFIG_PAX_HOOK_ACL_FLAGS.
2. make
3.

Comment 1 kfm 2008-02-25 02:55:43 UTC

Please try adjusting the #ifdef statement to:

#if defined(CONFIG_PAX_HOOK_ACL_FLAGS) && !((defined(ELF_CLASS) && ELF_CLASS == ELFCLASS32) || (defined(elf_format) && elf_format == elf32_format))

It seems to resolve the problem for x86_64 but I am unable to test ia64. What I'm looking for is twofold:

1) For the build failure to no longer occur (naturally)
2) For the pax_set_initial_flags_func symbol to be exported, both when IA32_EMULATION is enabled and disabled.

You can check for the presence of the symbol in System.map after compilation. I'm looking to push a new release into the tree so I'd be grateful if you were to test this as at your earliest convenience.

Comment 2 kfm 2008-02-25 03:05:40 UTC

Hmm, just realised that you're also a x86_64 user (I saw the reference to arch/ia64/ia32 which threw me). Nonetheless, a confirmation that it resolves the problem would be appreciated. I'll try to seek out someone with ia64 hardware as I've no idea if it works as planned in that case.

Comment 3 Michael Carns 2008-02-25 07:41:17 UTC

The fix worked on x86_64 both with and without ia32 emulation.    Unfortunately I don't have any ia64 systems to test on, nor does crossdev want to build an ia64 toolchain for me tonight.

Comment 4 kfm 2008-02-25 11:04:40 UTC

OK, that's good enough for me. Thank you for reporting back so quickly.

Comment 5 kfm 2008-02-27 16:36:38 UTC

Fixed in 2.6.23-r8. I'm leaving the bug open though as I suspect it will be an issue in 2.6.24 also.

Comment 6 kfm 2008-02-29 18:06:36 UTC

*** Bug 211847 has been marked as a duplicate of this bug. ***

Comment 7 PaX Team 2008-03-08 01:37:12 UTC

1. why's -hardened setting PAX_HOOK_ACL_FLAGS? it's for RSBAC users, is that part of -hardened?

2. the better fix is to move the #ifdef out of binfmt_elf to exec.c, which is what my next patch will also do.

Comment 8 kfm 2008-03-22 19:06:39 UTC

Re: Comment 7

1. No. The "Hardened [Gentoo]" security level selects PAX_HAVE_ACL_FLAGS.

2. Thanks. I reworked the patch accordingly for 2.6.23-r9.

No need to keep this open anymore ... closing.