Bug 392261

Summary:	app-emulation/dosemu -fno-pic causes build failure when using hardened compiler with PIE
Product:	Gentoo Linux	Reporter:	Daniel Keyhani <daniel>
Component:	[OLD] Unspecified	Assignee:	Hanno Böck <hanno>
Status:	RESOLVED FIXED
Severity:	normal	CC:	flameeyes, hardened, slyfox, stefan.kuhn
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Prposed fix for the ebuild output of emerge --info dosemu log of unmodified ebuild log with -nopie log with -nopie and my fix for the QA warning

Description Daniel Keyhani 2011-11-28 11:58:30 UTC

Emerging dosemu fails on Hardened Gentoo due to an invalid relocation when building with a PIE-enabled compiler profile. Switching the compiler to a nopie-Profile (or setting LDFLAGS="-nopie") fixes the issue.

Reproducible: Always

Steps to Reproduce:
1. Install Hardened Gentoo
2. emerge -av "=app-emulation/dosemu-1.4.1_pre20091009"
Actual Results:  
x86_64-pc-linux-gnu-gcc -Wl,-O1 -Wl,--as-needed -Wl,-warn-common -rdynamic tools86.o -o tools86
/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.5/../../../../x86_64-pc-linux-gnu/bin/ld: tools86.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
tools86.o: could not read symbols: Bad value
collect2: ld returned 1 exit status


Expected Results:  
Build succeeds. Maybe just add -nopie to LDLAGS?

Portage 2.1.10.11 (hardened/linux/amd64, gcc-4.4.5, glibc-2.12.2-r0, 2.6.37-hardened-r7 x86_64)
=================================================================
System uname: Linux-2.6.37-hardened-r7-x86_64-AMD_Opteron-tm-_Processor_4122-with-gentoo-2.0.3
Timestamp of tree: Mon, 28 Nov 2011 10:45:01 +0000
app-shells/bash:          4.1_p9
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.6.6-r2, 2.7.1-r1, 3.1.3-r1
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.68
sys-devel/automake:       1.10.3, 1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.4.5
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.12.2
Repositories: gentoo Local-Overlay
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe -mmmx -msse -msse2 -msse4a -m3dnow -mabm -mfpmath=sse"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=opteron -O2 -pipe -mmmx -msse -msse2 -msse4a -m3dnow -mabm -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow acl acpi amd64 apache2 bash-completion berkdb bzip2 calendar caps cli cracklib crypt cups curl cxx dri gd gdbm gnutls gpm hardened icap-client iconv imap jpeg justify kerberos kolab ldap logrotate mmx modules mudflap multilib mysql mysqli ncurses nls nptl nptlonly openmp pam pax_kernel pcre pppd readline sasl session snmp sse sse2 ssl sysfs syslog tcpd unicode urandom vhosts xml xmlrpc xorg zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 wuodan 2012-12-23 17:19:09 UTC

I can confirme the issue, see attached log file "original.log".
The package compiles with -nopie (append-ldflags -nopie), see attachement "with-nopie.log".

But then it throws this:
* QA Notice: Package triggers severe warnings which indicate that it
*            may exhibit random runtime failures.
* /usr/include/bits/stdio2.h:285:2: warning: call to '__fread_chk_warn' declared with attribute warning: fread called with bigger size * nmemb than length of destination buffer

This originates from the first 'fread' statement in src/tools/tools86.c.

I think it should be:
  if (fread(&bsd,sizeof(bsd),1,f) != 1 ) {
instead of:
  if (fread(&bsd,sizeof(gnu),1,f) != 1 ) {

Attachement "with-nopie-and-fread-fix.log" contains the final log.
Attachement "dosemu-1.4.1_pre20091009.ebuild.patch" contains my fix for the ebuild.

Comment 2 wuodan 2012-12-23 17:19:50 UTC

Created attachment 333148 [details, diff]
Prposed fix for the ebuild

Comment 3 wuodan 2012-12-23 17:20:26 UTC

Created attachment 333150 [details]
output of emerge --info dosemu

Comment 4 wuodan 2012-12-23 17:20:56 UTC

Created attachment 333152 [details]
log of unmodified ebuild

Comment 5 wuodan 2012-12-23 17:21:13 UTC

Created attachment 333154 [details]
log with -nopie

Comment 6 wuodan 2012-12-23 17:21:38 UTC

Created attachment 333156 [details]
log with -nopie and my fix for the QA warning

Comment 7 wuodan 2012-12-23 17:38:30 UTC

Opened bug for the severe warning at upstream:
https://sourceforge.net/p/dosemu/bugs/466/

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2013-08-05 09:53:26 UTC

It's a gentoo bug. Proper way to filter PIC flags is to use

    inherit flag-o-matic

    filter-flags -pic


filter-flags has special meaning on hardend toolchains and should add proper flags.

But current dosemu does not seem to need non-pic at all (at least here on amd64).
Although needs MPROTECT and RANDMMAP PaX features disables.

I've pushed the changes as:
>*dosemu-1.4.1_pre20130107-r2 (05 Aug 2013)
> 
>  05 Aug 2013; Sergei Trofimovich <slyfox@gentoo.org>
>  +dosemu-1.4.1_pre20130107-r2.ebuild, -dosemu-1.4.1_pre20130107-r1.ebuild:
>  Added basic hardened support (bug #392261 by Daniel Keyhani).

Please, give it a try. Thanks!

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2013-08-06 17:04:06 UTC

*** Bug 426540 has been marked as a duplicate of this bug. ***