Summary: | python doesn't work with -fstack-protector-all (smtplib) | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jens Gutzeit <jens> |
Component: | Current packages | Assignee: | Python Gentoo Team <python> |
Status: | VERIFIED TEST-REQUEST | ||
Severity: | critical | CC: | adam, askwar, hardened, mike, sam, sandino |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | x86 | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | python-2.3.4.ebuild.diff |
Description
Jens Gutzeit
2004-05-06 20:37:11 UTC
I can confirm that "-fstack-protector" compiler flag seems to hurt the python executable extremely. I have my own python program which started to crash the python interpreter after i compiled python with "-fstack-protector". I tried some combinations, and finally the program is working fine again after recompiling python (2.3.3) without "-fstack-protector". So it should be better to remove all stack-protector flags when compiling python to protect the users from itself. But because if someone is playing with these compiler flags he should know what he is doing, i would rate this bug minor :-) For completeness: Portage 2.0.50-r6 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25-gentoo-r2) ================================================================= System uname: 2.4.25-gentoo-r2 i686 AMD Athlon(TM) XP 1900+ Gentoo Base System version 1.4.10 distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] Autoconf: sys-devel/autoconf-2.59-r3 Automake: sys-devel/automake-1.8.3 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-mcpu=athlon-xp -O3 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-mcpu=athlon-xp -O3 -pipe -fomit-frame-pointer" DISTDIR="/alderan/distfiles" FEATURES="autoaddcvs ccache distcc fixpackages sandbox" GENTOO_MIRRORS="ftp://ftp.freenet.de/pub/ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.easynet.nl/mirror/gentoo/ http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.ohlmeier.home/gentoo-portage" USE="3dnow X X509 aalib acpi acpi4linux adns alsa arts artswrappersuid avi berkdb cdr crypt cscope cups dga directfb doc dvb dvd encode ethereal fbcon flash foomaticdb gdbm gif gimpprint gphoto2 gpm gstreamer gtk gtk2 guile hardened hbci idea imap imlib innodb irda java jpeg kde libg++ libwww lirc mad maildir matroska matrox mbox mikmod mmx motif mozilla mpeg mysql nas ncurses nls odbc ofx oggvorbis opengl oss pam pda pdflib perl pic png ppds python qt qtmt quicktime readline samba sasl scanner sdl skey slang slp speex spell sse ssl svga tcltk tcpd tetex theora tiff truetype usb v4l v4l2 wmf x86 xinerama xml xml2 xmms xv zlib" is the stack protector stuff managed by hardended? i don't have a pax enabled kernel so i can't reproduce. what negative affects are there for filtering this cflag? Hey.... python works just fine with -fstack-protector and -fstack-protector-all Don't filter it! The problem is that function has an array that can be overflowed. Fix the python core code instead of filtering it. good, as long as someone knows whats going on here. anyone with a patch? *** Bug 59603 has been marked as a duplicate of this bug. *** *** Bug 59604 has been marked as a duplicate of this bug. *** The gentoo python herd/maintainer should take care of patching her/his package and/or make arrangements/get advice with/from upstream as/if needed. well, what are the requirements to reproduce this? i have no hardened stuff running at all, so i'm not even sure what it involves? the closest thing i've seen is this openbsd bug where they use stack protector, but they seem to have figured it out? http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=3622 For whoever's still looking into this: I believe the simplest example of something pythonic that doesn't work with -fstack-protector* is "idle," the basic python development environment that comes with python (tcltk must be in USE, of course). I am running no grsec, no pax, no hardened kernel. I don't know if this is going to be considered an upstream problem or not, but as it stands, even some things that come with python and are integral to it fail. IMHO, -fstack-protector should be filtered at least for the time-being. # emerge info Portage 2.0.50-r9 (default-x86-2004.2, gcc-3.3.3, glibc-2.3.3.20040420-r1, 2.6.8-gentoo) ================================================================= System uname: 2.6.8-gentoo i686 Pentium III (Coppermine) Gentoo Base System version 1.4.16 distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] Autoconf: sys-devel/autoconf-2.59-r4 Automake: sys-devel/automake-1.8.3 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O3 -march=pentium3 -pipe -fomit-frame-pointer -fstack-protector" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O3 -march=pentium3 -pipe -fomit-frame-pointer -fstack-protector" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs ccache distcc fixpackages sandbox" GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://mirrors.tds.net/gentoo ftp://linux.thai.net/pub/mirrors/gentoo" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X aalib alsa apache2 apm avi crypt cups encode flash foomaticdb gd gnome gtk gtk2 imagemagick imap imlib jpeg lcms libg++ libwww mad mcal memlimit mikmod mmap mmx motif mozilla mpeg mysql ncurses nls nntp oggvorbis opengl pam pdflib perl png postgres ppds python quicktime readline samba sasl sdl slang slp spell sse ssl svga tcltk threads tiff truetype usb vhosts x86 xml xml2 xmms xv zlib" Test box #1 (solar@toucan:~)$ python Python 2.3.3 (#1, May 15 2004, 21:11:00) [GCC 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import smtplib; >>> server = smtplib.SMTP("localhost"); >>> -------------------------------------------------------------- Test Box #2 echo 'import smtplib; server = smtplib.SMTP("smtp.gentoo.org");' | python - ; echo $? 0 Python 2.3.3 (#1, Jan 14 2004, 15:32:05) [GCC 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)] on linux2 ---------------------------------------------------------------------- Test Box #3 echo 'import smtplib; server = smtplib.SMTP("smtp.gentoo.org");' | python - ; echo $? 0 Python 2.3.4 (#1, Aug 17 2004, 05:55:33) [GCC 3.4.1 20040803 (Gentoo Hardened Linux 3.4.1-r2, ssp-3.4-2, pie-8.7.6.5)] on linux2 Type "help", "copyright", "credits" or "license" for more information. ----------------------------------------------------------------------------- Test Box #4 echo 'import smtplib; server = smtplib.SMTP("smtp.gentoo.org");' | python - ; echo $? 0 Python 2.3.3 (#1, Apr 18 2004, 02:20:33) [GCC 3.3.3 20040217 (Gentoo PaX Linux 3.3.3-r1, ssp-3.3-7, pie-0.8.5.3)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> ----------------------------------------------------------------------------- I can't even reproduce this on the 4 boxes I've tested on. All of them use the hardened toolchain and or -fstack-protector{,-all} via CFLAGS. I've talked with some others. It does seem that this might only happen when -O3 is in use. Testing Yes, I can confirm that. Just tried recompiling python with -O2 instead of -O3 (all other options the same), and the problem dissapears. So it seems it might be a bug in GCC. Either it's a problem of the stack protector patches, or the bug is already there and stack protector only makes it visible. Created attachment 37582 [details, diff] python-2.3.4.ebuild.diff Yep.. Just confirmed this only happens at O3 ------------------------------------------------------------------- echo 'import smtplib; server = smtplib.SMTP("localhost");' | python - ; echo $? python: stack smashing attack in function call_function() Aborted 134 Python 2.3.4 (#1, Aug 17 2004, 07:05:07) [GCC 3.3.3 20040412 (Gentoo Hardened Linux 3.3.3-r5, ssp-3.3-7, pie-8.7.5.3)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> I'll attach a patch shortly for your testing pleasure. Confirmed for the "idle" case as well. The bug is only triggered with -O3. Note: Bug #54856 (an evms bug) appears to be the same bug (same behavior). Reassign to toolchain? No need to reassign to toolchain@ The bug is with python, and python maintainer is given a chance to update his ebuild. If no objections or if Alastair is fine with it I can add the work around it to the ebuild. I don't understand why you consider this a python bug. It is triggered by a compiler optimization option and affects at least two completely different packages (python and evms - see comment #14). It seems to me that this is a compiler issue. Of course, I've now learned that using any optimizations higher than -O2 with ProPolice is not recommended anyway, apparently because it can optimize away some of the protection. 15:57:09 [/space/chroots/chroot001:24976.pts-49.papillon]papillon ~ # rm -rf /var/tmp/portage/python-2.3.*; FEATURES="debug nostrip keeptemp keepwork" ACCEPT_KEYWORDS="~x86" CFLAGS="-g -ggdb -O3" emerge -v python 2>&1 | tee /tmp/python.txt # cat /root/bug.py #!/usr/bin/python import smtplib; smtplib.SMTP("smtp.gentoo.org"); 15:59:38 [/space/chroots/chroot001:24976.pts-49.papillon]papillon ~ # ./bug.py Killed Aug 18 15:59:55 papillon PAX: execution attempt in: /usr/lib/libpython2.3.so.1.0, 2156c000-21664000 00000000 Aug 18 15:59:55 papillon PAX: terminating task: /usr/bin/python2.3(bug.py):5860, uid/euid: 0/0, PC: 21630b58, SP: 581e1a50 Aug 18 15:59:55 papillon PAX: bytes at PC: 8b 72 0c 89 72 08 8b 12 39 fa 75 f4 39 f9 89 ce 74 2a 8d 8b Aug 18 15:59:55 papillon PAX: bytes at SP: 215850f6 00000000 0000001a 2167fe00 215c068e 153e82ec 00000000 581e1918 21847000 153e82ec 21823060 21812824 215b851a 2167fe28 00000000 00000000 624a7f12 2165dda9 581e1ab8 2162a383 Aug 18 15:59:55 papillon grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /space/chroots/chroot001/root/bug.py[bug.py:5860] uid/euid:0/0 gid/egid:0/0, parent /space/chroots/chroot001/bin/bash[bash:29065] uid/euid:0/0 gid/egid:0/0 does not happen with -O2 or leaving out optimization. -O3 seems to have more issues with python than you expected, and apparently my pax kernel stops the show way before your problems with SSP would make it bite the dust. and no, i will not chpax and paxctl it, because i hate overoptimizing security- oriented technology. And please, next time you try to embarrass devs with making them bounce bugs back and forth between teams: dont do it. Test with -O2 and do not use -O3 and SSP together. TIA; Alex I still say that since the bug only occurs with -O3, as you've proven, it is an optimization issue, not a bug in python. If it is an unavoidable tradeoff due to overoptimization, then I can accept that. I wasn't attempting to embarrass anybody (unlike you). I merely wanted to have an opposing viewpoint explained to me. As for not using -O3, I believe I said that in my previous comment. other than that, the ebuild sucks hard. # rm -rf /var/tmp/portage/python-2.3.*; FEATURES="debug nostrip keeptemp keepwork" ACCEPT_KEYWORDS="~x86" CFLAGS="-O3" emerge -v python 2>&1 | tee /tmp/python.txt; python-updater; paxctl -pemrxs -v $(which python2.3); paxctl -pemrxs -v /usr/lib/libpython2.3.so.1.0 gives an other result as # rm -rf /var/tmp/portage/python-2.3.*; FEATURES="debug nostrip keeptemp keepwork" ACCEPT_KEYWORDS="~x86" CC="gcc -O3" emerge -v python 2>&1 | tee /tmp/python.txt; python-updater; paxctl -pemrxs -v $(which python2.3); paxctl -pemrxs -v /usr/lib/libpython2.3.so.1.0 You can try building python with CC="gcc -O3 -fstack-protector -fstack-protector-all" and see what it yields. there is only one more thing i have to say: this would have not happened with a CFLAGS wrapper. have a nice day! Alex Tested with a hardened toolchain (emits -fstack-protector-all by default) Portage 2.0.51_pre18 (hardened/x86, gcc-3.4.1, glibc-2.3.4.20040619-r1, ... CC="gcc -O3" CFLAGS="-pipe -fforce-addr -fomit-frame-pointer" Package works as pappy has described. echo 'import smtplib; server = smtplib.SMTP("smtp.gentoo.org");' | python - ; echo $? 0 Again... this is a python and not a toolchain bug. solar, can you please motivate *why* you think this is not a toolchain issue but a python bug? 1) I'm on the toolchain herd and I know when something is and is not a toolchain bug and who should handle said bugs for pkgs. I'm also aware of the fundamentals around ssp. 2) This problem only happens with python. 3) Forcing the -O3 logic via CC= (ie force it across the board for all compile object files) fixes the problem at hand. i'm fine with applying this to python, if no one else does it, i'll apply it. but it would be interesting to know which bit of code is triggering the -O3 problem, i still reckon its a toolchain bug, but I agree we should put a workaround in python for this. in my opinion, rather than just adding a "bandaid", you should find out where the reason is. i wrote a simple DEBUG wrapper for gcc-config that lists "malformed" CFLAGS when the gcc is run. solar: please test and paste output here. my chroots are out of order because i am preparing a new version of dev-util/devel-chroots thanks in advance, Alex Well great that you wrote a wrapper but I'm not a mind reader I have nfc how to use your tool. How about you use it and paste the output here. emerge -gK ./gcc-3.3.3-r6.tbz2 # cat /tmp/build-python.sh #!/bin/bash cd /root CC="gcc -g3 -ggdb3" CFLAGS="-O3 -fstack-protector-all" ACCEPT_KEYWORDS="x86" FEATURES="keeptemp keepwork nostrip debug" emerge -v python 2>&1 | tee /tmp/python.txt python-updater ldconfig this produces: Python 2.3.3 (#1, Aug 20 2004, 12:42:50) [GCC 3.3.3 20040412 (Gentoo Linux 3.3.3-r6, ssp-3.3.2-2, pie-8.7.6)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> after running the test script, the output is okay # /tmp/bug.py; echo $? 0 17:59:17 [/space/chroots/chroot001:2332.pts-4.papillon]papillon ~ # cat /tmp/bug.py #!/usr/bin/python ## http://bugs.gentoo.org/show_bug.cgi?id=50309 import smtplib; server = smtplib.SMTP("smtp.gentoo.org"); but after doing this: # cat /tmp/bug.py #!/usr/bin/python -i ## http://bugs.gentoo.org/show_bug.cgi?id=50309 import smtplib; server = smtplib.SMTP("smtp.gentoo.org"); (remember the -i is interactive mode) starting the script, attaching with gdb and exiting python, it gives the following results: 18:00:03 [/space/chroots/chroot001:2332.pts-4.papillon]papillon ~ # /tmp/bug.py >>> papillon root # gdb -q /space/chroots/chroot001/usr/bin/python2.3 $(ps axufwww | grep python | grep "bug.py" | awk '{ print $2 }') Loaded symbols for /lib/libresolv.so.2 0x40141af8 in thread_self () at descr.h:260 260 return (pthread_descr)(((unsigned long)sp | (STACK_SIZE-1))+1) - 1; (gdb) c Continuing. # /tmp/bug.py >>> ((pressing CTRL-D)) the gdb says: Program received signal SIGSEGV, Segmentation fault. 0x400db904 in eval_doc () from /usr/lib/libpython2.3.so.1.0 (gdb) where #0 0x400db904 in eval_doc () from /usr/lib/libpython2.3.so.1.0 #1 0x40131d7c in ?? () #2 0x0804a258 in ?? () #3 0x0d409294 in ?? () #4 0x4012ae00 in ?? () #5 0x40016000 in ?? () #6 0x400217f6 in ?? () from /usr/lib/libpython2.3.so.1.0 (gdb) quit The program is running. Quit anyway (and detach it)? (y or n) y Detaching from program: /space/chroots/chroot001/usr/bin/python2.3 Unfortunately i could not reproduce the SSP error, but maybe you can give me the information if the problem goes away if you would use gcc-3.3.3-r6. thanks, Alex additionally, these last tests have been done on a nonPAX kernel (happens on pax kernel too though) 18:04:16 [/space/chroots/chroot001:2332.pts-4.papillon]papillon ~ # uname -a Linux papillon 2.6.7 #1 Thu Aug 19 19:10:57 CEST 2004 i686 Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz GenuineIntel GNU/Linux The patch mitigates the problem while further investigation can be done by pappy and or others. Alistair: please add this peace to all pythons "in the wild". + if is-flag -O3 ; then + is-flag -fstack-protector-all && replace-flags -O3 -O2 + use hardened && replace-flags -O3 -O2 TIA, Alex (closing bug) committed for all 2.3* pythons, thanks alex! I think this can be closed now. closing I think the fix is not complete. The mentioned problem still exists when compiling python with -fstack-protector -O3 and that will not be catched by the modified ebuild. Steps to reproduce: 1. Compile python with -fstack-protector -O3 2. Start pydoc -p 8080 3. Open a web browser at http://localhost:8080/ Actual results: henryk@gleam henryk $ pydoc -p 8080 pydoc server ready at http://localhost:8080/ python: stack smashing attack in function fast_function() Aborted Expected results: Shouldn't abort. Simple fix: Change + if is-flag -O3 ; then + is-flag -fstack-protector-all && replace-flags -O3 -O2 + use hardened && replace-flags -O3 -O2 to + if is-flag -O3 ; then + is-flag -fstack-protector-all && replace-flags -O3 -O2 + is-flag -fstack-protector && replace-flags -O3 -O2 + use hardened && replace-flags -O3 -O2 tip. Don't use -O3 with ssp. That is a good tip. Too many people are unaware of this ssp/-O3 incompatibility (as you can see above, I was bitten by this about eight months ago). Perhaps portage should be made to automatically warn about this situation when it sees it? The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f58c0be83b23be42aa2e6452c4b4bfd875fcbbb commit 5f58c0be83b23be42aa2e6452c4b4bfd875fcbbb Author: Sam James <sam@gentoo.org> AuthorDate: 2022-06-07 08:02:54 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-06-07 08:04:59 +0000 dev-lang/python: drop long-obsolete SSP / -O3 workaround Everyone in Gentoo (unless they unforce defaults) had, for years now, -fstack-protector-all on, or nowadays, -fstack-protector-strong. This means that it won't have been explicitly in *FLAGS and hence the replacement won't have been triggered anyway. Plus, the hardened conditional is irrelevant given the above (it uses no more SSP than the default, because the default is what hardened used to be, many years ago). Bug: https://bugs.gentoo.org/50309 Signed-off-by: Sam James <sam@gentoo.org> dev-lang/python/python-2.7.18_p15.ebuild | 6 ------ dev-lang/python/python-3.10.5.ebuild | 6 ------ dev-lang/python/python-3.11.0_beta3.ebuild | 6 ------ dev-lang/python/python-3.8.13_p2.ebuild | 6 ------ dev-lang/python/python-3.9.13.ebuild | 6 ------ 5 files changed, 30 deletions(-) |