
Bug 511634

Summary: =dev-libs/libffi-3.1[abi_x86_32]: /usr/lib32/libffi.so.6 built with execstacks
Product: Gentoo Linux
Component: Current packages
Reporter: Samuli Suominen (RETIRED) <ssuominen>
Assignee: Gentoo Toolchain Maintainers <toolchain>
CC: hardened
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: AMD64
OS: Linux
URL: https://sourceware.org/ml/libffi-discuss/2014/msg00058.html
Attachments: build.log

Description Samuli Suominen (RETIRED) gentoo-dev 2014-05-27 17:19:40 UTC
Created attachment 377726: build.log

I'm not sure if it's OK to append-cflags -Wa,--no-execstack type of solution here or not, or why this is happening at all, since I'm seeing the GNU stack markings in the code and this only happens to the 32bit library, not the 64bit one, when building on a multilib amd64.

Some advice from the hardened@g.o would be welcome here. Thanks!

 * QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems.  A bug should be filed at
 *  http://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@g.o.
 * RWX --- --- usr/lib32/libffi.so.6.0.2

Portage 2.2.10 (default/linux/amd64/13.0/developer, gcc-4.8.2, glibc-2.19, 3.13.4 x86_64)
=================================================================
System uname: Linux-3.13.4-x86_64-Intel-R-_Core-TM-_i5-2400_CPU_@_3.10GHz-with-gentoo-2.2
KiB Mem:    16417644 total,    206680 free
KiB Swap:     524284 total,    524284 free
Timestamp of tree: Unknown
ld GNU gold (GNU Binutils 2.24) 1.11
app-shells/bash:          4.2_p47
dev-lang/python:          2.7.6-r1, 3.2.5-r3, 3.3.5, 3.4.0
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.11.6, 1.12.6, 1.13.4, 1.14.1
sys-devel/binutils:       2.24-r2
sys-devel/gcc:            4.8.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.14 (virtual/os-headers)
sys-libs/glibc:           2.19
Repositories:

gentoo
    location: /home/ssuominen/gentoo-x86
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

local
    location: /usr/local/portage
    masters: gentoo
    priority: 0

[ .. snip .. ]
Comment 1 Anthony Basile gentoo-dev 2014-05-27 20:57:50 UTC
If you take a look at the main level Makefile.am, you find that

if X86
nodist_libffi_la_SOURCES += src/x86/ffi.c src/x86/sysv.S src/x86/win32.S
endif

so win32.S is compiled and linked in.  But win32.S doesn't have

#if defined __ELF__ && defined __linux__
        .section        .note.GNU-stack,"",@progbits
#endif

If you add it, the problem is solved.
Comment 2 Magnus Granberg gentoo-dev 2014-05-27 21:25:51 UTC
(In reply to Anthony Basile from comment #1)
> If you take a look at the main level Makefile.am, you find that
> 
> if X86
> nodist_libffi_la_SOURCES += src/x86/ffi.c src/x86/sysv.S src/x86/win32.S
> endif
> 
> so win32.S is compiled and linked in.  But win32.S doesn't have
> 
> #if defined __ELF__ && defined __linux__
>         .section        .note.GNU-stack,"",@progbits
> #endif
> 
> If you add it, the problem is solved.
It fixes the problem. The fix should go upstream.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2014-05-28 13:33:43 UTC
Fixed by libffi-3.1-r1 with libffi-3.1-execstack.patch:

$ cat files/libffi-3.1-execstack.patch 
http://bugs.gentoo.org/511634

--- src/x86/win32.S
+++ src/x86/win32.S
@@ -1304,3 +1304,6 @@
 
 #endif /* !_MSC_VER */
 
+#if defined __ELF__ && defined __linux__
+	.section        .note.GNU-stack,"",@progbits
+#endif
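Review bot: the guard on the added trailer is `#if defined __ELF__ && defined __linux__`, so the `.note.GNU-stack` section is emitted only for Linux ELF builds; if win32.S is also assembled for other ELF targets that read this note, they keep the executable-stack marking, so it is worth confirming that the `__linux__` test is needed and that it matches the guard used by the markings already present in the other x86 sources. The patch header carries only the bug URL; a one-line description (win32.S lacks the GNU-stack note, which leaves the 32-bit libffi.so.6.0.2 flagged RWX) and a short comment above the `.section` line would make the reason for the trailer clear to upstream. The `.section` line also mixes a leading tab with a run of spaces before the section name.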
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-05-28 13:34:02 UTC
And reported to libffi-discuss@sourceware.org ML where patches go for upstream inclusion.
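
The QA notice in the description reports the stack marking of the installed library (`RWX` before the fix). The following is an added example, not part of the bug report, Portage or libffi: it reads the same PT_GNU_STACK program header straight from an ELF image, so a built library can be checked for a regression of this kind. It goes slightly beyond the case in the bug by handling ELF64 and big-endian files as well. `gnu_stack_flags` and `make_elf32` are hypothetical names, and the sample images are constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header type carrying the stack permissions
PF_X, PF_W, PF_R = 1, 2, 4

def gnu_stack_flags(elf: bytes):
    """Return PT_GNU_STACK permissions as 'RW-' / 'RWX', or None if the header is absent."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a supported ELF image")
    end = "<" if elf[5] == 1 else ">"            # EI_DATA: 1 = little endian, 2 = big endian
    if elf[4] == 2:                               # EI_CLASS: ELF64
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4                             # p_flags follows p_type in Elf64_Phdr
    else:                                         # ELF32, the case in this bug
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24                            # p_flags is the 7th word in Elf32_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (flags,) = struct.unpack_from(end + "I", elf, base + flags_off)
            return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))
    return None   # no marking at all: the stack permission is then left to the loader's default

def make_elf32(stack_flags):
    """Constructed sample: minimal little-endian ELF32 image with at most one PT_GNU_STACK header."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    # e_type=ET_DYN, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16) if phnum else b""
    return ident + hdr + phdr

if __name__ == "__main__":
    # With file arguments, audit real libraries; otherwise run on the constructed samples.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed: note missing in one object": make_elf32(PF_R | PF_W | PF_X),
        "constructed: every object marked": make_elf32(PF_R | PF_W),
    }
    for name, data in images.items():
        flags = gnu_stack_flags(data)
        print(f"{flags or '---'} {name}" + ("   <- executable stack" if flags and "X" in flags else ""))
```

Run with library paths as arguments to audit real files; `readelf -lW` shows the same GNU_STACK flags for cross-checking.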