Summary: | www-client/firefox-52.0.1: relocation R_X86_64_PC32 against undefined symbol `__stack_chk_fail@@GLIBC_2.4' can not be used when making a shared object; recompile with -fPIC | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Toralf Förster <toralf> |
Component: | Current packages | Assignee: | Mozilla Gentoo Team <mozilla> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | atoth, bryan.egan, jaak, miro.rovis, moltonel, powerman-asdf |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Toralf Förster
2017-03-20 18:49:42 UTC
same happened to me: checking for PIE support... no configure: error: --enable-pie requires PIE support from the linker. DEBUG: <truncated - see config.log for full output> DEBUG: configure:5332: checking if toolchain supports -mssse3 option DEBUG: configure:5344: /usr/lib64/ccache/bin/x86_64-pc-linux-gnu-gcc -std=gnu99 -c -march=native -pipe -fno-strict-aliasing -mssse3 conftest.c 1>&5 DEBUG: configure:5359: checking if toolchain supports -msse4.1 option DEBUG: configure:5371: /usr/lib64/ccache/bin/x86_64-pc-linux-gnu-gcc -std=gnu99 -c -march=native -pipe -fno-strict-aliasing -msse4.1 conftest.c 1>&5 DEBUG: configure:5387: checking for x86 AVX2 asm support in compiler DEBUG: configure:5396: /usr/lib64/ccache/bin/x86_64-pc-linux-gnu-gcc -std=gnu99 -c -march=native -pipe -fno-strict-aliasing conftest.c 1>&5 DEBUG: configure:6567: checking for PIE support DEBUG: configure:6578: /usr/lib64/ccache/bin/x86_64-pc-linux-gnu-gcc -std=gnu99 -o conftest -fno-lifetime-dse -march=native -pipe -fno-strict-aliasing -fno-math-errno -Wl,-O1 -Wl,--as-needed -Wl,-rpath=/usr/lib64/firefox,--enable-new-dtags -Wl,-z,relro,-z,now -Wl,-z,noexecstack -Wl,-z,text -pie conftest.c 1>&5 DEBUG: /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/www-client/firefox-52.0.1/temp/ccWvzKBa.o: warning: relocation against `__stack_chk_fail@@GLIBC_2.4' in readonly section `.text' DEBUG: /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/www-client/firefox-52.0.1/temp/ccWvzKBa.o: relocation R_X86_64_PC32 against symbol `__stack_chk_fail@@GLIBC_2.4' can not be used when making a shared object; recompile with -fPIC DEBUG: /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: final link failed: Bad value DEBUG: collect2: error: ld returned 1 exit status DEBUG: configure: failed program was: DEBUG: #line 6571 "configure" DEBUG: #include "confdefs.h" DEBUG: DEBUG: int main() { DEBUG: DEBUG: ; return 0; } DEBUG: configure: error: --enable-pie requires PIE support from the linker. ERROR: old-configure failed Portage 2.3.5 (python 3.5.3-final-0, hardened/linux/amd64/no-multilib, gcc-5.4.0, glibc-2.23-r3, 4.9.13-hardened x86_64) ================================================================= System Settings ================================================================= System uname: Linux-4.9.13-hardened-x86_64-Intel-R-_Core-TM-_i7-2630QM_CPU_@_2.00GHz-with-gentoo-2.3 KiB Mem: 8064084 total, 1158868 free KiB Swap: 0 total, 0 free sh bash 4.4_p12 ld GNU ld (Gentoo 2.27 p1.0) 2.27 ccache version 3.3.4 [enabled] app-shells/bash: 4.4_p12::gentoo dev-java/java-config: 2.2.0-r3::gentoo dev-lang/perl: 5.24.1-r1::gentoo dev-lang/python: 2.7.13::gentoo, 3.5.3::gentoo dev-util/ccache: 3.3.4::gentoo dev-util/cmake: 3.7.2::gentoo dev-util/pkgconfig: 0.29.1::gentoo sys-apps/baselayout: 2.3::gentoo sys-apps/openrc: 0.24.1::gentoo sys-apps/sandbox: 2.10-r3::gentoo sys-devel/autoconf: 2.13::gentoo, 2.69-r2::gentoo sys-devel/automake: 1.11.6-r2::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo sys-devel/binutils: 2.26.1::gentoo, 2.27::gentoo sys-devel/gcc: 5.4.0-r3::gentoo sys-devel/gcc-config: 1.8-r1::gentoo sys-devel/libtool: 2.4.6-r3::gentoo sys-devel/make: 4.2.1::gentoo sys-kernel/linux-headers: 4.9::gentoo (virtual/os-headers) sys-libs/glibc: 2.23-r3::gentoo I can confirm. I suppose this happens because python in virtualenv needs some paxmarking before compiling: 2017-03-21_13:04:33.69411 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python2.7:31311] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:31309] uid/euid:250/250 gid/egid:250/250 2017-03-21_13:04:34.88715 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python:31321] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python:31320] uid/euid:250/250 gid/egid:250/250 2017-03-21_13:04:34.97315 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python:31324] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:31297] uid/euid:250/250 gid/egid:250/250 2017-03-21_13:04:35.06915 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python:31331] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:31330] uid/euid:250/250 gid/egid:250/250 2017-03-21_13:04:35.11113 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python:31339] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:31330] uid/euid:250/250 gid/egid:250/250 2017-03-21_13:04:37.38715 kern.alert: grsec: more alerts, logging disabled for 10 seconds (In reply to Alex Efros from comment #4) > I suppose this happens because python in virtualenv needs some paxmarking > before compiling: > > 2017-03-21_13:04:33.69411 kern.alert: grsec: denied RWX mmap of <anonymous > mapping> by > /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/ > _virtualenv/bin/python2.7[python2.7:31311] uid/euid:250/250 > gid/egid:250/250, parent /usr/bin/python2.7[python2.7:31309] > uid/euid:250/250 gid/egid:250/250 I don't think so. The current problem addressed by the bug happens early during the configure phase, while your issue kicks in later. BTW, I use this user patch, to take care of most of these message (although not all of them): diff -urN orig/build/moz.configure/init.configure dwok/build/moz.configure/init.configure --- orig/build/moz.configure/init.configure 2016-10-31 21:15:27.000000000 +0100 +++ dwok/build/moz.configure/init.configure 2016-12-28 17:08:49.607881648 +0100 @@ -219,6 +219,8 @@ log.info('Creating Python environment') manager.build(python) + os.system('/usr/sbin/paxctl-ng -E /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7') + python = normsep(manager.python_path) if python != normsep(sys.executable): Note, that such virtualenv python stuff also pollutes thunderbird's and recent versions of spidermonkey compiles... Solution of the problem: While firefox-51.0.1 ebuild uses a patch to take core of this very problem: "${FILESDIR}"/fix_hardened_pie_detection.patch firefox-52.0.1 ebuild dropped this patch for no apparent reasons I know of. Reintroducing this patch solves the problem. Message to the maintainer: Readd this patch to the ebuild, please! Dropping java applet support (many KVMs use them) and leaving alsa makes me look for an alternative to replace firefox. Why they are pushing pulseaudio on linux if it can hack without it on other platforms? Thx: Dw. (In reply to Attila Tóth from comment #6) > Solution of the problem: > While firefox-51.0.1 ebuild uses a patch to take core of this very problem: > > "${FILESDIR}"/fix_hardened_pie_detection.patch > > firefox-52.0.1 ebuild dropped this patch for no apparent reasons I know of. > Reintroducing this patch solves the problem. > THANK YOU for tracing this! That patch was supposed to remain in the patchset for 52 until such time as it had been integrated upstream. I will re-add it immediately. FYI, the general recommendation on Java for KVMs etc is to use JavaWebStart directly, but you can get it back directly-embedded in Firefox by enabling USE="nsplugin" for now. commit beb8ff05aaea7677df4b072716d3c0d6b41f9319 Author: Ian Stakenvicius <axs@gentoo.org> Date: Tue Mar 21 15:34:35 2017 -0400 www-client/firefox: re-add fix_hardened_pie_detection to 52.x patchset This patch was dropped in the migration from 51 to 52 by maintainer error, it has been added to the patchset to address and prevent future occurrences of errors such as those in bug 613340 *** Bug 613452 has been marked as a duplicate of this bug. *** |