
Bug 890004

Summary: sys-apps/systemd-252.4 fails to build if clang has default-stack-clash-protection enabled (also automagic dev-util/bpftool dep?)
Product: Gentoo Linux
Component: Current packages
Reporter: Reuben Martin <reuben.m>
Assignee: Gentoo systemd Team <systemd>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
CC: dlan, holger, jsmolic, sam
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=889561
          https://github.com/systemd/systemd/pull/26050
          https://bugs.gentoo.org/show_bug.cgi?id=917228
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Build log
             systemd-bpf.patch

Description Reuben Martin 2023-01-07 04:53:22 UTC
The build failure happens when trying to compile bpf related code.

If I add "-fno-stack-protector" to bpf_clang_flags and bpf_gcc_flags within ${workdir}/systemd-stable-252.4/src/core/bpf/meson.build the build will complete.

Reproducible: Always
Comment 1 Reuben Martin 2023-01-07 04:54:29 UTC
Created attachment 847750 [details]
Build log
Comment 2 Reuben Martin 2023-01-07 04:55:17 UTC
sys-devel/gcc-12.2.1_p20221231
sys-devel/clang-15.0.6
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-07 05:06:59 UTC
FAILED: src/core/bpf/socket_bind/socket-bind.bpf.unstripped.o 
/usr/lib/llvm/15/bin/clang -std=gnu11 -Wno-compare-distinct-pointer-types -O2 -target bpf -g -c -D__x86_64__ -I. -isystem /usr/include/x86_64-pc-linux-gnu -idirafter /usr/include ../systemd-stable-252.4/src/core/bpf/socket_bind/socket-bind.bpf.c -o src/core/bpf/socket_bind/socket-bind.bpf.unstripped.o
../systemd-stable-252.4/src/core/bpf/socket_bind/socket-bind.bpf.c:96:5: error: A call to built-in function '__stack_chk_fail' is not supported.
int sd_bind4(struct bpf_sock_addr *ctx) {
    ^
../systemd-stable-252.4/src/core/bpf/socket_bind/socket-bind.bpf.c:104:5: error: A call to built-in function '__stack_chk_fail' is not supported.
int sd_bind6(struct bpf_sock_addr *ctx) {
    ^
2 errors generated.
[462/2324] /usr/lib/llvm/15/bin/clang -std=gnu11 -Wno-compare-distinct-pointer-types -O2 -target bpf -g -c -D__x86_64__ -I. -isystem /usr/include/x86_64-pc-linux-gnu -idirafter /usr/include ../systemd-stable-252.4/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c -o src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.unstripped.o
FAILED: src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.unstripped.o 
/usr/lib/llvm/15/bin/clang -std=gnu11 -Wno-compare-distinct-pointer-types -O2 -target bpf -g -c -D__x86_64__ -I. -isystem /usr/include/x86_64-pc-linux-gnu -idirafter /usr/include ../systemd-stable-252.4/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c -o src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.unstripped.o
../systemd-stable-252.4/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c:43:5: error: A call to built-in function '__stack_chk_fail' is not supported.
int sd_restrictif_e(const struct __sk_buff *sk) {
    ^
../systemd-stable-252.4/src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.c:48:5: error: A call to built-in function '__stack_chk_fail' is not supported.
int sd_restrictif_i(const struct __sk_buff *sk) {
    ^
2 errors generated.
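
Added example, not part of the bug thread and not systemd or Gentoo code: a shell function that audits a build log for `-target bpf` compile commands lacking `-fno-stack-protector`, the condition behind the `__stack_chk_fail` errors above. The function names and the log lines in `sample_log` are constructed for illustration, shortened from the shape of the lines in comment 3.

```shell
#!/bin/sh
# Added example: find BPF compile commands that would inherit a hardened
# compiler's default stack protector (unsupported on the BPF target).

# Reads a build log on stdin. Prints "MISSING <object>" for each unique BPF
# object compiled without -fno-stack-protector, then one summary line.
# Exit status: 0 if every BPF compile command carries the flag, 1 otherwise.
bpf_ssp_audit() {
    awk '
    {
        is_bpf = 0; has_flag = 0; obj = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-target" && $(i + 1) == "bpf") is_bpf = 1
            if ($i == "--target=bpf") is_bpf = 1
            if ($i == "-fno-stack-protector") has_flag = 1
            if ($i == "-o" && i < NF) obj = $(i + 1)
        }
        # Only lines that are BPF compile commands with an output file count.
        if (is_bpf && obj != "") {
            total[obj] = 1
            if (!has_flag) missing[obj] = 1
        }
    }
    /__stack_chk_fail/ { errors++ }
    END {
        n = 0; m = 0
        for (o in total) n++
        for (o in missing) { m++; print "MISSING " o }
        printf "bpf_objects=%d missing_flag=%d stack_chk_errors=%d\n", n, m, errors
        exit (m > 0)
    }'
}

# Constructed sample log: two BPF objects built without the flag, one with it,
# and one host compile that the audit must ignore.
sample_log() {
    cat <<'EOF'
[1/4] clang -O2 -target bpf -g -c socket-bind.bpf.c -o socket-bind.bpf.unstripped.o
socket-bind.bpf.c:96:5: error: A call to built-in function '__stack_chk_fail' is not supported.
[2/4] clang -O2 -target bpf -g -c restrict-ifaces.bpf.c -o restrict-ifaces.bpf.unstripped.o
restrict-ifaces.bpf.c:43:5: error: A call to built-in function '__stack_chk_fail' is not supported.
[3/4] clang -O2 -fno-stack-protector -target bpf -g -c other.bpf.c -o other.bpf.unstripped.o
[4/4] cc -O2 -c main.c -o main.o
EOF
}

sample_log | bpf_ssp_audit || true
```

Run against a real log with `bpf_ssp_audit < build.log`; a non-zero exit means at least one BPF object was compiled with whatever stack-protector default the toolchain applies.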
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-07 05:07:12 UTC
Note that this isn't GCC, it's Clang.
Comment 5 Reuben Martin 2023-01-07 05:10:37 UTC
Would that then be getting set by USE=hardened for the clang-common package?
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-07 05:19:52 UTC
(In reply to Reuben Martin from comment #5)
> would that then be getting set by USE=hardened for the clang-common package?

Yeah, exactly. Would you mind filing a bug upstream (possibly even sending a PR)? It should be pretty straightforward, like you said; it's fine to do this unconditionally.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-08 01:02:57 UTC
*** Bug 890164 has been marked as a duplicate of this bug. ***
Comment 8 Yixun Lan archtester gentoo-dev 2023-01-08 11:37:46 UTC
Created attachment 847942 [details, diff]
systemd-bpf.patch

When compiling the bpf code, disabling clang's stack-protector would fix the problem.

I've tested on an Unmatched board (riscv64 machine), and it solved my problem.

Also, it would be great if we could avoid these bpf automagic issues. How about introducing a USE=bpf?
Comment 9 Larry the Git Cow gentoo-dev 2023-01-13 05:33:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=036c5283994e19f567c9c674a8567a8b49879aa1

commit 036c5283994e19f567c9c674a8567a8b49879aa1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-13 05:33:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-13 05:33:07 +0000

    sys-apps/systemd: fix build w/ clang+ssp
    
    Bug: https://bugs.gentoo.org/890004
    Signed-off-by: Sam James <sam@gentoo.org>

 .../systemd/files/252-no-stack-protector-bpf.patch | 26 ++++++++++++++++++++++
 sys-apps/systemd/systemd-252.4-r1.ebuild           |  1 +
 2 files changed, 27 insertions(+)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-13 05:35:18 UTC
Thanks. Leaving open for the automagic bpf dep/usage.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-12 07:19:22 UTC
(In reply to Sam James from comment #10)
> Thanks. Leaving open for the automagic bpf dep/usage.

Let's close and handle it in the dedicated bug I just filed: bug 917228.