394757 – x11-drivers/xf86-video-virtualbox-4.1.4 fails to load if compiled with hardened gcc

Bug 394757 - x11-drivers/xf86-video-virtualbox-4.1.4 fails to load if compiled with hardened gcc

Summary: x11-drivers/xf86-video-virtualbox-4.1.4 fails to load if compiled with harden...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	x86 Linux

Importance:	Normal normal
Assignee:	The Gentoo Linux Hardened Team

URL:
Whiteboard:
Keywords:

Duplicates (1):	352843 (view as bug list)
Depends on:	332285
Blocks:	350475
	Show dependency tree

Reported:	2011-12-14 23:20 UTC by Faustus
Modified:	2013-12-16 22:36 UTC (History)
CC List:	2 users (show)

See Also:	332285 352843
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Faustus 2011-12-14 23:20:28 UTC

Most (all?) X11 video drivers's ebuilds inherit from xorg-2 or x-modular, which take care of fixing LDFLAGS for hardened compiles. Namely, "-Wl,-z,lazy" is added to LDFLAGS, which is necessary for X11 drivers (in hardened, the default is "-Wl,-z,now").

Since xf86-video-virtualbox uses kBuild, it doesn't inherit from xorg-2, and LDFLAGS are not fixed. Not that it would help (see bug #332285). I experience the following error in Xorg.0.log: "vboxvideo_drv.so: undefined symbol: DRICreatePCIBusID".


The following fix works for me: in files/xf86-video-virtualbox-3-localconfig, add the following line:
TEMPLATE_VBOXGUESTR3EXE_LDFLAGS += -Wl,-z,lazy

Note that appending to just TEMPLATE_VBOXGUESTR3XORGMOD_LDFLAGS is not enough, since the dri libraries (/usr/lib/VBoxOGL*.so) are not influenced by that variable, and not even by TEMPLATE_VBOXGUESTR3DLL_LDFLAGS. So virtualbox_drv would load, but OpenGL would fail.

A couple of side notes:
1. For USE=-dri, installing /usr/lib/VBoxOGL*.so is apparently unnecessary.
2. /usr/lib/xorg/modules/drivers/vboxvideo_drv.so is installed with mode 644 instead of 755, like the other drivers.
3. It would be nice if the ebuild passed CFLAGS/CXXFLAGS/LDFLAGS to the kBuild system, although that would likely necessitate filtering some flags (-fomit-frame-pointer?)
4. With the above fix, OpenGL programs (glxinfo, glxgears) still require MPROTECT being disabled for them.

Comment 1 Faustus 2012-02-16 16:01:30 UTC

Any comment? This seems like a necessary and simple fix on hardened.

Comment 2 Magnus Granberg gentoo-dev

2012-02-16 17:57:20 UTC

*** Bug 352843 has been marked as a duplicate of this bug. ***

Comment 3 Hugo Mildenberger 2012-02-24 08:54:47 UTC

Faustus, I'd like thank you very much for this analysis. I've successfully tested your proposals with xf86-video-virtualbox-4.1.8 (together with the still masked virtualbox-guest-additions-4.1.8 and xorg-server-1.11.4) on amd64. Apart from fancy desktop effects, Gentoo Hardened was then running very smoothly within a Vista host machine. 

For others to find this bug, the xorg message on that particular system was "undefined symbol: vgaHWFreeHWRec". There is a somewhat related report at  https://bugs.freedesktop.org/show_bug.cgi?id=41208. Therein, the author found a workaround consisting in  preloading modules in a certain sequence, which may be also an option if recompilation of xf86-video-virtualbox-4.1.8 can't be done for some reasons.

Comment 4 Magnus Granberg gentoo-dev

2012-02-26 12:52:29 UTC

Have updated xf86-video-virtualbox-4.1.8 with a patch for link with lazy

Comment 5 Faustus 2012-07-11 11:01:25 UTC

The patch is in stable for a long time now, so closing.

Comment 6 Christopher Jones 2013-12-16 06:45:44 UTC

this patch causes users with non-hardened gcc to fail in emerging this package at the prepare phase. I had to comment out this patch in the .ebulld file and update the digest to emerge this package. Again im not using a hardened kernel or hardened gcc and this caused my emerge of the x11-drivers/xf86-video-virtualbox-4.3.4 to fail in the prepare phase when it got to applying the patches. The other patches were successful but link-lazy.patch wasn't. So I saw that patch was for hardened-kernels. I commented out that code to apply it and now it compiles.

Comment 7 Magnus Granberg gentoo-dev

2013-12-16 20:01:28 UTC

(In reply to Christopher Jones from comment #6)
> this patch causes users with non-hardened gcc to fail in emerging this
> package at the prepare phase. I had to comment out this patch in the .ebulld
> file and update the digest to emerge this package. Again im not using a
> hardened kernel or hardened gcc and this caused my emerge of the
> x11-drivers/xf86-video-virtualbox-4.3.4 to fail in the prepare phase when it
> got to applying the patches. The other patches were successful but
> link-lazy.patch wasn't. So I saw that patch was for hardened-kernels. I
> commented out that code to apply it and now it compiles.
Open a new bug
The patch need a update to work on 4.3.4
The patch is for the hardened toolchain and it needed else will the
virtualbox video driver fail to load as in this bug.

Comment 8 Christopher Jones 2013-12-16 22:36:22 UTC

(In reply to Magnus Granberg from comment #7)
> (In reply to Christopher Jones from comment #6)
> > this patch causes users with non-hardened gcc to fail in emerging this
> > package at the prepare phase. I had to comment out this patch in the .ebulld
> > file and update the digest to emerge this package. Again im not using a
> > hardened kernel or hardened gcc and this caused my emerge of the
> > x11-drivers/xf86-video-virtualbox-4.3.4 to fail in the prepare phase when it
> > got to applying the patches. The other patches were successful but
> > link-lazy.patch wasn't. So I saw that patch was for hardened-kernels. I
> > commented out that code to apply it and now it compiles.
> Open a new bug
> The patch need a update to work on 4.3.4
> The patch is for the hardened toolchain and it needed else will the
> virtualbox video driver fail to load as in this bug.

Bug #494478