Comment 1 Anthony Basile 2013-05-15 13:43:16 UTC

cilly, we need to see emerge --info, particularly since it makes a difference if it is x86 or amd64.

Created attachment 348396 [details]
emerge --info

emerge --info

Log while building:


May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: setup: Package:    sys-apps/rng-tools-4-r5
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: setup: Repository: gentoo
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: setup: Maintainer: base-system@gentoo.org
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: setup: USE:        abi_x86_32 elibc_glibc kernel_linux userland_GNU x86
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: setup: FEATURES:   sandbox suidctl
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: prepare: Applying test-for-argp.patch ...
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: prepare: Running eautoreconf in '/var/tmp/portage/sys-apps/rng-tools-4-r5/work/rng-tools-4' ...
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: prepare: Running aclocal ...
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: prepare: Running autoconf ...
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: prepare: Running autoheader ...
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: prepare: Running automake --add-missing --copy ...
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other: QA Notice: The following files contain runtime text relocations
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other:  Text relocations force the dynamic linker to perform extra
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other:  work at startup, waste system resources, and may pose a security
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other:  risk.  On some architectures, the code may not even function
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other:  properly, if at all.
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other:  For more information, see http://hardened.gentoo.org/pic-fix-guide.xml
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other:  Please include the following list of files in your report:
May 15 15:02:05 pluto portage[20565]: sys-apps/rng-tools-4-r5: other: TEXTREL usr/sbin/rngd

Log of grsec:

May 15 15:07:05 pluto kernel: [432922.835167] grsec: From 172.16.17.6: denied RWX mprotect of /usr/sbin/rngd by /usr/sbin/rngd[rngd:9782] uid/euid:0/0 gid/egid:0/0, parent /sbin/rc[start-stop-daem:9781] uid/euid:0/0 gid/egid:0/0
May 15 15:07:29 pluto kernel: [432946.671751] grsec: From 172.16.17.6: denied RWX mprotect of /usr/sbin/rngd by /usr/sbin/rngd[rngd:9858] uid/euid:0/0 gid/egid:0/0, parent /sbin/rc[start-stop-daem:9857] uid/euid:0/0 gid/egid:0/0

Created attachment 348398 [details]
scanelf -lptg

scanelf -lptg

Comment 6 SpanKY 2013-05-15 16:16:01 UTC

building executables as PIEs are generally a hardened-specific issue, and as such, we don't typically expect maintainers to "fix" their package.  it's up to the hardened team to triage/post patches/ideas, and then upstream/maintainers to investigate merging.

Comment 7 SpanKY 2013-05-15 16:16:10 UTC

Comment on attachment 348398 [details]
scanelf -lptg

this log is useless/pointless

Comment 8 SpanKY 2013-05-15 16:16:42 UTC

post the full build log as an attachment, not random snippts from syslog

Comment 9 Anthony Basile 2013-05-15 16:18:02 UTC

(In reply to comment #8)
> post the full build log as an attachment, not random snippts from syslog

Is due to rdrand_asm.S which is not x86 pic friendly.

Comment 10 Francisco Blas Izquierdo Riera 2013-05-15 16:58:24 UTC

Created attachment 348408 [details, diff]
Patch adding propper PIC support to the rdrand code.

There is a patch for the issue, if you intend to upstream it please add a small note marking me as the writer and blueness as the tester of said patch. Other than that consider it released under GPLv2 or higher as the original software.

Comment 11 SpanKY 2013-05-15 17:10:43 UTC

(In reply to comment #10)

nice, code looks good to me.  feel free to commit once you add some details to the top of the file:
http://dev.gentoo.org/~vapier/clean-patches

Comment 12 Francisco Blas Izquierdo Riera 2013-05-15 18:46:51 UTC

Created attachment 348418 [details, diff]
Same patch but making vapier happy after (c|p)utting a smile on his face :P

Comment 13 Francisco Blas Izquierdo Riera 2013-05-15 19:01:46 UTC

Created attachment 348420 [details, diff]
Small style fixes with tabulators... damned kate

Comment 14 Francisco Blas Izquierdo Riera 2013-05-15 19:10:07 UTC

In case you are interested I mailed this patch to upstream too, we'll see what they answer :)

@base-system, can we get an -r6 with the patch for now?

Comment 15 SpanKY 2013-05-15 19:56:39 UTC

(In reply to comment #14)

in comment #11 i gave blessing to revbump & commit the patch if you want to do it.  otherwise someone on base-system will get around to it.

Comment 16 Francisco Blas Izquierdo Riera 2013-05-15 20:47:15 UTC

(In reply to comment #15)
> (In reply to comment #14)
> 
> in comment #11 i gave blessing to revbump & commit the patch if you want to
> do it.  otherwise someone on base-system will get around to it.

No tree access for me until I do the dev quizzes, so I'll reassign it back to them :)

Comment 17 Anthony Basile 2013-05-15 22:52:06 UTC

*rng-tools-4-r6 (15 May 2013)

  15 May 2013; Anthony G. Basile <blueness@gentoo.org>
  +files/fix-textrels-on-PIC-x86.patch, +rng-tools-4-r6.ebuild:
  Fix assemby textrels on rdrand_asm.S on PIC x86, bug #469962

Thx!

sys-apps/rng-tools-4-r6 solves this issue, no TEXTRELs anymore. Tested on x86.

Comment 19 SpanKY 2013-05-22 05:14:02 UTC

(In reply to comment #17)

for future reference, patches should follow the standard naming convention of being prefixed with ${P}