Bug 1657912

Summary: gaps errors reported in rpmdiff - annocheck
Product: Red Hat Enterprise Linux 8 Reporter: Michal Hlavinka <mhlavink>
Component: annobinAssignee: Nick Clifton <nickc>
Status: CLOSED ERRATA QA Contact: Martin Cermak <mcermak>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.1CC: fweimer, jmarchan, kdudka, law, mcermak, nickc
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: annobin-8.73-1.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 20:54:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1679669    
Bug Blocks: 1684553    

Description Michal Hlavinka 2018-12-10 17:32:22 UTC 
Description of problem:
annocheck reports gaps errors

Version-Release number of selected component (if applicable):
dovecot-2.2.36-5.el8

How reproducible:
always

Steps to Reproduce:
1.download and install dovecot\*rpm 
2.annocheck -v /usr/lib64/dovecot/libdovecot.so.0.0.0


Actual results:
annocheck: Version 8.63.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (36410..368ec probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-program-client/program-client.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (36910..37567 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-program-client/program-client-remote.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (375a0..37b9f probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-master/master-service-settings.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (37bd0..38616 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-settings/settings-parser.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (38640..38da1 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-http/http-request-parser.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (38e30..394a5 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-http/http-client-connection.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (394d0..39768 probable component: http_client_peer_disconnect.part.10.cold.14) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (397a0..3acd5 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-http/http-server-response.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3ad00..3aff3 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-fs/fs-randomfail.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3b020..3baeb probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-fs/istream-metawrap.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3bb20..3bc64 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-dict/dict-memcached.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3bca0..3be25 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-dict/dict-memcached-ascii.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3be90..3c1b4 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-dict/dict-redis.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3c1f0..3c62e probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-dns/dns-lookup.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3c660..3cc94 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-imap/imap-quote.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3ccc0..3cd14 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-mail/istream-dot.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3cd80..3d191 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-mail/istream-header-filter.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3d1c0..3d55e probable component: message_decoder_decode_next_block.cold.10) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3d590..3d8f0 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-mail/message-part-data.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3d920..3dcde probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-mail/message-part-data.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3dd10..3df4a probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-auth/auth-client.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3df90..3e1c8 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-auth/auth-master.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3e200..3f0a2 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib-charset/charset-iconv.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3f0d0..3f320 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/aqueue.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3f350..3fa2c probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/buffer.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3fb30..3fb5c probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/failures.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3fcf0..3fd43 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/failures.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (3fe20..40be6 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/failures.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (40c20..4323d probable component: hash2_remove.cold.8) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (43260..440ed probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/mempool-system.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (44120..45024 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/seq-range-array.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (45050..45204 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/var-expand.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: gap:  (45230..452b0 probable component: /usr/src/debug/dovecot-2.2.36-5.el8.x86_64/src/lib/data-stack.c) in annobin notes.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: FAIL: Gaps were detected in the annobin coverage.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Linked with -Wl,-z,now.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with -fcf-protection.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: One dynamic section/segment found.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: skip: Entry point instruction.  (Not an executable).
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with -D_FORTIFY_SOURCE=2.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Linked with -Wl,-z,relro.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Stack not executable.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with sufficient optimization.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with PIC/PIE.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled as a position independent binary.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Good GNU Property note.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: No RWX segments found.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Consistent use of the -fshort-enum option.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with -fstack-clash-protection.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: Compiled with sufficient stack protection.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: skip: Test for stack realignment support.  (Only needed on i686 binaries).
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: No text relocations found.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: No thread cancellation problems.
Hardened: /usr/lib64/dovecot/libdovecot.so.0.0.0: PASS: GOT/PLT relocations are read only.


Expected results:
no gap errors

Additional info:
Comment 1 Nick Clifton 2018-12-11 11:03:58 UTC 
These FAIL results are due to a bug in the annobin plugin.  It has code
to handle gcc's hot/cold partitioning, but it had only ever been tested
on a file containing only one cold function.  When multiple cold functions
are created in the same object file, gcc creates multiple sections for each.
The problem was that annobin tried to create a symbol to indicate the end
of the cold section, but it was only attached to the first such section.
The others were missed, and so they showed up as gaps in the notes.

Fixed with annobibn-8.65.  Currently waiting on the correct flags to commit.
Comment 4 Nick Clifton 2018-12-11 16:54:11 UTC 
Postoning to 8.1 as there is no urgency to have the bug fixed now,
and there is the potential to break other builds if my patch contains a
bug.
Comment 9 Nick Clifton 2019-04-26 12:55:30 UTC 
Fixed in: annobin-8.73-1.el8
Comment 12 Kamil Dudka 2019-08-29 08:48:10 UTC 
This bug seem to trigger new false positives on RHEL-8.0.0.z builds of nghttp2:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=23232399

$ annocheck -v /usr/bin/nghttpx
annocheck: Version 8.73.
Hardened: /usr/bin/nghttpx: gap:  (15300..15ffa probable component: /usr/src/debug/nghttp2-1.33.0-1.el8_0.x86_64/src/shrpx_http2_upstream.cc) in annobin notes.
Hardened: /usr/bin/nghttpx: gap:  (16030..16a48 probable component: /usr/src/debug/nghttp2-1.33.0-1.el8_0.x86_64/src/shrpx_http2_session.cc) in annobin notes.
Hardened: /usr/bin/nghttpx: gap:  (16aa0..17f36 probable component: /usr/include/c++/8/bits/std_function.h) in annobin notes.
Hardened: /usr/bin/nghttpx: gap:  (17f90..1828c probable component: /usr/src/debug/nghttp2-1.33.0-1.el8_0.x86_64/src/shrpx_worker_process.cc) in annobin notes.
Hardened: /usr/bin/nghttpx: gap:  (182d0..19270 probable component: /usr/include/c++/8/bits/stl_vector.h) in annobin notes.
Hardened: /usr/bin/nghttpx: gap:  (192a0..199c0 probable component: /usr/src/debug/nghttp2-1.33.0-1.el8_0.x86_64/src/shrpx.cc) in annobin notes.
Hardened: /usr/bin/nghttpx: FAIL: Gaps were detected in the annobin coverage.
Hardened: /usr/bin/nghttpx: PASS: Linked with -Wl,-z,now.
Hardened: /usr/bin/nghttpx: PASS: Compiled with -fcf-protection.
Hardened: /usr/bin/nghttpx: PASS: One dynamic section/segment found.
Hardened: /usr/bin/nghttpx: PASS: Entry point instruction is ENDBR.
Hardened: /usr/bin/nghttpx: PASS: Compiled with -D_FORTIFY_SOURCE=2.
Hardened: /usr/bin/nghttpx: PASS: Compiled with -D_GLIBCXX_ASSERTIONS.
Hardened: /usr/bin/nghttpx: PASS: Linked with -Wl,-z,relro.
Hardened: /usr/bin/nghttpx: PASS: Stack not executable.
Hardened: /usr/bin/nghttpx: PASS: Compiled with sufficient optimization.
Hardened: /usr/bin/nghttpx: PASS: Compiled with PIC/PIE.
Hardened: /usr/bin/nghttpx: PASS: Compiled as a position independent binary.
Hardened: /usr/bin/nghttpx: PASS: Good GNU Property note.
Hardened: /usr/bin/nghttpx: PASS: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: /usr/bin/nghttpx: PASS: No RWX segments found.
Hardened: /usr/bin/nghttpx: PASS: Consistent use of the -fshort-enum option.
Hardened: /usr/bin/nghttpx: PASS: Compiled with -fstack-clash-protection.
Hardened: /usr/bin/nghttpx: PASS: Compiled with sufficient stack protection.
Hardened: /usr/bin/nghttpx: skip: Test for stack realignment support.  (Only needed on i686 binaries).
Hardened: /usr/bin/nghttpx: PASS: No text relocations found.
Hardened: /usr/bin/nghttpx: PASS: No thread cancellation problems.
Hardened: /usr/bin/nghttpx: PASS: GOT/PLT relocations are read only.


How can one easily decide what is safe to waive and what not?
Comment 13 Florian Weimer 2019-08-29 08:58:10 UTC 
GDB shows this for the address:

Address range 0x152fd to 0x1530d:
   0x00000000000152fd <-193139>:	mov    %rbx,%rdi
   0x0000000000015300 <-193136>:	callq  0x6a120 <shrpx::Log::~Log()>
   0x0000000000015305 <-193131>:	mov    %rbp,%rdi
   0x0000000000015308 <-193128>:	callq  0x13a90 <_Unwind_Resume@plt>
End of assembler dump.
(gdb) info symb 0x15300
shrpx::(anonymous namespace)::settings_timeout_cb(ev_loop*, ev_timer*, int) [clone .cold.158] + 3 in section .text of /usr/bin/nghttpx

This could be an annobin plugin problem in the creation of the annotation for the cold partition of the function.
Comment 14 Nick Clifton 2019-08-29 10:27:48 UTC 
(In reply to Florian Weimer from comment #13)
> This could be an annobin plugin problem in the creation of the annotation
> for the cold partition of the function.

Entirely likely.  The logs show that the build was done using annobin 8.64.  
Version 8.65 includes a patch specifically designed to address cold functions
(in the .text.unlikely section).


(In reply to Kamil Dudka from comment #12)
> This bug seem to trigger new false positives on RHEL-8.0.0.z builds of
> nghttp2:
> 
> How can one easily decide what is safe to waive and what not?

It is safe to waive these results.

Ideally it would be nice to have a newer version of annobin in the RHEL-8
buildroot, but I do not see this as being worthy of a z-stream exception.
Comment 15 Kamil Dudka 2019-08-29 10:48:39 UTC 
Thanks for the quick reply on this!
Comment 19 errata-xmlrpc 2019-11-05 20:54:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3356