Bug 1666823
| Summary: | annobin: Proper build flags do not result in annocheck-clean builds |
|---|---|
| Product: | Red Hat Enterprise Linux 8 |
| Component: | annobin |
| Version: | 8.1 |
| Status: | CLOSED ERRATA |
| Severity: | urgent |
| Priority: | urgent |
| Reporter: | Florian Weimer <fweimer> |
| Assignee: | Nick Clifton <nickc> |
| QA Contact: | Martin Cermak <mcermak> |
| CC: | cstratak, fweimer, law, mcermak, nickc |
| Target Milestone: | rc |
| Target Release: | 8.0 |
| Flags: | pm-rhel: mirror+ |
| Hardware: | All |
| OS: | All |
| Fixed In Version: | annobin-8.73-1.el8 |
| Doc Type: | No Doc Update |
| Type: | Bug |
| Last Closed: | 2019-11-05 20:54:32 UTC |
| Bug Depends On: | 1679669 |
| Bug Blocks: | 1684553 |
(In reply to Florian Weimer from comment #0)

Hi Florian,

> $ annocheck -v ./a.out
> annocheck: Version 8.64.
[...]
> Hardened: ./a.out: MAYB: The -D_FORTIFY_SOURCE=2 option was not seen.
> Hardened: ./a.out: MAYB: The -D_GLIBCXX_ASSERTIONS option was not seen.

Looks like a bug in annocheck:

```
$ readelf --wide --notes a.out | grep -e FORTIFY -e GLIBCXX
    GA+GLIBCXX_ASSERTIONS:true 0x00000000 OPEN Applies to region from 0x61f
    GA*FORTIFY:0xff 0x00000000 OPEN Applies to region from 0x61f
    GA+GLIBCXX_ASSERTIONS:true 0x00000000 OPEN Applies to region from 0x6d9
    GA*FORTIFY:0x2 0x00000000 OPEN Applies to region from 0x6d9
    GA*FORTIFY:0x2 0x00000000 func Applies to region from 0
    GA+GLIBCXX_ASSERTIONS:true 0x00000000 func Applies to region from 0
    GA*FORTIFY:0x2 0x00000000 OPEN Applies to region from 0x6e0 to 0x755
    GA+GLIBCXX_ASSERTIONS:true 0x00000000 OPEN Applies to region from 0x6e0 to 0x755
```

Investigating....

Hi Florian,

Right - the problem is that annocheck thinks that the FORTIFY and GLIBCXX notes cover the __libc_csu_init function (and others beyond that). Unfortunately __libc_csu_init is considered to be a special case because its compilation does not have the normal stack protection options enabled and so annocheck skips tests for this function.

But the bug is that annocheck skips *all* the tests for __libc_csu_init, not just the stack protection related ones. So it skips the FORTIFY and GLIBCXX tests. Now for reasons I have not investigated annocheck thinks that all of the FORTIFY and GLIBCXX notes start at __libc_csu_init, and so it ignores them all, and then reports a MAYBE result because it did not find any notes that it could process.

I am currently pondering the best way to fix this. The obvious solution would be to have the skip_check() function only skip tests for special functions if the test is one that is known to be a problem for that function. But I am worried that if I do this I will introduce new annocheck failures if I do not get the list of known exceptions right. An alternative would be to not skip checks if the test is going to record a pass result. This would be safer, and it is the solution I am currently testing.

More to follow...

Cheers
Nick

Hi Florian,

Well that did not work. So I have gone back to the original idea of only skipping specific checks for specific symbols. This works, but I suspect that I will have to tweak the list of skipped checks once more annocheck results come in.

In the meantime the fixed code is now in Fedora rawhide, as part of annobin 8.67. Once RHEL 8.1 opens up for development I will include the fix there.

Cheers
Nick

Fixed in: annobin-8.73-1.el8

Verified with annobin-8.76-2.el8.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3356
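A simplified model of the skip logic discussed in the comments above, added here as an illustration; it is not annocheck's code. Apart from `skip_check` and `__libc_csu_init`, the check names, structs and sample notes are assumptions. It shows how a per-symbol blanket skip turns present FORTIFY and GLIBCXX notes into a MAYB result, and how a per-symbol, per-check list avoids that while still suppressing the stack protection check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified model; check names, structs and sample notes are assumptions. */
enum check  { STACK_PROT, FORTIFY, GLIBCXX_ASSERTIONS };
enum result { MAYBE, PASS, FAIL };
struct note { enum check check; const char *sym; bool ok; };
typedef bool (*skip_fn)(enum check, const char *sym);
/* Behaviour described in the bug: every check is skipped for a special symbol. */
static bool skip_check_blanket(enum check c, const char *sym) {
    (void)c;  /* which check is running is never consulted */
    return strcmp(sym, "__libc_csu_init") == 0;
}

/* Fix described in the bug: skip only checks known to misfire for that symbol. */
static bool skip_check_specific(enum check c, const char *sym) {
    static const struct { const char *sym; enum check check; } skips[] = {
        { "__libc_csu_init", STACK_PROT },  /* built without normal stack protection */
    };
    for (size_t i = 0; i < sizeof skips / sizeof skips[0]; i++)
        if (skips[i].check == c && strcmp(skips[i].sym, sym) == 0)
            return true;
    return false;
}

/* MAYBE if no note was processed, FAIL on a bad processed note, else PASS. */
static enum result evaluate(enum check c, const struct note *n, size_t len, skip_fn skip) {
    enum result r = MAYBE;
    for (size_t i = 0; i < len; i++) {
        if (n[i].check != c || skip(c, n[i].sym)) continue;
        if (!n[i].ok) return FAIL;
        r = PASS;
    }
    return r;
}

/* Constructed sample: FORTIFY/GLIBCXX notes all attributed to __libc_csu_init. */
static const struct note notes[] = {
    { FORTIFY, "__libc_csu_init", true }, { GLIBCXX_ASSERTIONS, "__libc_csu_init", true },
    { STACK_PROT, "main", true },         { STACK_PROT, "__libc_csu_init", false },
};
#define N_NOTES (sizeof notes / sizeof notes[0])
int main(void) {
    static const char *names[] = { "MAYB", "PASS", "FAIL" };
    printf("FORTIFY: blanket=%s specific=%s\n",
           names[evaluate(FORTIFY, notes, N_NOTES, skip_check_blanket)],
           names[evaluate(FORTIFY, notes, N_NOTES, skip_check_specific)]);
    return 0;
}
```
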
Created attachment 1521087
readelf -nW output

This minimal example:

```
$ cat t.c
#include <stdio.h>

int
main (void)
{
  puts ("Hello, world!");
}
```

When compiled like this:

```
$ gcc `rpm --eval "%{build_cflags} %{build_ldflags}"` t.c
```

results in an annocheck error:

```
$ annocheck -v ./a.out
annocheck: Version 8.64.
Hardened: ./a.out: PASS: No gaps found.
Hardened: ./a.out: PASS: Linked with -Wl,-z,now.
Hardened: ./a.out: PASS: Compiled with -fcf-protection.
Hardened: ./a.out: PASS: One dynamic section/segment found.
Hardened: ./a.out: PASS: Entry point instruction is ENDBR.
Hardened: ./a.out: MAYB: The -D_FORTIFY_SOURCE=2 option was not seen.
Hardened: ./a.out: MAYB: The -D_GLIBCXX_ASSERTIONS option was not seen.
Hardened: ./a.out: PASS: Linked with -Wl,-z,relro.
Hardened: ./a.out: PASS: Stack not executable.
Hardened: ./a.out: PASS: Compiled with sufficient optimization.
Hardened: ./a.out: PASS: Compiled with PIC/PIE.
Hardened: ./a.out: PASS: Compiled as a position independent binary.
Hardened: ./a.out: PASS: Good GNU Property note.
Hardened: ./a.out: PASS: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: ./a.out: PASS: No RWX segments found.
Hardened: ./a.out: PASS: Consistent use of the -fshort-enum option.
Hardened: ./a.out: PASS: Compiled with -fstack-clash-protection.
Hardened: ./a.out: PASS: Compiled with sufficient stack protection.
Hardened: ./a.out: skip: Test for stack realignment support. (Only needed on i686 binaries).
Hardened: ./a.out: PASS: No text relocations found.
Hardened: ./a.out: PASS: No thread cancellation problems.
Hardened: ./a.out: PASS: GOT/PLT relocations are read only.
$ echo $?
1
```

readelf -nW output suggests that *some* information is there.

Package versions:

```
annobin-8.64-1.el8.x86_64
gcc-8.2.1-3.5.el8.x86_64
redhat-rpm-config-115-1.el8.noarch
binutils-2.30-49.el8.x86_64
glibc-2.28-42.el8.x86_64
```

I'm at a loss what's going on here. Obviously, this has worked before.