Bug 1956988

Summary: annocheck reports that kernel-tools is compiled without -fstack-protector-strong, -D_FORTIFY_SOURCE=2, and -fPIE/-fPIC
Product: Red Hat Enterprise Linux 9
Reporter: Jan Pazdziora <jpazdziora>
Component: kernel
Assignee: Herton R. Krzesinski <hkrzesin>
kernel sub component: Packaging
QA Contact: Linqing Lu <lilu>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
CC: dhoward, jjaburek, jpazdziora, lilu, rlemosor
Version: 9.0
Keywords: TestOnly
Target Milestone: beta
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: kernel-5.14.0-0.rc4.35.el9
Last Closed: 2021-12-02 21:19:45 UTC
Type: Bug
Bug Blocks: 2044387    

Description Jan Pazdziora 2021-05-04 19:46:35 UTC
Description of problem:

Running annocheck on kernel-tools reports that binaries in /usr/bin were compiled without stack protector and without position independent code.

Version-Release number of selected component (if applicable):

kernel-tools-5.12.0-1.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. rpm -ql kernel-tools | xargs annocheck -v --ignore-gaps | grep FAIL:

Actual results:

Hardened: /usr/bin/lsiio: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/lsiio: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/lsiio: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x401620..0x401625) 
Hardened: /usr/bin/lsgpio: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/lsgpio: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/lsgpio: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x401270..0x401275) 
Hardened: /usr/bin/iio_generic_buffer: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/iio_generic_buffer: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/iio_generic_buffer: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x401d90..0x401d95) 
Hardened: /usr/bin/iio_event_monitor: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/iio_event_monitor: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/iio_event_monitor: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x4015a0..0x4015a5) 
Hardened: /usr/bin/gpio-watch: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/gpio-watch: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/gpio-watch: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x4012b0..0x4012b5) 
Hardened: /usr/bin/gpio-hammer: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/gpio-hammer: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/gpio-hammer: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x4012a0..0x4012a5) 
Hardened: /usr/bin/gpio-event-mon: FAIL: pie test because not linked with -Wl,-pie 
Hardened: /usr/bin/gpio-event-mon: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: /usr/bin/gpio-event-mon: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x4013a0..0x4013a5) 
Hardened: /usr/bin/cpupower: FAIL: optimization test because level too low (addr range: 0x3f39..0xd326) 

Expected results:

No FAILs reported by annocheck.

Additional info:
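
Added example, not part of the original report or of annocheck: a small Python filter that parses FAIL lines in the format shown under "Actual results", groups binaries by failing test and reason so shared build-flag causes stand out, and returns a non-zero status for use as a build gate. The function names and the `waived` parameter are hypothetical, and the sample input is a constructed subset of the lines above.

```python
import re
import sys
from collections import defaultdict

# Line format as shown under "Actual results"; the address range is optional.
FAIL_RE = re.compile(
    r"^Hardened: (?P<path>.+?): FAIL: (?P<test>\S+) test because (?P<reason>.*?)"
    r"(?: \(addr range: (?P<lo>0x[0-9a-f]+)\.\.(?P<hi>0x[0-9a-f]+)\))?\s*$"
)

# Constructed sample: five lines copied from the report plus one unrelated line.
SAMPLE = """\
Hardened: /usr/bin/lsiio: FAIL: pie test because not linked with -Wl,-pie
Hardened: /usr/bin/lsiio: FAIL: bind-now test because not linked with -Wl,-z,now
Hardened: /usr/bin/lsiio: FAIL: stack-prot test because stack protection deliberately disabled (addr range: 0x401620..0x401625)
Hardened: /usr/bin/lsgpio: FAIL: pie test because not linked with -Wl,-pie
Hardened: /usr/bin/cpupower: FAIL: optimization test because level too low (addr range: 0x3f39..0xd326)
unrelated line that must be ignored (constructed)
"""

def parse_failures(text):
    """Return one dict per FAIL line; every other line is ignored."""
    return [m.groupdict() for m in map(FAIL_RE.match, text.splitlines()) if m]

def group_by_cause(failures):
    """Map (test, reason) -> sorted binaries that share that failure."""
    groups = defaultdict(set)
    for f in failures:
        groups[(f["test"], f["reason"])].add(f["path"])
    return {cause: sorted(paths) for cause, paths in groups.items()}

def gate(text, waived=frozenset()):
    """Return 1 if any (path, test) pair fails and is not waived, else 0."""
    bad = {(f["path"], f["test"]) for f in parse_failures(text)} - set(waived)
    return 1 if bad else 0

if __name__ == "__main__":
    # Read annocheck output from a pipe, or fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    causes = group_by_cause(parse_failures(data))
    for (test, reason), paths in sorted(causes.items()):
        print(f"{test}: {reason} ({len(paths)} binaries)")
        for path in paths:
            print(f"  {path}")
    sys.exit(gate(data))
```

Saved under a name of your choosing, it can take the output of the command from "Steps to Reproduce" on standard input, without the trailing grep.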