Bug 2026296

Summary: rpminspect report invalid-looking DT_RPATH for binutils binaries
Product: Red Hat Enterprise Linux 9
Component: binutils
binutils sub component: system-version
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 9.0
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: binutils-2.35.2-13.el9
Story Points: ---
Last Closed: 2022-05-17 15:58:36 UTC
Regression: ---
Documentation: ---
oVirt Team: ---
Cloudforms Team: ---
Reporter: Miloš Prchlík <mprchlik>
Assignee: Nick Clifton <nickc>
QA Contact: Miloš Prchlík <mprchlik>
CC: dcantrell, fweimer, mprchlik, nickc, ohudlick
Keywords: Bugfix, Triaged
Flags: pm-rhel: mirror+
Doc Type: No Doc Update
Type: Bug
Mount Type: ---
Category: ---

Description Miloš Prchlík 2021-11-24 10:14:16 UTC
Description of problem:

Seems to be spread over all architectures and several binaries.


rpminspect version: 1.7-0.1.202110111942git.el9 (with data package: 1.5)
rpminspect profile: rhel-9-devel
new build: binutils-2.35.2-10.el9
old build: not found (in rhel-9.0.0-pending brew tag)

Test description:
Check for forbidden paths in both the DT_RPATH and DT_RUNPATH settings in ELF shared objects.

======================================== Test Output ========================================

runpath:
--------

1) /usr/bin/addr2line has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


2) /usr/bin/ar has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


3) /usr/bin/as has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


4) /usr/bin/c++filt has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


5) /usr/bin/gprof has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


6) /usr/bin/ld.bfd has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


7) /usr/bin/nm has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


8) /usr/bin/objcopy has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


9) /usr/bin/objdump has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


10) /usr/bin/ranlib has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


11) /usr/bin/readelf has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


12) /usr/bin/size has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


13) /usr/bin/strings has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


14) /usr/bin/strip has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


15) /usr/lib64/libopcodes-2.35.2-10.el9.so has an invalid-looking DT_RPATH on aarch64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


16) /usr/bin/ld.bfd has an invalid-looking DT_RPATH on ppc64le: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


17) /usr/bin/ld.bfd has an invalid-looking DT_RPATH on x86_64: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


18) /usr/bin/ld.bfd has an invalid-looking DT_RPATH on s390x: /usr/lib64

Result: VERIFY
Waiver Authorization: Anyone

Suggested Remedy:
Either DT_RPATH or DT_RUNPATH properties were found on ELF shared objects in this package.  The use of DT_RPATH and DT_RUNPATH is discouraged except in certain situations.  Check to see that you a disabling rpath during the %build stage of the spec file.  If you are unable to do this easily, you can try using a program such as patchelf to remove these properties from the ELF files.


Version-Release number of selected component (if applicable):

binutils-2.35.2-10.el9



Comment 1 Nick Clifton 2021-11-24 12:39:01 UTC
(In reply to Miloš Prchlík from comment #0)

> 1) /usr/bin/addr2line has an invalid-looking DT_RPATH on aarch64: /usr/lib64

I think that this *might* actually be a bug in rpminspect.  The path /usr/lib64
should be valid, although arguably redundant.  The code in 
/usr/lib/rpm/check-rpaths-worker, however, appears to only accept /usr/lib64/, i.e.
with a trailing forward slash:

	    case "$j" in
	        (/lib/*|/usr/lib/*|/usr/X11R6/lib/*|/usr/local/lib/*)
		    badness=0;;
	        (/lib64/*|/usr/lib64/*|/usr/X11R6/lib64/*|/usr/local/lib64/*)
		    badness=0;;

So I am going to set a needinfo from David to see if he agrees...
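
The trailing-slash behaviour described in comment 1, as an added example that is not part of the bug report and is not code from rpm or rpminspect: it applies only the two pattern groups quoted above to each colon-separated entry of a DT_RPATH/DT_RUNPATH value taken from `readelf -d` output. The function names, the "unmatched" label and the sample input are assumptions made for the example; what the real script does with entries that match neither group is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from rpm or rpminspect.
# The two pattern groups are the ones quoted from check-rpaths-worker above;
# the "unmatched" label is chosen for this example only.
classify_entry() {
    case "$1" in
        (/lib/*|/usr/lib/*|/usr/X11R6/lib/*|/usr/local/lib/*)
            echo "badness=0" ;;
        (/lib64/*|/usr/lib64/*|/usr/X11R6/lib64/*|/usr/local/lib64/*)
            echo "badness=0" ;;
        (*)
            echo "unmatched" ;;
    esac
}

# Read `readelf -d` output on stdin and print "TAG entry verdict" for every
# colon-separated entry of each DT_RPATH / DT_RUNPATH value.
audit_dynamic() {
    sed -nE 's/^.*\((RPATH|RUNPATH)\).*\[(.*)\]$/\1 \2/p' |
    while read -r tag paths; do
        printf '%s\n' "$paths" | tr ':' '\n' |
        while read -r entry; do
            echo "$tag $entry $(classify_entry "$entry")"
        done
    done
}

# Constructed sample in the format printed by `readelf -d`
# (the second RPATH entry is invented to show a matching path).
sample_readelf_output() {
    cat <<'EOF'
Dynamic section at offset 0x1d58 contains 2 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libbfd-2.35.2-10.el9.so]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib64:/usr/lib64/private]
EOF
}

sample_readelf_output | audit_dynamic
```

On a real system the input would come from `readelf -d <file> | audit_dynamic`.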

Comment 2 David Cantrell 2021-11-24 15:16:40 UTC
I don't think this is a bug in rpminspect, but just a policy configuration change for the appropriate rpminspect data package.  By default there are no allowed paths specified for the runpath inspection, so if we want to allow the above in DT_RPATH or DT_RUNPATH, they have to be added to the configuration file so rpminspect knows they are permitted.  Easy enough to change.

I assume the above applies to Fedora, CentOS, and RHEL?  Because we would need to adjust the configuration file in each vendor package.

Comment 3 Nick Clifton 2021-11-25 10:24:33 UTC
(In reply to David Cantrell from comment #2)
> I don't think this is a bug in rpminspect, but just a policy configuration
> change for the appropriate rpminspect data package. 

Ah, OK, I must have misread the rpminspect code.  I do not want to make a policy change.  At least not via this mechanism.
So I will try setting QA_RPATH in the binutils spec file instead.

Comment 4 Florian Weimer 2021-11-26 12:46:15 UTC
Isn't the proper fix to remove /usr/lib64 from the binaries?

RUNPATH/RPATH add a tiny bit of extra startup overhead because they disable the use of /etc/ld.so.cache:

# strace -eopenat /usr/bin/ld
openat(AT_FDCWD, "/usr/lib64/glibc-hwcaps/x86-64-v3/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/glibc-hwcaps/x86-64-v2/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/tls/haswell/x86_64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/tls/haswell/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/tls/x86_64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/tls/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/haswell/x86_64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/haswell/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/x86_64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libctf.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
[…]
/usr/bin/ld: no input files

glibc caches path non-existence, but if something is installed that populates these alternative paths, more failing openat calls for the other shared objects (libctf.so.0, libc.so.6, libz.so.1) would be present.
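
One way to quantify the search-path probing shown in comment 4, as an added example that is not part of the bug report: it counts, per shared object, the failed `openat` calls in `strace -e openat` output. The function names are assumptions made for the example, and the sample is a shortened excerpt of the trace above.

```shell
#!/bin/sh
# Added example: summarise library search probes in `strace -e openat` output.
# Prints "<file name> <number of ENOENT probes>" for every object that was
# eventually opened, in the order of the first successful open.
failed_probes() {
    awk -F'"' '
        /^openat\(/ {
            n = split($2, parts, "/")      # $2 is the quoted path argument
            name = parts[n]                # basename of the probed path
            if ($0 ~ /= -1 ENOENT/)
                miss[name]++
            else if (!(name in seen)) {
                seen[name] = 1
                order[++k] = name
            }
        }
        END {
            for (i = 1; i <= k; i++)
                printf "%s %d\n", order[i], miss[order[i]]
        }
    '
}

# Shortened excerpt of the trace in comment 4 (three of the nine failed probes).
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/usr/lib64/glibc-hwcaps/x86-64-v3/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/tls/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/x86_64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libbfd-2.35.2-10.el9.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libctf.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
/usr/bin/ld: no input files
EOF
}

sample_trace | failed_probes
```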

Comment 5 Nick Clifton 2021-11-26 13:12:03 UTC
(In reply to Florian Weimer from comment #4)
> Isn't the proper fix to remove /usr/lib64 from the binaries?

Yes - but that is going to need an upstream fix.  Adding QA_RPATH to the binutils.spec file allows the build to complete now and gives me more time to investigate a proper upstream change.

Comment 6 Nick Clifton 2021-11-26 13:24:51 UTC
Fixed (or rather worked around) in binutils-2.35.2-12.el9.

Comment 17 Miloš Prchlík 2021-12-13 13:44:01 UTC
Verified with binutils-2.35.2-13.el9

Comment 19 errata-xmlrpc 2022-05-17 15:58:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: binutils), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3985