Bug 2070137

Summary: Unable to build openssh with sanitizer flags enabled
Product: Red Hat Enterprise Linux 8
Component: openssh
Version: 8.0
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: low
Priority: low
Target Milestone: rc
Target Release: ---
Reporter: gkamathe
Assignee: Dmitry Belyavskiy <dbelyavs>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: jjelen, mhavrila
Keywords: MoveUpstream, Triaged
Flags: gkamathe: needinfo-
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-08 06:28:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description gkamathe 2022-03-30 13:23:50 UTC
Description of problem:

I am trying to build openssh (from the source RPM on brew) with address sanitizer enabled.


Version-Release number of selected component (if applicable):

openssh-8.0p1


How reproducible:


Step 1 - Download openssh source rpm from brew (RHEL8 version used openssh-8.0p1)

Step 2 - extract RPM, tar.gz

Step 3 - Run configure within extracted source directory with following options


$ ./configure --with-cflags="-fsanitize=address" --with-ldflags="-fsanitize=address"

# or

$ ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address



The above command gets stuck at this stage:


checking for arc4random_stir... no
checking for arc4random_uniform... no
checking for ia_openinfo in -liaf... no
checking whether OpenSSL's PRNG is internally seeded... yes
checking whether SECCOMP_MODE_FILTER is declared... yes
checking kernel for seccomp_filter support... yes
checking if select works with descriptor rlimit...    <<<<<<<<<   


In the background, configure is currently running conftest:


$ ps -ef | grep configure
root      233731  223357  0 03:23 pts/1    00:00:01 /bin/sh ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
root      241481  233731  0 03:23 pts/1    00:00:00 /bin/sh ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
root      241568  223376  0 03:26 pts/0    00:00:00 grep --color=auto configure
$
$ pstree -pa 223357
bash,223357
  └─configure,233731 ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
      └─configure,241481 ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
          └─conftest,241482
              └─conftest,241483
$
$ ps -ef | grep conftest
root      241482  241481 98 03:23 pts/1    00:03:16 ./conftest
root      241483  241482 99 03:23 pts/1    00:03:17 ./conftest
root      241577  223376  0 03:27 pts/0    00:00:00 grep --color=auto conftest
$



$ pwd
/root/OSSH/openssh-8.0p1
$
$ find . | grep -i conftest
./conftest.sslincver
./conftest.ssllibver
./conftest.c
./conftest
$
$ file ./conftest
./conftest: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=957aa86d3c79a9400d57fbf6d423dfdc4f4e800c, with debug_info, not stripped
$

$ strace -f -p 249471
strace: Process 249471 attached
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0

<< snip >>

$

This seems to be related to the following test within configure.ac:

# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
 AC_MSG_CHECKING([if select works with descriptor rlimit])
 AC_RUN_IFELSE(
     [AC_LANG_PROGRAM([[


If I remove the above test from configure.ac, then ./configure with the above flags succeeds; however, make runs into the following errors:

<< snip >>
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -fsanitize=address -pie  -lssh -lopenbsd-compat  -lcrypto -lutil -lz  -lcrypt -lresolv 
/usr/bin/ld: ./libssh.a(ssh-pkcs11.o): undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
//usr/lib64/libdl.so.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make: *** [Makefile:173: ssh] Error 1
$


Actual results:

./configure hangs

Expected results:

./configure should complete, allowing me to "make" the project

Additional info:


$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 (Ootpa)
$
$ uname -r
4.18.0-348.el8.x86_64
$

Comment 1 gkamathe 2022-03-31 06:38:28 UTC
I had some help on this from elsewhere:


It seems that the configuration test misbehaves because setting the rlimit to zero prevents the address sanitizer from accessing its own files, potentially causing the hang. When run standalone it gives this error:

==112437==Can't open /proc/112436/task for reading.
==112436==LeakSanitizer has encountered a fatal error.
==112436==HINT: For debugging, try setting environment variable
LSAN_OPTIONS=verbosity=1:log_threads=1
==112436==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
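To make the hang from the description and the cause given in Comment 1 concrete, here is a standalone C reconstruction of what the "if select works with descriptor rlimit" probe does. It is an example added for this page, not the conftest that OpenSSH's configure.ac generates; the function and enum names are my own. The probe body runs in a forked child so the parent keeps its own limits and can report the result. Built normally, it reports "yes" on Linux. Built with -fsanitize=address, the child's exit() is where an ASan build runs into the LeakSanitizer failure quoted in Comment 1: the leak check runs from an exit handler and needs to open /proc/<pid>/task, which is impossible once RLIMIT_NOFILE is zero.

```c
/*
 * Reconstruction of the "select works with descriptor rlimit" configure
 * probe (added example, not OpenSSH's own conftest). The probe opens a
 * descriptor, drops RLIMIT_NOFILE and RLIMIT_FSIZE to zero, and checks
 * whether select(2) still works on the already-open descriptor.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child exit codes; 0/1 mirror the probe's "exit(r == -1 ? 1 : 0)". */
enum { PROBE_SELECT_OK = 0, PROBE_SELECT_FAILED = 1, PROBE_SETUP_FAILED = 2 };

/* Probe body. After setrlimit() it runs with RLIMIT_NOFILE == 0, so it
 * must not open anything and must not write to a regular file. */
static int run_probe_body(void)
{
    struct rlimit rl_zero = { 0, 0 };
    struct timeval tv = { 1, 0 };
    fd_set fds;
    int fd, r;

    fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return PROBE_SETUP_FAILED;
    FD_ZERO(&fds);
    FD_SET(fd, &fds);

    /* The rlimit sandbox: no new descriptors, no file writes. Lowering a
     * limit never needs privilege, so this works for any user. */
    if (setrlimit(RLIMIT_FSIZE, &rl_zero) != 0 ||
        setrlimit(RLIMIT_NOFILE, &rl_zero) != 0)
        return PROBE_SETUP_FAILED;

    /* /dev/null is always readable, so a working select() returns 1.
     * A platform that needs an extra descriptor inside select() gets -1
     * (EBADF/EMFILE), which is what the probe is designed to catch. */
    r = select(fd + 1, &fds, NULL, NULL, &tv);
    return r == -1 ? PROBE_SELECT_FAILED : PROBE_SELECT_OK;
}

/* Fork, run the probe in the child, return the child's exit code
 * (PROBE_* above) or -1 if fork/wait failed or the child was killed. */
int select_works_with_rlimit(void)
{
    pid_t pid;
    int status;

    /* Flush stdio first: the child inherits unflushed buffers, and with
     * RLIMIT_FSIZE == 0 flushing them to a regular file would raise
     * SIGXFSZ in the child instead of exiting cleanly. */
    fflush(NULL);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* exit(), not _exit(): the real probe calls exit(), and that is
         * what runs the exit handlers, LeakSanitizer's included. */
        exit(run_probe_body());
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = select_works_with_rlimit();

    printf("checking if select works with descriptor rlimit... %s\n",
           rc == PROBE_SELECT_OK ? "yes" :
           rc == PROBE_SELECT_FAILED ? "no" : "probe failed");
    return rc == PROBE_SELECT_OK ? 0 : 1;
}
```

The report does not say which workarounds were used. One general sanitizer knob, not taken from this bug, is ASAN_OPTIONS=detect_leaks=0, which disables the exit-time leak check in the child so the probe can finish; the upstream concern in Comment 4 still applies, because a build that passes the probe only with sanitizer settings changed is not the build that ships.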

Comment 3 Dmitry Belyavskiy 2022-06-03 11:17:23 UTC
Marek, thanks, reported upstream

Comment 4 Dmitry Belyavskiy 2022-06-06 09:26:45 UTC
Upstream provided an explanation of why such a build is hardly possible and will give us a result significantly different from what we ship.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441 

Dear Gaurav, having this information, do you consider it worth pursuing this goal?

Comment 5 gkamathe 2022-06-08 06:28:28 UTC
@dmitry thank you for pursuing this upstream. I think I'll drop this for now (and use the workarounds that are available); closing the issue.

Comment 6 Dmitry Belyavskiy 2022-07-01 08:01:57 UTC
Dear Gaurav, JFYI: upstream has been updated, so you probably now have everything you need for your purposes.

Comment 7 gkamathe 2022-07-01 09:10:35 UTC
Thanks Dmitry for working with upstream