Bug 2144509

Summary: annocheck reports that no compiled code found in /usr/bin and /usr/sbin
Product: Red Hat Enterprise Linux 9
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: iputils
Assignee: Jan Macku <jamacku>
Status: CLOSED ERRATA
QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: fsumsal, jamacku, jpazdziora, msekleta, nickc
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: iputils-20210202-8.el9
Doc Type: If docs needed, set a value
Last Closed: 2023-05-09 08:21:38 UTC
Type: Bug
Bug Blocks: 2147538, 2147539, 2148430

Description Jan Pazdziora (Red Hat) 2022-11-21 14:12:14 UTC
Description of problem:

Attempting to test if iputils' binaries were properly built with stack protection via -fstack-protector-strong yields skip: stack-prot test because no compiled code found.

Version-Release number of selected component (if applicable):

iputils-20210202-7.el9.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck iputils
2. dnf debuginfo-install -y iputils
3. rpm -ql iputils | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:

annocheck: Version 10.54.
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: /usr/bin/clockdiff: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/clockdiff: Overall: PASS.
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: /usr/bin/ping: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/ping: Overall: PASS.
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: /usr/bin/tracepath: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/tracepath: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test 
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: /usr/sbin/rdisc: skip: stack-prot test because no compiled code found 
Hardened: /usr/sbin/rdisc: Overall: PASS.

Expected results:

No "skip: stack-prot test because no compiled code found" on binaries.

Additional info:

Adding Nick to Cc in case this turns out to be an issue in annocheck itself.

Comment 3 Nick Clifton 2022-11-21 15:57:35 UTC
Hi Jan,

  I think that this might be a build issue with iputils, but I am willing to be
  persuaded otherwise.  Here are some things that I found:
 
> Hardened: arping: warn: Failed to parse separate debug file
> '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug',
> (no DWARF information).

  This does indeed appear to be true.  That is, the debug info files
  do not actually appear to contain DWARF debug information.  I suspect
  that this is because there was no debug information in the binary before
  it was split into a stripped file and a separate debuginfo file.

> Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code
> found 

  This is happening because there are no annobin notes in the binary apart 
  from one which came from an assembler source file.  Hence annocheck is
  unable to prove that the binary was actually produced by a compiler.

  Annocheck does look to see if there is a .comment section in the binary,
  which can sometimes help determine which tool was used to create the
  program, but this is also missing.  It also checks the DW_AT_producer
  tag in the DWARF debug info, but since that info is missing, annocheck
  is at a loss for any other way to determine how the program was made.

 
Checking the build.log for the x86_64 build of iputils-20210202-7.el9.x86_64
I found this for the production of the clockdiff executable:

  [22/29] gcc -Iclockdiff.p -I. -I.. -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -Wpedantic -std=c99 -include config.h -include git-version.h '-DGETTEXT_PACKAGE="iputils"' -DUSE_IDN -fpie -MD -MQ clockdiff.p/clockdiff.c.o -MF clockdiff.p/clockdiff.c.o.d -o clockdiff.p/clockdiff.c.o -c ../clockdiff.c

So it looks like it is being compiled without any security options, without
debugging and without the annobin plugin.  Hence the weird results from 
annocheck.

The same appears to be true for arping, ping and the other executables. :-(

Cheers
  Nick
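
Comment 3 above explains why annocheck prints "Overall: PASS" next to a skipped stack-prot test: with no annobin notes, no .comment section and no DW_AT_producer, it cannot prove the file came from a compiler, so the test is skipped rather than failed. The following checker is an added example (not part of this bug report, of annocheck or of iputils) that parses annocheck's verbose output in the line format shown in this report and treats a skipped or absent stack-prot result as UNPROVEN instead of PASS, which is what a build gate should do. The sample lines are taken from the report except the FAIL line, whose wording is constructed for contrast.

```python
import re

# Constructed sample in the line format annocheck printed in this report: one
# binary with the "no compiled code found" skip, one genuine PASS and a made-up
# FAIL line (its wording is not from the report) so all three verdicts appear.
SAMPLE_OUTPUT = """\
annocheck: Version 10.54.
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code found
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: /usr/bin/example: FAIL: stack-prot test because stack protection was not enabled
Hardened: /usr/bin/example: Overall: FAIL.
"""

# "Hardened: <name>: <verdict>: <message>". Warn lines carry the bare file
# name and test lines the full path, so results are keyed by base name.
LINE_RE = re.compile(
    r"^Hardened: (?P<name>[^:]+): (?P<verdict>PASS|FAIL|skip|warn|Overall): ?(?P<rest>.*)$")
TEST_RE = re.compile(r"^(\S+) test\b")  # "stack-prot test because ..." -> stack-prot


def parse_annocheck(text):
    """Group annocheck output per binary: per-test verdict, warnings, overall."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # version banner and anything else that is not a result
        name = m.group("name").rsplit("/", 1)[-1]
        entry = results.setdefault(name, {"tests": {}, "warnings": [], "overall": None})
        verdict, rest = m.group("verdict"), m.group("rest").strip()
        if verdict == "Overall":
            entry["overall"] = rest.rstrip(".")
        elif verdict == "warn":
            entry["warnings"].append(rest)
        else:
            t = TEST_RE.match(rest)
            if t:
                entry["tests"][t.group(1)] = verdict  # PASS, FAIL or skip
    return results


def gate(results, test="stack-prot"):
    """Strict per-binary verdict: only an explicit PASS counts. A skipped test
    becomes UNPROVEN rather than PASS, because 'Overall: PASS' in that case
    says nothing about whether -fstack-protector-strong was actually used."""
    verdicts = {}
    for name, r in results.items():
        v = r["tests"].get(test)
        verdicts[name] = v if v in ("PASS", "FAIL") else "UNPROVEN"
    return verdicts
```

Feeding the output of the `rpm -ql ... | xargs annocheck --verbose --skip-all --test-stack-prot` pipeline from the report into `parse_annocheck` and failing the build on any UNPROVEN or FAIL entry would have caught this case before the package shipped.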

Comment 8 Jan Pazdziora (Red Hat) 2022-11-22 18:47:25 UTC
Checking with

readelf -Ws /usr/bin/arping | grep '__stack_chk_fail'
or
readelf -Ws /usr/bin/tracepath | grep '__stack_chk_fail'

does not find anything, meaning the function to be called when the stack protection detects a corrupted stack is not referenced. So it seems to suggest -fstack-protector-strong was indeed not used.

Comment 14 Jan Macku 2022-11-25 12:46:30 UTC
The new build (iputils-20210202-8.el9) should fix the current issue.

[root@ci-vm-10-0-138-43 ~]# rpm -ql iputils | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot
annocheck: Version 10.73.
Hardened: /usr/bin/arping: PASS: stack-prot test 
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: /usr/bin/clockdiff: PASS: stack-prot test 
Hardened: /usr/bin/clockdiff: Overall: PASS.
Hardened: /usr/bin/ping: PASS: stack-prot test 
Hardened: /usr/bin/ping: Overall: PASS.
Hardened: /usr/bin/tracepath: PASS: stack-prot test 
Hardened: /usr/bin/tracepath: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test 
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: /usr/sbin/rdisc: PASS: stack-prot test 
Hardened: /usr/sbin/rdisc: Overall: PASS.

[root@ci-vm-10-0-138-43 ~]# rpm -qa iputils
iputils-20210202-8.el9.x86_64

Comment 19 errata-xmlrpc 2023-05-09 08:21:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iputils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2526