Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2144520

Summary: annocheck reports that no compiled C/C++ code in /usr/lib64/libefi*.so.1.38
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: efivarAssignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: bootloader-eng-team, jpazdziora, mhaicman, mlewando, nickc, raravind
Target Milestone: rcKeywords: Bugfix, Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: efivar-38-3.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2160441 2160442 (view as bug list) Environment:
Last Closed: 2023-05-09 08:25:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2160441, 2160442    

Description Jan Pazdziora (Red Hat) 2022-11-21 14:52:56 UTC 
Description of problem:

Attempting to test if efivar-libs libraries were properly built with stack protection via -fstack-protector-strong yields skip: stack-prot test because not compiled C/C++ code.

Version-Release number of selected component (if applicable):

efivar-libs-38-2.el9.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck efivar-libs
2. dnf debuginfo-install -y efivar-libs
3. rpm -ql efivar-libs | grep /usr/lib64/ | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:

annocheck: Version 10.54.
Hardened: /usr/lib64/libefiboot.so.1.38: skip: stack-prot test because not compiled C/C++ code 
Hardened: /usr/lib64/libefiboot.so.1.38: Overall: PASS.
Hardened: /usr/lib64/libefisec.so.1.38: PASS: stack-prot test 
Hardened: /usr/lib64/libefisec.so.1.38: Overall: PASS.
Hardened: /usr/lib64/libefivar.so.1.38: skip: stack-prot test because not compiled C/C++ code 
Hardened: /usr/lib64/libefivar.so.1.38: Overall: PASS.

Expected results:

Since efivar-38-2.el9.src.rpm seems to have C code in it, annocheck should be able to find it in the libraries. Note that for libefisec.so.1.38 it seems to work.

Additional info:
Comment 1 Nick Clifton 2022-11-21 17:25:20 UTC 
Hi Jan,

  This appears to be happening because the affected binaries do not contain any
  annobin notes (apart from a single one from an assembler source file, probably
  crt1.S).  In addition the DWARF information in the separate debug info file 
  appears to be incomplete.  (It contains links to other debuginfo files which
  are not part of the debuginfo rpm).  So even if the debug information was being 
  provided to annocheck, it would not help it identify the tool that produced the
  binary.

  Basically the issue is that annocheck cannot determine how the binaries were
  built.  If they were not compiled from C/C++ then there is no need to check for
  the use of the -fstack-protector option.  Since the annobin notes are missing
  and there is no .comment section and no DWARF debug information available, 
  annocheck has to assume that the binary might not be compiled and hence it PASSes
  the test.

  Note - when I looked in the build.log for efivar I found that the libraries
  concerned appear to be built *three* times, once with annobin annotation enabled
  and then twice more without it.  I am not sure why this is done.

Cheers
  Nick
Comment 2 Jan Pazdziora (Red Hat) 2022-11-22 07:31:14 UTC 
Thanks Nick. So do you reckon this is an issue in annobin, or a bug in the efivar build process? In other words, if we assume that those .so objects were built from a C/C++ code, should this be an annobin bugzilla, or an efivar bugzilla?
Comment 3 Nick Clifton 2022-11-22 13:39:34 UTC 
(In reply to Jan Pazdziora from comment #2)
> So do you reckon this is an issue in annobin, or a bug in the
> efivar build process? 

I think the efivar build process, but it may not be the process that is at fault, but one of the tools used by the process.  Eg if there is a bug in strip or gdb-add-index, then this might be causing the problems.

> In other words, if we assume that those .so objects
> were built from a C/C++ code, should this be an annobin bugzilla, or an
> efivar bugzilla?

Lets leave it with annobin for now, and I will investigate how efivar builds.  If I can show that it is another tool that is at fault then we can change the BZ.
Comment 4 Nick Clifton 2022-11-22 14:35:16 UTC 
Hmmm, this is interesting.  I checked out the efivar sources on the rhel-9.0.0 branch.  If I build the rpms locally, using "rhpkg local" then I end up with rpms which pass the stack-prot test, rather than skipping it.  If I build the same sources using brew ("rhpkg scratch-build") I end up with rpms which skip the stack-prot test, rather than passing it.

The difference is that the rpms which work still contain annobin notes (in the .gnu.build.attributes section) whereas the rpms which do not are devoid of annobin notes.#

Looking in the build logs for the two builds also shows an interesting difference.  The libefiboot library is built three times.  (The same is probably true for the other libraries in the efivar-libs rpm, but I did not check).  In the local build, all three compilations use the security hardening options and enable annobin notes.  In the brew scratch build only the first compilation does this.  The second two compilations run without security options and without annobin notes being created.

I am now looking into why this happens....
Comment 5 Nick Clifton 2022-11-22 15:02:02 UTC 
Right, so I have found a fix for the problem, but I do not know who is really to blame.

The issue is that the efivar.spec file builds the binaries three times, once in the %build stage using this command:

  make LIBDIR=%{_libdir} BINDIR=%{_bindir} CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"

and then again in the %install stage using this command:

  %makeinstall

and then finally in the %check stage using this command:

  make abicheck

The %check build can be ignored - it does not get into the rpms - although it does increase the overall build time.  It is the %install build that is the issue.  This rebuilds all of the binaries, and without the security hardening options that are in RPM_OPT_FLAGS and RPM_LD_FLAGS.  

I found that if I changed the %install step to:

  %makeinstall CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"

The final rpms worked, contained annobin notes, were built with the proper security options and passed annocheck's stack-prot test.

The thing I do not know is whether %makeinstall is supposed to correctly set CFLAGS and LDFLAGS itself, or if this is a bug in efivar.spec file.  Does anyone know ?
Comment 6 Jan Pazdziora (Red Hat) 2022-11-22 18:46:00 UTC 
Checking with

readelf -Ws /usr/lib64/libefiboot.so.1.38 | grep '__stack_chk_fail'
readelf -Ws /usr/lib64/libefivar.so.1.38 | grep '__stack_chk_fail'

does not find anything, meaning the function to be called when the stack protection detects a corrupted stack is not referenced. So it seems to suggest -fstack-protector-strong was indeed not used.
Comment 7 Jan Pazdziora (Red Hat) 2022-11-22 18:49:20 UTC 
Let me move this bugzilla to the efivar component since the suspicion of missing compiler flags is real.
Comment 11 Marta Lewandowska 2023-01-16 10:48:00 UTC 
Reproduced with efivar 38-2.el9 

# rpm -ql efivar-libs | grep /usr/lib64/ | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot
annocheck: Version 11.04.
Hardened: using profile: none.
Hardened: /usr/lib64/libefiboot.so.1.38: skip: stack-prot test because no code present - therefore no stack protection needed 
Hardened: /usr/lib64/libefiboot.so.1.38: Overall: PASS.
Hardened: /usr/lib64/libefisec.so.1.38: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libefisec.so.1.38: Overall: PASS.
Hardened: /usr/lib64/libefivar.so.1.38: skip: stack-prot test because no code present - therefore no stack protection needed 
Hardened: /usr/lib64/libefivar.so.1.38: Overall: PASS.

Verified with efivar 38-3.el9

# rpm -ql efivar-libs | grep /usr/lib64/ | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot
annocheck: Version 11.04.
Hardened: using profile: none.
Hardened: /usr/lib64/libefiboot.so.1.38: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libefiboot.so.1.38: Overall: PASS.
Hardened: /usr/lib64/libefisec.so.1.38: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libefisec.so.1.38: Overall: PASS.
Hardened: /usr/lib64/libefivar.so.1.38: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libefivar.so.1.38: Overall: PASS.

# rpm -qa efivar\* annobin-annocheck\*
annobin-annocheck-11.04-1.el9.x86_64
efivar-libs-38-3.el9.x86_64
efivar-debugsource-38-3.el9.x86_64
efivar-debuginfo-38-3.el9.x86_64
efivar-libs-debuginfo-38-3.el9.x86_64
Comment 14 Marta Lewandowska 2023-01-23 11:48:39 UTC 
efivar-38-3.el9 is in nightly RHEL-9.2.0-20230123.13
and works as in comment#11

Moving to VERIFIED
Comment 17 errata-xmlrpc 2023-05-09 08:25:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (efivar bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2565