Bug 2148430

Summary: annocheck reports that no compiled code found in /usr/bin and /usr/sbin
Product: Fedora
Reporter: Jan Macku <jamacku>
Component: iputils
Assignee: Kevin Fenzi <kevin>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: fsumsal, jamacku, jaskalnik, jpazdziora, kevin, msekleta, nickc, qe-baseos-daemons
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Clone Of: 2144509
Last Closed: 2022-11-28 08:02:18 UTC
Type: Bug
Bug Depends On: 2144509
Bug Blocks: 2147538, 2147539

Description Jan Macku 2022-11-25 12:14:03 UTC
+++ This bug was initially created as a clone of Bug #2144509 +++

Description of problem:

Attempting to test if iputils' binaries were properly built with stack protection via -fstack-protector-strong yields "skip: stack-prot test because no compiled code found".

Version-Release number of selected component (if applicable):

iputils-20210202-7.el9.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck iputils
2. dnf debuginfo-install -y iputils
3. rpm -ql iputils | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:

annocheck: Version 10.54.
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: /usr/bin/clockdiff: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/clockdiff: Overall: PASS.
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: /usr/bin/ping: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/ping: Overall: PASS.
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: /usr/bin/tracepath: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/tracepath: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test 
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: /usr/sbin/rdisc: skip: stack-prot test because no compiled code found 
Hardened: /usr/sbin/rdisc: Overall: PASS.

Expected results:

No "skip: stack-prot test because no compiled code found" on binaries.

Additional info:

Adding Nick to Cc in case this turns out to be an issue in annocheck itself.

--- Additional comment from Nick Clifton on 2022-11-21 15:57:35 UTC ---

Hi Jan,

  I think that this might be a build issue with iputils, but I am willing to be
  persuaded otherwise.  Here are some things that I found:
 
> Hardened: arping: warn: Failed to parse separate debug file
> '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug',
> (no DWARF information).

  This does indeed appear to be true.  That is, the debug info files
  do not actually appear to contain DWARF debug information.  I suspect
  that this is because there was no debug information in the binary before
  it was split into a stripped file and a separate debuginfo file.


> Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code
> found 

  This is happening because there are no annobin notes in the binary apart 
  from one which came from an assembler source file.  Hence annocheck is
  unable to prove that the binary was actually produced by a compiler.

  Annocheck does look to see if there is a .comment section in the binary,
  which can sometimes help determine which tool was used to create the
  program, but this is also missing.  It also checks the DW_AT_producer
  tag in the DWARF debug info, but since that info is missing, annocheck
  is at a loss for any other way to determine how the program was made.

 
Checking the build.log for the x86_64 build of iputils-20210202-7.el9.x86_64
I found this for the production of the clockdiff executable:

  [22/29] gcc -Iclockdiff.p -I. -I.. -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -Wpedantic -std=c99 -include config.h -include git-version.h '-DGETTEXT_PACKAGE="iputils"' -DUSE_IDN -fpie -MD -MQ clockdiff.p/clockdiff.c.o -MF clockdiff.p/clockdiff.c.o.d -o clockdiff.p/clockdiff.c.o -c ../clockdiff.c

So it looks like it is being compiled without any security options, without
debugging and without the annobin plugin.  Hence the weird results from 
annocheck.

The same appears to be true for arping, ping and the other executables. :-(

Cheers
  Nick

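The evidence Nick describes annocheck looking for (annobin notes, a .comment section, DWARF that would carry DW_AT_producer), as an added example that is not part of the bug report or of annocheck itself: a small Python ELF64 section scanner that reports which of that evidence a binary carries, plus a constructed minimal ELF image to exercise it offline. It is a simplified stand-in for annocheck's logic (it reads only section names, not the notes or the DW_AT_producer tag), and the section name `.gnu.build.attributes` for annobin notes is assumed from annobin's documented layout.

```python
import struct

ANNOBIN_PREFIX = ".gnu.build.attributes"  # section holding annobin notes


def elf_section_names(data: bytes) -> list[str]:
    """Return every section name in an ELF64 image (either endianness)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_shoff,) = struct.unpack_from(end + "Q", data, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(end + "HHH", data, 58)
    hdrs = [struct.unpack_from(end + "IIQQQQ", data, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]  # (name, type, flags, addr, offset, size)
    str_off, str_size = hdrs[e_shstrndx][4:6]
    strtab = data[str_off:str_off + str_size]
    return [strtab[h[0]:strtab.index(b"\0", h[0])].decode() for h in hdrs]


def compiler_evidence(data: bytes) -> dict[str, bool]:
    """Simplified stand-in for the evidence annocheck looks for: annobin
    notes, a .comment section, or DWARF (where DW_AT_producer would live)."""
    names = set(elf_section_names(data))
    return {"annobin_notes": any(n.startswith(ANNOBIN_PREFIX) for n in names),
            "comment": ".comment" in names,
            "dwarf": ".debug_info" in names}


def verdict(data: bytes) -> str:
    """Mirror annocheck's outcome: skip the test when nothing proves compilation."""
    ok = any(compiler_evidence(data).values())
    return "evidence present, run stack-prot test" if ok else "skip: no compiled code found"


def make_test_elf(names: list[str]) -> bytes:
    """Constructed sample: a minimal little-endian ELF64 with only section headers."""
    all_names = [""] + list(names) + [".shstrtab"]
    strtab, offs = b"", []
    for n in all_names:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    shoff, last = 64 + len(strtab), len(all_names) - 1  # headers follow strtab
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(all_names), last)
    shdrs = b"".join(struct.pack(
        "<IIQQQQIIQQ", off, 3 if i == last else min(i, 1), 0, 0,
        64 if i == last else 0, len(strtab) if i == last else 0, 0, 0, 1, 0)
        for i, off in enumerate(offs))
    return ehdr + strtab + shdrs
```

Run `verdict(open("/usr/bin/ping", "rb").read())` on a real binary to see which side of annocheck's "no compiled code found" decision it falls on.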
Comment 1 Jan Macku 2022-11-25 12:16:10 UTC
I have cloned the bug for Fedora since it has the same problem as CentOS-stream 9 currently.