Bug 1197501 - Hardening of C breaks Ada.
Summary: Hardening of C breaks Ada.
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Václav Pavlín
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: harden-failure
TreeView+ depends on / blocked
 
Reported: 2015-03-01 19:56 UTC by Björn Persson
Modified: 2020-10-06 23:17 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)

Description Björn Persson 2015-03-01 19:56:28 UTC
Description of problem:
Building a package of an Ada program fails in Rawhide since _hardened_build was defined globally. It seems like the modification of compiler options that _hardened_build enables doesn't work for Ada like it does for C.

Version-Release number of selected component (if applicable):
28-1.fc23

How reproducible:
It seems deterministic to me.

Steps to Reproduce:
1. Check out commit 2044cbbe536d65b859480527c24e9b448137797a of the package mine_detector.
2. Build it in Rawhide.

Actual results:
https://kojipkgs.fedoraproject.org/work/tasks/6796/9106796/build.log

"-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" is used in the compilation, and then "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" is used in the linking, but ld complains "relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC".

My best interpretation is that cc1_options affects cc1, the C frontend, but not gnat1, the Ada frontend, so that -fPIE isn't used when Ada is compiled. Then redhat-hardened-ld causes -pie to be passed to ld, and that doesn't work with code that was compiled without -fPIE.

Additional info:
This is my workaround for now:
http://pkgs.fedoraproject.org/cgit/mine_detector.git/commit/?id=4786c731aae930efca57c1782d56f69dfba5279c

The best solution would be to figure out how to make redhat-hardened-cc1 have the same effect for all languages that GCC can compile. If that isn't possible, then the hardening options should be enabled only for those languages that they work for.

(Although Ada is in theory immune to buffer overflows, enabling address space layout randomization would still be an improvement, firstly because Ada code can be linked to C code that can be defective, and secondly because some people seem to think that disabling the range checking is a good idea.)

Comment 1 Florian Festi 2015-03-09 12:52:15 UTC
I wonder if redhat-rpm-config is the proper component for this bug. But I can't make up my mind between "distribution" and "gcc-gnat".

Comment 2 Björn Persson 2015-03-12 22:58:52 UTC
Is cc1_options supposed to affect all language frontends, despite "cc1" in the name? Because otherwise I can't see how this would be a bug in GNAT.

If GNAT doesn't have a similar feature, then I suppose someone could submit a feature request to GCC upstream, but until the feature would get implemented it would still be wrong to try to use a nonexistent feature.

Comment 3 Moez Roy 2015-03-14 14:25:37 UTC
Would it be possible to fix this using the gnat-srpm-macros?

Comment 4 Björn Persson 2015-03-15 14:38:44 UTC
gnat-srpm-macros is only for things that must be present even before BuildRequires fields are processed.

If some Ada-specific file or macro is needed, and redhat-rpm-config is the wrong place for it, then it could be placed in fedora-gnat-project-common, but first I'd want to hear a good argument for why it shouldn't be in redhat-rpm-config. It would make sense to keep all the hardening trickery together in a package maintained by someone who knows the ins and outs of GCC well enough to make it work well, and that person isn't me.

Discussing *where* to fix it is premature though. First we need to find out *how* to fix it. Changing "cc1_options" to "gnat1_options" did not seem to work when I tried it.

The description of "distribution" mentions "bugs in the mechanics of how the distribution is built", which sounds like it might fit, so I'm setting it to "distribution" for now.

Comment 5 Adam Jackson 2015-03-20 15:21:20 UTC
The problem afaict is that we're not (consistently) building PIC objects.  For the C family languages we try to see if the object is destined for an executable or a shared library and pick -fPIC or -fPIE as appropriate.  I don't know what the idiomatic way to do that is for gnat, but jamming -fPIC on the end of %Ada_optflags in macros.gnat seems to make a hardened build of mine_detector compile just fine.

Comment 6 Jan Kurik 2015-07-15 14:28:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 7 Fedora End Of Life 2016-11-24 11:30:33 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Fedora End Of Life 2017-11-16 19:05:35 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 9 Fedora End Of Life 2018-02-20 15:31:19 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 10 Ben Cotton 2019-02-19 17:08:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 30 development cycle.
Changing version to '30'.

Comment 11 Ben Cotton 2020-04-30 22:18:19 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 12 Ben Cotton 2020-08-11 13:02:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.


Note You need to log in before you can comment on or make changes to this bug.