Bug 1201778 - aarch64 eu-elflint complains _GLOBAL_OFFSET_TABLE_ symbol doesn't point at .got for hardened builds
Summary: aarch64 eu-elflint complains _GLOBAL_OFFSET_TABLE_ symbol doesn't point at .g...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: elfutils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Mark Wielaard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: harden-failure ARM64, F-ExcludeArch-aarch64
TreeView+ depends on / blocked
 
Reported: 2015-03-13 13:32 UTC by Peter Robinson
Modified: 2015-04-21 18:49 UTC (History)
12 users (show)

Fixed In Version: elfutils-0.161-7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1207799 (view as bug list)
Environment:
Last Closed: 2015-03-23 14:46:22 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Peter Robinson 2015-03-13 13:32:34 UTC
Some tests fail for elfutils in F-23

http://arm.koji.fedoraproject.org/koji/taskinfo?taskID=2919197

First:
Making check in tests
backtrace-dwarf.c: In function 'report_pid':
backtrace-dwarf.c:50:5: warning: implicit declaration of function 'error' [-Wimplicit-function-declaration]
     error (2, 0, "dwfl_linux_proc_report: %s", dwfl_errmsg (-1));
     ^
backtrace-dwarf.c: In function 'main':
backtrace-dwarf.c:134:15: warning: implicit declaration of function 'fork' [-Wimplicit-function-declaration]
   pid_t pid = fork ();
               ^
backtrace-dwarf.c:151:15: warning: implicit declaration of function 'waitpid' [-Wimplicit-function-declaration]
   pid_t got = waitpid (pid, &status, 0);
               ^
Second:
FAIL: run-elflint-self.sh

Third:
+ cat tests/test-suite.log
==========================================
   elfutils 0.161: tests/test-suite.log
==========================================
# TOTAL: 129
# PASS:  125
# SKIP:  3
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: run-elflint-self.sh
=========================
section [35] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x1ffa0 does not match .got section address 0x1fd68
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/src/addr2line
section [36] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x1ffa0 does not match .got section address 0x1fde0
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/src/elfcmp
section [36] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x2ffa0 does not match .got section address 0x2fd20
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/src/elflint
section [36] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x1ff10 does not match .got section address 0x1fbf8
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/src/nm
section [36] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x1ff38 does not match .got section address 0x1fce8
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/src/objdump
section [36] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x3ff70 does not match .got section address 0x3fa08
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/src/readelf
section [35] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x2ffc8 does not match .got section address 0x2fe78
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/libelf/libelf.so
section [36] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x5ffa0 does not match .got section address 0x5fa50
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/libdw/libdw.so
section [33] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x1ff40 does not match .got section address 0x1fe68
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/backends/libebl_i386.so
section [33] '.symtab': _GLOBAL_OFFSET_TABLE_ symbol value 0x1ff50 does not match .got section address 0x1fe78
*** failure in /builddir/build/BUILD/elfutils-0.161/src/elflint --quiet --gnu-ld /builddir/build/BUILD/elfutils-0.161/backends/libebl_x86_64.so
SKIP: run-backtrace-data.sh
===========================
/builddir/build/BUILD/elfutils-0.161/tests/backtrace-data: Unwinding not supported for this architecture
data: arch not supported
SKIP: run-backtrace-native-biarch.sh
====================================
SKIP: run-backtrace-native-core-biarch.sh
=========================================
+ false

Comment 1 Mark Wielaard 2015-03-13 22:57:52 UTC
The warnings are harmless, but have been fixed upstream:

commit 0a35e3ac65dfd2db4e0ae0f68fdb21493c5fbfa1
Author: Mark Wielaard <mjw>
Date:   Fri Mar 13 23:51:40 2015 +0100

    Fix -Wimplicit warnings.

I don't understand the run-elflint-self.sh yet. The error is "correct". The _GLOBAL_OFFSET_TABLE_ does not point to the .got address. I don't know why though.

Comment 2 Peter Robinson 2015-03-14 09:39:26 UTC
Can we have it pushed to F-22+ as it's blocking builds for aarch64

Comment 3 Mark Wielaard 2015-03-14 12:36:17 UTC
(In reply to Peter Robinson from comment #2)
> Can we have it pushed to F-22+ as it's blocking builds for aarch64

The warning fix wouldn't help. That really is a separate issue, and really only a warning, it doesn't impact the build or test suite.

We have to figure out why the _GLOBAL_OFFSET_TABLE_ symbol doesn't point to the .got. It has something to do with the new hardening flags. Without those things look fine.

Lets reassign to binutils to ask out why _GLOBAL_OFFSET_TABLE_ isn't pointing to the .got for hardened builds.

It looks like only ld.bfd is available for aarch64, otherwise you could have checked building with ld.gold to see if that linker acts the same.

If you want to work around it in the elfutils package on aarch64 for now feel free to disable the hardening build flags for aarch64 in the spec file.

Comment 4 Peter Robinson 2015-03-15 14:06:22 UTC
Will reassign to binutils, would prefer to get it fixed properly

Comment 5 Nick Clifton 2015-03-16 10:51:24 UTC
Hi Peter,

  Is it possible to capture how one of the broken binaries is built ?  (I could not find this in the logs).  Eg it would be really helpful to have the object files and linker command line to build, say, eu-addr2line, so that I can try to reproduce the linker's misbehaviour.  It would also be helpful if you could upload the broken binary itself (eu-addr2line) so that I can check that my local run of the linker creates the same image.

Cheers
  Nick

Comment 6 Mark Wielaard 2015-03-16 12:18:00 UTC
The relevant flags come from:
CFLAGS='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1'
LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'

Where, if the aarch64 build uses the same spec files, the spec files are:

$ cat /usr/lib/rpm/redhat/redhat-hardened-cc1
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

$ cat /usr/lib/rpm/redhat/redhat-hardened-ld
*self_spec:
+ %{!shared:-pie}

*link:
+ -z now

Unfortunately I no longer have access to the aarch64 setup that I replicated it on, so I don't have the binaries anymore.

Comment 7 Peter Robinson 2015-03-16 22:40:14 UTC
>   Is it possible to capture how one of the broken binaries is built ?  (I
> could not find this in the logs).  Eg it would be really helpful to have the
> object files and linker command line to build, say, eu-addr2line, so that I
> can try to reproduce the linker's misbehaviour.  It would also be helpful if
> you could upload the broken binary itself (eu-addr2line) so that I can check
> that my local run of the linker creates the same image.

latest builds here:
arm.koji.fedoraproject.org/koji/packageinfo?packageID=1626

Comment 8 Nick Clifton 2015-03-19 15:03:46 UTC
Hi Peter,

(In reply to Peter Robinson from comment #7)
> latest builds here:
> arm.koji.fedoraproject.org/koji/packageinfo?packageID=1626

That does not help.  I need the object files and linker command line used to build one of the elfutils executables.  The logs only show the warnings that popped up during the build, nothing else.

What I would really like is a tarball containing the eu-addr2line executable (for aarch64 of course), plus the object files and libraries that went to make up this executable, plus the linker command line that created the executable from those object files and libraries.  Is this possible ?

Cheers
  Nick

Comment 9 Marcin Juszkiewicz 2015-03-19 18:06:43 UTC
I will provide you whole build dir.

Comment 10 Marcin Juszkiewicz 2015-03-19 18:33:08 UTC
https://hrw.fedorapeople.org/aarch64/elfutils/elfutils-0.161-6.fc23-builddir.tar.xz is whole build directory of elfutils 0.161-6.fc23 for aarch64.

Build logs inside, make was switched to not be silent so you can see how gcc/ld was called.

eu-addr2line and other tools are inside of tarball as they got built.

Comment 11 Mark Wielaard 2015-03-20 11:25:14 UTC
BTW. It seems not to depend on the specific fedora binutils and gcc version. I replicated it on another aarch64 setup with binutils-2.23.52.0.1 and gcc-4.8.3 with upstream elfutils configure with:

CFLAGS='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' ./configure

Comment 12 Nick Clifton 2015-03-20 12:09:43 UTC
Hi Guys,

  The problem is the -Wl,-z,relro option in LDFLAGS.  This was recently added as a global change to the Fedora build system and it is intended to make applications more secure by prevent malicious code from interfering with the run time relocations.

  Anyway the practical result of this change, from the aarch64/elflint point of view is that the _GLOABL_OFFSET_TABLE_ pointer no longer points to the start of the .got section.  Instead it points to the start of the writable entries *inside* the .got section.  So elflint needs to be updated to take this into account.  _GLOBAL_OFFSET_TABLE_ must still point to somewhere inside the .got section, just not necessarily the start.

Cheers
  Nick

Comment 13 Mark Wielaard 2015-03-20 12:12:25 UTC
I'll create a patch for elfutils backends/aarch64_symbol.c


Note You need to log in before you can comment on or make changes to this bug.