Bug 1228570 - hardening breaks Mono 4
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: mono
Version: 23
Hardware: s390x
OS: Unspecified
Target Milestone: ---
Assignee: Xavier Lamien
QA Contact: Fedora Extras Quality Assurance
Blocks: ZedoraTracker harden-failure
Reported: 2015-06-05 08:25 UTC by Dan Horák
Modified: 2016-03-03 11:59 UTC

Fixed In Version: mono-4.3.2-7.fc25
Doc Type: Bug Fix
Last Closed: 2016-03-03 11:59:46 UTC
Type: Bug


Attachments
Patch to support -fPIE (1.65 KB, patch)
2015-06-05 21:22 UTC, Neale Ferguson
Revised patch (2.11 KB, patch)
2015-06-06 01:09 UTC, Neale Ferguson

Description Dan Horák 2015-06-05 08:25:13 UTC
When Mono 4 is built with hardening enabled (https://fedoraproject.org/wiki/Changes/Harden_All_Packages), it throws a traceback when run.

from build.log
...
if test -w /home/sharkcz/mono/mono-4.0.1/mcs; then :; else chmod -R +w /home/sharkcz/mono/mono-4.0.1/mcs; fi
cd /home/sharkcz/mono/mono-4.0.1/mcs && make --no-print-directory -s NO_DIR_CHECK=1 PROFILES='binary_reference_assemblies net_4_5 xbuild_12 xbuild_14   ' CC='gcc' all-profiles
mkdir -p -- build/deps
make[6]: mcs: Command not found
build/profiles/basic.make:93: recipe for target 'build/deps/basic-profile-check.exe' failed
make[6]: *** [build/deps/basic-profile-check.exe] Error 127
*** The compiler 'mcs' doesn't appear to be usable.
*** Trying the 'monolite' directory.
Stacktrace:


Native stacktrace:

	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0xea8b6) [0x2aa0023f8b6]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x48e00) [0x2aa0019de00]
	[0x3ffffb29780]
	/lib/ld64.so.1(__tls_get_addr_internal+0x34) [0x3fffd4461d4]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x24e714) [0x2aa003a3714]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x32d6e) [0x2aa00187d6e]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x7aecc) [0x2aa001cfecc]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x472b8) [0x2aa0019c2b8]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x4b796) [0x2aa001a0796]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x4c728) [0x2aa001a1728]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(mono_runtime_invoke+0x5e) [0x2aa0034b0ae]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(mono_runtime_exec_main+0x12a) [0x2aa0034ddc2]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(mono_main+0x2380) [0x2aa0020a180]
	/lib64/libc.so.6(__libc_start_main+0x112) [0x3fffd17b0a2]
	/home/sharkcz/mono/mono-4.0.1/mono/mini/mono(+0x3d8fc) [0x2aa001928fc]

Debug info from gdb:

ptrace: Operation not permitted.
No threads.

=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================

build/profiles/basic.make:93: recipe for target 'build/deps/basic-profile-check.exe' failed
make[8]: *** [build/deps/basic-profile-check.exe] Aborted (core dumped)
*** The contents of your 'monolite' directory may be out-of-date
*** You may want to try 'make get-monolite-latest'


Version-Release number of selected component (if applicable):
mono-4.0.1-9.fc23

Comment 1 Dan Horák 2015-06-05 08:49:52 UTC
rather mono-4.0.1-8.fc23, which uses mono-4.0.1.28.tar.bz2

mono-4.0.1.44.tar.bz2 looks different ...

Comment 2 Dan Horák 2015-06-05 09:35:48 UTC
reproduced on F-22 with

# go back 1 commit (incorrect update to 4.0.1.44)
git reset --hard HEAD^

and

diff --git a/mono.spec b/mono.spec
index 55d5d8d..48d88f9 100644
--- a/mono.spec
+++ b/mono.spec
@@ -1,4 +1,5 @@
-%global bootstrap 0
+%global _hardened_build 1
+%global bootstrap 1
 %if 0%{?rhel}%{?el6}%{?el7}
 %if 0%{?el6}
 %define mono_arches %ix86 x86_64 %{arm} sparcv9 alpha s390x ppc ppc64 ppc64le
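Review bot: At the top of the spec, `bootstrap` flips from 0 to 1 in the same hunk that adds `%global _hardened_build 1`, and neither line carries a comment, so a reader cannot tell whether the bootstrap switch is required for the hardening test or is a leftover. Suggest a one-line comment above each `%global` saying why it is set, and returning `bootstrap` to 0 (or turning it into a build conditional) before this spec is used for anything other than reproducing the crash.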
@@ -13,7 +14,7 @@
 
 Name:           mono
 Version:        4.0.1
-Release:        8%{?dist}
+Release:        8%{?dist}.1
 Summary:        Cross-platform, Open Source, .NET development framework
 
 Group:          Development/Languages
@@ -46,7 +47,11 @@ Obsoletes:      mono-entityframework
 # need to bootstrap mono, comment out this BuildRequires
 # and don't delete the binaries in %%prep.
 
+%if 0%{bootstrap}
+# for bootstrap, use monolite insted local mono
+%else
 BuildRequires: mono-core >= 4.0
+%endif
 
 # JIT only available on these:
 ExclusiveArch: %mono_arches
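Review bot: The new `%if 0%{bootstrap}` block has a true branch that holds only a comment, and that comment misspells "instead" ("use monolite insted local mono"). Inverting the test, for example `%if !0%{?bootstrap}` around the `BuildRequires: mono-core >= 4.0` line, removes the empty branch, and `%{?bootstrap}` keeps the condition valid if the macro is ever left undefined. The unchanged comment just above still tells packagers to comment out the BuildRequires by hand, which this conditional makes obsolete, so it should be updated in the same change.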

[sharkcz@devel4 mono]$ fedpkg verrel
mono-4.0.1-8.fc23.1

Comment 3 Dan Horák 2015-06-05 10:01:20 UTC
mono-4.0.1.44.tar.bz2 fails to build on F-22 even without hardening

Comment 4 Neale Ferguson 2015-06-05 14:39:42 UTC
Does the bootstrap variable get used anywhere else? If not, then in the %build section a make get-monolite-latest may need to be done before the main make. How is _hardened_build used in the rest of the spec?

Comment 5 Dan Horák 2015-06-05 14:54:18 UTC
The bootstrap variable controls whether mono-core package is set as BuildRequires and also whether the bundled monolite should be removed. The whole spec file is at
http://pkgs.fedoraproject.org/cgit/mono.git/tree/mono.spec?id=89b45145573e4513845502e6ab2941b08913fb5e

Hardening means evaluating http://pkgs.fedoraproject.org/cgit/redhat-rpm-config.git/tree/redhat-hardened-cc1 and http://pkgs.fedoraproject.org/cgit/redhat-rpm-config.git/tree/redhat-hardened-ld by the compiler/linker as described in https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

It is implemented via http://pkgs.fedoraproject.org/cgit/redhat-rpm-config.git/tree/macros#n130 - updating the global compiler/linker flags.
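
Added example, not part of the original bug thread or of Fedora's tooling: a minimal Python check that an ELF64 binary (big-endian s390x included) actually carries the properties the hardened compiler/linker flags are meant to produce, namely a PIE image from -fPIE/-pie and bind-now from -z now (full RELRO when a PT_GNU_RELRO segment is present). The helper build_sample() is hypothetical and builds a constructed ELF skeleton for illustration; on a real build, pass the bytes of the mono binary instead.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_report(elf: bytes) -> dict:
    """Report PIE and RELRO status of a 64-bit ELF image (either byte order)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("expected a 64-bit ELF image")
    e = ">" if elf[5] == 2 else "<"  # EI_DATA: 2 = big-endian (s390x), 1 = little
    (e_type,) = struct.unpack_from(e + "H", elf, 16)
    (phoff,) = struct.unpack_from(e + "Q", elf, 32)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54)
    interp = relro = bind_now = False
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, _, p_offset = struct.unpack_from(e + "IIQ", elf, base)
        (p_filesz,) = struct.unpack_from(e + "Q", elf, base + 32)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk Elf64_Dyn entries looking for any "bind now" marker (-z now).
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(e + "qQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    # Heuristic: shared libraries are ET_DYN too, so also require PT_INTERP for "pie".
    return {"pie": e_type == ET_DYN and interp,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_sample(e_type: int, bind_now: bool) -> bytes:
    """Constructed big-endian ELF64 skeleton for the demo, not a real binary."""
    dyn = struct.pack(">qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    phdrs = [(PT_INTERP, 0, 0), (PT_GNU_RELRO, 0, 0), (PT_DYNAMIC, 64 + 3 * 56, len(dyn))]
    hdr = b"\x7fELF\x02\x02\x01" + bytes(9) + struct.pack(
        ">HHIQQQIHHHHHH", e_type, 22, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(">IIQQQQQQ", t, 0, off, 0, 0, size, size, 8)
                    for t, off, size in phdrs)
    return hdr + body + dyn

if __name__ == "__main__":
    print("hardened:", hardening_report(build_sample(ET_DYN, True)))
    print("plain:   ", hardening_report(build_sample(2, False)))  # 2 = ET_EXEC
```
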

Comment 6 Neale Ferguson 2015-06-05 17:48:37 UTC
I believe I have found the problem. To access thread variables in the mono runtime there is a platform-specific macro that aids in the extraction:

# if defined(PIC)
// This only works if libmono is linked into the application
#  define MONO_THREAD_VAR_OFFSET(var,offset) do { guint64 foo;                                  \
                                                __asm__ ("basr  %%r1,0\n\t"                     \
                                                         "j     0f\n\t"                         \
                                                         ".quad " #var "@TLSGD\n\t"             \
                                                         "0:\n\t"                               \
                                                         "lg    %%r2,4(%%r1)\n\t"               \
                                                         "brasl %%r14,__tls_get_offset@PLT:tls_gdcall:"#var"\n\t" \
                                                         "lgr   %0,%%r2\n\t"                    \
                                                        : "=r" (foo) :                          \
                                                        : "1", "2", "14", "cc");                \
                                                offset = foo; } while (0)
# else
#  define MONO_THREAD_VAR_OFFSET(var,offset) do { guint64 foo;                                  \
                                                __asm__ ("basr  %%r1,0\n\t"                     \
                                                         "j     0f\n\t"                         \
                                                         ".quad " #var "@NTPOFF\n"              \
                                                         "0:\n\t"                               \
                                                         "lg    %0,4(%%r1)\n\t"                 \
                                                        : "=r" (foo) : : "1");                  \
                                                offset = foo; } while (0)
# endif

As you can see, at the moment only the PIC and non-PIC situations are catered for. I have to examine the sequence required when PIE is specified to produce correct instructions.

Comment 7 Neale Ferguson 2015-06-05 21:22:35 UTC
Created attachment 1035423 [details]
Patch to support -fPIE

Patch that I am submitting upstream to enable builds when using -fPIE.

Comment 8 Neale Ferguson 2015-06-06 01:09:05 UTC
Created attachment 1035506 [details]
Revised patch

I attached an earlier attempt which didn't provide -fpie support and broke non-PIE/pie builds.

Comment 9 Moez Roy 2015-06-06 03:54:20 UTC
(In reply to Neale Ferguson from comment #8)
> Created attachment 1035506 [details]
> Revised patch
> 
> I attached an earlier attempt which didn't provide -fpie support and broke
> non-PIE/pie builds.

Thanks for helping. Would this same patch be also applicable for Bug 1224945 - mono build failure on ppc64le?

Comment 10 Jan Kurik 2015-07-15 14:03:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

