Bug 1335863 - non-daemon ELF binaries are compiled as PIE, but without full RELRO
Summary: non-daemon ELF binaries are compiled as PIE, but without full RELRO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mariadb
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Jakub Dorňák
QA Contact: Jiri Jaburek
URL:
Whiteboard:
Duplicates: 1092548
Depends On:
Blocks: 1343697 1092574
Reported: 2016-05-13 12:16 UTC by Jiri Jaburek
Modified: 2016-12-13 20:00 UTC (History)

Fixed In Version: mariadb-5.5.47-5.el7
Doc Type: Bug Fix
Doc Text:
Cause: Not properly chosen link flags.
Consequence: Binaries compiled as PIE but without RELRO.
Fix: Choose proper link flags.
Result: Binaries compiled as Full RELRO.
Clone Of:
Environment:
Last Closed: 2016-11-03 20:48:37 UTC


Attachments
proposed patch (413 bytes, patch)
2016-06-29 10:28 UTC, Matej Mužila


Links
Red Hat Product Errata RHSA-2016:2595 (priority: normal, status: SHIPPED_LIVE): Important: mariadb security and bug fix update, last updated 2016-11-03 12:11:21 UTC

Description Jiri Jaburek 2016-05-13 12:16:40 UTC
Description of problem:

At least the following binaries,

/usr/bin/mysqlimport
/usr/bin/mysqltest
/usr/bin/mysql_client_test
/usr/bin/mysql_plugin
/usr/bin/mysql_upgrade
/usr/bin/mysqlslap
/usr/bin/mysqltest_embedded
/usr/bin/mysql_waitpid
/usr/bin/mysqladmin
/usr/bin/mysql_client_test_embedded
/usr/bin/mysql_tzinfo_to_sql
/usr/bin/mysql
/usr/bin/mysqldump
/usr/bin/mysqlshow
/usr/bin/mysqlcheck
/usr/bin/mysqlbinlog

are compiled as Position Independent Executables (PIE), but with lazy binding enabled (no BIND_NOW / NOW). This not only slows the startup down (adding one layer of indirection for PIE), but also creates potential security issues.

Please compile these as either

- non-PIE, with "partial" RELRO: gcc -Wl,-z,relro
- PIE, with "full" RELRO: gcc -fPIE -pie -Wl,-z,relro,-z,now

*not* in any combination of the two (for one binary).

Generally speaking, PIE + "full" RELRO is recommended for anything that doesn't start too often (as it provides the best protection at a slight cost in startup time) such as daemons, SUID binaries or anything having extra privileges and handling unsafe user data.
For anything else, "Partial" RELRO is recommended.


Version-Release number of selected component (if applicable):
mariadb-5.5.47-1.el7_2

How reproducible:
always

Steps to Reproduce:
1. readelf -a <path-to-binary> | less
2. look for addresses, see them being relative, starting at 0
2.1. (also see ELF type at the top - should be DYN)
3. look for BIND_NOW or NOW, without success

Actual results:
binaries compiled as PIE with "partial" RELRO

Expected results:
binaries either compiled as PIE+"full" RELRO or non-PIE+"partial" RELRO

Additional info:
/usr/libexec/mysqld seems to have correctly PIE + "full" RELRO.
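
The check described in the steps to reproduce, automated as an added example that is not part of this bug report or of the mariadb package: instead of reading `readelf -a` output by eye, the script below parses the ELF64 headers itself, reports ELF type DYN (what readelf prints for a PIE), whether a PT_GNU_RELRO segment exists, and whether any of the three dynamic-section forms of BIND_NOW (DT_BIND_NOW, DT_FLAGS/DF_BIND_NOW, DT_FLAGS_1/DF_1_NOW) is set, then applies the rule from the description (PIE should come with full RELRO, non-PIE with at least partial). It assumes ELF64 little-endian input (x86_64 as in RHEL 7); the `make_sample_elf` images are constructed here for demonstration and are not loadable binaries.

```python
"""Classify an ELF binary's PIE / RELRO state by reading its headers directly.

Added example, not part of the bug report or the mariadb package. The sample
images produced by make_sample_elf() are constructed here for demonstration.
"""
import struct
import sys

# Constants from the ELF ABI and the GNU/Linux dynamic-tag extensions.
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def classify_elf(data):
    """Return {'pie': bool, 'bind_now': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Walk the program headers: PT_GNU_RELRO is the region the loader will
    # make read-only after relocation; PT_DYNAMIC points at the dynamic section.
    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Walk the dynamic entries for any of the three ways to request BIND_NOW.
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW:
                bind_now = True
            elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                bind_now = True
            elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                bind_now = True

    # Full RELRO needs both the RELRO segment and eager binding: with lazy
    # binding the GOT must stay writable, so it cannot sit in the read-only region.
    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    # ET_DYN is what readelf prints as DYN; note it also covers shared libraries.
    return {"pie": e_type == ET_DYN, "bind_now": bind_now, "relro": relro}


def verdict(info):
    """The report's rule: PIE must have full RELRO, non-PIE at least partial."""
    if info["pie"] and info["relro"] != "full":
        return "PIE without full RELRO"
    if not info["pie"] and info["relro"] == "none":
        return "no RELRO"
    return "ok"


def make_sample_elf(pie, relro, bind_now):
    """Constructed minimal ELF64 image carrying only the headers checked above."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph  # dynamic section follows the program headers
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return header + b"".join(phdrs) + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = classify_elf(f.read())
        print(f"{path}: pie={info['pie']} relro={info['relro']} -> {verdict(info)}")
    if len(sys.argv) == 1:  # no paths given: show the constructed samples
        for args in [(True, True, True), (True, True, False), (False, True, False)]:
            info = classify_elf(make_sample_elf(*args))
            print(f"sample pie={args[0]} relro_seg={args[1]} now={args[2]}: "
                  f"{info['relro']} -> {verdict(info)}")
```

Run it as `python3 relro_check.py /usr/bin/mysql /usr/bin/mysqldump ...` to get one line per binary; the "PIE without full RELRO" verdict is exactly the state the report describes, and the `/usr/libexec/mysqld` case should come out as `ok`.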

Comment 2 Honza Horak 2016-06-27 12:40:11 UTC
*** Bug 1092548 has been marked as a duplicate of this bug. ***

Comment 3 Matej Mužila 2016-06-29 10:28:26 UTC
Created attachment 1173765 [details]
proposed patch

Comment 8 errata-xmlrpc 2016-11-03 20:48:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2595.html

