RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1934189 - hardening/annobin regression in ppc64le toolchain?
Summary: hardening/annobin regression in ppc64le toolchain?
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: annobin
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Nick Clifton
QA Contact: Martin Cermak
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-03-02 16:44 UTC by Colin Walters
Modified: 2021-11-09 20:51 UTC (History)
3 users (show)

Fixed In Version: annobin-9.65-1.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 17:48:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4168 0 None None None 2021-11-09 17:48:33 UTC

Description Colin Walters 2021-03-02 16:44:23 UTC 
I didn't change anything in ostree, but 
https://rpmdiff.engineering.redhat.com/run/487474/7/
is failing *just* on ppc64le:

```
File usr/lib/systemd/system-generators/ostree-system-generator built-by changed from 'gcc (version 8.3.1 20191121)
ostree-system-generator was built by gcc (version 8.4.1 20200928)
' to 'gcc (version 8.4.1 20200928)
Hardened: ostree-system-generator: FAIL: Some parts of the binary were compiled without -D_FORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
Hardened: ostree-system-generator: FAIL: Parts of the binary were compiled without the proper PIC/PIE option.  Run with -v to see where.
Hardened: ostree-system-generator: FAIL: Parts of the binary were compiled without a suffcient -fstack-protector setting.  Run with -v to see where.
' on ppc64le
```

other architectures are fine.  Also, I can clearly see these flags passed in the build cmdline:

http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/ostree/2020.7/4.el8/data/logs/ppc64le/build.log

```
gcc -DHAVE_CONFIG_H -I.  -DDATADIR='"/usr/share"' -DLIBEXECDIR='"/usr/libexec"' -DLOCALEDIR=\"/usr/share/locale\" -DSYSCONFDIR=\"/etc\" -DTARGET_PREFIX='"/usr"' -DSHORTENED_SYSCONFDIR=\"$(echo "/etc" | sed -e 's|^/usr||' -e 's|^/||')\" -DOSTREE_FEATURES='"libcurl libsoup gpgme libarchive selinux openssl libmount systemd release p2p"' -DOSTREE_COMPILATION -DG_LOG_DOMAIN=\"OSTree\" -DOSTREE_GITREV='"5d99ea884434ea88e6c3c7ef33ffab2b0db9f5d8"' -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_40 '-DGLIB_VERSION_MAX_ALLOWED=G_ENCODE_VERSION(2,50)' -DSOUP_VERSION_MIN_REQUIRED=SOUP_VERSION_2_40 '-DSOUP_VERSION_MAX_ALLOWED=G_ENCODE_VERSION(2,48)' -I./libglnx -I./src/libostree  -std=gnu99 -fno-strict-aliasing -pipe -Wall -Werror=shadow -Werror=empty-body -Werror=strict-prototypes -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=format=2 -Werror=format-security -Werror=format-nonliteral -Werror=pointer-arith -Werror=init-self -Werror=missing-declarations -Werror=return-type -Werror=switch -Werror=overflow -Werror=int-conversion -Werror=parentheses -Werror=undef -Werror=incompatible-pointer-types -Werror=misleading-indentation -Werror=missing-include-dirs -Werror=aggregate-return -Wstrict-aliasing=2 -Werror=unused-result -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -pthread  -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mcpu=power8 -mtune=power8 -funwind-tables -fstack-clash-protection -c -o src/switchroot/ostree_system_generator-ostree-system-generator.o `test -f 'src/switchroot/ostree-system-generator.c' || echo './'`src/switchroot/ostree-system-generator.c
```
for example.

Did something regress just in the ppc64le toolchain?
Comment 1 Colin Walters 2021-03-02 16:48:08 UTC 
Ah, some digging reveals that chrony hit the same thing, they just waived it: https://rpmdiff.engineering.redhat.com/run/487606/7/
Comment 2 Nick Clifton 2021-03-02 18:05:44 UTC 
Hi Colin,

> Hardened: ostree-system-generator: FAIL: Some parts of the binary were
> compiled without -D_FORTIFY_SOURCE=2 but with -D_GLIBCXX_ASSERTIONS.
> Hardened: ostree-system-generator: FAIL: Parts of the binary were compiled
> without the proper PIC/PIE option.  Run with -v to see where.
> Hardened: ostree-system-generator: FAIL: Parts of the binary were compiled
> without a suffcient -fstack-protector setting.  Run with -v to see where.
> ' on ppc64le

Feel free to waive these failures.

What is going on is that the checker is detecting these problems in the glibc 
startup code which is part of the programs.  Since the startup code executes
before a full runtime environment is ready, it cannot use security features 
like -fstack-protector nor does it make sense to use protection features like
FORTIFY_SOURCE and GLIBCXX_ASSERTIONS.

(If you are interested you can rerun annocheck with the -v option to see which
functions it is complaining about.  When I downloaded and tested the ostree
rpm the offending function was always "_start" ).

I am not sure why this is only showing up when testing ppc64le builds.  In theory
these problems should apply to all architectures.

In theory annocheck has code to skip these tests when specific functions are
detected (eg _start).  But I have just found a bug in that code which was
preventing the skip from triggering, so that is why the false FAILs were
reported.  I am going to check in the patch, but it will not make it into
RHEL-8.4, so I am hoping to target RHEL-8.5 instead.
Comment 4 Nick Clifton 2021-03-18 09:45:11 UTC 
Fixed in annobin-9.65-1.el8
Comment 14 errata-xmlrpc 2021-11-09 17:48:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (annobin bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4168
Note You need to log in before you can comment on or make changes to this bug.