1959843 – annocheck fails for alegedly disabled -fstack-clash-protection flag

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1959843 - annocheck fails for alegedly disabled -fstack-clash-protection flag

Summary: annocheck fails for alegedly disabled -fstack-clash-protection flag

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	libtool
Sub Component:
Version:	CentOS Stream
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	beta
Target Release:	---
Assignee:	Ondrej Dubaj
QA Contact:	RHEL CS Apps Subsystem QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-05-12 13:24 UTC by Phil Sutter
Modified:	2021-07-30 13:41 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-20 11:26:05 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
latest-rpminspect.txt (1.83 MB, text/plain) 2021-07-20 09:17 UTC, Ondrej Dubaj	no flags	Details
View All

Description Phil Sutter 2021-05-12 13:24:16 UTC

CI gating fails for a recent iptables build for C9S:

https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/36765851

at least one of the failures is emitted by annocheck:

http://artifacts.osci.redhat.com/testing-farm/25f37259-fd20-4912-87f3-a04832e3a99c/work-rpminspectNFARUX/rpminspect/execute/data/annocheck/output.txt

It complains about libip{4,6}tc.so* and libxtables.so*, claiming said compiler flag was not enabled during build. Though looking at the build logs here:

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1602275

I see a call to libtool which passes the flag at least for libip4tc (this is a single source file library, so easy to follow):

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DXTABLES_LIBDIR=\"/usr/lib64/xtables\" -DXTABLES_INTERNAL -I../include -I../include -I/usr/include/uapi -I/usr/include -I/usr/include/uapi -I/usr/include -Wall -Waggregate-return -Wmissing-declarations -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes -Wlogical-op -Winline -pipe -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-strict-aliasing -c libip4tc.c  -fPIC -DPIC -o .libs/libip4tc.o

During linking, it is passed as well:

/bin/sh ../libtool  --tag=CC   --mode=link gcc -Wall -Waggregate-return -Wmissing-declarations 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes 	-Wlogical-op 	-Winline -pipe -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-strict-aliasing  -version-info 2:0:0 -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld  -o libip4tc.la -rpath /usr/lib64 libip4tc.lo  -lpcap 
libtool: link: gcc -shared  -fPIC -DPIC  .libs/libip4tc.o   -lpcap -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -O2 -flto=auto -g -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -Wl,-z -Wl,relro -Wl,--as-needed -Wl,-z -Wl,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld   -Wl,-soname -Wl,libip4tc.so.2 -o .libs/libip4tc.so.2.0.0

Though as you see it is missing in the actual libtool output. Might be unrelated  if the flag is not relevant for linking or a problem with libtool incorrectly stripping the flag?

FWIW, I can reproduce the check failure on my Fedora VM (Rawhide):

$ annocheck /usr/lib64/libip4tc.so.2.0.0
annocheck: Version 9.70.
Hardened: libip4tc.so.2.0.0: FAIL: stack-clash test because -fstack-clash-protection not enabled 
Hardened: Rerun annocheck with --verbose to see more information on the tests.

Is this is a bug in annocheck, iptables' spec file, libtool or gcc? ;)

Comment 1 Nick Clifton 2021-05-13 12:33:04 UTC

Hi Phil,

  I think that this is a build problem.  Possibly spec file related, although I have not checked.

  The -fstack-clash-protection flag is present when the object files are being built, but it is
  absent when the link is performed.  For example in the output you quoted in the description:

libtool: link: gcc -shared  -fPIC -DPIC  .libs/libip4tc.o   -lpcap -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -O2 -flto=auto -g -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mbranch-protection=standard -Wl,-z -Wl,relro -Wl,--as-needed -Wl,-z -Wl,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld   -Wl,-soname -Wl,libip4tc.so.2 -o .libs/libip4tc.so.2.0.0

  Note how -fstack-clash-protection is absent from this command line.  This matters because
  the link is being performed in LTO mode, so the object files will be recompiled, and this
  time without stack clash protection enabled....

  So ... how is this libtool command line constructed ?

Cheers
  Nick

Comment 2 Christine Caulfield 2021-05-17 07:15:55 UTC

Hi, I'm seeing something similar with libknet (package kronosnet), but I can see -fstack-flash-protection on the link command-line as well as the compile commands.

Hardened: libknet.so.1.4.0: FAIL: cf-protection test because no protection enabled (function: knet_get_compress_list) 
Hardened: libknet.so.1.4.0: FAIL: stack-clash test because -fstack-clash-protection not enabled (function: knet_get_compress_list) 
Hardened: libknet.so.1.4.0: FAIL: cf-protection test because no protection enabled (function: knet_send_sync) 
Hardened: libknet.so.1.4.0: FAIL: stack-clash test because -fstack-clash-protection not enabled (function: knet_send_sync) 
Hardened: libknet.so.1.4.0: FAIL: cf-protection test because no protection enabled (function: knet_get_compress_list) 

This link command-line is from the RPM build:
/bin/sh ../libtool  --tag=CC   --mode=link gcc -O3 -ggdb3 -Werror -Wall -Wextra -Wno-unused-parameter -pthread  -pthread -DPLUGINPATH="\"/usr/lib64/kronosnet\"" -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wl,--enable-new-dtags -Wl,--as-needed -Wl,--version-script=./libknet_exported_syms -version-info 5:0:4 -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld  -o libknet.la -rpath /usr/lib64 libknet_la-common.lo libknet_la-compat.lo libknet_la-compress.lo libknet_la-crypto.lo libknet_la-handle.lo libknet_la-handle_api.lo libknet_la-host.lo libknet_la-lib_config.lo libknet_la-links.lo libknet_la-links_acl.lo libknet_la-links_acl_ip.lo libknet_la-links_acl_loopback.lo libknet_la-logging.lo libknet_la-netutils.lo libknet_la-onwire.lo libknet_la-threads_common.lo libknet_la-threads_dsthandler.lo libknet_la-threads_heartbeat.lo libknet_la-threads_pmtud.lo libknet_la-threads_rx.lo libknet_la-threads_tx.lo libknet_la-transports.lo libknet_la-transport_common.lo libknet_la-transport_loopback.lo libknet_la-transport_udp.lo libknet_la-transport_sctp.lo  -ldl   -lm  


Oddly I Only get this with the RPM builds and not when the library is built in-tree, even though the in-tree builds actually DON'T have -fstack-clash-protection enabled.

This command-line is from the in-tree build:
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -O3 -ggdb3 -Werror -Wall -Wextra -Wno-unused-parameter -pthread -pthread -MT libknet_la-threads_tx.lo -MD -MP -MF .deps/libknet_la-threads_tx.Tpo -c threads_tx.c  -fPIC -DPIC -o .libs/libknet_la-threads_tx.o
 (lots of other similar files cut)
libtool: link: gcc -shared  -fPIC -DPIC  .libs/libknet_la-common.o .libs/libknet_la-compat.o .libs/libknet_la-compress.o .libs/libknet_la-crypto.o .libs/libknet_la-handle.o .libs/libknet_la-handle_api.o .libs/libknet_la-host.o .libs/libknet_la-links.o .libs/libknet_la-links_acl.o .libs/libknet_la-links_acl_ip.o .libs/libknet_la-links_acl_loopback.o .libs/libknet_la-logging.o .libs/libknet_la-netutils.o .libs/libknet_la-onwire.o .libs/libknet_la-onwire_v1.o .libs/libknet_la-threads_common.o .libs/libknet_la-threads_dsthandler.o .libs/libknet_la-threads_heartbeat.o .libs/libknet_la-threads_pmtud.o .libs/libknet_la-threads_rx.o .libs/libknet_la-threads_tx.o .libs/libknet_la-transports.o .libs/libknet_la-transport_common.o .libs/libknet_la-transport_loopback.o .libs/libknet_la-transport_udp.o .libs/libknet_la-transport_sctp.o   -ldl -lm  -O3 -ggdb3 -pthread -pthread -Wl,--enable-new-dtags -Wl,--as-needed -Wl,--version-script=./libknet_exported_syms -Wl,-rpath=/usr/lib64/kronosnet   -pthread -Wl,-soname -Wl,libknet.so.2 -o .libs/libknet.so.2.0.0

Comment 3 Phil Sutter 2021-05-17 12:36:41 UTC

Nick,

(In reply to Nick Clifton from comment #1)
>   I think that this is a build problem.  Possibly spec file related,
> although I have not checked.
> 
>   The -fstack-clash-protection flag is present when the object files are
> being built, but it is
>   absent when the link is performed.  For example in the output you quoted
> in the description:
> 
> libtool: link: gcc -shared  -fPIC -DPIC  .libs/libip4tc.o   -lpcap
> -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -O2 -flto=auto -g
> -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
> -mbranch-protection=standard -Wl,-z -Wl,relro -Wl,--as-needed -Wl,-z -Wl,now
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld   -Wl,-soname
> -Wl,libip4tc.so.2 -o .libs/libip4tc.so.2.0.0

This is output from libtool itself. The call to libtool from the build system
is the line above, starting with '/bin/sh ../libtool  --tag=CC   --mode=link'.
There you see -fstack-clash-protection is indeed passed to the call. So it
looks like libtool is stripping the flag.

>   Note how -fstack-clash-protection is absent from this command line.  This
> matters because
>   the link is being performed in LTO mode, so the object files will be
> recompiled, and this
>   time without stack clash protection enabled....

Sounds like this is the culprit.

>   So ... how is this libtool command line constructed ?

In iptables.spec, there's just '%make_build' macro. In iptables sources, there's libiptc/Makefile.am which contains:

| lib_LTLIBRARIES     = libip4tc.la libip6tc.la
| libip4tc_la_SOURCES = libip4tc.c
| libip4tc_la_LDFLAGS = -version-info 2:0:0
| libip6tc_la_SOURCES = libip6tc.c
| libip6tc_la_LDFLAGS = -version-info 2:0:0

This does not look terribly wrong to me and the quoted call to libtool
indicates the flag makes it through the build system.

Comment 4 Phil Sutter 2021-05-17 12:42:30 UTC

Christine,

(In reply to Christine Caulfield from comment #2)
> Hi, I'm seeing something similar with libknet (package kronosnet), but I can
> see -fstack-flash-protection on the link command-line as well as the compile
> commands.
> 
> Hardened: libknet.so.1.4.0: FAIL: cf-protection test because no protection
> enabled (function: knet_get_compress_list) 
> Hardened: libknet.so.1.4.0: FAIL: stack-clash test because
> -fstack-clash-protection not enabled (function: knet_get_compress_list) 
> Hardened: libknet.so.1.4.0: FAIL: cf-protection test because no protection
> enabled (function: knet_send_sync) 
> Hardened: libknet.so.1.4.0: FAIL: stack-clash test because
> -fstack-clash-protection not enabled (function: knet_send_sync) 
> Hardened: libknet.so.1.4.0: FAIL: cf-protection test because no protection
> enabled (function: knet_get_compress_list) 
> 
> This link command-line is from the RPM build:
> /bin/sh ../libtool  --tag=CC   --mode=link gcc -O3 -ggdb3 -Werror -Wall
> -Wextra -Wno-unused-parameter -pthread  -pthread
> -DPLUGINPATH="\"/usr/lib64/kronosnet\"" -O2 -flto=auto -ffat-lto-objects
> -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -Wl,--enable-new-dtags -Wl,--as-needed
> -Wl,--version-script=./libknet_exported_syms -version-info 5:0:4
> -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld  -o libknet.la -rpath
> /usr/lib64 libknet_la-common.lo libknet_la-compat.lo libknet_la-compress.lo
> libknet_la-crypto.lo libknet_la-handle.lo libknet_la-handle_api.lo
> libknet_la-host.lo libknet_la-lib_config.lo libknet_la-links.lo
> libknet_la-links_acl.lo libknet_la-links_acl_ip.lo
> libknet_la-links_acl_loopback.lo libknet_la-logging.lo
> libknet_la-netutils.lo libknet_la-onwire.lo libknet_la-threads_common.lo
> libknet_la-threads_dsthandler.lo libknet_la-threads_heartbeat.lo
> libknet_la-threads_pmtud.lo libknet_la-threads_rx.lo
> libknet_la-threads_tx.lo libknet_la-transports.lo
> libknet_la-transport_common.lo libknet_la-transport_loopback.lo
> libknet_la-transport_udp.lo libknet_la-transport_sctp.lo  -ldl   -lm  

What's the line following this one? It should be printed by libtool, starting
with "libtool: link:". Does it contain -fstack-clash-protection flag?

I'm not sure if appending your problem with libknet to this ticket is a good
idea, maybe filing a separate ticket would help prevent it from getting lost in
traffic.

Comment 5 Nick Clifton 2021-05-17 13:15:01 UTC

(In reply to Phil Sutter from comment #3)

> There you see -fstack-clash-protection is indeed passed to the call. So it
> looks like libtool is stripping the flag.
> 
> >   Note how -fstack-clash-protection is absent from this command line.  This
> > matters because
> >   the link is being performed in LTO mode, so the object files will be
> > recompiled, and this
> >   time without stack clash protection enabled....
> 
> Sounds like this is the culprit.

In which case I would like to reassign this BZ to libtool.  Is that OK with you ?

It appears as if annobin has actually picked up a real potential security problem if these executables really are being (re-)compiled without stack clash protection.

Comment 6 Nick Clifton 2021-05-17 13:17:30 UTC

(In reply to Christine Caulfield from comment #2)

> This link command-line is from the RPM build:
> /bin/sh ../libtool  --tag=CC   --mode=link gcc -O3 -ggdb3 -Werror -Wall
[...]
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection

If, as Phil has suggested, the -fstack-clash-protection option is also present on the following line, then please could you file a separate BZ ?  This would mean that the binaries were compiled correctly, but annocheck is wrong in saying that they were mis-built.

Comment 7 Christine Caulfield 2021-05-17 13:27:12 UTC

(In reply to Nick Clifton from comment #6)
> (In reply to Christine Caulfield from comment #2)
> 
> > This link command-line is from the RPM build:
> > /bin/sh ../libtool  --tag=CC   --mode=link gcc -O3 -ggdb3 -Werror -Wall
> [...]
> > -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> 
> If, as Phil has suggested, the -fstack-clash-protection option is also
> present on the following line, then please could you file a separate BZ ? 
> This would mean that the binaries were compiled correctly, but annocheck is
> wrong in saying that they were mis-built.

Thanks, I checked that and it looks like we are a victim of the same libtool bug as you, so I don't think I need to file a new BZ

Comment 8 Phil Sutter 2021-05-17 13:43:56 UTC

(In reply to Nick Clifton from comment #5)
> (In reply to Phil Sutter from comment #3)
> 
> > There you see -fstack-clash-protection is indeed passed to the call. So it
> > looks like libtool is stripping the flag.
> > 
> > >   Note how -fstack-clash-protection is absent from this command line.  This
> > > matters because
> > >   the link is being performed in LTO mode, so the object files will be
> > > recompiled, and this
> > >   time without stack clash protection enabled....
> > 
> > Sounds like this is the culprit.
> 
> In which case I would like to reassign this BZ to libtool.  Is that OK with
> you ?

Yes, perfectly fine.

> It appears as if annobin has actually picked up a real potential security
> problem if these executables really are being (re-)compiled without stack
> clash protection.

Sure, this actually proves annocheck value and correctness. :)

Comment 9 Nick Clifton 2021-05-21 10:22:27 UTC

Clearing needinfo as I think that the question has been answered.

Comment 10 Ondrej Dubaj 2021-07-20 09:16:26 UTC

Hi,

currently I am not able to reproduce the issue with rpminspect. I have used the latest build of iptables [1], ran rpminspect through it and received no error. Attaching log from rpminspect.

What comes in my mind, that previously gcc-11.0.1 was used, as currently gcc-11.1.1 is used, which can have effect on the problem.

Phil, Nick, can you please confirm the problem is not reproducible anymore ? If it is, can you please provide a reproducer ?

Thank you.

[1] https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38200694

Comment 11 Ondrej Dubaj 2021-07-20 09:17:17 UTC

Created attachment 1803571 [details]
latest-rpminspect.txt

Comment 12 Ondrej Dubaj 2021-07-20 09:29:59 UTC

I am also unable to reproduce the problem with the specific version, which failed previously (iptables-1.8.7-11.el9). There was also a new version of rpminspect released and probably also used (currently 1.6, previously 1.5). I am checking this with rpminspect maintainer. I will keep you updated.

Comment 13 Nick Clifton 2021-07-20 10:27:40 UTC

(In reply to Ondrej Dubaj from comment #10)

> Phil, Nick, can you please confirm the problem is not reproducible anymore ?
> If it is, can you please provide a reproducer ?

I cannot reproduce it. :-}

I think that the problem was fixed by the 9.78 update of annobin, (which was created to fix #1958954).

The issue was that when compiling in LTO mode the compiler is run twice.  Once when the object files are built and then again when the final link takes place.  I mistakenly thought that security options like -fstack-clash-protection had to be specified during the second compilation, and if they were not, then the annobin plugin would record them as missing.  It turns out however that these options only need to be specified during the first compilation, not the second.  So the 9.78 annobin update fixes the plugin to handle this situation.

Comment 14 Ondrej Dubaj 2021-07-20 11:26:05 UTC

Thank you for clarification! Closing this as NOTABUG.

Comment 15 Phil Sutter 2021-07-20 12:48:06 UTC

Yes, the problem is gone.

Comment 16 Jan Pazdziora (Red Hat) 2021-07-30 13:41:18 UTC

Hello, I see the problem on RHEL 9 compose on all architectures, filed as bug 1988402.

Note You need to log in before you can comment on or make changes to this bug.