RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1988402 - annocheck reports that libltdl.so.7.3.1 deliberately disables stack protection
Summary: annocheck reports that libltdl.so.7.3.1 deliberately disables stack protection
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libtool
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: ---
Assignee: Filip Januš
QA Contact: Jakub Heger
URL:
Whiteboard:
Depends On:
Blocks: 2044387
TreeView+ depends on / blocked
 
Reported: 2021-07-30 13:34 UTC by Jan Pazdziora (Red Hat)
Modified: 2022-01-25 11:06 UTC (History)
10 users (show)

Fixed In Version: libtool-2.4.6-44.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-07 21:33:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
log-annocheck.txt (14.97 KB, text/plain)
2021-08-23 07:30 UTC, Ondrej Dubaj 		no flags Details
View All

Description Jan Pazdziora (Red Hat) 2021-07-30 13:34:53 UTC 
Description of problem:

Running annocheck --test-stack-prot on /usr/lib64/libltdl.so.* fails.

Version-Release number of selected component (if applicable):

libtool-ltdl-2.4.6-41.el9.x86_64
annobin-annocheck-9.79-1.el9.x86_64

How reproducible:

Deterministic

Steps to Reproduce:
1. rpm -qal 'libtool*' | while read f ; do if test -f "$f" -a ! -L "$f" ; then echo $f ; fi ; done | xargs -L 200 annocheck --verbose --verbose --ignore-gaps --skip-all --test-pic --test-pie --test-stack-prot | grep FAIL:

Actual results:

Hardened: /usr/lib64/libltdl.so.7.3.1: FAIL: stack-prot test because stack protection deliberately disabled (function: lt_strlcat) (source: annobin notes)
Hardened: /usr/lib64/libltdl.so.7.3.1: FAIL: stack-prot test because stack protection deliberately disabled (function: dlopen_LTX_get_vtable) (source: annobin notes)

Expected results:

No FAILs.

Additional info:
Comment 3 Florian Weimer 2021-07-30 15:21:39 UTC 
I still see this with the updated current toolchain in testing:

Hardened: ./usr/lib64/libltdl.so.7.3.1: FAIL: stack-prot test because stack protection deliberately disabled (function: lt_strlcat) 
Hardened: ./usr/lib64/libltdl.so.7.3.1: FAIL: stack-prot test because stack protection deliberately disabled (function: dlopen_LTX_get_vtable) 

I'm investigating, but downloads from Stream Koji are *slow*.
Comment 4 Florian Weimer 2021-07-30 15:47:46 UTC 
First of all, I strongly recommend to call “make -O V=1”. Whith that, we see this:

/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.  -DLT_CONFIG_H='<config.h>' -DLTDL -I. -I. -Ilibltdl -I./libltdl -Ilibltdl/libltdl -I./libltdl/libltdl   -O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS  -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC -c -o libltdl/lt__strl.lo libltdl/lt__strl.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. "-DLT_CONFIG_H=<config.h>" -DLTDL -I. -I. -Ilibltdl -I./libltdl -Ilibltdl/libltdl -I./libltdl/libltdl -O2 -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC -c libltdl/lt__strl.c  -fPIC -DPIC -o libltdl/.libs/lt__strl.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I. "-DLT_CONFIG_H=<config.h>" -DLTDL -I. -I. -Ilibltdl -I./libltdl -Ilibltdl/libltdl -I./libltdl/libltdl -O2 -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC -c libltdl/lt__strl.c -o libltdl/lt__strl.o >/dev/null 2>&1

So -fstack-protector-strong has gone missing.

This is related to:

# See the rhbz#1289759 and rhbz#1214506.  We disable hardening namely because
# that bakes the CFLAGS/LDFLAGS into installed /bin/libtool and ltmain.sh files.
# At the same time we want to have libltdl.so hardened.  Downstream-only patch.
%undefine _hardened_build
Patch3: libtool-2.4.6-hardening.patch

That patch enables:

make %{?_smp_mflags} -O V=1 \
    CUSTOM_LTDL_CFLAGS="%_hardening_cflags" \
    CUSTOM_LTDL_LDFLAGS="%_hardening_ldflags"

But these build flags are no longer the complete story. They are not part of the documented interface: https://src.fedoraproject.org/rpms/redhat-rpm-config//blob/rawhide/f/buildflags.md

I'm testing a patch.
Comment 5 Florian Weimer 2021-07-30 16:46:41 UTC 
My efforts have not been successful. The issue is that lt__strl etc. are built from LTLIBOBJ, so libltdl_libltdl_la_CPPFLAGS does not apply to them.

I tried

libltdl_libltdl_la_CPPFLAGS += $(CUSTOM_LTDL_CFLAGS)
libltdl_libltdl_la_LDFLAGS  += $(CUSTOM_LTDL_LDFLAGS)
$(LTLIBOBJS): CPPFLAGS += $(CUSTOM_LTDL_CFLAGS)

with a rule-local variable change, but that did not work for some reason.

But /usr/bin/libtool contains this today:

LTCFLAGS="-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS  -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC"

This is what bug 1289759 and bug 1214506 tried to prevent, and no one has complained, so it does not look like a problem anymore. Maybe it is time to drop %undefine _hardened_build and libtool-2.4.6-hardening.patch.

In any case, this is exclusively a libtool bug (that actually demonstrates the value of annobin checking), although it looks a lot like the annobin bugs we dealt with recently.
Comment 6 Ondrej Dubaj 2021-08-20 12:56:01 UTC 
After adding -fstack-protector-strong to CFLAGS the test passed. Florian, can you describe the reasons, why the hardening patch should be removed ? If we remove it, another test fails:

Hardened: /usr/lib64/libltdl.so.7.3.1: FAIL: bind-now test because not linked with -Wl,-z,now

Although, with adding -Wl,-z,now to CFLAGS, the test passes. I do not say removing the patch is bad, but is there any reason for it?

Thank you.
Comment 7 Florian Weimer 2021-08-20 14:00:47 UTC 
I think the main goal of the hardening patch was to avoid hard-coding downstream-specific build flags in the installed /usr/bin/libtool. But I think this hasn't worked as expected for a long time because there are many downstream-specific flags there.
Comment 8 Pavel Raiskup 2021-08-23 06:26:18 UTC 

> I think the main goal of the hardening patch was to avoid hard-coding downstream-specific build flags in the installed /usr/bin/libtool.

Not really, that's why `%_configure_libtool_hardening_hack` is set to 0.  The patch
was added to harden the libltdl.so file.
Comment 9 Ondrej Dubaj 2021-08-23 06:34:09 UTC 
Pavel, Florian, thanks for your thoughts. I prefer adding fstack-protector-strong to CFLAGS and not touching other patches, as it can lead to multiple problems with other packages during build phase. Althought, it seems libltdl.so stays hardened also with adding -Wl,-z,now to CFLAGS, we do not particulary know, if some other flags are not missing.
Comment 10 Ondrej Dubaj 2021-08-23 06:51:14 UTC 
MR:

https://gitlab.com/redhat/centos-stream/rpms/libtool/-/merge_requests/2
Comment 11 Ondrej Dubaj 2021-08-23 07:29:23 UTC 
Annocheck tests have passed. No regression spotted, moving this forward. Adding annocheck test output.
Comment 12 Ondrej Dubaj 2021-08-23 07:30:01 UTC 
Created attachment 1816710 [details]
log-annocheck.txt
Comment 13 Jan Pazdziora (Red Hat) 2021-08-23 08:36:49 UTC 
It seems we are handling the flags one-by-one depending on what we notice is missing.

Wouldn't it be possible to run make first with the non-standard flags (to avoid them leaking to the tool) and then do another make run specifically for the libltdl.so so that it gets everything that rpm macros define?
Note You need to log in before you can comment on or make changes to this bug.