Bug 2044917 - annocheck FAIL: pie test (gcc)
Summary: annocheck FAIL: pie test (gcc)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: gcc
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Marek Polacek
QA Contact: Václav Kadlčík
URL:
Whiteboard:
: 2044918 (view as bug list)
Depends On:
Blocks: 2044387
TreeView+ depends on / blocked
 
Reported: 2022-01-25 10:48 UTC by rlemosor
Modified: 2023-07-18 14:25 UTC (History)
4 users (show)

Fixed In Version: gcc-11.2.1-9.4.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:55:42 UTC
Type: ---
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-109556 0 None None None 2022-01-25 10:53:01 UTC
Red Hat Product Errata RHBA-2022:3966 0 None None None 2022-05-17 15:56:11 UTC

Description rlemosor 2022-01-25 10:48:20 UTC
Failed test: pie test

Test results:
\n Hardened: cpp: FAIL: pie test because not built with '-Wl'-pie' (gcc/clang) or '-buildmode pie' (go)  \n Hardened: cpp: FAIL: bind-now test because not linked with -Wl'-z'now  \n Hardened: cc1: FAIL: pie test because not built with '-Wl'-pie' (gcc/clang) or '-buildmode pie' (go)  \n Hardened: cc1: FAIL: bind-now test because not linked with -Wl'-z'now

Applicable RPMs:
cpp-11.2.1-7.4.el9.ppc64le.rpm; cpp-11.2.1-7.4.el9.s390x.rpm; cpp-11.2.1-7.4.el9.x86_64.rpm; gcc-11.2.1-7.4.el9.ppc64le.rpm; gcc-11.2.1-7.4.el9.s390x.rpm; gcc-11.2.1-7.4.el9.x86_64.rpm; gcc-c++-11.2.1-7.4.el9.ppc64le.rpm; gcc-c++-11.2.1-7.4.el9.s390x.rpm; gcc-c++-11.2.1-7.4.el9.x86_64.rpm; gcc-gfortran-11.2.1-7.4.el9.ppc64le.rpm; gcc-gfortran-11.2.1-7.4.el9.s390x.rpm; gcc-gfortran-11.2.1-7.4.el9.x86_64.rpm; gcc-offload-nvptx-11.2.1-7.4.el9.ppc64le.rpm; gcc-offload-nvptx-11.2.1-7.4.el9.x86_64.rpm; libgccjit-11.2.1-7.4.el9.i686.rpm; libgccjit-11.2.1-7.4.el9.ppc64le.rpm; libgccjit-11.2.1-7.4.el9.s390x.rpm; libgccjit-11.2.1-7.4.el9.x86_64.rpm; libstdc++-devel-11.2.1-7.4.el9.i686.rpm; libstdc++-devel-11.2.1-7.4.el9.ppc64le.rpm; libstdc++-devel-11.2.1-7.4.el9.s390x.rpm; libstdc++-devel-11.2.1-7.4.el9.x86_64.rpm; libtsan-11.2.1-7.4.el9.x86_64.rpm

Recommendation: Please fix the build system for the package or else add a skip of tests to the rpminspect.yaml file. For more details please see https://sourceware.org/annobin/annobin.html/Test-pie.html and https://sourceware.org/annobin/annobin.html/Waiving-Hardened-Results.html#Waiving-Hardened-Results.

Why this bug was filed: All packages in RHEL 9 built with gcc (g++, etc.) are required to use a common set of flags provided by the distribution. These flags turn on important security and performance features so it is critical that any package that lacks these flags be repaired. A scanning tool named annocheck, part of the annobin package, was used to scan RHEL 9 packages. This BZ was created because binary packages of this component with the mentioned NVRs were not built with the requisite flags for one or more RHEL 9 architectures.

How to reproduce the failure: You could try running annocheck locally against your builds: https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files.

Annocheck resources:
* annobin documentation: https://sourceware.org/annobin/annobin.html/index.html
* annocheck on the customer portal: https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/9/html/user_guide/chap-annobin

Contacts:
* Instant messaging: #tools on IRC
* Email: use tools for generic questions. Otherwise, use go-tools and llvm-clang-list for Go and Clang/LLVM specific questions.
* annobin-annocheck maintainer: Nick Clifton (nickc)

Comment 2 Marek Polacek 2022-01-25 17:16:59 UTC
*** Bug 2044918 has been marked as a duplicate of this bug. ***

Comment 5 Marek Polacek 2022-01-27 15:27:31 UTC
Ug.  It looks like this is the problem:

gcc/Makefile.in:
# We don't want to compile the compilers with -fPIE, it make PCH fail.
COMPILER += $(NO_PIE_CFLAGS)

# Link with -no-pie since we compile the compiler with -fno-PIE.
LINKER += $(NO_PIE_FLAG)

the PCH note is no longer true (on trunk, anyway).

I'll try --enable-default-pie.

Thanks for noticing.

Comment 6 Marek Polacek 2022-01-27 23:47:08 UTC
(In reply to Marek Polacek from comment #5)
> Ug.  It looks like this is the problem:
> 
> gcc/Makefile.in:
> # We don't want to compile the compilers with -fPIE, it make PCH fail.
> COMPILER += $(NO_PIE_CFLAGS)
> 
> # Link with -no-pie since we compile the compiler with -fno-PIE.
> LINKER += $(NO_PIE_FLAG)
> 
> the PCH note is no longer true (on trunk, anyway).
> 
> I'll try --enable-default-pie.

This is (of course) not an option here.

I've tried

sed -i 's/ @NO_PIE_FLAG@//' gcc/Makefile.in
sed -i 's/ @NO_PIE_CFLAGS@//' gcc/Makefile.in

but that still doesn't produce PIE binaries.  Not sure what to do here.

Comment 7 Marek Polacek 2022-01-31 14:40:27 UTC
Not going to be ready today.

Comment 24 errata-xmlrpc 2022-05-17 15:55:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: gcc), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3966


Note You need to log in before you can comment on or make changes to this bug.