In glibc we need to work around annobin annotations in libc_nonshared.a. We do this workaround like this:

# libc_nonshared.a cannot be built with the default hardening flags
# because the glibc build system is incompatible with
# -D_FORTIFY_SOURCE. The object files need to be marked as to be
# skipped in annobin annotations. (The -specs= variant of activating
# annobin does not work here because of flag ordering issues.)
# See <https://bugzilla.redhat.com/show_bug.cgi?id=1668822>.
BuildFlagsNonshared="-fplugin=annobin -fplugin-arg-annobin-disable -Wa,--generate-missing-build-notes=yes"

In glibc-2.34-29.el9 the build of atexit generates a correct note:

annobin-10.58-1.el9.x86_64 1647268214 1077646 3a6efa6eea1bd1fab072741a5bcbae69 installed
gcc-plugin-annobin-11.2.1-9.4.el9.x86_64 1644551076 53682 5f9e7264a7b89b0dd199b7497d560d8e installed

In glibc-2.34-32.el9 the build of atexit generates a missing note:

annobin-10.58-1.el9.x86_64 1647268214 1077646 3a6efa6eea1bd1fab072741a5bcbae69 installed
gcc-plugin-annobin-11.3.1-2.el9.x86_64 1650922467 53690 9ee9f9ea07b4002cdafcd4f8635ffa3c installed

The -32 build results in the following CI/CD failure:

Hardened: ./atexit_strp: FAIL: fortify test because -D_FORTIFY_SOURCE=2 was not present on the command line (function: atexit)
Hardened: ./atexit_strp: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fortify.html
Hardened: ./atexit_strp: PASS: glibcxx-assertions test
Hardened: ./atexit_strp: PASS: pic test
Hardened: ./atexit_strp: FAIL: fortify test because -D_FORTIFY_SOURCE=2 was not present on the command line (function: atexit)
Hardened: ./atexit_strp: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fortify.html

Did something change between gcc-plugin-annobin-11.2.1-9.4.el9.x86_64 and gcc-plugin-annobin-11.3.1-2.el9.x86_64?
The test case is fairly straightforward:

cat >> atexit.c <<EOF
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
int main()
{
  /* Print the address of the functions, to force a non-inline copy of
     these functions from libc_nonshared.a into the link.  */
  printf ("%p\n", atexit);
  return 0;
}
EOF
gcc -v -O2 -g -Wl,-z,now -pie -fpie -Wa,--generate-missing-build-notes=yes -fcf-protection atexit.c -o atexit &> gcc-atexit.txt
strip -g -o atexit_strp atexit
annocheck -v atexit_strp | grep FAIL

This worked with glibc-2.34-29.el9 build and fails now with -32, and we didn't change anything specifically in the area of libc_nonshared.a and atexit handling.

The -29 libc_nonshared.a (glibc-devel) is fairly empty, while the -32 libc_nonshared.a has a lot of annobin notes present.
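
For triaging CI output like the failure quoted above, a small shell helper that collapses repeated annocheck FAIL lines into unique binary/test/function triples and returns a non-zero status when any are found. This is an added example, not part of the original report or of annobin; the names `annocheck_failures` and `sample_output` are hypothetical, and the sample lines are copied from this report.

```shell
#!/bin/sh
# Added example: summarise annocheck "Hardened:" output for CI triage.
# Typical use (annocheck invocation as in the reproducer above):
#   annocheck -v atexit_strp | annocheck_failures

# Reads annocheck output on stdin. Prints one "binary<TAB>test<TAB>function"
# line per distinct FAIL. Returns 1 if any FAIL was seen, 0 otherwise.
annocheck_failures() {
    awk '
        # Shape: Hardened: <binary>: FAIL: <test> test because ... (function: <name>)
        /^Hardened: .*: FAIL: / {
            line = $0
            sub(/^Hardened: /, "", line)
            bin = line; sub(/: FAIL: .*/, "", bin)
            tst = line; sub(/^.*: FAIL: /, "", tst); sub(/ test .*/, "", tst)
            fn = "-"    # placeholder when annocheck names no function
            if (match(line, /\(function: [^)]*\)/))
                fn = substr(line, RSTART + 11, RLENGTH - 12)
            key = bin "\t" tst "\t" fn
            # annocheck can report the same failure more than once; keep one.
            if (!(key in seen)) { seen[key] = 1; print key; n++ }
        }
        END { exit (n > 0 ? 1 : 0) }
    '
}

# Sample input: the CI lines quoted in this report.
sample_output() {
    cat <<'EOF'
Hardened: ./atexit_strp: FAIL: fortify test because -D_FORTIFY_SOURCE=2 was not present on the command line (function: atexit)
Hardened: ./atexit_strp: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fortify.html
Hardened: ./atexit_strp: PASS: glibcxx-assertions test
Hardened: ./atexit_strp: PASS: pic test
Hardened: ./atexit_strp: FAIL: fortify test because -D_FORTIFY_SOURCE=2 was not present on the command line (function: atexit)
Hardened: ./atexit_strp: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fortify.html
EOF
}
```
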
Fixed in annobin-10.68-1.el9
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (annobin bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7957