Bug 2144509 - annocheck reports that no compiled code found in /usr/bin and /usr/sbin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: iputils
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Macku
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Depends On:
Blocks: 2147538 2147539 2148430
Reported: 2022-11-21 14:12 UTC by Jan Pazdziora (Red Hat)
Modified: 2023-05-09 10:32 UTC (History)

Fixed In Version: iputils-20210202-8.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2147538 2147539 2148430 (view as bug list)
Environment:
Last Closed: 2023-05-09 08:21:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Gitlab | redhat/centos-stream/rpms iputils merge_requests 4 | 0 | None | merged | Build iputils and ifenslave with correct flags | 2022-11-25 12:02:07 UTC
Red Hat Issue Tracker | RHELPLAN-140030 | 0 | None | None | None | 2022-11-21 14:30:41 UTC
Red Hat Product Errata | RHBA-2023:2526 | 0 | None | None | None | 2023-05-09 08:21:43 UTC

Description Jan Pazdziora (Red Hat) 2022-11-21 14:12:14 UTC
Description of problem:

Attempting to test if iputils' binaries were properly built with stack protection via -fstack-protector-strong yields skip: stack-prot test because no compiled code found.

Version-Release number of selected component (if applicable):

iputils-20210202-7.el9.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck iputils
2. dnf debuginfo-install -y iputils
3. rpm -ql iputils | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:

annocheck: Version 10.54.
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: /usr/bin/clockdiff: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/clockdiff: Overall: PASS.
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: /usr/bin/ping: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/ping: Overall: PASS.
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: /usr/bin/tracepath: skip: stack-prot test because no compiled code found 
Hardened: /usr/bin/tracepath: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test 
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: /usr/sbin/rdisc: skip: stack-prot test because no compiled code found 
Hardened: /usr/sbin/rdisc: Overall: PASS.

Expected results:

No "skip: stack-prot test because no compiled code found" on binaries.

Additional info:

Adding Nick to Cc in case this turns out to be an issue in annocheck itself.

Comment 3 Nick Clifton 2022-11-21 15:57:35 UTC
Hi Jan,

  I think that this might be a build issue with iputils, but I am willing to be
  persuaded otherwise.  Here are some things that I found:
 
> Hardened: arping: warn: Failed to parse separate debug file
> '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug',
> (no DWARF information).

  This does indeed appear to be true.  That is the debug info files
  do not actually appear to contain DWARF debug information.  I suspect
  that this is because there was no debug information in the binary before
  it was split into a stripped file and a separate debuginfo file.


> Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code
> found 

  This is happening because there are no annobin notes in the binary apart 
  from one which came from an assembler source file.  Hence annocheck is
  unable to prove that the binary was actually produced by a compiler.

  Annocheck does look to see if there is a .comment section in the binary,
  which can sometimes help determine which tool was used to create the
  program, but this is also missing.  It also checks the DW_AT_producer
  tag in the DWARF debug info, but since that info is missing, annocheck
  is at a loss for any other way to determine how the program was made.

 
Checking the build.log for the x86_64 build of iputils-20210202-7.el9.x86_64
I found this for the production of the clockdiff executable:

  [22/29] gcc -Iclockdiff.p -I. -I.. -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -Wpedantic -std=c99 -include config.h -include git-version.h '-DGETTEXT_PACKAGE="iputils"' -DUSE_IDN -fpie -MD -MQ clockdiff.p/clockdiff.c.o -MF clockdiff.p/clockdiff.c.o.d -o clockdiff.p/clockdiff.c.o -c ../clockdiff.c

So it looks like it is being compiled without any security options, without
debugging and without the annobin plugin.  Hence the weird results from 
annocheck.

The same appears to be true for arping, ping and the other executables. :-(

Cheers
  Nick
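
The build.log inspection described in Comment 3 (looking for compile commands that lack security options, debug info and the annobin plugin) can be scripted. This is an added example, not part of the bug report or of annocheck; the function names, the list of required flags and the second and third sample log lines are assumptions constructed for illustration, while the first sample line is the clockdiff command quoted in the comment.

```shell
#!/bin/sh
# Added example: flag compile commands in a build.log that lack hardening flags.
# The required-flag list is an assumption for illustration, not a Red Hat policy file.

# audit_build_log: reads a build log on stdin and prints one line per compile
# command with something missing: "<source>: missing <flag> [<flag> ...]"
audit_build_log() {
    awk '{
        cc = 0; compile = 0; stack = 0; debug = 0; annobin = 0; src = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(.*\/)?(gcc|cc|clang)$/)          cc = 1       # compiler driver
            if ($i == "-c")                               compile = 1  # compile step, not link
            if ($i ~ /^-fstack-protector-(strong|all)$/)  stack = 1
            if ($i ~ /^-g([1-3]|gdb[1-3]?)?$/)            debug = 1    # -g0 does not count
            if ($i ~ /^-(fplugin|specs)=.*annobin/)       annobin = 1  # plugin or specs file
            if ($i !~ /^-/ && $i ~ /\.(c|cc|cpp)$/)       src = $i     # source file operand
        }
        if (!cc || !compile) next          # skip link steps and unrelated log lines
        miss = ""
        if (!stack)   miss = miss " -fstack-protector-strong"
        if (!debug)   miss = miss " -g"
        if (!annobin) miss = miss " annobin-plugin"
        if (miss != "") print src ": missing" miss
    }'
}

# sample_log: line 1 is the clockdiff command from the build.log quoted above;
# lines 2 and 3 are constructed (a hardened compile and a link step).
sample_log() {
    cat <<'EOF'
[22/29] gcc -Iclockdiff.p -I. -I.. -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -Wpedantic -std=c99 -include config.h -include git-version.h '-DGETTEXT_PACKAGE="iputils"' -DUSE_IDN -fpie -MD -MQ clockdiff.p/clockdiff.c.o -MF clockdiff.p/clockdiff.c.o.d -o clockdiff.p/clockdiff.c.o -c ../clockdiff.c
[23/29] gcc -Iping.p -I. -I.. -O2 -g -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fpie -o ping.p/ping.c.o -c ../ping/ping.c
[29/29] gcc -o clockdiff clockdiff.p/clockdiff.c.o -Wl,--as-needed -pie
EOF
}

# Demo: only the unhardened clockdiff compile is reported.
sample_log | audit_build_log
```

An empty result means every compile command carried all three kinds of flag; running this over build.log before shipping catches the case annocheck can only report as "no compiled code found".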

Comment 8 Jan Pazdziora (Red Hat) 2022-11-22 18:47:25 UTC
Checking with

readelf -Ws /usr/bin/arping | grep '__stack_chk_fail'
or
readelf -Ws /usr/bin/tracepath | grep '__stack_chk_fail'

does not find anything, meaning the function to be called when the stack protection detects a corrupted stack is not referenced. So it seems to suggest -fstack-protector-strong was indeed not used.

Comment 14 Jan Macku 2022-11-25 12:46:30 UTC
The new build (iputils-20210202-8.el9) should fix the current issue.

[root@ci-vm-10-0-138-43 ~]# rpm -ql iputils | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot
annocheck: Version 10.73.
Hardened: /usr/bin/arping: PASS: stack-prot test 
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: /usr/bin/clockdiff: PASS: stack-prot test 
Hardened: /usr/bin/clockdiff: Overall: PASS.
Hardened: /usr/bin/ping: PASS: stack-prot test 
Hardened: /usr/bin/ping: Overall: PASS.
Hardened: /usr/bin/tracepath: PASS: stack-prot test 
Hardened: /usr/bin/tracepath: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test 
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: /usr/sbin/rdisc: PASS: stack-prot test 
Hardened: /usr/sbin/rdisc: Overall: PASS.

[root@ci-vm-10-0-138-43 ~]# rpm -qa iputils
iputils-20210202-8.el9.x86_64

Comment 19 errata-xmlrpc 2023-05-09 08:21:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iputils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2526

