+++ This bug was initially created as a clone of Bug #2144509 +++

Description of problem:
Attempting to test if iputils' binaries were properly built with stack protection via -fstack-protector-strong yields "skip: stack-prot test because no compiled code found".

Version-Release number of selected component (if applicable):
iputils-20210202-7.el9.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck iputils
2. dnf debuginfo-install -y iputils
3. rpm -ql iputils | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:
annocheck: Version 10.54.
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code found
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: clockdiff: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/38/5882c5e6e87b7a80657bcd365911503ddf5c76.debug', (no DWARF information).
Hardened: /usr/bin/clockdiff: skip: stack-prot test because no compiled code found
Hardened: /usr/bin/clockdiff: Overall: PASS.
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: ping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/ce/7da925332635272b8b80d4a6c9969a0f3f1a6c.debug', (no DWARF information).
Hardened: /usr/bin/ping: skip: stack-prot test because no compiled code found
Hardened: /usr/bin/ping: Overall: PASS.
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: tracepath: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/df/065e14e16543a328c3e4c4ec04a364adf3fa9e.debug', (no DWARF information).
Hardened: /usr/bin/tracepath: skip: stack-prot test because no compiled code found
Hardened: /usr/bin/tracepath: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: rdisc: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/82/ddd78cb7108bbecb438759e440afb887b688c1.debug', (no DWARF information).
Hardened: /usr/sbin/rdisc: skip: stack-prot test because no compiled code found
Hardened: /usr/sbin/rdisc: Overall: PASS.

Expected results:
No "skip: stack-prot test because no compiled code found" on binaries.
Additional info:
Adding Nick to Cc in case this turns out to be an issue in annocheck itself.

--- Additional comment from Nick Clifton on 2022-11-21 15:57:35 UTC ---

Hi Jan,

I think that this might be a build issue with iputils, but I am willing to be persuaded otherwise. Here are some things that I found:

> Hardened: arping: warn: Failed to parse separate debug file
> '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug',
> (no DWARF information).

This does indeed appear to be true. That is, the debug info files do not actually appear to contain DWARF debug information. I suspect that this is because there was no debug information in the binary before it was split into a stripped file and a separate debuginfo file.

> Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code
> found

This is happening because there are no annobin notes in the binary apart from one which came from an assembler source file. Hence annocheck is unable to prove that the binary was actually produced by a compiler. Annocheck does look to see if there is a .comment section in the binary, which can sometimes help determine which tool was used to create the program, but this is also missing. It also checks the DW_AT_producer tag in the DWARF debug info, but since that info is missing, annocheck is at a loss for any other way to determine how the program was made.

Checking the build.log for the x86_64 build of iputils-20210202-7.el9.x86_64 I found this for the production of the clockdiff executable:

[22/29] gcc -Iclockdiff.p -I. -I.. -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -Wpedantic -std=c99 -include config.h -include git-version.h '-DGETTEXT_PACKAGE="iputils"' -DUSE_IDN -fpie -MD -MQ clockdiff.p/clockdiff.c.o -MF clockdiff.p/clockdiff.c.o.d -o clockdiff.p/clockdiff.c.o -c ../clockdiff.c

So it looks like it is being compiled without any security options, without debugging and without the annobin plugin. Hence the weird results from annocheck. The same appears to be true for arping, ping and the other executables. :-(

Cheers
Nick
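The practical risk in the output above is that "Overall: PASS." is printed even though the stack-prot test was never actually run. The following parser is an added example (not part of the bug report, annocheck or iputils) that reads `annocheck --verbose` text output and flags binaries whose PASS rests on a "no compiled code found" skip; the sample lines are constructed after the report's output, and the FAIL entry for /usr/bin/example is a constructed illustration.

```python
"""Flag annocheck results where "Overall: PASS" hides a skipped test."""
import re
from collections import defaultdict

# Constructed sample modelled on the output quoted in the bug report.
# The /usr/bin/example FAIL lines are invented to exercise the third case.
SAMPLE_OUTPUT = """\
annocheck: Version 10.54.
Hardened: arping: warn: Failed to parse separate debug file '/usr/lib/debug/.build-id/e9/ab54d4fb989b0cc43f866ed4d49bc989de8464.debug', (no DWARF information).
Hardened: /usr/bin/arping: skip: stack-prot test because no compiled code found
Hardened: /usr/bin/arping: Overall: PASS.
Hardened: /usr/sbin/ifenslave: PASS: stack-prot test
Hardened: /usr/sbin/ifenslave: Overall: PASS.
Hardened: /usr/bin/example: FAIL: stack-prot test (constructed line)
Hardened: /usr/bin/example: Overall: FAIL.
"""

# "Hardened: <file>: <kind>: <message>"; warn lines key on the basename,
# while test results and the Overall verdict key on the full path.
LINE_RE = re.compile(
    r"^Hardened: (?P<file>.+?): (?P<kind>skip|PASS|FAIL|MAYB|warn|Overall): (?P<msg>.*)$"
)


def parse(output):
    """Group annocheck lines per file: {file: {"tests": [(kind, msg)], "overall": str|None}}."""
    results = defaultdict(lambda: {"tests": [], "overall": None})
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner such as "annocheck: Version 10.54."
        entry = results[m["file"]]
        if m["kind"] == "Overall":
            entry["overall"] = m["msg"].rstrip(".")
        else:
            entry["tests"].append((m["kind"], m["msg"]))
    return dict(results)


def hollow_passes(output):
    """Files judged Overall: PASS although a test was skipped for lack of compiled code."""
    hollow = {}
    for path, entry in parse(output).items():
        if entry["overall"] != "PASS":
            continue
        skipped = [msg for kind, msg in entry["tests"]
                   if kind == "skip" and "no compiled code found" in msg]
        if skipped:
            hollow[path] = skipped
    return hollow


if __name__ == "__main__":
    for path, reasons in hollow_passes(SAMPLE_OUTPUT).items():
        print(f"{path}: PASS is not backed by evidence: {'; '.join(reasons)}")
```

Feeding it the real output from step 3 of the report (e.g. `annocheck ... | python3 this_script.py` after swapping SAMPLE_OUTPUT for `sys.stdin.read()`) lists exactly the binaries that need rebuilding with the hardening flags and the annobin plugin.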
I have cloned the bug for Fedora since it has the same problem as CentOS-stream 9 currently.