Bug 2174301 - annocheck findings on tbb
Summary: annocheck findings on tbb
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: tbb
Version: 39
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jonathan Wakely
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-01 04:45 UTC by Václav Kadlčík
Modified: 2024-01-22 18:57 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Václav Kadlčík 2023-03-01 04:45:41 UTC
Description of problem:

Latest tbb build is stuck in gating:
  https://bodhi.fedoraproject.org/updates/FEDORA-2023-4acfa3bbcc

While the reason is the tier0 test, there are other failures worth
considering. One of them is
  fedora-ci.koji-build.rpminspect.static-analysis
More specifically, annocheck reports:
  Hardened: /usr/lib/libtbb.so.2: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: _ZN3tbb4task7destroyERS0_).                                                                                                                        
  Hardened: /usr/lib/libtbbmalloc.so.2: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: scalable_allocation_command).
  Hardened: /usr/lib/python3.11/site-packages/tbb/_api.cpython-311-i386-linux-gnu.so: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: PyInit__api).

Another way to reproduce the problem is downloading and checking the
build's RPMs:
  koji download-build --arch={x86_64,i686,noarch} tbb-2020.3-16.fc39
  annocheck --ignore-unknown --profile=rawhide *.rpm


Version-Release number of selected component (if applicable):

tbb-2020.3-16.fc39

Comment 1 Jonathan Wakely 2023-03-01 12:00:53 UTC
tbb.spec has:

# Insert --as-needed before the libraries to be linked.
sed -i "s/-fPIC/& -Wl,--as-needed/" build/linux.gcc.inc

This should probably be adding all the RPM_OPT_FLAGS not just this tweak.


It probably also makes sense to backport https://github.com/oneapi-src/oneTBB/pull/1017 and stop sed'ing the python files in the spec's %prep.

Comment 2 Václav Kadlčík 2023-03-02 06:10:32 UTC
Just adding some context. The predecessor to tbb-2020.3-16.fc39 in Rawhide
was tbb-2020.3-15.fc38.

I'm using annobin-annocheck-11.11-1.fc39.x86_64. While
  annocheck --ignore-unknown --profile=rawhide *.rpm
passes on the RPMs of tbb-2020.3-15.fc38, it fails on tbb-2020.3-16.fc39.

From the rpminspect's POV, it looks like a regression. If it's a genuine
false positive then we can try to find a way of making an exception
the rpminspect's configuration.

Comment 3 Jonathan Wakely 2023-03-02 10:32:48 UTC
Nothing changed in the sources or the build system between -15.fc38 and -16.fc39 so I'm unsure how it can have regressed.

scalable_allocation_command is defined in this translation unit:

g++ -c -MMD -O2 -g -DDO_ITT_NOTIFY -DUSE_PTHREAD -pthread -m64 -mrtm  -Wall -Wextra -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -DUSE_PTHREAD -DTBB_SUPPRESS_DEPRECATED_MESSAGES=1 -fno-rtti -fno-exceptions -fno-strict-aliasing -D__TBBMALLOC_BUILD=1 -Wno-parentheses -Wno-sized-deallocation -fPIC -Wl,--as-needed -flifetime-dse=1 -I../../src -I../../src/rml/include -I../../include -I../../src/tbbmalloc -I../../src/tbbmalloc -I. ../../src/tbbmalloc/frontend.cpp

tbb::task::destroy is defined in this translation unit:

g++ -o task_v2.o -c -MMD -O2 -g -DDO_ITT_NOTIFY -DUSE_PTHREAD -pthread -m64 -mrtm  -fPIC -Wl,--as-needed -flifetime-dse=1 -D__TBB_BUILD=1 -Wall -Wextra -Wno-parentheses -Wno-sized-deallocation -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -DUSE_PTHREAD -DTBB_SUPPRESS_DEPRECATED_MESSAGES=1 -std=c++14  -I../../src -I../../src/rml/include -I../../include ../../src/old/task_v2.cpp

They're both built with _FORTIFY_SOURCE=3

Comment 4 Jonathan Wakely 2023-03-02 10:33:06 UTC
That output is taken from https://kojipkgs.fedoraproject.org//packages/tbb/2020.3/16.fc39/data/logs/x86_64/build.log

Comment 6 Fedora Release Engineering 2023-08-16 07:10:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 7 Fedora Admin user for bugzilla script actions 2023-09-01 00:48:25 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 8 Jonathan Wakely 2024-01-22 18:45:34 UTC
Still failing annocheck with tbb-2021.11

https://artifacts.dev.testing-farm.io/edc5e569-6b2f-4c1a-a9df-e2fce728018f/

Comment 9 Carlos O'Donell 2024-01-22 18:57:43 UTC
(In reply to Jonathan Wakely from comment #8)
> Still failing annocheck with tbb-2021.11
> 
> https://artifacts.dev.testing-farm.io/edc5e569-6b2f-4c1a-a9df-e2fce728018f/

The cause is different now and this is still a real bug:

Hardened: /usr/lib/libtbb.so.12.11: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 

This means that the hardware control flow integrity flags don't make it all the way down the generated binary and so we're missing some security features.

We should look into why the DSO isn't built with the flags and resolve the sisue to improve Fedora's security.


Note You need to log in before you can comment on or make changes to this bug.