On F-39:
=======================================================================
<mock-chroot> sh-5.2# rpm -q bash binutils
bash-5.2.15-5.fc39.ppc64le
binutils-2.40-13.fc39.ppc64le
<mock-chroot> sh-5.2# checksec --file=/bin/bash
WARNING: 'sysctl' not found! It's required for most checks.
WARNING: 'openssl' not found! It's required for most checks.
WARNING: 'ps' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!
RELRO       STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols      FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   No Symbols   Yes      13         29           /bin/bash
=======================================================================

On F-40:
=======================================================================
<mock-chroot> sh-5.2# rpm -q bash binutils
bash-5.2.15-5.fc39.ppc64le
binutils-2.41-5.fc40.ppc64le
<mock-chroot> sh-5.2# checksec --file=/bin/bash
WARNING: 'sysctl' not found! It's required for most checks.
WARNING: 'openssl' not found! It's required for most checks.
WARNING: 'ps' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!
RELRO       STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols      FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   No Symbols   No       0          0            /bin/bash
=======================================================================

Note that bash binary rpm is the same, but on F-40 checksec result does not catch Fortified information on ppc64le.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Looks like checksec uses readelf results, but the output format changed between these two binutils.
On F-39:
=======================================================================
<mock-chroot> sh-5.2# readelf -W --dyn-syms /bin/bash | head -n 10

Symbol table '.dynsym' contains 2585 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000030000     0 SECTION LOCAL  DEFAULT   12 .init
     2: 00000000001e0000     0 SECTION LOCAL  DEFAULT   25 .data
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND mbrtowc (2) [<localentry>: 8]
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy (2) [<localentry>: 8]
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND endservent (2) [<localentry>: 8]
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memmove (2) [<localentry>: 8]
=======================================================================

For F-40:
=======================================================================
<mock-chroot> sh-5.2# readelf -W --dyn-syms /bin/bash | head -n 10

Symbol table '.dynsym' contains 2585 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000030000     0 SECTION LOCAL  DEFAULT   12 .init
     2: 00000000001e0000     0 SECTION LOCAL  DEFAULT   25 .data
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND mbrtowc (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND memcpy (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND endservent (2)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND memmove (2)
=======================================================================

Looks like this is because of the following change:
https://src.fedoraproject.org/rpms/binutils/c/0b1c8753b9fbfe37a3a84fb06b2da6d1d44b451a
with "Patch07: binutils-readelf-other-sym-info.patch" removed.

The previous Patch07 comment says: "FIXME: The proper fix would be to update the scripts that are expecting a fixed output from readelf", so I guess this binutils change is intentional.
"binutils-readelf-other-sym-info.patch" (which existed in binutils-2.40-13.fc39) apparently changed the position of the output "[<localentry>: 8]" to the end of the readelf output line.

This binutils output format change seems to affect checksec, as checksec seems to expect that the function symbol is written in the 8th column of the line:
https://github.com/slimm609/checksec.sh/blob/2753ebb89fcdc96433ae8a4c4e5a49214a845be2/checksec#L836

... but now with binutils-2.41-5.fc40.ppc64le the function symbol appears in the 10th column.

!!! Note that this issue seems to appear only on ppc64le.

Reproducible: Always

Note that this affects the ruby Koschei failure on ppc64le:
https://koschei.fedoraproject.org/package/ruby?collection=f40

ruby.src checks if the rebuilt binary carries Fedora security related flags as expected using checksec:
https://src.fedoraproject.org/rpms/ruby/blob/64dc6dd3e46e84ea84a142663753fa4b4a7dc29f/f/ruby.spec#_858

This is now failing on ppc64le.
@dhorak Could you please take a look if you possibly can direct this to the right people?
Maybe we should change the component to `binutils`?
(In reply to Vít Ondruch from comment #3)
> Maybe we should change the component to `binutils`?

yes that's one option, or checksec needs to be adapted to the new output
Ok, let's move to binutils and see their opinion.
(In reply to Vít Ondruch from comment #5)
> Ok, let's move to binutils and see their opinion.

Yes - this is my fault. I did indeed remove the Patch07, the reason being that there are some more (upstream) changes coming to readelf's symbol description output and so I wanted to make sure that Fedora rawhide was in sync with the official sources.

I could restore Patch07, but I would much rather work with the maintainers of the checksec script so that it becomes more robust and can cope with other changes to readelf's output format.

What is checksec looking for? Perhaps it would be possible to use regular expressions to match the needed information, rather than relying upon a fixed output format?
(In reply to Nick Clifton from comment #6)
> What is checksec looking for? Perhaps it would be possible to use regular
> expressions to match the needed information, rather than relying upon a
> fixed output format?

Well, that is hardly a question for me. I am just a checksec user and I have not heard from the checksec maintainer so far. However, this seems to be an upstream issue anyway. I am happy to open a checksec upstream ticket on your behalf if it helps.
As I wrote in the original comment:

https://github.com/slimm609/checksec.sh/blob/2753ebb89fcdc96433ae8a4c4e5a49214a845be2/checksec#L834-L844

checksec does:

$ readelf -W --dyn-syms <the_binary_to_examine> 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d'

(${readelf} = "readelf -W")

and checks if <the_binary_to_examine> calls "XXX_chk" named functions (like sprintf_chk, memset_chk, etc)
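The column shift discussed in this thread, reproduced as an added example (not checksec's or binutils' own code, and not part of any comment here). The sample rows are constructed from the two readelf layouts quoted in the report, with `_chk` rows added for illustration; the function names `names_positional`, `names_tolerant` and `count_chk` are hypothetical, and the tolerant variant assumes the bracketed `[<localentry>: N]` note is the only annotation that moves.

```sh
#!/bin/sh
# Constructed .dynsym rows in the two readelf layouts quoted in this report.
# The *_chk rows are constructed for illustration.
old_layout() {  # binutils-2.40-13.fc39: annotation trails the symbol name
cat <<'EOF'
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND mbrtowc (2) [<localentry>: 8]
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk (3) [<localentry>: 8]
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk (3) [<localentry>: 8]
EOF
}
new_layout() {  # binutils-2.41-5.fc40: annotation sits before the Ndx column
cat <<'EOF'
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND mbrtowc (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND __memcpy_chk (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT [<localentry>: 8]   UND __sprintf_chk (3)
EOF
}

# The pipeline quoted from checksec: the symbol name is assumed to be field 8.
names_positional() {
  awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d'
}

# Hypothetical tolerant variant: strip bracketed annotations first, keep only
# numbered symbol rows, then apply the same cleanup as above.
names_tolerant() {
  sed -e 's/\[[^]]*]//g' |
    awk '$1 ~ /^[0-9]+:$/ { print $8 }' |
    sed -e 's/_*//' -e 's/@.*//' -e '/^$/d'
}

# Count fortified (*_chk) entries; grep -c exits 1 on zero matches, so mask it.
count_chk() { grep -c '_chk$' || true; }

echo "old layout, positional: $(old_layout | names_positional | count_chk) _chk symbols"
echo "new layout, positional: $(new_layout | names_positional | count_chk) _chk symbols"
echo "new layout, tolerant:   $(new_layout | names_tolerant | count_chk) _chk symbols"
```

With the new layout the positional pipeline emits `8]` for every row, so the fortified count silently drops to zero rather than failing, which matches the `No 0 0` result in the report.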
(In reply to Mamoru TASAKA from comment #8)
> As I wrote in the original comment:
>
> https://github.com/slimm609/checksec.sh/blob/2753ebb89fcdc96433ae8a4c4e5a49214a845be2/checksec#L834-L844
>
> checksec does:
>
> $ readelf -W --dyn-syms <the_binary_to_examine> 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d'

So how about replacing that command line with this one:

  nm --dynamic --just-symbols <the binary to examine>

That does away with the need to use awk and sed and should make the script future proof.

(Note - the --just-symbols option was introduced to the binutils with the 2.37 release, so the above command would not work with versions of Fedora prior to F36).
Sorry for the late response, if we can do with nm --dynamic --just-symbols and it can work with F37+ I think we can introduce the patch, instead of reverting binutils change? Avoiding awk is always better to me since it makes things more bulletproof.
Please try https://bodhi.fedoraproject.org/updates/FEDORA-2023-a133e3c7fc to see if it is working now
(In reply to Qiyu Yan from comment #11)
> Please try https://bodhi.fedoraproject.org/updates/FEDORA-2023-a133e3c7fc to
> see if it is working now

Hi Qiyu,
I think your modification below is not correct. There is no "nm" RPM package.
https://src.fedoraproject.org/rpms/checksec/c/7e260a6c3f4d6f17f02f9c40ff2308919670a50d?branch=rawhide

```
$ cat /etc/fedora-release
Fedora release 38 (Thirty Eight)
$ rpm -qf /usr/bin/nm
binutils-2.39-9.fc38.x86_64
```

For how to solve the issue, you can check the following email threads on devel@.
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/E3A43RFLZQFX74SY2ZUSJGGSCDO65TEK/
Okay, checksec-2.6.0-6.fc40 seems to be working, ruby koschei build is now okay:
https://koji.fedoraproject.org/koji/taskinfo?taskID=105953879

+ checksec --file=redhat-linux-build/libruby.so.3.2.2
+ grep 'Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.3.2.2'
grep: warning: stray \ before d
grep: warning: stray \ before d
WARNING: 'openssl' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!
Full RELRO   Canary found   NX enabled   DSO   No RPATH   No RUNPATH   33982 Symbols   Yes   7   24   redhat-linux-build/libruby.so.3.2.2

Thank you.
@Qiyu could you please send the patch upstream please? While I am glad this was fixed, I don't think it is right to carry around a downstream patch. Thx a lot.