I build a mesa snapshot every day in a mock build environment. But today, after updating binutils, I can't build mesa anymore for the i686 arch.
Yes, I can build mesa for the x86_64 arch, but the i686 arch is required for using wine and steam.

Reproducible: Always

Steps to Reproduce:
Build the mesa package for the i686 arch with the command:
$ mock -r fedora-rawhide-i386 --rebuild ~/rpmbuild/SRPMS/mesa-23.3.0-1.20231121.00.81387ed.fc40.src.rpm

Actual Results:
FAILED: src/mapi/shared-glapi/libglapi.so.0.0.0
g++ -o src/mapi/shared-glapi/libglapi.so.0.0.0 src/mapi/shared-glapi/libglapi.so.0.0.0.p/.._entry.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/.._u_current.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/glapi.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/stub.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/table.c.o -Wl,--as-needed -Wl,--no-undefined -shared -fPIC -Wl,--start-group -Wl,-soname,libglapi.so.0 -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -O2 -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection src/util/libmesa_util.a src/util/libmesa_util_sse41.a src/util/blake3/libblake3.a src/c11/impl/libmesa_util_c11.a -Wl,--gc-sections -pthread /usr/lib/libselinux.so /usr/lib/libz.so -lm /usr/lib/libzstd.so /usr/lib/libunwind.so -Wl,--end-group
/usr/bin/ld: error: src/mapi/shared-glapi/libglapi.so.0.0.0 has a LOAD segment with RWX permissions
collect2: error: ld returned 1 exit status

Expected Results:
Expected successful build
Created attachment 2000747 [details] mesa.spec
Created attachment 2000748 [details] build.log
https://src.fedoraproject.org/rpms/binutils/c/00415f44d2e02114c009aa18e93a1b054f296397?branch=rawhide

To make sure, I reverted commit 00415f44d2e02114c009aa18e93a1b054f296397 and increased Release to 15.
$ git revert -n 00415f44d2e02114c009aa18e93a1b054f296397

And after building the "new" binutils I am again able to build mesa for the i686 arch.
Proposed as a Blocker and Freeze Exception for 40-beta by Fedora user mikhail using the blocker tracking app because:

This bug broke the mesa build for the i386 arch. Without mesa for the i386 arch we can't use wine and steam.
Hi Mikhail,

(In reply to Mikhail from comment #0)
> /usr/bin/ld: error: src/mapi/shared-glapi/libglapi.so.0.0.0 has a LOAD
> segment with RWX permissions

This is because of a security update to the linker. By default the linker will now refuse to create binaries with a loadable memory segment that has all three of the Read, Write and Execute permissions set. Such segments are a prime target for malicious entities and should only be created if there is a real need.

It is possible to tell the linker not to complain about this rwx segment, but it would be much better to discover why it is there and remove the cause instead.

I am running my own build to investigate, but if you have any ideas as to what might be causing this then I would love to hear them.

I am reassigning this BZ to mesa for now. If it turns out that there is a bug in the linker and that a rwx section is not being created then I will restore the original assignment.

Cheers
Nick

PS. For more information on the linker's change please see: https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues
Hi Mikhail,

TL;DR: Please add the "glx-read-only-text" option when building mesa for the i686.

Long Version:

The linker error is happening because one of the input object files has an executable, writable code section:

  $ readelf --sections --wide src/mapi/shared-glapi/libglapi.so.0.0.0.p/.._entry.c.o | grep wtext
  [ 8] wtext PROGBITS 00000000 000120 00d0e0 00 WAX 0 0 16

Given the name of the section - "wtext" - there is an implication that this is intentional. So I investigated further and found:

  $ cat mesa-23.3.0-rc2/src/mapi/entry_x86_tls.h
  [...]
  #ifndef GLX_X86_READONLY_TEXT
  __asm__(".section wtext, \"awx\", @progbits");
  #endif /* GLX_X86_READONLY_TEXT */
  [...]

Which suggests that the GLX_X86_READONLY_TEXT define is not being set. Checking in the meson.build file shows:

  [...]
  with_glx_read_only_text = get_option('glx-read-only-text')
  [...]
  if host_machine.cpu_family() == 'x86'
    if system_has_kms_drm or host_machine.system() == 'gnu'
      with_asm_arch = 'x86'
      pre_args += ['-DUSE_X86_ASM']
      if with_glx_read_only_text
        pre_args += ['-DGLX_X86_READONLY_TEXT']
      endif
    endif
  [...]

So it seems that either a) the glx-read-only-text option needs to be enabled (best choice imho) or b) the -Wl,--no-error-rwx-segments option needs to be added to the linker command line (preferably along with a comment explaining why it is needed).

I hope that this helps.

Cheers
Nick
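An added example, not part of the original thread and not code from binutils or mesa: a small Python audit that applies the same test as the linker error quoted above, flagging any PT_LOAD segment whose flags include read, write and execute together. The function names are illustrative and the sample image is constructed in memory.

```python
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X

def load_segments(elf: bytes):
    """Return (vaddr, memsz, flags) for each PT_LOAD program header."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a recognisable ELF image")
    is64 = elf[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    # e_phoff, e_phentsize and e_phnum sit at class-dependent header offsets.
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    segments = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr keeps p_flags right after p_type
            p_type, flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(end + "IIQQQQQQ", elf, off)
        else:      # Elf32_Phdr keeps p_flags second to last
            p_type, _, vaddr, _, _, memsz, flags, _ = struct.unpack_from(end + "8I", elf, off)
        if p_type == PT_LOAD:
            segments.append((vaddr, memsz, flags))
    return segments

def rwx_segments(elf: bytes):
    """LOAD segments that are readable, writable and executable at once."""
    return [s for s in load_segments(elf) if (s[2] & RWX) == RWX]

def sample_elf32(flag_list):
    """Constructed input: ELF32 little-endian header plus one PT_LOAD per flags value."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, len(flag_list), 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<8I", PT_LOAD, 0, 0x1000 * (i + 1), 0, 0, 0x1000, flags, 0x1000)
        for i, flags in enumerate(flag_list))
    return ehdr + phdrs

if __name__ == "__main__":
    image = sample_elf32([PF_R | PF_X, RWX, PF_R | PF_W])
    for vaddr, memsz, flags in rwx_segments(image):
        print(f"RWX LOAD segment at {vaddr:#x}, size {memsz:#x}, flags {flags:#x}")
```

To audit a binary that was already built, pass the file's bytes (read in binary mode) to `rwx_segments`; an empty list means no LOAD segment carries all three permissions.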
Created attachment 2000998 [details]
fixed - mesa.spec

> So it seems that either a) the glx-read-only-text option needs to be enabled (best choice imho) or b) the -Wl,--no-error-rwx-segments option needs to be added to the linker command line (preferably along with a comment explaining why it is needed).
>
> I hope that this helps.

Thanks a lot. Yes it helped.
@nickc thanks a lot for your input on this issue.

I tried both approaches ("-Dglx-read-only-text=true" and "-Wl,--no-error-rwx-segments") and both worked.

However, the documentation of "glx-read-only-text" reads: "Disable writable .text section on x86 (decreases performance)". I'm worried about performance regressions, so I decided to disable the linker error:
https://src.fedoraproject.org/rpms/mesa/c/e2acc882a102eef4f3242f4c05729a238d04bccb?branch=rawhide

This is out of my area of expertise, so I'd appreciate your input on the fix in case you consider that disabling this warning could create issues in the future.
In what cases would graphics be slower, and by how much?
I've been using mesa built with "glx-read-only-text" (for both arches, i686 and x86_64) for a day, and by eye the system even works faster.
(In reply to José Expósito from comment #8)

Hi José

> However, the documentation of "glx-read-only-text" reads: "Disable writable
> .text section on x86 (decreases performance)". I'm worried about
> performance regressions, so I decided to disable the linker error:
> https://src.fedoraproject.org/rpms/mesa/c/e2acc882a102eef4f3242f4c05729a238d04bccb?branch=rawhide
>
> This is out of my area of expertise, so I'd appreciate your input on the
> fix in case you consider that disabling this warning could create issues in
> the future.

It definitely will create issues in the future. There are two problems:

1. If you leave the program with a writable text area then it becomes even more vulnerable to attack by malicious actors. All they will need to do is to find a way to write their own code into the text section (eg by a buffer overrun attack) and then trick the program into executing their code.

2. Since having a writable text area is a potential security risk, the mesa program may end up being banned from being included in releases to particular customers, eg governments, corporations, etc. Which would probably be a bad thing.

I therefore strongly recommend that you go with the glx-read-only-text solution unless the performance regression is so bad as to render the program unusable.

I should also add that in my - admittedly brief - inspection of the code it looks like enabling glx-read-only-text will only affect the i686 architecture. Other architectures, including x86_64, should be unaffected.

Cheers
Nick
Thanks a lot Nick,

Following your advice I reverted my previous change and used "glx-read-only-text" instead:
https://src.fedoraproject.org/rpms/mesa/c/61968b4cba1a7db32508870804d0e08a1d96f746?branch=rawhide

Closing the issue as it is fixed on Rawhide now.