Bug 2250927 - FTBFS for i686 arch: after update binutils in build environment from 2.41-13.fc40 to 2.41-14.fc40 version
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: mesa
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: José Expósito
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: BetaBlocker, F40BetaBlocker BetaFreezeException, F40BetaFreezeException
Reported: 2023-11-21 20:52 UTC by Mikhail
Modified: 2023-11-23 13:40 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-23 13:40:08 UTC
Type: ---
Embargoed:


Attachments
mesa.spec (18.50 KB, text/x-matlab), 2023-11-21 20:53 UTC, Mikhail
build.log (458.68 KB, text/plain), 2023-11-21 20:54 UTC, Mikhail
fixed - mesa.spec (18.66 KB, text/x-matlab), 2023-11-22 23:38 UTC, Mikhail

Description Mikhail 2023-11-21 20:52:33 UTC
I build a mesa snapshot every day in a mock build environment.
But today, after updating binutils, I can't build mesa anymore for the i686 arch.
Yes, I can build mesa for the x86_64 arch, but the i686 arch is required for using wine and steam.

Reproducible: Always

Steps to Reproduce:
Build the mesa package for the i686 arch with the command:
$ mock -r fedora-rawhide-i386 --rebuild ~/rpmbuild/SRPMS/mesa-23.3.0-1.20231121.00.81387ed.fc40.src.rpm

Actual Results:  
FAILED: src/mapi/shared-glapi/libglapi.so.0.0.0 
g++  -o src/mapi/shared-glapi/libglapi.so.0.0.0 src/mapi/shared-glapi/libglapi.so.0.0.0.p/.._entry.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/.._u_current.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/glapi.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/stub.c.o src/mapi/shared-glapi/libglapi.so.0.0.0.p/table.c.o -Wl,--as-needed -Wl,--no-undefined -shared -fPIC -Wl,--start-group -Wl,-soname,libglapi.so.0 -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -O2 -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection src/util/libmesa_util.a src/util/libmesa_util_sse41.a src/util/blake3/libblake3.a src/c11/impl/libmesa_util_c11.a -Wl,--gc-sections -pthread /usr/lib/libselinux.so /usr/lib/libz.so -lm /usr/lib/libzstd.so /usr/lib/libunwind.so -Wl,--end-group
/usr/bin/ld: error: src/mapi/shared-glapi/libglapi.so.0.0.0 has a LOAD segment with RWX permissions
collect2: error: ld returned 1 exit status

Expected Results:  
Expected successful build

Comment 1 Mikhail 2023-11-21 20:53:39 UTC
Created attachment 2000747 [details]
mesa.spec

Comment 2 Mikhail 2023-11-21 20:54:21 UTC
Created attachment 2000748 [details]
build.log

Comment 3 Mikhail 2023-11-21 22:08:21 UTC
https://src.fedoraproject.org/rpms/binutils/c/00415f44d2e02114c009aa18e93a1b054f296397?branch=rawhide

To make sure, I reverted commit 00415f44d2e02114c009aa18e93a1b054f296397 and increased Release to 15.

$ git revert -n 00415f44d2e02114c009aa18e93a1b054f296397

And after building the "new" binutils I am again able to build mesa for the i686 arch.

Comment 4 Fedora Blocker Bugs Application 2023-11-21 22:28:24 UTC
Proposed as a Blocker and Freeze Exception for 40-beta by Fedora user mikhail using the blocker tracking app because:

 Because this bug broke the mesa build for the i386 arch. Without mesa for the i386 arch we can't use wine and steam.

Comment 5 Nick Clifton 2023-11-22 10:47:16 UTC
Hi Mikhail,

(In reply to Mikhail from comment #0)

> /usr/bin/ld: error: src/mapi/shared-glapi/libglapi.so.0.0.0 has a LOAD
> segment with RWX permissions

This is because of a security update to the linker.  By default the
linker will now refuse to create binaries with a loadable memory 
segment that has all three of the Read, Write and Execute permissions 
set.  Such segments are a prime target for malicious entities and 
should only be created if there is a real need.

It is possible to tell the linker not to complain about this rwx 
segment, but it would be much better to discover why it is there 
and remove the cause instead.  I am running my own build to 
investigate, but if you have any ideas as to what might be
causing this then I would love to hear them.

I am reassigning this BZ to mesa for now.  If it turns out that
there is a bug in the linker and that a rwx section is not being
created then I will restore the original assignment.

Cheers
  Nick

PS. For more information on the linker's change please see:

https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues

Comment 6 Nick Clifton 2023-11-22 11:16:32 UTC
Hi Mikhail,

TL;DR: Please add the "glx-read-only-text" option when building mesa for the i686.

Long Version:

The linker error is happening because one of the input object files has an executable, writable code section:

  $ readelf --sections --wide src/mapi/shared-glapi/libglapi.so.0.0.0.p/.._entry.c.o | grep wtext
  [ 8] wtext             PROGBITS        00000000 000120 00d0e0 00 WAX  0   0 16

Given the name of the section - "wtext" - there is an implication that this is intentional.
So I investigated further and found:

  $ cat mesa-23.3.0-rc2/src/mapi/entry_x86_tls.h
  [...]
  #ifndef GLX_X86_READONLY_TEXT
    __asm__(".section wtext, \"awx\", @progbits");
  #endif /* GLX_X86_READONLY_TEXT */
  [...]

Which suggests that the GLX_X86_READONLY_TEXT define is not being set.  Checking in the meson.build file shows:

  [...]
  with_glx_read_only_text = get_option('glx-read-only-text')
  [...]
  if host_machine.cpu_family() == 'x86'
    if system_has_kms_drm or host_machine.system() == 'gnu'
      with_asm_arch = 'x86'
      pre_args += ['-DUSE_X86_ASM']

      if with_glx_read_only_text
        pre_args += ['-DGLX_X86_READONLY_TEXT']
      endif
    endif
    [...]

So it seems that either a) the glx-read-only-text option needs to be enabled (best choice imho) or b) the -Wl,--no-error-rwx-segments option needs to be added to the linker command line (preferably along with a comment explaining why it is needed).

I hope that this helps.

Cheers
  Nick
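
As an added example that is not part of the original thread, nor code from binutils or mesa: a small Python check for the condition the linker reports above, a PT_LOAD program header with read, write and execute all set, which can be run on a built library after the build. The function names and the sample bytes are constructed for illustration.

```python
import struct

PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4
RWX = PF_R | PF_W | PF_X

def _layout(data):
    """Return (endian, is64) after validating the ELF identification bytes."""
    if len(data) < 6 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not an ELF file")
    return ("<" if data[5] == 1 else ">"), data[4] == 2

def rwx_load_segments(data):
    """Indexes of PT_LOAD program headers that are readable, writable and executable."""
    end, is64 = _layout(data)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    hits = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_LOAD and p_flags & RWX == RWX:
            hits.append(i)
    return hits

def sample_elf32(flag_list):
    """Constructed sample: a bare i386 ELF32 header plus one PT_LOAD per flags value."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1,
                       0, 52, 0, 0, 52, 32, len(flag_list), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", PT_LOAD, 0, 0, 0, 0, 0, flags, 0x1000)
                     for flags in flag_list)
    return ehdr + phdrs

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, rwx_load_segments(fh.read()) or "no RWX LOAD segment")
```

Run against a linked shared object it reports the same condition as `readelf --segments`; relocatable `.o` files carry no program headers, so the per-section `readelf --sections` check shown in the comment above is still what locates the source of the segment.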

Comment 7 Mikhail 2023-11-22 23:38:08 UTC
Created attachment 2000998 [details]
fixed - mesa.spec

> So it seems that either a) the glx-read-only-text option needs to be enabled (best choice imho) or b) the -Wl,--no-error-rwx-segments option needs to be added to the linker command line (preferably along with a comment explaining why it is needed).
>
> I hope that this helps.

Thanks a lot. Yes it helped.

Comment 8 José Expósito 2023-11-23 12:01:30 UTC
@nickc thanks a lot for your input on this issue. I tried both approaches ("-Dglx-read-only-text=true" and "-Wl,--no-error-rwx-segments") and both worked.

However, the documentation of "glx-read-only-text" reads: "Disable writable .text section on x86 (decreases performance)". I'm worried about performance regressions, so I decided to disable the linker error:
https://src.fedoraproject.org/rpms/mesa/c/e2acc882a102eef4f3242f4c05729a238d04bccb?branch=rawhide

This is out of my area of expertise, so I'd appreciate your input on the fix in case you consider that disabling this warning could create issues in the future.

Comment 9 Mikhail 2023-11-23 12:12:25 UTC
In what cases would graphics be slower, and by how much?
I've been using the mesa built with "glx-read-only-text" (for both arches, i686 and x86_64) for a day, and by eye the system even works faster.

Comment 10 Nick Clifton 2023-11-23 12:34:31 UTC
(In reply to José Expósito from comment #8)
Hi José 

> However, the documentation of "glx-read-only-text" reads: "Disable writable
> .text section on x86 (decreases performance)". I'm worried about
> performance regressions, so I decided to disable the linker error:
> https://src.fedoraproject.org/rpms/mesa/c/
> e2acc882a102eef4f3242f4c05729a238d04bccb?branch=rawhide
> 
> This is out of my area of expertise, so I'd appreciate your input on the
> fix in case you consider that disabling this warning could create issues in
> the future.

It definitely will create issues in the future.  There are two problems:

  1. If you leave the program with a writable text area then it becomes
     even more vulnerable to attack by malicious actors.  All they will
     need to do is to find a way to write their own code into the text
     section (eg by a buffer overrun attack) and then trick the program
     into executing their code.

  2. Since having a writable text area is a potential security risk, the
     mesa program may end up being banned from being included in releases
     to particular customers, eg governments, corporations, etc.  Which
     would probably be a bad thing.

I therefore strongly recommend that you go with the glx-read-only-text
solution unless the performance regression is so bad as to render the
program unusable.

I should also add that in my - admittedly brief - inspection of the code
it looks like enabling glx-read-only-text will only affect the i686
architecture.  Other architectures, including x86_64, should be unaffected.

Cheers
  Nick

Comment 11 José Expósito 2023-11-23 13:40:08 UTC
Thanks a lot Nick,

Following your advice I reverted my previous change and used "glx-read-only-text" instead:
https://src.fedoraproject.org/rpms/mesa/c/61968b4cba1a7db32508870804d0e08a1d96f746?branch=rawhide

Closing the issue as it is fixed on Rawhide now.

