* [PATCH 0/3] Fix imagetests with harderning flags
@ 2017-06-09 3:41 Khem Raj
2017-06-09 3:41 ` [PATCH 1/3] testimage.bbclass: Correct the comment to state right dir for test cases Khem Raj
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Khem Raj @ 2017-06-09 3:41 UTC (permalink / raw)
To: openembedded-core
This patchset is fixing packages to build without textrels when
security flags are turned on. When testing the image built with musl
it clearly segfaults and results in failures in imagetest
Tested with MACHINE=qemux86 TCLIBC=musl bitbake -ctestimage core-image-sato
ore-image-sato-1.0-r0 do_testimage_auto: SUMMARY:
core-image-sato-1.0-r0 do_testimage_auto: core-image-sato () - Ran 13 tests in 19.907s
core-image-sato-1.0-r0 do_testimage_auto: core-image-sato - OK - All required tests passed
core-image-sato-1.0-r0 do_testimage_auto: RESULTS:
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - connman.ConnmanTest.test_connmand_help - Testcase 961: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - connman.ConnmanTest.test_connmand_running - Testcase 221: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - date.DateTest.test_date - Testcase 211: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - df.DfTest.test_df - Testcase 234: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTest.test_syslog_running - Testcase 201: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTestConfig.test_syslog_logger - Testcase 1149: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTestConfig.test_syslog_restart - Testcase 1150: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTestConfig.test_syslog_startup_config - Testcase 202: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - parselogs.ParseLogsTest.test_parselogs - Testcase 1059: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - ping.PingTest.test_ping - Testcase 964: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - scp.ScpTest.test_scp_file - Testcase 220: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - ssh.SSHTest.test_ssh - Testcase 224: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - xorg.XorgTest.test_xorg_running - Testcase 1151: PASSED
NOTE: Tasks Summary: Attempted 5732 tasks of which 5717 didn't need to be rerun and all succeeded.
The following changes since commit 186882ca62bf683b93cd7a250963921b89ba071f:
buildhistory: skip tests if GitPython module is missing (2017-06-07 16:00:43 +0100)
are available in the git repository at:
git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes
Khem Raj (3):
testimage.bbclass: Correct the comment to state right dir for test
cases
pulseaudio: disable PIE flags when hardened flags are enabled
rng-tools: Fix textrels on 32bit x86
meta/classes/testimage.bbclass | 2 +-
.../pulseaudio/pulseaudio_10.0.bb | 2 +
.../rng-tools-5-fix-textrels-on-PIC-x86.patch | 104 +++++++++++++++++++++
meta/recipes-support/rng-tools/rng-tools_5.bb | 1 +
4 files changed, 108 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch
--
2.13.1
^ permalink raw reply [flat|nested] 14+ messages in thread* [PATCH 1/3] testimage.bbclass: Correct the comment to state right dir for test cases 2017-06-09 3:41 [PATCH 0/3] Fix imagetests with harderning flags Khem Raj @ 2017-06-09 3:41 ` Khem Raj 2017-06-09 3:41 ` [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled Khem Raj 2017-06-09 3:41 ` [PATCH 3/3] rng-tools: Fix textrels on 32bit x86 Khem Raj 2 siblings, 0 replies; 14+ messages in thread From: Khem Raj @ 2017-06-09 3:41 UTC (permalink / raw) To: openembedded-core Signed-off-by: Khem Raj <raj.khem@gmail.com> --- meta/classes/testimage.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass index 1185593a1b..589ef5db93 100644 --- a/meta/classes/testimage.bbclass +++ b/meta/classes/testimage.bbclass @@ -13,7 +13,7 @@ # You can set (or append to) TEST_SUITES in local.conf to select the tests # which you want to run for your target. -# The test names are the module names in meta/lib/oeqa/runtime. +# The test names are the module names in meta/lib/oeqa/runtime/cases. # Each name in TEST_SUITES represents a required test for the image. (no skipping allowed) # Appending "auto" means that it will try to run all tests that are suitable for the image (each test decides that on it's own). # Note that order in TEST_SUITES is relevant: tests are run in an order such that -- 2.13.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 3:41 [PATCH 0/3] Fix imagetests with harderning flags Khem Raj 2017-06-09 3:41 ` [PATCH 1/3] testimage.bbclass: Correct the comment to state right dir for test cases Khem Raj @ 2017-06-09 3:41 ` Khem Raj 2017-06-09 12:55 ` Burton, Ross 2017-06-09 3:41 ` [PATCH 3/3] rng-tools: Fix textrels on 32bit x86 Khem Raj 2 siblings, 1 reply; 14+ messages in thread From: Khem Raj @ 2017-06-09 3:41 UTC (permalink / raw) To: openembedded-core Fixes WARNING: pulseaudio-10.0-r0 do_package_qa: QA Issue: ELF binary '/mnt/a/oe/build/tmp/work/i586-bec-linux-musl/pulseaudio/10.0-r0/packages-split/pulseaudio-server/usr/bin/pulseaudio' has relocations in .text [textrel] This also makes bitbake -c testimage core-image-sato (hardened) build to pass all tests Fixes AssertionError: 1 != 0 : Log: /mnt/a/oe/build/tmp/work/qemux86-bec-linux-musl/core-image-sato/1.0-r0/dmesg_output.log ----------------------- Central error: [ 20.726960] pulseaudio[729]: segfault at 80052b6c ip b771b4fc sp bfc97940 error 7 in libc.so[b76b6000+97000] Signed-off-by: Khem Raj <raj.khem@gmail.com> --- meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb index f3a85737fc..3ea35e592a 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb @@ -8,6 +8,8 @@ SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/${BP}.tar.xz \ SRC_URI[md5sum] = "4950d2799bf55ab91f6b7f990b7f0971" SRC_URI[sha256sum] = "a3186824de9f0d2095ded5d0d0db0405dc73133983c2fbb37291547e37462f57" +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" + do_compile_prepend() { mkdir -p ${S}/libltdl cp ${STAGING_LIBDIR}/libltdl* ${S}/libltdl -- 2.13.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 3:41 ` [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled Khem Raj @ 2017-06-09 12:55 ` Burton, Ross 2017-06-09 13:07 ` Khem Raj 0 siblings, 1 reply; 14+ messages in thread From: Burton, Ross @ 2017-06-09 12:55 UTC (permalink / raw) To: Khem Raj; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 187 bytes --] On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > These tend to go into security-flags.inc, not the recipe. Ross [-- Attachment #2: Type: text/html, Size: 602 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 12:55 ` Burton, Ross @ 2017-06-09 13:07 ` Khem Raj 2017-06-09 14:02 ` André Draszik 2017-06-09 16:38 ` Tanu Kaskinen 0 siblings, 2 replies; 14+ messages in thread From: Khem Raj @ 2017-06-09 13:07 UTC (permalink / raw) To: Burton, Ross; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 501 bytes --] On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote: > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > >> +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" >> > > These tend to go into security-flags.inc, not the recipe. > I know that's been the case but I think having a global file is error prone its better to have it in recipe context since it can get attention at upgrade time to test if this has been fixed in new release etc > > Ross > [-- Attachment #2: Type: text/html, Size: 1371 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 13:07 ` Khem Raj @ 2017-06-09 14:02 ` André Draszik 2017-06-09 14:07 ` Khem Raj 2017-06-09 16:38 ` Tanu Kaskinen 1 sibling, 1 reply; 14+ messages in thread From: André Draszik @ 2017-06-09 14:02 UTC (permalink / raw) To: openembedded-core On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote: > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > > > > > > > These tend to go into security-flags.inc, not the recipe. > > > > I know that's been the case but I think having a global file is error > prone > its better to have it in recipe context since it can get attention at > upgrade time to test if this has been fixed in new release etc Isn't one of the main root causes really that bitbake passes -fpie -pie even when the recipe is building a shared library? (Maybe not in this case here, though). Obviously, bitbake doesn't really know about shared libraries, and yes, each recipe's build system could filter out pie flags for shared library targets, but that's probably better done at libtool level: http://lists.openembedded.org/pipermail/openembedded-devel/2016-November/110048.html Cheers, Andre' ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 14:02 ` André Draszik @ 2017-06-09 14:07 ` Khem Raj 0 siblings, 0 replies; 14+ messages in thread From: Khem Raj @ 2017-06-09 14:07 UTC (permalink / raw) To: André Draszik; +Cc: Patches and discussions about the oe-core layer On Fri, Jun 9, 2017 at 7:02 AM, André Draszik <git@andred.net> wrote: > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: >> On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote: >> >> > >> > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: >> > >> > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" >> > > >> > >> > These tend to go into security-flags.inc, not the recipe. >> > >> >> I know that's been the case but I think having a global file is error >> prone >> its better to have it in recipe context since it can get attention at >> upgrade time to test if this has been fixed in new release etc > > Isn't one of the main root causes really that bitbake passes -fpie -pie even > when the recipe is building a shared library? thats a different case not relevant to this one as much. here we have textrel in pulseaudio PIE executable (Maybe not in this case here, > though). Obviously, bitbake doesn't really know about shared libraries, and > yes, each recipe's build system could filter out pie flags for shared > library targets, but that's probably better done at libtool level: > > http://lists.openembedded.org/pipermail/openembedded-devel/2016-November/110048.html > > > Cheers, > Andre' > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 13:07 ` Khem Raj 2017-06-09 14:02 ` André Draszik @ 2017-06-09 16:38 ` Tanu Kaskinen 2017-06-09 17:10 ` Khem Raj 1 sibling, 1 reply; 14+ messages in thread From: Tanu Kaskinen @ 2017-06-09 16:38 UTC (permalink / raw) To: Khem Raj, Burton, Ross; +Cc: OE-core On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote: > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > > > > > > > These tend to go into security-flags.inc, not the recipe. > > > > I know that's been the case but I think having a global file is error prone > its better to have it in recipe context since it can get attention at > upgrade time to test if this has been fixed in new release etc Do you mean that there's some bug in pulseaudio, and this is a workaround for it? Is the bug that there are textrels? Ross saw textrels in pulseaudio before (see the discussion starting at [1]), but I was unable to reproduce that. If you give instructions for reproducing the problem, I'll see if I can fix pulseaudio (until then I'm fine with having a workaround). [1] http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133215.html -- Tanu https://www.patreon.com/tanuk ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 16:38 ` Tanu Kaskinen @ 2017-06-09 17:10 ` Khem Raj 2019-04-22 12:33 ` Tanu Kaskinen 0 siblings, 1 reply; 14+ messages in thread From: Khem Raj @ 2017-06-09 17:10 UTC (permalink / raw) To: Tanu Kaskinen; +Cc: OE-core On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote: > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: >> On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote: >> >> > >> > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: >> > >> > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" >> > > >> > >> > These tend to go into security-flags.inc, not the recipe. >> > >> >> I know that's been the case but I think having a global file is error prone >> its better to have it in recipe context since it can get attention at >> upgrade time to test if this has been fixed in new release etc > > Do you mean that there's some bug in pulseaudio, and this is a > workaround for it? Is the bug that there are textrels? Ross saw > textrels in pulseaudio before (see the discussion starting at [1]), but > I was unable to reproduce that. If you give instructions for > reproducing the problem, I'll see if I can fix pulseaudio (until then > I'm fine with having a workaround). > yes there is a bug lurking when compiling with hardening flags are turned on so you can do something like in local.conf require conf/distro/include/security_flags.inc then MACHINE=qemux86 bitbake pulseaudio it also happens on arm so qemuarm will reproduce it too. some assembly code is probably missing using GOT relative accesses > [1] http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133215.html > > -- > Tanu > > https://www.patreon.com/tanuk ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2017-06-09 17:10 ` Khem Raj @ 2019-04-22 12:33 ` Tanu Kaskinen 2019-04-22 20:28 ` Khem Raj 0 siblings, 1 reply; 14+ messages in thread From: Tanu Kaskinen @ 2019-04-22 12:33 UTC (permalink / raw) To: Khem Raj; +Cc: OE-core On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote: > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote: > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote: > > > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > > > > > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > > > > > > > > > > > > > These tend to go into security-flags.inc, not the recipe. > > > > > > > > > > I know that's been the case but I think having a global file is error prone > > > its better to have it in recipe context since it can get attention at > > > upgrade time to test if this has been fixed in new release etc > > > > Do you mean that there's some bug in pulseaudio, and this is a > > workaround for it? Is the bug that there are textrels? Ross saw > > textrels in pulseaudio before (see the discussion starting at [1]), but > > I was unable to reproduce that. If you give instructions for > > reproducing the problem, I'll see if I can fix pulseaudio (until then > > I'm fine with having a workaround). > > > > yes there is a bug lurking when compiling with hardening flags are turned on > so you can do something like > > in local.conf > > require conf/distro/include/security_flags.inc > > then > > MACHINE=qemux86 bitbake pulseaudio > > it also happens on arm so qemuarm will reproduce it too. > > some assembly code is probably missing using GOT relative accesses Resurrecting this ancient thread... I finally tried to reproduce this problem with the given instructions. No success. Have you still been running into this issue? -- Tanu https://www.patreon.com/tanuk https://liberapay.com/tanuk ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2019-04-22 12:33 ` Tanu Kaskinen @ 2019-04-22 20:28 ` Khem Raj 2019-04-26 12:53 ` Tanu Kaskinen 0 siblings, 1 reply; 14+ messages in thread From: Khem Raj @ 2019-04-22 20:28 UTC (permalink / raw) To: Tanu Kaskinen; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 2207 bytes --] On Mon, Apr 22, 2019 at 6:33 AM Tanu Kaskinen <tanuk@iki.fi> wrote: > On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote: > > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote: > > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: > > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> > wrote: > > > > > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > > > > > > > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > > > > > > > > > > > > > > > > These tend to go into security-flags.inc, not the recipe. > > > > > > > > > > > > > I know that's been the case but I think having a global file is > error prone > > > > its better to have it in recipe context since it can get attention at > > > > upgrade time to test if this has been fixed in new release etc > > > > > > Do you mean that there's some bug in pulseaudio, and this is a > > > workaround for it? Is the bug that there are textrels? Ross saw > > > textrels in pulseaudio before (see the discussion starting at [1]), but > > > I was unable to reproduce that. If you give instructions for > > > reproducing the problem, I'll see if I can fix pulseaudio (until then > > > I'm fine with having a workaround). > > > > > > > yes there is a bug lurking when compiling with hardening flags are > turned on > > so you can do something like > > > > in local.conf > > > > require conf/distro/include/security_flags.inc > > > > then > > > > MACHINE=qemux86 bitbake pulseaudio > > > > it also happens on arm so qemuarm will reproduce it too. > > > > some assembly code is probably missing using GOT relative accesses > > Resurrecting this ancient thread... I finally tried to reproduce this > problem with the given instructions. No success. Have you still been > running into this issue? I don’t know for sure if this still exists but we did disable assembly in few packages which addresses this issue since in assembly PIC has to be respected In hand written code You might have to check if we did something similar for pulseaudio > > > -- > Tanu > > https://www.patreon.com/tanuk > https://liberapay.com/tanuk > > [-- Attachment #2: Type: text/html, Size: 3398 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2019-04-22 20:28 ` Khem Raj @ 2019-04-26 12:53 ` Tanu Kaskinen 2019-04-26 13:52 ` Richard Purdie 0 siblings, 1 reply; 14+ messages in thread From: Tanu Kaskinen @ 2019-04-26 12:53 UTC (permalink / raw) To: Khem Raj; +Cc: OE-core On Mon, 2019-04-22 at 14:28 -0600, Khem Raj wrote: > On Mon, Apr 22, 2019 at 6:33 AM Tanu Kaskinen <tanuk@iki.fi> wrote: > > > On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote: > > > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote: > > > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: > > > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> > > wrote: > > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote: > > > > > > > > > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > > > > > > > > > > > > > > > > > > > These tend to go into security-flags.inc, not the recipe. > > > > > > > > > > > > > > > > I know that's been the case but I think having a global file is > > error prone > > > > > its better to have it in recipe context since it can get attention at > > > > > upgrade time to test if this has been fixed in new release etc > > > > > > > > Do you mean that there's some bug in pulseaudio, and this is a > > > > workaround for it? Is the bug that there are textrels? Ross saw > > > > textrels in pulseaudio before (see the discussion starting at [1]), but > > > > I was unable to reproduce that. If you give instructions for > > > > reproducing the problem, I'll see if I can fix pulseaudio (until then > > > > I'm fine with having a workaround). > > > > > > > > > > yes there is a bug lurking when compiling with hardening flags are > > turned on > > > so you can do something like > > > > > > in local.conf > > > > > > require conf/distro/include/security_flags.inc > > > > > > then > > > > > > MACHINE=qemux86 bitbake pulseaudio > > > > > > it also happens on arm so qemuarm will reproduce it too. > > > > > > some assembly code is probably missing using GOT relative accesses > > > > Resurrecting this ancient thread... I finally tried to reproduce this > > problem with the given instructions. No success. Have you still been > > running into this issue? > > I don’t know for sure if this still exists but we did disable assembly in > few packages which addresses this issue since in assembly PIC has to be > respected > In hand written code > > You might have to check if we did something similar for pulseaudio There seem to be no such changes to the pulseaudio recipe. Some upstream fix seems unlikely as well. The only possibly relevant change that I could find was removing a buggy implementation of reading the cpuid register (the removed code was replaced with the __get_cpuid() macro that compilers provide in cpuid.h). Oh well, if the problem reappears, let me know. -- Tanu https://www.patreon.com/tanuk https://liberapay.com/tanuk ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled 2019-04-26 12:53 ` Tanu Kaskinen @ 2019-04-26 13:52 ` Richard Purdie 0 siblings, 0 replies; 14+ messages in thread From: Richard Purdie @ 2019-04-26 13:52 UTC (permalink / raw) To: Tanu Kaskinen, Khem Raj; +Cc: OE-core On Fri, 2019-04-26 at 15:53 +0300, Tanu Kaskinen wrote: > On Mon, 2019-04-22 at 14:28 -0600, Khem Raj wrote: > > On Mon, Apr 22, 2019 at 6:33 AM Tanu Kaskinen <tanuk@iki.fi> wrote: > > > > > On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote: > > > > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> > > > > wrote: > > > > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote: > > > > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross < > > > > > > ross.burton@intel.com> > > > wrote: > > > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> > > > > > > > wrote: > > > > > > > > > > > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}" > > > > > > > > > > > > > > > > > > > > > > These tend to go into security-flags.inc, not the recipe. > > > > > > > > > > > > > > > > > > > I know that's been the case but I think having a global > > > > > > file is > > > error prone > > > > > > its better to have it in recipe context since it can get > > > > > > attention at > > > > > > upgrade time to test if this has been fixed in new release > > > > > > etc > > > > > > > > > > Do you mean that there's some bug in pulseaudio, and this is > > > > > a > > > > > workaround for it? Is the bug that there are textrels? Ross > > > > > saw > > > > > textrels in pulseaudio before (see the discussion starting at > > > > > [1]), but > > > > > I was unable to reproduce that. If you give instructions for > > > > > reproducing the problem, I'll see if I can fix pulseaudio > > > > > (until then > > > > > I'm fine with having a workaround). > > > > > > > > > > > > > yes there is a bug lurking when compiling with hardening flags > > > > are > > > turned on > > > > so you can do something like > > > > > > > > in local.conf > > > > > > > > require conf/distro/include/security_flags.inc > > > > > > > > then > > > > > > > > MACHINE=qemux86 bitbake pulseaudio > > > > > > > > it also happens on arm so qemuarm will reproduce it too. > > > > > > > > some assembly code is probably missing using GOT relative > > > > accesses > > > > > > Resurrecting this ancient thread... I finally tried to reproduce > > > this > > > problem with the given instructions. No success. Have you still > > > been > > > running into this issue? > > > > I don’t know for sure if this still exists but we did disable > > assembly in > > few packages which addresses this issue since in assembly PIC has > > to be > > respected > > In hand written code > > > > You might have to check if we did something similar for pulseaudio > > There seem to be no such changes to the pulseaudio recipe. Some > upstream fix seems unlikely as well. The only possibly relevant > change > that I could find was removing a buggy implementation of reading the > cpuid register (the removed code was replaced with the __get_cpuid() > macro that compilers provide in cpuid.h). > > Oh well, if the problem reappears, let me know. Shortly after this, Khem submitted: http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=c91314ec160420a320007d552cec6c7da4d54833 and http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=6733a7873ca121295a2e309a6915b9816e1ae36b which I suspect made this other change unnecessary? Cheers, Richard ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 3/3] rng-tools: Fix textrels on 32bit x86 2017-06-09 3:41 [PATCH 0/3] Fix imagetests with harderning flags Khem Raj 2017-06-09 3:41 ` [PATCH 1/3] testimage.bbclass: Correct the comment to state right dir for test cases Khem Raj 2017-06-09 3:41 ` [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled Khem Raj @ 2017-06-09 3:41 ` Khem Raj 2 siblings, 0 replies; 14+ messages in thread From: Khem Raj @ 2017-06-09 3:41 UTC (permalink / raw) To: openembedded-core When testing core-image-sato with hardening flags, it fails with SIGSEGV in libc.so during relocation time This is due to relocations in .text [textrel] build QA points it out clearly during qemux86 build as well AssertionError: 2 != 0 : Log: /mnt/a/oe/build/tmp/work/qemux86-bec-linux-musl/core-image-sato/1.0-r0/dmesg_output.log ----------------------- Central error: [ 19.043597] rngd[525]: segfault at 80098bb7 ip b77b14fc sp bfe9b380 error 7 in libc.so[b774c000+97000] Signed-off-by: Khem Raj <raj.khem@gmail.com> --- .../rng-tools-5-fix-textrels-on-PIC-x86.patch | 104 +++++++++++++++++++++ meta/recipes-support/rng-tools/rng-tools_5.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch diff --git a/meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch b/meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch new file mode 100644 index 0000000000..90c9d8c515 --- /dev/null +++ b/meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch @@ -0,0 +1,104 @@ +From: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org> +Subject: [PATCH] Fix assemby textrels on rdrand_asm.S on PIC x86 + +This patch updates the fixes in the assembly in rdrand_asm.S in +sys-apps/rng-tools-5 so it won't generate textrels on PIC systems. +The main fixes are in the use of leal in SETPTR for such systems, the rest is +the usual PIC support stuff. + +This should fix Gentoo bug #469962 and help fix #518210 + +This patch is released under the GPLv2 or a higher version license as is the +original file as long as the author and the tester are credited. + +Gentoo-bug-url: https://bugs.gentoo.org/show_bug.cgi?id=469962 +Gentoo-bug-url: https://bugs.gentoo.org/show_bug.cgi?id=518210 +Upstream-status: Not sent yet +Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org> +Reported-by: cilly <cilly@cilly.mine.nu> +Reported-by: Manuel Rüger <mrueg@gentoo.org> +Tested-by: Anthony Basile <blueness@gentoo.org> + +Upstream-Status: Pending + +Index: rng-tools-5/rdrand_asm.S +=================================================================== +--- rng-tools-5.orig/rdrand_asm.S ++++ rng-tools-5/rdrand_asm.S +@@ -2,6 +2,7 @@ + * Copyright (c) 2011-2014, Intel Corporation + * Authors: Fenghua Yu <fenghua.yu@intel.com>, + * H. Peter Anvin <hpa@linux.intel.com> ++ * PIC code by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, +@@ -174,7 +175,19 @@ ENTRY(x86_rdseed_or_rdrand_bytes) + jmp 4b + ENDPROC(x86_rdseed_or_rdrand_bytes) + ++#if defined(__PIC__) ++#define INIT_PIC() \ ++ pushl %ebx ; \ ++ call __x86.get_pc_thunk.bx ; \ ++ addl $_GLOBAL_OFFSET_TABLE_, %ebx ++#define END_PIC() \ ++ popl %ebx ++#define SETPTR(var,ptr) leal (var)@GOTOFF(%ebx),ptr ++#else ++#define INIT_PIC() ++#define END_PIC() + #define SETPTR(var,ptr) movl $(var),ptr ++#endif + #define PTR0 %eax + #define PTR1 %edx + #define PTR2 %ecx +@@ -190,6 +203,7 @@ ENTRY(x86_aes_mangle) + movl 8(%ebp), %eax + movl 12(%ebp), %edx + push %esi ++ INIT_PIC() + #endif + movl $512, CTR3 /* Number of rounds */ + +@@ -280,6 +294,7 @@ offset = offset + 16 + movdqa %xmm7, (7*16)(PTR1) + + #ifdef __i386__ ++ END_PIC() + pop %esi + pop %ebp + #endif +@@ -294,6 +309,7 @@ ENTRY(x86_aes_expand_key) + push %ebp + mov %esp, %ebp + movl 8(%ebp), %eax ++ INIT_PIC() + #endif + + SETPTR(aes_round_keys, PTR1) +@@ -323,6 +339,7 @@ ENTRY(x86_aes_expand_key) + call 1f + + #ifdef __i386__ ++ END_PIC() + pop %ebp + #endif + ret +@@ -343,6 +360,16 @@ ENTRY(x86_aes_expand_key) + + ENDPROC(x86_aes_expand_key) + ++#if defined(__i386__) && defined(__PIC__) ++ .section .text.__x86.get_pc_thunk.bx,"axG",@progbits,__x86.get_pc_thunk.bx,comdat ++ .globl __x86.get_pc_thunk.bx ++ .hidden __x86.get_pc_thunk.bx ++ .type __x86.get_pc_thunk.bx, @function ++__x86.get_pc_thunk.bx: ++ movl (%esp), %ebx ++ ret ++#endif ++ + .bss + .balign 64 + aes_round_keys: diff --git a/meta/recipes-support/rng-tools/rng-tools_5.bb b/meta/recipes-support/rng-tools/rng-tools_5.bb index 9329e8ad31..e2acaba91a 100644 --- a/meta/recipes-support/rng-tools/rng-tools_5.bb +++ b/meta/recipes-support/rng-tools/rng-tools_5.bb @@ -7,6 +7,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gkernel/${BP}.tar.gz \ file://0002-Add-argument-to-control-the-libargp-dependency.patch \ file://underquote.patch \ file://uclibc-libuargp-configure.patch \ + file://rng-tools-5-fix-textrels-on-PIC-x86.patch \ file://init \ file://default" -- 2.13.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-04-26 13:52 UTC | newest] Thread overview: 14+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-06-09 3:41 [PATCH 0/3] Fix imagetests with harderning flags Khem Raj 2017-06-09 3:41 ` [PATCH 1/3] testimage.bbclass: Correct the comment to state right dir for test cases Khem Raj 2017-06-09 3:41 ` [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled Khem Raj 2017-06-09 12:55 ` Burton, Ross 2017-06-09 13:07 ` Khem Raj 2017-06-09 14:02 ` André Draszik 2017-06-09 14:07 ` Khem Raj 2017-06-09 16:38 ` Tanu Kaskinen 2017-06-09 17:10 ` Khem Raj 2019-04-22 12:33 ` Tanu Kaskinen 2019-04-22 20:28 ` Khem Raj 2019-04-26 12:53 ` Tanu Kaskinen 2019-04-26 13:52 ` Richard Purdie 2017-06-09 3:41 ` [PATCH 3/3] rng-tools: Fix textrels on 32bit x86 Khem Raj
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox