* Release engineering: Mass rebuild required

== Contingency Plan == * Contingency mechanism: (What to do? Who will do it?) If too many packages are found to be broken at runtime, the default for fortification will be left at `_FORTIFY_SOURCE=2` for Fedora 38. Change owner will do this in `redhat-rpm-config` * Contingency deadline: Beta freeze

On Mon, Dec 5, 2022 at 7:58 PM Ben Cotton <bcotton(a)redhat.com&gt; wrote: > > https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribu... > It is my vague recollection (I could easily be wrong, so correct me as appropriate) that _FORTIFY_SOURCE=3 adds some runtime overhead that did not apply in previous levels. If that is correct, has the potential performance impact been evaluated and documented somewhere? And, if correct, the change proposal should probably be modified to mention the potential performance impacts.

On Mon, Dec 5, 2022 at 10:53 PM Neal Gompa <ngompa13(a)gmail.com&gt; wrote: > It has a similar impact that turning back on frame pointers would. > > Cf. https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-... > That article explicitly states: "We need a proper study of performance and code size to understand the magnitude of the impact" I look forward to seeing the results of that proper study before this is even considered for approval (since, after all, one of the strong push-backs for -fno-omit-frame-pointer was performance).

On Tue, Dec 06, 2022 at 03:12:19AM +0000, Gary Buhrmaster wrote: Note that is not a fully equivalent scenario. The no-omit-frame-pointer proposal was only offering a functional debugging benefit to a fairly small number of users who are also developers, while adding a likely performance hit to all users. There needs to be a high bar to justify the performance hit when the benefit offered is narrow.

On Tue, Dec 06, 2022 at 05:52:16PM -0000, Andrii Nakryiko wrote: >> On Tue, Dec 06, 2022 at 03:12:19AM +0000, Gary Buhrmaster wrote: >> >> Note that is not a fully equivalent scenario. The no-omit-frame-pointer >> proposal was only offering a functional debugging benefit to a fairly >> small number of users who are also developers, while adding a likely >> performance hit to all users. There needs to be a high bar to justify >> the performance hit when the benefit offered is narrow. > > First, frame pointers are not just for debugging benefit. It's not even it's main benefit from POV of https://pagure.io/fesco/issue/2817. Frame pointers are for performance profiling and observability first and foremost, and that's most useful under real-world conditions of production workloads. Not some custom re-built debug versions of applications. > > Second, it might benefit a relatively small (but not tiny, it's at least thousands of people doing performance profiling) fraction of users, but those users (developers that care about performance) are the ones bringing benefits to very wide user base. Yes! I spent a frustrating time getting perf to record stack traces properly until I recompiled the program with frame pointers. (I know about --call-graph=dwarf but it doesn't seem to work most of the time.)

On Mon, Dec 5, 2022 at 3:17 PM Gary Buhrmaster <gary.buhrmaster(a)gmail.com&gt; wrote: > > On Mon, Dec 5, 2022 at 7:58 PM Ben Cotton <bcotton(a)redhat.com&gt; wrote: > > > > https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribu... > > > > It is my vague recollection (I could easily be wrong, so > correct me as appropriate) that _FORTIFY_SOURCE=3 > adds some runtime overhead that did not apply in > previous levels. > > If that is correct, has the potential performance impact > been evaluated and documented somewhere? And, if > correct, the change proposal should probably be modified > to mention the potential performance impacts. It has a similar impact that turning back on frame pointers would. Cf. https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-... I'm extremely displeased now, as the toolchain team basically told us they wouldn't accept register pressure on x86_64 and then turned around and made a proposal that does the same thing. Apparently quality of life improvements for developers and real-time tracing (e.g. making bpftrace useful) isn't worth it, but this is. I want a really good justification for not doing both at the same time if we're going to accept this.

"may improve" is proven to be "does improve significantly". We had

Now, about prologues/epilogues. What percentage of useful workload is spent in those? Tiny fraction of a percent at best? Even if we don't get accurate stack trace in such cases it doesn't matter in the grand scheme of things.

As for hand-written assembly functions. I looked at strcmp, memcpy and similar very frequent and hot functions in glibc.

> On Tue, Dec 06, 2022 at 08:13:51AM -0500, Neal Gompa wrote: > > That is nonsense. Even with -fno-omit-frame-pointers, you can't rely > on frame pointers, they are not accurate in function prologues and epilogues > and they are total garbage e.g. in a lot of functions written in assembly. First of all, https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.... is first and foremost about enabling low-overhead **profiling** of applications (periodic in background or on-demand requested by users explicitly), not debugging use cases. For debugging use cases GDB might be perfectly adequate to rely only on DWARF information. But -fno-omit-frame-pointers is to enable profiling **production workloads** as they happen, because very often reproducibility of results is impossible without understanding the issue in the first place, which is what frame pointers are needed for. Even more often you don't even realize that application is doing something suboptimal unless you profile it continuously, as it handles *real workload*. Now, about prologues/epilogues. What percentage of useful workload is spent in those? Tiny fraction of a percent at best? Even if we don't get accurate stack trace in such cases it doesn't matter in the grand scheme of things. As for hand-written assembly functions. I looked at strcmp, memcpy and similar very frequent and hot functions in glibc. Yes, they don't save %rbp and don't maintain frame pointers. But they also don't use %rbp register at all, which means **they don't clobber it**. So if we take stack trace while such function is executing, we'll still get non-broken stack trace all the way up to the root parent function, we just won't have leaf-level function in stack traces. That's much better and more useful than completely broken stack and allows to reason very well about application performance. Also, almost all fpu-related routines under sysdeps/x86_64/fpu/multiarch/svml*.S that are using %rbp, are also properly maintaining frame pointers: There is a very good reason why Meta enabled -fno-omit-frame-pointers across all its internal software 5 years ago and never looked back. We rely on frame pointers being available across millions of machines to drive performance improvements and investigations saving millions of dollars of real non-hypothetical savings. Google, Netflix, Apple, etc -- all enable frame pointers due to sheer usefulness of them in practice, either for performance profiling and/or better real-time introspection of their workloads. So much for the "nonsense". I realize that not everyone have experience with tracing production workloads and generally working in profiling area, but I expect people to keep an open mind and not use double standards when thinking about implications of system-wide changes like this one or frame pointers one. > The only reliable way to get backtraces is DWARF info or something derived > from it, that is for code emitted by the compilers (with the default > -fasynchronous-unwind-tables) accurate for all instructions and for > hand written assembly one has at least a way to describe that through > .cfi_* directives. > > As has been written multiple times, for profiling there doesn't need to be > full DWARF unwinder in the kernel, it is enough that there is something > that can handle the wast majority of cases and punt (copy to userland full > stack) in case of anything unexpected as long as it is rare. > Say on x86-64 and various other targets, the stack pointer, CFA (how to get > caller's stack pointer), frame pointer if any or return address is very > rarely stored anywhere but on the stack, so it should be enough to consider > CFA, sp, bp, ip during unwinding and ignore everything else and from the > harder DW_CFA_* ops (those that need DWARF expression evaluation) > perhaps only pattern recognize the most common ones (say PLT slot, signal > frame). You clearly have never tried to do this in practice. You'd know about the price of discovering and pre-computing such look up tables, both in terms of memory usage, CPU usage, complexity and reliability. And then you'd also realize the problem of tracing short-lived processes that started after profiling started and were discovered upfront. As for the approach with capturing stack and sending it for post-processing. Beyond just the overhead of capturing and sending so much data for post-processing, you'd also stop and wonder what is the right size of stack to capture to handle deep stacks/recursion or functions with large stack size usage. DWARF is not a panacea. For production workloads it doesn't even come close as an satisfactory solution, if employed in isolation. > Frame pointers will never result in anything reliable though, it results > purely in severe performance degradation and false feeling they can be > relied on. THIS is nonsense, both on degradation and reliability points. Performance engineers and just typical applications owners laugh at your statement detached from the reality. > Jakub _______________________________________________ devel mailing list -- devel(a)lists.fedoraproject.org To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe... List Guidelines: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap... List Archives: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f... Do not reply to spam, report it: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure....

Red Hat's desktop performance engineer ....

Even if extra bounds checking makes code 10% slower, which seems very unlikely, the benefit of the extra hardening would still be worth it. _FORTIFY_SOURCE=3 is going to make it harder to hack Fedora users, converting code execution vulnerabilities into denial of service vulnerabilities.

Anyway, the effort that went into that change proposal has established new expectations for any change that will impact system performance: the new flags should be benchmarked in an environment where all Fedora packages have been rebuilt with the new flags, so we can critique the change based on benchmarks that are not representative of real-world usage and reject it if they show a 2% performance hit, regardless of value to Fedora. If you don't like the idea of rebuilding all packages with the new flags, then maybe it was a mistake to require developers to do just that if they want to profile applications successfully.

Andrii, copilot to pilot, you are responding to Jakub Jelinek's points, not

Neal's. Jakub is a compiler/toolchain engineer with considerable

experience, so when he talks about compiler technology involved in tracing execution flow, I am inclined to believe him.

I understand that your experience lies in running (and tracing/profiling) production applications, but please consider that your viewpoint may be biased by your experience with existing frame pointer-based instrumentation. This means that you just know from experience when your results are solid and when you have to be careful because of e.g. a particular application's large number of small prolog/epilog-dominated functions or complex and intensive flow of memory allocations. Jakub is saying that DWARF is a superior technology that provide the frame pointer information more reliably, so the real issue is that frame pointer based infrastructure is already here and DWARF handling requires more development. I haven't heard anyone question the solidity of the DWARF approach outlined by Jakub and other people involved with the toolchain, so I think it is reasonable to expect that it will get implemented.

Are you actually against using the DWARF approach for technical reasons, or is your argument based on the practical consideration of what's available right now?

Very Respectfully p.k.

Overall even if there is a miniscule performance overhead, I reckon the reward is much higher.

My full comment in that blog post is: "We need a proper study of performance and code size to understand the magnitude of the impact created by _FORTIFY_SOURCE=3 additional runtime code generation. However the performance and code size overhead may well be worth it due to the magnitude of improvement in security coverage."

I have added a performance note[1] in the proposal.

On Tue, Dec 6, 2022 at 10:06 AM Gary Buhrmaster <gary.buhrmaster(a)gmail.com&gt; wrote: My full comment in that blog post is: "We need a proper study of performance and code size to understand the magnitude of the impact created by _FORTIFY_SOURCE=3 additional runtime code generation. However the performance and code size overhead may well be worth it due to the magnitude of improvement in security coverage." To elaborate, I think the performance and code size study is an interesting academic concern, but the magnitude of improvement justifies whatever little performance impact this may introduce and it should not be a blocker for the improvement.

Sure, I could add that as a comment in the proposal.

On Tue, Dec 6, 2022 at 12:56 PM Andrii Nakryiko <andrii.nakryiko(a)gmail.com&gt; wrote: I don't think the two are comparable at all, neither in terms of potential performance impact (register pressure across an entire program vs at specific API call points in some unique cases) nor in terms of the benefits it provides.

On Wed, Dec 7, 2022 at 3:15 PM Andrii Nakryiko <andrii.nakryiko(a)gmail.com&gt; wrote: > > > On Tue, Dec 6, 2022 at 12:56 PM Andrii Nakryiko > > <andrii.nakryiko(a)gmail.com&gt; wrote: > > > > I don't think the two are comparable at all, neither in terms of > > potential performance impact (register pressure across an entire > > program vs at specific API call points in some unique cases) nor in > > terms of the benefits it provides. > > It's irrelevant if they are comparable. This is a system-wide change that has potential to cause performance regression. By how much -- not clear. Hand-waiving such concerns is extremely disappointing in the face of the scrutiny given to https://pagure.io/fesco/issue/2817. So, please get inspiration from that proposal and do benchmarks. You're basically making a political statement, so I'll just leave that bit for FESCO to deal with.

On 12/5/22 20:58, Ben Cotton wrote: The core change to bring in this mitigation is to change the default build flags in `redhat-rpm-config` so that packages build by default with `-Wp,-D_FORTIFY_SOURCE=3`. There are packages (e.g. `systemd`) that do not interact well with `_FORTIFY_SOURCE` and will also need a workaround to downgrade fortification to level 2. The change will also include this override. How come systemd gets an exception? If it is a security option, it should be enabled everywhere.

I do not see benefit in a security change that ignores PID 1 process,

If the feature, on the GCC side, is not 100% done. How do I tell a difference of a bug with the _FORTIFY_SOURCE which I will ignore and a bug with my package?

I do not have the knowledge or the time to be able to say that GCC generated the wrong machine code and therefore it is not a bug with my package. If my program was not complaining before the change and is now complaining with the change, I am opting out of the change, and filing a bug against GCC on Fedora.

On Tue, Dec 06, 2022 at 08:59:03AM +0000, Richard W.M. Jones wrote: > I don't believe the proposal is that everyone *has* to use this (or at > least, I hope not). Even existing _FORTIFY_SOURCE=2 is optional. I'd > like to know what the problems are that affect systemd however. It's mentioned in this document: https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-... _FORTIFY_SOURCE=3 revealed another pattern. Applications such as systemd used malloc_usable_size to determine available space in objects and then used the residual space. The glibc manual discourages this type of usage, dictating that malloc_usable_size is for diagnostic purposes only. But applications use the function as a hack to avoid reallocating buffers when there is space in the underlying malloc chunk. The implementation of malloc_usable_size needs to be fixed to return the allocated object size instead of the chunk size in non-diagnostic use. Alternatively, another solution is to deprecate the function. But that is a topic for discussion by the glibc community. Rich.

Default C and C++ compiler flags to build packages in Fedora currently includes `-Wp,-D_FORTIFY_SOURCE=2`, which enables fortification of some functions in glibc, thus providing some mitigation against buffer overflows. Since glibc 2.34 and GCC 12, there has been a new fortification level (`_FORTIFY_SOURCE=3`) which improves the coverage of this mitigation. The core change to bring in this mitigation is to change the default build flags in `redhat-rpm-config` so that packages build by default with `-Wp,-D_FORTIFY_SOURCE=3`. There are packages (e.g. `systemd`) that do not interact well with `_FORTIFY_SOURCE` and will also need a workaround to downgrade fortification to level 2. The change will also include this override. How come systemd gets an exception? If it is a security option, it should be enabled everywhere.

I do not see benefit in a security change that ignores PID 1 process,

If the feature, on the GCC side, is not 100% done. How do I tell a difference of a bug with the _FORTIFY_SOURCE which I will ignore and a bug with my package?

I do not have the knowledge or the time to be able to say that GCC generated the wrong machine code and therefore it is not a bug with my package. If my program was not complaining before the change and is now complaining with the change, I am opting out of the change, and filing a bug against GCC on Fedora. I assume that by the package providing the exception, packagers get to choose themselves and we do not need to go through FESCO to disable a security feature?

== Benefit to Fedora == [https://docs.google.com/spreadsheets/d/1nPSmbEf3HVB91zI8yBraMqVry3_ILmlV2... Analysis of packages] in Fedora rawhide indicate that the improvement of mitigation coverage is on average over 2.4x, in some cases protecting more than half of the fortified glibc calls in the target application. This change will thus harden Fedora to a significant extent, thus making it a more secure distribution out of the box. 1) Is there some complete source for all these findings? If google sheets cannot handle all the "raw data" as noted in the comment, maybe it is the wrong medium.

2) What does *anything* on that google sheet mean. I have managed to figure out, from the article, that bos and bdos correspond to level 2 and 3 of _FORTIFY_SOURCE. However, total of /.*/? Violated accesses? Segfaults? Then followed by "Sum of total". For rubygem-ffi, this reaches into hundreds while "bdos" is 2. That is the only sum I can make, with the data provided. I am no wiser from looking at it, what do the data mean?

3) I cannot speak to much else than Ruby, I do not see ruby in neither the failures or "All x86_64". Should we attempt to test it ourselves?

Please provide a proper "how to test" section, I cannot fix what I cannot test or compare results when I have no idea what I am seeing. Actually, last time I heard about number of packages, it was around 50k (not source, build result), and as I stated, Ruby is missing, and so are quite a few dependent packages that should have GCC involved somewhere: ~~~ $ dnf repoquery --whatrequires "*libruby.so*" --disablerepo="*" --enablerepo="fedora" 2>/dev/null | grep -v "i686" | uniq | wc -l 115 ~~~ If we also filter rubygem-* packages that depend on the *libruby.so* (and most probably contain a binary extension written in C/C++ that links to Ruby), I get 68 packages. When I search "All x86_64" for "ruby" I get 28 packages. That is... not adding up.

== Scope == * Proposal owners: Post a merge request to redhat-rpm-config with the actual change to build flags. * Other developers: Resolve bugs filed for build failures, either by fixing the bug exposed by `_FORTIFY_SOURCE=3` or by disabling `_FORTIFY_SOURCE=3` for the package if it is a false positive or if the package is unable to adapt to the change. * Release engineering: Mass rebuild required * Policies and guidelines: Guidelines should include workaround for packages that fail to build with `-Wp,-D_FORTIFY_SOURCE=3` due to a false positive. I'll just ask, what is a false positive. How can I tell. What are the steps for this.

* Trademark approval: N/A (not needed for this Change) == Upgrade/compatibility impact == No ABI change, so there should be no impact on compatibility in a mixed environment. == How To Test == * Smoke testing of packages to ensure that they continue to work correctly. Some packages may have overflows exposed at runtime, which may need to be fixed. This does not describe how to test, e.g. ahead of time, just that the packagers are to deal with the fallout...

== User Experience == No noticeable change to users. I beg to differ. From what I am able to tell, from the limited provided sources, packages can have a runtime crash. A LOT of GUI packages use C or the likes that respond to the flags of "fortify source". This can have a serious impact to users by the recompiled packages: * not suddenly working, package's tests passed, but user triggered just the right code branch * performance impacted due to overhead.

On Tue, Dec 6, 2022 at 8:14 AM Siddhesh Poyarekar <siddhesh(a)redhat.com&gt; wrote: > > Please provide a proper "how to test" section, I cannot fix what I cannot test or compare results when I have no idea what I am seeing. > > > > Actually, last time I heard about number of packages, it was around 50k (not source, build result), and as I stated, > > Ruby is missing, and so are quite a few dependent packages that should have GCC involved somewhere: > > ~~~ > > $ dnf repoquery --whatrequires "*libruby.so*" --disablerepo="*" --enablerepo="fedora" 2>/dev/null | grep -v "i686" | uniq | wc -l > > 115 > > ~~~ > > > > If we also filter rubygem-* packages that depend on the *libruby.so* (and most probably contain a binary extension written in C/C++ that links to Ruby), I get 68 packages. > > When I search "All x86_64" for "ruby" I get 28 packages. That is... not adding up. > > Yeah, I have missed packages; I had looked at revdeps glibc-devel, > which turned out around 9k packages, of which 6k had any > _FORTIFY_SOURCE use at all. I can redo with *all* packages and > generate a report. I checked again and it looks like ruby had failed in that mass rebuild[1] but I can't see the logs anymore; they've probably been garbage collected. I reckon it was one of those with a transient failure that I reran by hand later. I'm going to run a full rebuild anyway (should take about 8 days, about 23k source packages AFAICT) and will share the results here.

Replace the current `_FORTIFY_SOURCE=2` with `_FORTIFY_SOURCE=3` to improve mitigation of security issues arising from buffer overflows in packages in Fedora.

On Tue, Dec 06, 2022 at 11:13:38AM +0100, Vitaly Zaitsev via devel wrote: > On 05/12/2022 20:58, Ben Cotton wrote: > > Replace the current `_FORTIFY_SOURCE=2` with `_FORTIFY_SOURCE=3` to > > improve mitigation of security issues arising from buffer overflows in > > packages in Fedora. > > AFAIK, _FORTIFY_SOURCE=3 enables runtime checks for every mem*() function > call. This should result in significant performance degradation. That is misunderstanding. The way _FORTIFY_SOURCE works is that say for memcpy if the destination has known upper bound on size (__builtin_object_size (dst, 0) returns something other than ~(size_t)0), then __memcpy_chk is used instead of memcpy, unless the compiler can prove that the length will always fit into that destination (in that case it is folded back to (builtin) memcpy). So, "every" is definitely not the case. In many cases nothing is known about the size of the destination, and in a lot of cases it is provable that no overflow will happen.

> To proposal owner: add information about potential performance degradation, > including benchmark results. Deferring that to Siddhesh, I haven't done that benchmarking myself.

Is this supported yet? I'm doing a build of rubberband for Rawhide, and every file generates this warning: ../src/test/TestStretcher.cpp: warning: -D_FORTIFY_SOURCE defined but value is too low

The warning seems to happen only in mock, the Koji build is clean: https://koji.fedoraproject.org/koji/taskinfo?taskID=96015653 Let me paste the root.log and build.log from the local build (I'm now working on upgrading a second package that uses -Werror, so on that the FORTIFY_SOURCE issue actually fails the build - will have to locally test against fedora-37-x86_64 instead of Rawhide for now). build.log: https://paste.centos.org/view/ea89a51c root.log: https://paste.centos.org/view/c25c9b3f

Just `mock -r fedora-rawhide-x86_64 ./*.src.rpm` I have these additional knobs in ~/.config/mock.cfg: config_opts['plugin_conf']['ccache_enable'] = True config_opts['plugin_conf']['ccache_opts']['max_cache_size'] = '10G' # False: build from Koji, e.g. to grab packages just put into Rawhide # config_opts['mirrored'] = False

On Wed, Jan 11, 2023 at 4:37 PM Siddhesh Poyarekar <siddhesh(a)redhat.com&gt; wrote: > > On Wed, Jan 11, 2023 at 3:05 PM Michel Alexandre Salim > <salimma(a)fedoraproject.org&gt; wrote: > > Just `mock -r fedora-rawhide-x86_64 ./*.src.rpm` > > > > I have these additional knobs in ~/.config/mock.cfg: > > > > > > config_opts['plugin_conf']['ccache_enable'] = True > > config_opts['plugin_conf']['ccache_opts']['max_cache_size'] = '10G' > > > > # False: build from Koji, e.g. to grab packages just put into Rawhide > > # config_opts['mirrored'] = False > > > > OK I see the warning now. Let me dig deeper. So if you want the quick answer to unblock you, it is ccache; I disabled it and the warning went away. That should help you get your -Werror going. I'll look closer at why that's happening.

> I've filed a ccache bug. It looks like ccache is moving the compiler > arguments around, causing one of the -U_FORTIFY_SOURCE to the end. > > https://bugzilla.redhat.com/show_bug.cgi?id=2160275 Why we do have those -U_FORTIFY_SOURCE and -Wp,-U_FORTIFY_SOURCE options in there at all? Previously we just had -Wp,-D_FORTIFY_SOURCE=2 and I think just changing it to -Wp,-D_FORTIFY_SOURCE=3 is more than enough. If you think some programs are adding -D_FORTIFY_SOURCE=2 to their *FLAGS make vars etc., then perhaps -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 But having both -U_FORTIFY_SOURCE and -Wp,-U_FORTIFY_SOURCE seems completely pointless to me.

But at least you don't need both -U_FORTIFY_SOURCE and -Wp,-U_FORTIFY_SOURCE, one of them is enough. And the latter I think better gets through libtool and other tools; especially if you put it into a single -Wp, option together with the redefinition...