[Fedora-packaging] RFC mass bug reporting: checksec failures
Kaleb S. KEITHLEY
kkeithle at redhat.com
Wed Sep 16 20:05:20 UTC 2015
On 09/16/2015 01:19 PM, Jason L Tibbitts III wrote:
>>>>>> "AT" == Alexander Todorov <atodorov at redhat.com> writes:
>
> AT> offending packages. You can find links to the script and execution
> AT> log here:
> AT> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/
>
> BTW to see if any packages you own are on the list, you can do:
>
> wget https://raw.githubusercontent.com/atodorov/fedora-scripts/master/checksec.log
> for i in $(pkgdb-cli list --user tibbs --nameonly); do grep "^$i.*rpm$" checksec.log|uniq; done
>
GlusterFS packages have seven "No canary found" [1]. I get the same
results with gcc-5.1.1 on f22.

However GlusterFS _is_ built with '%global _hardened_build 1' and I have
confirmed that all its sources are compiled with -fstack-protector-strong.

As I read the gcc man page for -fstack-protector,
-fstack-protector-strong, and -fstack-protector-all, it's clear that
with just -fstack-protector-strong it's entirely plausible that these
DSOs would not have the call to __stack_chk_fail, i.e. the canary.

If I compile them with -fstack-protector-all then the resulting .o and
.so files _do_ have the call to __stack_chk_fail.

Off hand I'd say that checksec's test for the canary is wanting.

The glusterfs packages need to be excluded. Or change _hardened_build to
use -fstack-protector-all.

[1] excerpted from
https://raw.githubusercontent.com/atodorov/fedora-scripts/master/checksec.log

...
----------
glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-api-3.7.4-2.fc24.x86_64.rpm
RELRO        STACK CANARY     NX          PIE  RPATH     RUNPATH     FILE
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/mount/api.so
----------
glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-client-xlators-3.7.4-2.fc24.x86_64.rpm
RELRO        STACK CANARY     NX          PIE  RPATH     RUNPATH     FILE
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/features/ganesha.so
----------
glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-extra-xlators-3.7.4-2.fc24.x86_64.rpm
RELRO        STACK CANARY     NX          PIE  RPATH     RUNPATH     FILE
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/encryption/rot-13.so
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/features/prot_dht.so
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/features/prot_server.so
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/features/quiesce.so
Full RELRO   No canary found  NX enabled  DSO  No RPATH  No RUNPATH  ./usr/lib64/glusterfs/3.7.4/xlator/testing/features/template.so
...
--
Kaleb
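
The effect described in the message above can be reproduced with a short script. This is an added example, not part of the original message or of checksec; the file names plain.c and buffer.c and the functions in them are constructed for illustration. It compiles each source with both flags and reports whether the object references __stack_chk_fail, the kind of symbol presence that the "No canary found" result reflects.

```shell
#!/bin/sh
# Added example: when does an object reference __stack_chk_fail?
# Source files and function names below are constructed, not GlusterFS code.

CC=${CC:-gcc}
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# No local arrays, no address-taken locals, no alloca():
# -fstack-protector-strong has nothing to protect here.
cat > "$work/plain.c" <<'EOF'
int plain(int a, int b) { return a * b + 1; }
EOF

# A local char array whose address is passed to another function:
# -fstack-protector-strong instruments this one.
cat > "$work/buffer.c" <<'EOF'
extern void sink(char *);
int buffer(void) { char buf[64]; sink(buf); return buf[0]; }
EOF

# has_canary SOURCE FLAG
# Compiles SOURCE with FLAG and prints "yes" if the object file references
# __stack_chk_fail, "no" otherwise. Returns 2 if compilation fails.
has_canary() {
    obj="$work/$(basename "$1" .c).o"
    "$CC" -O2 -fPIC "$2" -c "$work/$1" -o "$obj" || return 2
    if nm "$obj" | grep -q '__stack_chk_fail'; then
        echo yes
    else
        echo no
    fi
}

# Print one line per source/flag combination.
report() {
    for src in plain.c buffer.c; do
        for flag in -fstack-protector-strong -fstack-protector-all; do
            printf '%-9s %-25s references __stack_chk_fail: %s\n' \
                "$src" "$flag" "$(has_canary "$src" "$flag")"
        done
    done
}

report
```

An object built only from functions like plain() carries no canary symbol under -fstack-protector-strong even though the flag was applied, so a symbol-based scan cannot tell it apart from an object built with no protection at all.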