[Fedora-packaging] RFC mass bug reporting: checksec failures

Kaleb S. KEITHLEY kkeithle at redhat.com
Wed Sep 16 20:05:20 UTC 2015


On 09/16/2015 01:19 PM, Jason L Tibbitts III wrote:
>>>>>> "AT" == Alexander Todorov <atodorov at redhat.com> writes:
> 
> AT> offending packages. You can find links to the script and execution
> AT> log here:
> AT> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/
> 
> BTW to see if any packages you own are on the list, you can do:
> 
> wget https://raw.githubusercontent.com/atodorov/fedora-scripts/master/checksec.log
> for i in $(pkgdb-cli list --user tibbs --nameonly); do grep "^$i.*rpm$" checksec.log|uniq; done
> 

GlusterFS packages have seven "No canary found" [1]. I get the same
results with gcc-5.1.1 on f22.

However GlusterFS _is_ built with '%global _hardened_build 1' and I have
confirmed that all its sources are compiled with -fstack-protector-strong.

As I read the gcc man page for -fstack-protector,
-fstack-protector-strong, and -fstack-protector-all, it's clear that
with just -fstack-protector-strong it's entirely plausible that these
DSOs would not have the call to __stack_chk_fail, i.e. the canary.

If I compile them with -fstack-protector-all then the resulting .o and
.so files _do_ have the call to __stack_chk_fail.

Off hand I'd say that checksec's test for the canary is wanting.

The glusterfs packages need to be excluded. Or change _hardened_build to
use -fstack-protector-all.


[1] excerpted from
https://raw.githubusercontent.com/atodorov/fedora-scripts/master/checksec.log

...
----------
glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-api-3.7.4-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/mount/api.so



----------
glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-client-xlators-3.7.4-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/ganesha.so



----------
glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-extra-xlators-3.7.4-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/encryption/rot-13.so
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/prot_dht.so
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/prot_server.so
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/quiesce.so
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/testing/features/template.so


...


-- 

Kaleb

