Bug
Resolution: Done-Errata
rhel-9.2.0
redhat-rpm-config-204-1.el9
+++ This bug was initially created as a clone of Bug #2167430 +++
Hi. It looks like Fedora/RH build systems hardening (/usr/lib/rpm/redhat/redhat-hardened-cc1) does
not enable PIC mode for assembler files. This is so for both Koji and Brew builders. Some research
and some conclusions follow.
A test C or assembly source containing a check of whether it is built in PIC mode or not can be just like:
/* GCC predefines __PIC__ when it generates position-independent code */
#if defined(__PIC__)
#warning defined _PIC_
#else
#warning no _PIC_
#endif
This works both for C and assembly code when a PIC build is requested in a usual way with "-fPIE":
$ gcc -fPIE picpie.c
picpie.c:8:2: warning: #warning defined _PIC_ [-Wcpp]
$ gcc -fPIE picpie.S
picpie.S:8:2: warning: #warning defined _PIC_ [-Wcpp]
Brew/Koji build system forces PIC in an indirect way using GCC specs:
gcc -DHAVE_CONFIG_H -I. -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches
-pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse
-mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-c -o rdrand_asm.o rdrand_asm.S
It turns out that this indirect way of forcing PIC works fine with C code but does not work with Asm.
I've tried to adjust redhat-hardened-cc1 specs to work for assembly sources also, but to no success:
$ gcc -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 picpie.c
picpie.c:8:2: warning: #warning defined _PIC_ [-Wcpp]
$ gcc -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 picpie.S
picpie.S:10:2: warning: #warning no _PIC_ [-Wcpp]
This means a PIC-aware assembly code is not built as PIC in our build systems Brew and Koji.
See https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/796/1840796/build.log as an example:
(task: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1840796)
gcc I/usr/include/libxml2 -pthread -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -pthread -Wl,-z,relro -Wl,-as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -o rngd rngd-rngd.o rngd-rngd_entsource.o rngd-rngd_linux.o rngd-util.o rngd-ossl_helpers.o rngd-rngd_nistbeacon.o rngd-rngd_rdrand.o rdrand_asm.o rngd-rngd_jitter.o rngd-rngd_qrypt.o librngd.a -ljitterentropy -ljansson -lcurl -lxml2 -lssl -lcrypto -lcap -ljitterentropy
make[2]: Leaving directory '/builddir/build/BUILD/rng-tools-6.15'
/usr/bin/ld: rdrand_asm.o: warning: relocation in read-only section `.text'
/usr/bin/ld: warning: creating DT_TEXTREL in a PIE
The result here is that the 'rngd' executable, which is supposed to be PIE, is not exactly PIE; rpminspect reports:
elf: BAD: Security: /usr/sbin/rngd in rng-tools has TEXTREL relocations on i686
Suggested remedy: Ensure all object files are compiled with -fPIC
This looks like some security issue to me, though in quite a corner case - PIC-aware assembly code.
I believe it would be great if /usr/lib/rpm/redhat/redhat-hardened-cc1 is adjusted so assembly code sees __PIC__ and __PIE__ set
the same way it is done for C code.
- links to: RHBA-2023:120311 redhat-rpm-config bug fix and enhancement update