[#109095] [Ruby master Misc#18888] Migrate ruby-lang.org mail services to Google Domains and Google Workspace — "shugo (Shugo Maeda)" <noreply@...>
Issue #18888 has been reported by shugo (Shugo Maeda).
16 messages
2022/06/30
[ruby-core:108990] [Ruby master Bug#18061] Execshield test: libruby.so.N.N.N: FAIL: property-note test because no .note.gnu.property section found
From:
"jaruga (Jun Aruga)" <noreply@...>
Date:
2022-06-17 21:28:44 UTC
List:
ruby-core #108990
Issue #18061 has been updated by jaruga (Jun Aruga).
@ioquatix (Samuel Williams) @nobu, possibly Samuel already fixed the property-note issue failed by `annocheck` correctly on the master branch. Sorry for my mistake.
I tested Ruby on the (relatively) latest master branch `78425d7e74887b57ee15e6b8933bd3878db6a888`. And when I built with all the build flags used to build Fedora's Ruby RPM package, the `annocheck` passed for the `ruby` binary.
This repository is my experiment, and the details: <https://github.com/junaruga/ruby-annocheck-test/>
I built with the flags below in the `build_with_fedora_build_flags.sh`.
https://github.com/junaruga/ruby-annocheck-test/blob/main/build_with_fedora_build_flags.sh
```
CFLAGS='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
CXXFLAGS='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
LDFLAGS='-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 ' \
./configure \
--enable-shared \
--enable-mkmf-verbose 2>&1 | tee configure.log
```
For the `gcc -specs=file` options I used, I put the files in the <https://github.com/junaruga/ruby-annocheck-test/tree/main/gcc_specs>.
I will try to understand what gcc flags fixed the 2 failures (<https://bugs.ruby-lang.org/issues/18061#note-22>), then update the CI `.github/workflows/compilers.yml` annocheck case with the minimal flags.
----------------------------------------
Bug #18061: Execshield test: libruby.so.N.N.N: FAIL: property-note test because no .note.gnu.property section found
https://bugs.ruby-lang.org/issues/18061#change-98099
* Author: jaruga (Jun Aruga)
* Status: Open
* Priority: Normal
* Backport: 2.6: UNKNOWN, 2.7: REQUIRED, 3.0: REQUIRED
----------------------------------------
I found an issue in our company's internal test called "execshield" by a security tool annobin - annocheck command [1][2].
```
Hardened: libruby.so.2.7.4: FAIL: property-note test because no .note.gnu.property section found
```
Here is the reproducer on the upstream latest master, commit is 5f2987d6c2ae9ace3178ac3e1bbb4ac7079101eb,
```
$ autoconf
$ ./configure --enable-shared
$ make
$ ls libruby.so.3.1.0
libruby.so.3.1.0*
```
If you are using Red Hat based Linux distro, it's easy to install by the RPM package like this.
```
$ sudo dnf -y install annobin-annocheck
```
```
$ sudo yum -y install annobin-annocheck
```
Then
```
$ annocheck libruby.so.3.1.0
```
If you are using other Linux distros such as Ubuntu, you can use it by a container I prepared.
Prepare the following `Dockerfile`.
```
$ cat Dockerfile
FROM docker.io/fedora:34
RUN cat /etc/fedora-release
RUN dnf -y install annobin-annocheck
WORKDIR /work
```
Then build the container image with the `Dockerfile` and run the annocheck command for the `libruby.so.3.1.0` on your host environment. The `-v` is an option for bind mount between host and container environment.
```
$ docker build --rm -t fedora-annocheck .
$ docker run --rm -t -v $(pwd):/work fedora-annocheck annocheck /work/libruby.so.3.1.0
annocheck: Version 9.79.
Hardened: libruby.so.3.1.0: FAIL: bind-now test because not linked with -Wl,-z,now
Hardened: libruby.so.3.1.0: FAIL: notes test because gaps were detected in the annobin coverage
Hardened: libruby.so.3.1.0: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: libruby.so.3.1.0: FAIL: property-note test because no .note.gnu.property section found
Hardened: Rerun annocheck with --verbose to see more information on the tests.
```
The message `Hardened: libruby.so.3.1.0: FAIL: property-note test because no .note.gnu.property section found` is what I found in our internal test. For other FAIL messages, maybe it can be fixed by changing how to build.
Asking a colleague, I was told that the `coroutine/*/Context.S` files such as [coroutine/x86/Context.S](https://github.com/ruby/ruby/blob/master/coroutine/x86/Context.S) cause the failure. Do you have any idea how to fix this? Thanks.
* [1] https://sourceware.org/annobin/
* [2] You can see `man annocheck` or https://www.mankier.com/1/annocheck .
---Files--------------------------------
0001-Add-.note.gnu.property-sections.patch (2.64 KB)
0001-Add-.note.gnu.property-sections.patch (3.69 KB)
config-pie.log (11.4 KB)
--
https://bugs.ruby-lang.org/
Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>