On 09/16/2015 01:19 PM, Jason L Tibbitts III wrote:
>>>>>> "AT" == Alexander Todorov <atodorov@xxxxxxxxxx> writes:
>
> AT> offending packages. You can find links to the script and execution
> AT> log here:
> AT> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/
>
> BTW to see if any packages you own are on the list, you can do:
>
> wget https://raw.githubusercontent.com/atodorov/fedora-scripts/master/checksec.log
> for i in $(pkgdb-cli list --user tibbs --nameonly); do grep "^$i.*rpm$" checksec.log|uniq; done
>

GlusterFS packages have seven "No canary found" [1]. I get the same results with gcc-5.1.1 on f22.

However GlusterFS _is_ built with '%global _hardened_build 1' and I have confirmed that all its sources are compiled with -fstack-protector-strong.

As I read the gcc man page for -fstack-protector, -fstack-protector-strong, and -fstack-protector-all, it's clear that with just -fstack-protector-strong it's entirely plausible that these DSOs would not have the call to __stack_chk_fail, i.e. the canary.

If I compile them with -fstack-protector-all then the resulting .o and .so files _do_ have the call to __stack_chk_fail.

Offhand I'd say that checksec's test for the canary is wanting. The glusterfs packages need to be excluded. Or change _hardened_build to use -fstack-protector-all.

[1] excerpted from https://raw.githubusercontent.com/atodorov/fedora-scripts/master/checksec.log

...
---------- glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-api-3.7.4-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE    RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/mount/api.so
---------- glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-client-xlators-3.7.4-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE    RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/ganesha.so
---------- glusterfs-3.7.4-2.fc24.src.rpm
/mnt/fedora/Packages/g/glusterfs-extra-xlators-3.7.4-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE    RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/encryption/rot-13.so
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/prot_dht.so
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/prot_server.so
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/features/quiesce.so
Full RELRO      No canary found   NX enabled    DSO    No RPATH   No RUNPATH   ./usr/lib64/glusterfs/3.7.4/xlator/testing/features/template.so
...

--
Kaleb