vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline'

I've started looking through recent reports; haven't _yet_ found anything similar.

While I continue, is any of the following familiar/expected?  Either known bug/issue or env conflict?

The current env includes supposedly retpoline-ready GCC 8.1.1,

	uname -rm
		4.17.0-lp150.2.gbcb3422-default x86_64

	cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
		Mitigation: Full AMD retpoline

	gcc-8 -v
		Using built-in specs.
		Reading specs from /usr/lib64/gcc/x86_64-suse-linux/8/defaults.spec
		COLLECT_GCC=gcc-8
		COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/8/lto-wrapper
		OFFLOAD_TARGET_NAMES=hsa:nvptx-none
		Target: x86_64-suse-linux
		Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,ada,go --enable-offload-targets=hsa,nvptx-none=/usr/nvptx-none, --without-cuda-driver --enable-checking=release --disable-werror --with-gxx-include-dir=/usr/include/c++/8 --enable-ssp --disable-libssp --disable-libvtv --disable-cet --disable-libcc1 --enable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --with-gcc-major-version-only --enable-linker-build-id --enable-linux-futex --enable-gnu-indirect-function --program-suffix=-8 --without-system-libunwind --enable-multilib --with-arch-32=x86-64 --with-tune=generic --build=x86_64-suse-linux --host=x86_64-suse-linux
		Thread model: posix
		gcc version 8.1.1 20180523 [gcc-8-branch revision 260570] (SUSE Linux)

	ld -v
		GNU ld (GNU Binutils; home:pgnd:devel:gcc8 / openSUSE_Leap_15.0) 2.30.0.20180320-lp150.319

removing all optimization presets

	unset CFLAGS LDFLAGS CPPFLAGS CXXFLAGS
	echo $CC $CPP $CXX $LD
		/usr/bin/gcc-8 /usr/bin/cpp-8 /usr/bin/g++-8 /usr/bin/ld

configuring

	cd openssh-7.7p1
	./configure --without-openssl
		...
		configure: creating ./config.status
		config.status: creating Makefile
		config.status: creating buildpkg.sh
		config.status: creating opensshd.init
		config.status: creating openssh.xml
		config.status: creating openbsd-compat/Makefile
		config.status: creating openbsd-compat/regress/Makefile
		config.status: creating survey.sh
		config.status: creating config.h
		config.status: config.h is unchanged
		OpenSSH has been configured with the following options:
		                     User binaries: /usr/local/bin
		                   System binaries: /usr/local/sbin
		               Configuration files: /usr/local/etc
		                   Askpass program: /usr/local/lib/ssh-askpass
		                      Manual pages: /usr/local/share/man/manX
		                          PID file: /var/run
		  Privilege separation chroot path: /var/empty
		            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
		                    Manpage format: doc
		                       PAM support: no
		                   OSF SIA support: no
		                 KerberosV support: no
		                   SELinux support: no
		                     S/KEY support: no
		              MD5 password support: no
		                   libedit support: no
		                   libldns support: no
		  Solaris process contract support: no
		           Solaris project support: no
		         Solaris privilege support: no
		       IP address in $DISPLAY hack: no
		           Translate v4 in v6 hack: yes
		                  BSD Auth support: no
		              Random number source:
		             Privsep sandbox style: seccomp_filter

		              Host: x86_64-pc-linux-gnu
		          Compiler: /usr/bin/gcc-8
		    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
		Preprocessor flags:  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
		      Linker flags:  -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
		         Libraries: -lutil -lz  -lcrypt -lresolv

reports no errors.

build,

	make V=1

		...
		a - platform-tracing.o
		a - platform-misc.o
		ranlib libssh.a
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh.c -o ssh.o
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c readconf.c -o readconf.o
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c clientloop.c -o clientloop.o
		clientloop.c: In function ‘client_x11_get_proto’:
		clientloop.c:378:14: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 1020 [-Wformat-truncation=]
		        "%s %s%s list %s 2>" _PATH_DEVNULL,
		              ^~
		clientloop.c:381:20:
		        generated ? xauthfile : "",
		                    ~~~~~~~~~
		In file included from /usr/include/stdio.h:862,
		                 from /usr/include/bsd/libutil.h:46,
		                 from includes.h:141,
		                 from clientloop.c:62:
		/usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output 23 or more bytes (assuming 4118) into a destination of size 1024
		   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
		          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		        __bos (__s), __fmt, __va_arg_pack ());
		        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshtty.c -o sshtty.o
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect.c -o sshconnect.o
		sshconnect.c: In function ‘check_host_key.constprop’:
		sshconnect.c:1047:8: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size between 773 and 973 [-Wformat-truncation=]
		        "The authenticity of host '%.200s (%s)' can't be "
		        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		sshconnect.c:1052:18:
		        host, ip, msg1, type, fp,
		                  ~~~~
		sshconnect.c:1048:20: note: format string is defined here
		        "established%s\n"
		                    ^~
		In file included from /usr/include/stdio.h:862,
		                 from /usr/include/bsd/libutil.h:46,
		                 from includes.h:141,
		                 from sshconnect.c:16:
		/usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output 130 or more bytes (assuming 2377) into a destination of size 1024
		   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
		          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		        __bos (__s), __fmt, __va_arg_pack ());
		        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect2.c -o sshconnect2.o
		/usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c mux.c -o mux.o
		/usr/bin/ld -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/  -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat  -lutil -lz  -lcrypt -lresolv
		/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'
		/usr/bin/ld: use the --help option for usage information
		make: *** [Makefile:172: ssh] Error 1

The ldflags check originates in

	cat configure.ac
		...
164	    if test "x$use_toolchain_hardening" = "x1"; then
	    OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
	    OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
	    OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
!!	    OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
	    OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
	    OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
		...

I've not had any issues, yet, with any other of many packages I build with this GCC env; this fail is, so far, unique to this openssh build attempt.

Not clear yet if relevant, noting @ HardenedBSD,

	"HBSD: Do not enable RETPOLINE if LLD_UNSAFE or USE_GCC is set"
	 https://github.com/HardenedBSD/hardenedbsd-ports/commit/e57638c87f44c91c12539bb9fc5d00b862a4974a

Should the retpoline flag be getting added?  If so, what's needed to make LD happy with it?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux