Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline'.

I've started looking through recent reports; haven't _yet_ found anything similar.

While I continue, is any of the following familiar/expected? Either known bug/issue or env conflict?

The current env includes supposedly retpoline-ready GCC 8.1.1,

  uname -rm
    4.17.0-lp150.2.gbcb3422-default x86_64

  cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full AMD retpoline

  gcc-8 -v
    Using built-in specs.
    Reading specs from /usr/lib64/gcc/x86_64-suse-linux/8/defaults.spec
    COLLECT_GCC=gcc-8
    COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/8/lto-wrapper
    OFFLOAD_TARGET_NAMES=hsa:nvptx-none
    Target: x86_64-suse-linux
    Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,ada,go --enable-offload-targets=hsa,nvptx-none=/usr/nvptx-none, --without-cuda-driver --enable-checking=release --disable-werror --with-gxx-include-dir=/usr/include/c++/8 --enable-ssp --disable-libssp --disable-libvtv --disable-cet --disable-libcc1 --enable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --with-gcc-major-version-only --enable-linker-build-id --enable-linux-futex --enable-gnu-indirect-function --program-suffix=-8 --without-system-libunwind --enable-multilib --with-arch-32=x86-64 --with-tune=generic --build=x86_64-suse-linux --host=x86_64-suse-linux
    Thread model: posix
    gcc version 8.1.1 20180523 [gcc-8-branch revision 260570] (SUSE Linux)

  ld -v
    GNU ld (GNU Binutils; home:pgnd:devel:gcc8 / openSUSE_Leap_15.0) 2.30.0.20180320-lp150.319

removing all optimization presets

  unset CFLAGS LDFLAGS CPPFLAGS CXXFLAGS
  echo $CC $CPP $CXX $LD
    /usr/bin/gcc-8 /usr/bin/cpp-8 /usr/bin/g++-8 /usr/bin/ld

configuring

  cd openssh-7.7p1
  ./configure --without-openssl
    ...
    configure: creating ./config.status
    config.status: creating Makefile
    config.status: creating buildpkg.sh
    config.status: creating opensshd.init
    config.status: creating openssh.xml
    config.status: creating openbsd-compat/Makefile
    config.status: creating openbsd-compat/regress/Makefile
    config.status: creating survey.sh
    config.status: creating config.h
    config.status: config.h is unchanged

    OpenSSH has been configured with the following options:
    User binaries: /usr/local/bin
    System binaries: /usr/local/sbin
    Configuration files: /usr/local/etc
    Askpass program: /usr/local/lib/ssh-askpass
    Manual pages: /usr/local/share/man/manX
    PID file: /var/run
    Privilege separation chroot path: /var/empty
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    Manpage format: doc
    PAM support: no
    OSF SIA support: no
    KerberosV support: no
    SELinux support: no
    S/KEY support: no
    MD5 password support: no
    libedit support: no
    libldns support: no
    Solaris process contract support: no
    Solaris project support: no
    Solaris privilege support: no
    IP address in $DISPLAY hack: no
    Translate v4 in v6 hack: yes
    BSD Auth support: no
    Random number source:
    Privsep sandbox style: seccomp_filter

    Host: x86_64-pc-linux-gnu
    Compiler: /usr/bin/gcc-8
    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
    Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
    Linker flags: -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
    Libraries: -lutil -lz -lcrypt -lresolv

reports no errors.

build,

  make V=1
    ...
    a - platform-tracing.o
    a - platform-misc.o
    ranlib libssh.a
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh.c -o ssh.o
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c readconf.c -o readconf.o
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I.
    -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c clientloop.c -o clientloop.o
    clientloop.c: In function ‘client_x11_get_proto’:
    clientloop.c:378:14: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 1020 [-Wformat-truncation=]
      "%s %s%s list %s 2>" _PATH_DEVNULL,
      ^~
    clientloop.c:381:20:
      generated ? xauthfile : "",
      ~~~~~~~~~
    In file included from /usr/include/stdio.h:862,
      from /usr/include/bsd/libutil.h:46,
      from includes.h:141,
      from clientloop.c:62:
    /usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output 23 or more bytes (assuming 4118) into a destination of size 1024
      return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      __bos (__s), __fmt, __va_arg_pack ());
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I.
    -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshtty.c -o sshtty.o
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect.c -o sshconnect.o
    sshconnect.c: In function ‘check_host_key.constprop’:
    sshconnect.c:1047:8: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size between 773 and 973 [-Wformat-truncation=]
      "The authenticity of host '%.200s (%s)' can't be "
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    sshconnect.c:1052:18:
      host, ip, msg1, type, fp,
      ~~~~
    sshconnect.c:1048:20: note: format string is defined here
      "established%s\n"
      ^~
    In file included from /usr/include/stdio.h:862,
      from /usr/include/bsd/libutil.h:46,
      from includes.h:141,
      from sshconnect.c:16:
    /usr/include/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output 130 or more bytes (assuming 2377) into a destination of size 1024
      return __builtin___snprintf_chk
      (__s, __n, __USE_FORTIFY_LEVEL - 1,
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      __bos (__s), __fmt, __va_arg_pack ());
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect2.c -o sshconnect2.o
    /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c mux.c -o mux.o
    /usr/bin/ld -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L.
    -Lopenbsd-compat/ -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lutil -lz -lcrypt -lresolv
    /usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'
    /usr/bin/ld: use the --help option for usage information
    make: *** [Makefile:172: ssh] Error 1

The ldflags check originates in

  cat configure.ac
    ...
    164 if test "x$use_toolchain_hardening" = "x1"; then
            OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
            OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
            OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
    !!      OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
            OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
            OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
    ...

I've not had any issues, yet, with any other of many packages I build with this GCC env; this fail is, so far, unique to this openssh build attempt.

Not clear yet if relevant, noting @ HardenedBSD,

  "HBSD: Do not enable RETPOLINE if LLD_UNSAFE or USE_GCC is set"
  https://github.com/HardenedBSD/hardenedbsd-ports/commit/e57638c87f44c91c12539bb9fc5d00b862a4974a

Should the retpoline flag be getting added?

If so, what's needed to make LD happy with it?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
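
Added example, not part of the original post and not OpenSSH code: in the log above the final link step runs /usr/bin/ld directly (the value `echo $LD` printed) while the hardening flags are still written in `-Wl,` form, a prefix that a compiler driver such as gcc strips before calling the linker and that ld itself does not parse. The check below flags that mismatch in a captured link command; the function names are hypothetical and the sample command is the post's link step, abbreviated.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; SAMPLE_LINK is the failing
# link step from the post, abbreviated (constructed) to the relevant words.
SAMPLE_LINK='/usr/bin/ld -o ssh ssh.o mux.o -L. -Lopenbsd-compat/ -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh'

# Succeed when PROG is a linker binary rather than a compiler driver.
is_bare_linker() {
    case "$(basename "$1")" in
        ld|ld.bfd|ld.gold|ld.lld|*-ld) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every -Wl,... word of a command line, one per line.
wl_flags() {
    set -f                      # split on whitespace only, no globbing
    for w in $1; do
        case "$w" in -Wl,*) printf '%s\n' "$w" ;; esac
    done
    set +f
}

# Show what a compiler driver hands to the linker for one -Wl, flag.
unwrap_wl() {
    printf '%s\n' "${1#-Wl,}" | tr ',' ' '
}

# Return 1 (and explain) when a bare linker is given -Wl, flags.
check_link() {
    prog=${1%% *}
    flags=$(wl_flags "$1")
    if is_bare_linker "$prog" && [ -n "$flags" ]; then
        printf '%s is a linker, but was given compiler-driver syntax:\n' "$prog"
        for f in $flags; do
            printf '  %s  (a driver would pass: %s)\n' "$f" "$(unwrap_wl "$f")"
        done
        return 1
    fi
    return 0
}

check_link "$SAMPLE_LINK" || true
```

All four `-Wl,` words are reported, not only the retpoline one, so a link step shaped like this would stop at whichever `-Wl,` flag came first.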