[PATCH 0/3] Fix imagetests with harderning flags

[PATCH 0/3] Fix imagetests with harderning flags

[Khem Raj]

This patchset is fixing packages to build without textrels when
security flags are turned on. When testing the image built with musl
it clearly segfaults and results in failures in imagetest

Tested with MACHINE=qemux86 TCLIBC=musl bitbake -ctestimage core-image-sato

ore-image-sato-1.0-r0 do_testimage_auto: SUMMARY:
core-image-sato-1.0-r0 do_testimage_auto: core-image-sato () - Ran 13 tests in 19.907s
core-image-sato-1.0-r0 do_testimage_auto: core-image-sato - OK - All required tests passed
core-image-sato-1.0-r0 do_testimage_auto: RESULTS:
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - connman.ConnmanTest.test_connmand_help - Testcase 961: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - connman.ConnmanTest.test_connmand_running - Testcase 221: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - date.DateTest.test_date - Testcase 211: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - df.DfTest.test_df - Testcase 234: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTest.test_syslog_running - Testcase 201: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTestConfig.test_syslog_logger - Testcase 1149: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTestConfig.test_syslog_restart - Testcase 1150: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - oe_syslog.SyslogTestConfig.test_syslog_startup_config - Testcase 202: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - parselogs.ParseLogsTest.test_parselogs - Testcase 1059: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - ping.PingTest.test_ping - Testcase 964: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - scp.ScpTest.test_scp_file - Testcase 220: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - ssh.SSHTest.test_ssh - Testcase 224: PASSED
core-image-sato-1.0-r0 do_testimage_auto: RESULTS - xorg.XorgTest.test_xorg_running - Testcase 1151: PASSED
NOTE: Tasks Summary: Attempted 5732 tasks of which 5717 didn't need to be rerun and all succeeded.

The following changes since commit 186882ca62bf683b93cd7a250963921b89ba071f:

  buildhistory: skip tests if GitPython module is missing (2017-06-07 16:00:43 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes

Khem Raj (3):
  testimage.bbclass: Correct the comment to state right dir for test
    cases
  pulseaudio: disable PIE flags when hardened flags are enabled
  rng-tools: Fix textrels on 32bit x86

 meta/classes/testimage.bbclass                     |   2 +-
 .../pulseaudio/pulseaudio_10.0.bb                  |   2 +
 .../rng-tools-5-fix-textrels-on-PIC-x86.patch      | 104 +++++++++++++++++++++
 meta/recipes-support/rng-tools/rng-tools_5.bb      |   1 +
 4 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch

-- 
2.13.1

[PATCH 1/3] testimage.bbclass: Correct the comment to state right dir for test cases

[Khem Raj]

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta/classes/testimage.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index 1185593a1b..589ef5db93 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -13,7 +13,7 @@
 
 # You can set (or append to) TEST_SUITES in local.conf to select the tests
 # which you want to run for your target.
-# The test names are the module names in meta/lib/oeqa/runtime.
+# The test names are the module names in meta/lib/oeqa/runtime/cases.
 # Each name in TEST_SUITES represents a required test for the image. (no skipping allowed)
 # Appending "auto" means that it will try to run all tests that are suitable for the image (each test decides that on it's own).
 # Note that order in TEST_SUITES is relevant: tests are run in an order such that
-- 
2.13.1

[PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Khem Raj]

Fixes

WARNING: pulseaudio-10.0-r0 do_package_qa: QA Issue: ELF binary '/mnt/a/oe/build/tmp/work/i586-bec-linux-musl/pulseaudio/10.0-r0/packages-split/pulseaudio-server/usr/bin/pulseaudio' has relocations in .text [textrel]

This also makes bitbake -c testimage core-image-sato (hardened)
build to pass all tests

Fixes

AssertionError: 1 != 0 : Log: /mnt/a/oe/build/tmp/work/qemux86-bec-linux-musl/core-image-sato/1.0-r0/dmesg_output.log
-----------------------
Central error: [   20.726960] pulseaudio[729]: segfault at 80052b6c ip b771b4fc sp bfc97940 error 7 in libc.so[b76b6000+97000]

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb
index f3a85737fc..3ea35e592a 100644
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_10.0.bb
@@ -8,6 +8,8 @@ SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/${BP}.tar.xz \
 SRC_URI[md5sum] = "4950d2799bf55ab91f6b7f990b7f0971"
 SRC_URI[sha256sum] = "a3186824de9f0d2095ded5d0d0db0405dc73133983c2fbb37291547e37462f57"
 
+SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
+
 do_compile_prepend() {
     mkdir -p ${S}/libltdl
     cp ${STAGING_LIBDIR}/libltdl* ${S}/libltdl
-- 
2.13.1

[PATCH 3/3] rng-tools: Fix textrels on 32bit x86

[Khem Raj]

When testing core-image-sato with hardening flags, it fails with
SIGSEGV in libc.so during relocation time

This is due to relocations in .text [textrel]
build QA points it out clearly during qemux86 build as well

AssertionError: 2 != 0 : Log: /mnt/a/oe/build/tmp/work/qemux86-bec-linux-musl/core-image-sato/1.0-r0/dmesg_output.log
-----------------------
Central error: [   19.043597] rngd[525]: segfault at 80098bb7 ip b77b14fc sp bfe9b380 error 7 in libc.so[b774c000+97000]

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 .../rng-tools-5-fix-textrels-on-PIC-x86.patch      | 104 +++++++++++++++++++++
 meta/recipes-support/rng-tools/rng-tools_5.bb      |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch

diff --git a/meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch b/meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch
new file mode 100644
index 0000000000..90c9d8c515
--- /dev/null
+++ b/meta/recipes-support/rng-tools/rng-tools/rng-tools-5-fix-textrels-on-PIC-x86.patch
@@ -0,0 +1,104 @@
+From: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
+Subject: [PATCH] Fix assemby textrels on rdrand_asm.S on PIC x86
+
+This patch updates the fixes in the assembly in rdrand_asm.S in
+sys-apps/rng-tools-5 so it won't generate textrels on PIC systems.
+The main fixes are in the use of leal in SETPTR for such systems, the rest is
+the usual PIC support stuff.
+
+This should fix Gentoo bug #469962 and help fix #518210
+
+This patch is released under the GPLv2 or a higher version license as is the
+original file as long as the author and the tester are credited.
+
+Gentoo-bug-url: https://bugs.gentoo.org/show_bug.cgi?id=469962
+Gentoo-bug-url: https://bugs.gentoo.org/show_bug.cgi?id=518210
+Upstream-status: Not sent yet
+Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
+Reported-by: cilly <cilly@cilly.mine.nu>
+Reported-by: Manuel Rüger <mrueg@gentoo.org>
+Tested-by: Anthony Basile <blueness@gentoo.org>
+
+Upstream-Status: Pending
+
+Index: rng-tools-5/rdrand_asm.S
+===================================================================
+--- rng-tools-5.orig/rdrand_asm.S
++++ rng-tools-5/rdrand_asm.S
+@@ -2,6 +2,7 @@
+  * Copyright (c) 2011-2014, Intel Corporation
+  * Authors: Fenghua Yu <fenghua.yu@intel.com>,
+  *          H. Peter Anvin <hpa@linux.intel.com>
++ * PIC code by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms and conditions of the GNU General Public License,
+@@ -174,7 +175,19 @@ ENTRY(x86_rdseed_or_rdrand_bytes)
+ 	jmp	4b
+ ENDPROC(x86_rdseed_or_rdrand_bytes)
+ 
++#if defined(__PIC__)
++#define INIT_PIC() \
++	pushl	%ebx ; \
++	call    __x86.get_pc_thunk.bx ; \
++	addl    $_GLOBAL_OFFSET_TABLE_, %ebx
++#define END_PIC() \
++	popl	%ebx
++#define SETPTR(var,ptr) leal (var)@GOTOFF(%ebx),ptr
++#else
++#define INIT_PIC()
++#define END_PIC()
+ #define SETPTR(var,ptr)	movl $(var),ptr
++#endif
+ #define PTR0	%eax
+ #define PTR1	%edx
+ #define PTR2	%ecx
+@@ -190,6 +203,7 @@ ENTRY(x86_aes_mangle)
+ 	movl	8(%ebp), %eax
+ 	movl	12(%ebp), %edx
+ 	push	%esi
++	INIT_PIC()
+ #endif
+ 	movl	$512, CTR3	/* Number of rounds */
+ 	
+@@ -280,6 +294,7 @@ offset = offset + 16
+ 	movdqa	%xmm7, (7*16)(PTR1)
+ 
+ #ifdef __i386__
++	END_PIC()
+ 	pop	%esi
+ 	pop	%ebp
+ #endif
+@@ -294,6 +309,7 @@ ENTRY(x86_aes_expand_key)
+ 	push	%ebp
+ 	mov	%esp, %ebp
+ 	movl	8(%ebp), %eax
++	INIT_PIC()
+ #endif
+ 
+ 	SETPTR(aes_round_keys, PTR1)
+@@ -323,6 +339,7 @@ ENTRY(x86_aes_expand_key)
+ 	call	1f
+ 
+ #ifdef __i386__
++	END_PIC()
+ 	pop	%ebp
+ #endif
+ 	ret
+@@ -343,6 +360,16 @@ ENTRY(x86_aes_expand_key)
+ 
+ ENDPROC(x86_aes_expand_key)
+ 
++#if defined(__i386__) && defined(__PIC__)
++	.section	.text.__x86.get_pc_thunk.bx,"axG",@progbits,__x86.get_pc_thunk.bx,comdat
++	.globl	__x86.get_pc_thunk.bx
++	.hidden	__x86.get_pc_thunk.bx
++	.type	__x86.get_pc_thunk.bx, @function
++__x86.get_pc_thunk.bx:
++	movl	(%esp), %ebx
++	ret
++#endif
++
+ 	.bss
+ 	.balign 64
+ aes_round_keys:
diff --git a/meta/recipes-support/rng-tools/rng-tools_5.bb b/meta/recipes-support/rng-tools/rng-tools_5.bb
index 9329e8ad31..e2acaba91a 100644
--- a/meta/recipes-support/rng-tools/rng-tools_5.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_5.bb
@@ -7,6 +7,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gkernel/${BP}.tar.gz \
            file://0002-Add-argument-to-control-the-libargp-dependency.patch \
            file://underquote.patch \
            file://uclibc-libuargp-configure.patch \
+           file://rng-tools-5-fix-textrels-on-PIC-x86.patch \
            file://init \
            file://default"
 
-- 
2.13.1

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 187 bytes --]

On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:

> +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
>

These tend to go into security-flags.inc, not the recipe.

Ross

[-- Attachment #2: Type: text/html, Size: 602 bytes --]

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 501 bytes --]

On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote:

>
> On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
>
>> +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
>>
>
> These tend to go into security-flags.inc, not the recipe.
>

I know that's been the case but I think having a global file is error prone
its better to have it in recipe context since it can get attention at
upgrade time to test if this has been fixed in new release etc

>
> Ross
>

[-- Attachment #2: Type: text/html, Size: 1371 bytes --]

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[André Draszik]

On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
> On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote:
> 
> > 
> > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
> > 
> > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
> > > 
> > 
> > These tend to go into security-flags.inc, not the recipe.
> > 
> 
> I know that's been the case but I think having a global file is error
> prone
> its better to have it in recipe context since it can get attention at
> upgrade time to test if this has been fixed in new release etc

Isn't one of the main root causes really that bitbake passes -fpie -pie even
when the recipe is building a shared library? (Maybe not in this case here,
though). Obviously, bitbake doesn't really know about shared libraries, and
yes, each recipe's build system could filter out pie flags for shared
library targets, but that's probably better done at libtool level:

http://lists.openembedded.org/pipermail/openembedded-devel/2016-November/110048.html


Cheers,
Andre'

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Khem Raj]

On Fri, Jun 9, 2017 at 7:02 AM, André Draszik <git@andred.net> wrote:
> On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
>> On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote:
>>
>> >
>> > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
>> >
>> > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
>> > >
>> >
>> > These tend to go into security-flags.inc, not the recipe.
>> >
>>
>> I know that's been the case but I think having a global file is error
>> prone
>> its better to have it in recipe context since it can get attention at
>> upgrade time to test if this has been fixed in new release etc
>
> Isn't one of the main root causes really that bitbake passes -fpie -pie even
> when the recipe is building a shared library?

thats a different case not relevant to this one as much. here we have textrel
in pulseaudio  PIE executable

(Maybe not in this case here,
> though). Obviously, bitbake doesn't really know about shared libraries, and
> yes, each recipe's build system could filter out pie flags for shared
> library targets, but that's probably better done at libtool level:
>
> http://lists.openembedded.org/pipermail/openembedded-devel/2016-November/110048.html
>
>
> Cheers,
> Andre'
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Tanu Kaskinen]

On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
> On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote:
> 
> > 
> > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
> > 
> > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
> > > 
> > 
> > These tend to go into security-flags.inc, not the recipe.
> > 
> 
> I know that's been the case but I think having a global file is error prone
> its better to have it in recipe context since it can get attention at
> upgrade time to test if this has been fixed in new release etc

Do you mean that there's some bug in pulseaudio, and this is a
workaround for it? Is the bug that there are textrels? Ross saw
textrels in pulseaudio before (see the discussion starting at [1]), but
I was unable to reproduce that. If you give instructions for
reproducing the problem, I'll see if I can fix pulseaudio (until then
I'm fine with having a workaround).

[1] http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133215.html

-- 
Tanu

https://www.patreon.com/tanuk

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Khem Raj]

On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote:
> On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
>> On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote:
>>
>> >
>> > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
>> >
>> > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
>> > >
>> >
>> > These tend to go into security-flags.inc, not the recipe.
>> >
>>
>> I know that's been the case but I think having a global file is error prone
>> its better to have it in recipe context since it can get attention at
>> upgrade time to test if this has been fixed in new release etc
>
> Do you mean that there's some bug in pulseaudio, and this is a
> workaround for it? Is the bug that there are textrels? Ross saw
> textrels in pulseaudio before (see the discussion starting at [1]), but
> I was unable to reproduce that. If you give instructions for
> reproducing the problem, I'll see if I can fix pulseaudio (until then
> I'm fine with having a workaround).
>

yes there is a bug lurking when compiling with hardening flags are turned on
so you can do something like

in local.conf

require conf/distro/include/security_flags.inc

then

MACHINE=qemux86 bitbake pulseaudio

it also happens on arm so qemuarm will reproduce it too.

some assembly code is probably missing using GOT relative accesses

> [1] http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133215.html
>
> --
> Tanu
>
> https://www.patreon.com/tanuk

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Tanu Kaskinen]

On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote:
> On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote:
> > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
> > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com> wrote:
> > > 
> > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
> > > > 
> > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
> > > > > 
> > > > 
> > > > These tend to go into security-flags.inc, not the recipe.
> > > > 
> > > 
> > > I know that's been the case but I think having a global file is error prone
> > > its better to have it in recipe context since it can get attention at
> > > upgrade time to test if this has been fixed in new release etc
> > 
> > Do you mean that there's some bug in pulseaudio, and this is a
> > workaround for it? Is the bug that there are textrels? Ross saw
> > textrels in pulseaudio before (see the discussion starting at [1]), but
> > I was unable to reproduce that. If you give instructions for
> > reproducing the problem, I'll see if I can fix pulseaudio (until then
> > I'm fine with having a workaround).
> > 
> 
> yes there is a bug lurking when compiling with hardening flags are turned on
> so you can do something like
> 
> in local.conf
> 
> require conf/distro/include/security_flags.inc
> 
> then
> 
> MACHINE=qemux86 bitbake pulseaudio
> 
> it also happens on arm so qemuarm will reproduce it too.
> 
> some assembly code is probably missing using GOT relative accesses

Resurrecting this ancient thread... I finally tried to reproduce this
problem with the given instructions. No success. Have you still been
running into this issue?

-- 
Tanu

https://www.patreon.com/tanuk
https://liberapay.com/tanuk

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 2207 bytes --]

On Mon, Apr 22, 2019 at 6:33 AM Tanu Kaskinen <tanuk@iki.fi> wrote:

> On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote:
> > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote:
> > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
> > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com>
> wrote:
> > > >
> > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
> > > > >
> > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
> > > > > >
> > > > >
> > > > > These tend to go into security-flags.inc, not the recipe.
> > > > >
> > > >
> > > > I know that's been the case but I think having a global file is
> error prone
> > > > its better to have it in recipe context since it can get attention at
> > > > upgrade time to test if this has been fixed in new release etc
> > >
> > > Do you mean that there's some bug in pulseaudio, and this is a
> > > workaround for it? Is the bug that there are textrels? Ross saw
> > > textrels in pulseaudio before (see the discussion starting at [1]), but
> > > I was unable to reproduce that. If you give instructions for
> > > reproducing the problem, I'll see if I can fix pulseaudio (until then
> > > I'm fine with having a workaround).
> > >
> >
> > yes there is a bug lurking when compiling with hardening flags are
> turned on
> > so you can do something like
> >
> > in local.conf
> >
> > require conf/distro/include/security_flags.inc
> >
> > then
> >
> > MACHINE=qemux86 bitbake pulseaudio
> >
> > it also happens on arm so qemuarm will reproduce it too.
> >
> > some assembly code is probably missing using GOT relative accesses
>
> Resurrecting this ancient thread... I finally tried to reproduce this
> problem with the given instructions. No success. Have you still been
> running into this issue?


I don’t know for sure if this still exists but we did disable assembly in
few packages which addresses this issue since in assembly PIC has to be
respected
In hand written code

You might have to check if we did something similar for pulseaudio

>
>
> --
> Tanu
>
> https://www.patreon.com/tanuk
> https://liberapay.com/tanuk
>
>

[-- Attachment #2: Type: text/html, Size: 3398 bytes --]

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Tanu Kaskinen]

On Mon, 2019-04-22 at 14:28 -0600, Khem Raj wrote:
> On Mon, Apr 22, 2019 at 6:33 AM Tanu Kaskinen <tanuk@iki.fi> wrote:
> 
> > On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote:
> > > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi> wrote:
> > > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
> > > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <ross.burton@intel.com>
> > wrote:
> > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com> wrote:
> > > > > > 
> > > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
> > > > > > > 
> > > > > > 
> > > > > > These tend to go into security-flags.inc, not the recipe.
> > > > > > 
> > > > > 
> > > > > I know that's been the case but I think having a global file is
> > error prone
> > > > > its better to have it in recipe context since it can get attention at
> > > > > upgrade time to test if this has been fixed in new release etc
> > > > 
> > > > Do you mean that there's some bug in pulseaudio, and this is a
> > > > workaround for it? Is the bug that there are textrels? Ross saw
> > > > textrels in pulseaudio before (see the discussion starting at [1]), but
> > > > I was unable to reproduce that. If you give instructions for
> > > > reproducing the problem, I'll see if I can fix pulseaudio (until then
> > > > I'm fine with having a workaround).
> > > > 
> > > 
> > > yes there is a bug lurking when compiling with hardening flags are
> > turned on
> > > so you can do something like
> > > 
> > > in local.conf
> > > 
> > > require conf/distro/include/security_flags.inc
> > > 
> > > then
> > > 
> > > MACHINE=qemux86 bitbake pulseaudio
> > > 
> > > it also happens on arm so qemuarm will reproduce it too.
> > > 
> > > some assembly code is probably missing using GOT relative accesses
> > 
> > Resurrecting this ancient thread... I finally tried to reproduce this
> > problem with the given instructions. No success. Have you still been
> > running into this issue?
> 
> I don’t know for sure if this still exists but we did disable assembly in
> few packages which addresses this issue since in assembly PIC has to be
> respected
> In hand written code
> 
> You might have to check if we did something similar for pulseaudio

There seem to be no such changes to the pulseaudio recipe. Some
upstream fix seems unlikely as well. The only possibly relevant change
that I could find was removing a buggy implementation of reading the
cpuid register (the removed code was replaced with the __get_cpuid()
macro that compilers provide in cpuid.h).

Oh well, if the problem reappears, let me know.

-- 
Tanu

https://www.patreon.com/tanuk
https://liberapay.com/tanuk

Re: [PATCH 2/3] pulseaudio: disable PIE flags when hardened flags are enabled

[Richard Purdie]

On Fri, 2019-04-26 at 15:53 +0300, Tanu Kaskinen wrote:
> On Mon, 2019-04-22 at 14:28 -0600, Khem Raj wrote:
> > On Mon, Apr 22, 2019 at 6:33 AM Tanu Kaskinen <tanuk@iki.fi> wrote:
> > 
> > > On Fri, 2017-06-09 at 10:10 -0700, Khem Raj wrote:
> > > > On Fri, Jun 9, 2017 at 9:38 AM, Tanu Kaskinen <tanuk@iki.fi>
> > > > wrote:
> > > > > On Fri, 2017-06-09 at 13:07 +0000, Khem Raj wrote:
> > > > > > On Fri, Jun 9, 2017 at 5:56 AM Burton, Ross <
> > > > > > ross.burton@intel.com>
> > > wrote:
> > > > > > > On 9 June 2017 at 04:41, Khem Raj <raj.khem@gmail.com>
> > > > > > > wrote:
> > > > > > > 
> > > > > > > > +SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
> > > > > > > > 
> > > > > > > 
> > > > > > > These tend to go into security-flags.inc, not the recipe.
> > > > > > > 
> > > > > > 
> > > > > > I know that's been the case but I think having a global
> > > > > > file is
> > > error prone
> > > > > > its better to have it in recipe context since it can get
> > > > > > attention at
> > > > > > upgrade time to test if this has been fixed in new release
> > > > > > etc
> > > > > 
> > > > > Do you mean that there's some bug in pulseaudio, and this is
> > > > > a
> > > > > workaround for it? Is the bug that there are textrels? Ross
> > > > > saw
> > > > > textrels in pulseaudio before (see the discussion starting at
> > > > > [1]), but
> > > > > I was unable to reproduce that. If you give instructions for
> > > > > reproducing the problem, I'll see if I can fix pulseaudio
> > > > > (until then
> > > > > I'm fine with having a workaround).
> > > > > 
> > > > 
> > > > yes there is a bug lurking when compiling with hardening flags
> > > > are
> > > turned on
> > > > so you can do something like
> > > > 
> > > > in local.conf
> > > > 
> > > > require conf/distro/include/security_flags.inc
> > > > 
> > > > then
> > > > 
> > > > MACHINE=qemux86 bitbake pulseaudio
> > > > 
> > > > it also happens on arm so qemuarm will reproduce it too.
> > > > 
> > > > some assembly code is probably missing using GOT relative
> > > > accesses
> > > 
> > > Resurrecting this ancient thread... I finally tried to reproduce
> > > this
> > > problem with the given instructions. No success. Have you still
> > > been
> > > running into this issue?
> > 
> > I don’t know for sure if this still exists but we did disable
> > assembly in
> > few packages which addresses this issue since in assembly PIC has
> > to be
> > respected
> > In hand written code
> > 
> > You might have to check if we did something similar for pulseaudio
> 
> There seem to be no such changes to the pulseaudio recipe. Some
> upstream fix seems unlikely as well. The only possibly relevant
> change
> that I could find was removing a buggy implementation of reading the
> cpuid register (the removed code was replaced with the __get_cpuid()
> macro that compilers provide in cpuid.h).
> 
> Oh well, if the problem reappears, let me know.

Shortly after this, Khem submitted:

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=c91314ec160420a320007d552cec6c7da4d54833
and 
http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=6733a7873ca121295a2e309a6915b9816e1ae36b

which I suspect made this other change unnecessary?

Cheers,

Richard