Project

General

Profile

Actions

Bug #20520

closed

_FORTIFY_SOURCE=3 is not correctly respected

Added by vo.x (Vit Ondruch) 5 months ago. Updated 5 months ago.

Status:
Closed
Target version:
-
ruby -v:
ruby 3.3.1 (2024-04-23 revision c56cd86388) [aarch64-linux]
[ruby-core:118150]

Description

In Fedora, we are using following compilation options:

+ CFLAGS='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer '

Please note that as of recently, there is included _FORTIFY_SOURCE=3. The problem is, that Ruby doing its configuration check:

checking whether -O3 -D_FORTIFY_SOURCE=2 is accepted as CFLAGS... yes

Includes another variant of _FORTIFY_SOURCE=2 into XFLAGS:

$ /usr/bin/make -O -j12 V=1 VERBOSE=1 'COPY=cp -p' -C redhat-linux-build
make: Entering directory '/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/redhat-linux-build'
	BASERUBY = /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/tool/missing-baseruby.bat
	CC = gcc
	LD = ld
	LDSHARED = gcc -shared
	CFLAGS = -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -fPIC 
	XCFLAGS = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -mbranch-protection=standard -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/aarch64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0  
	CPPFLAGS =   
	DLDFLAGS = -Wl,-z,relro -Wl,--as-needed   -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1   -Wl,-soname,libruby.so.3.3 -fstack-protector-strong  
	SOLIBS = -lz -lrt -lrt -lgmp -ldl -lcrypt -lm -lpthread 
	LANG = C.UTF-8
	LC_ALL = 
	LC_CTYPE = 
	MFLAGS = -j12 -Otarget --jobserver-auth=fifo:/tmp/GMfifo10279 --sync-mutex=fnm:/tmp/GmbGoenG
	RUSTC = rustc
	YJIT_RUSTC_ARGS = --crate-name=yjit --crate-type=staticlib --edition=2021 -g -C lto=thin -C opt-level=3 -C overflow-checks=on '--out-dir=/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/redhat-linux-build/yjit/target/release/' /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/yjit/src/lib.rs
gcc (GCC) 14.1.1 20240522 (Red Hat 14.1.1-4)
Copyright (C) 2024 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
make: Leaving directory '/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/redhat-linux-build'
make: Entering directory '/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/redhat-linux-build'
gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -fPIC  -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -mbranch-protection=standard -fno-strict-overflow -fvisibility=hidden -fexcess-precision=standard -DRUBY_EXPORT -I. -I.ext/include/aarch64-linux -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/include -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1 -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/prism -I/builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/enc/unicode/15.0.0      -o dmyext.o -c /builddir/build/BUILD/ruby-3.3.1-build/ruby-3.3.1/dmyext.c

... snip ...

Updated by vo.x (Vit Ondruch) 5 months ago

I'll try to workaround this by --disable-fortify-source, I hope it won't have another side effects.

Updated by kjtsanaktsidis (KJ Tsanaktsidis) 5 months ago

  • Assignee set to kjtsanaktsidis (KJ Tsanaktsidis)
Actions #3

Updated by Anonymous 5 months ago

  • Status changed from Open to Closed

Applied in changeset git|0ccb80d6bf57cd6e79ad622c024d3d0940ec6f3b.


Extract hardening CFLAGS to a special $hardenflags variable

This changes the automatic detection of -fstack-protector,
-D_FORTIFY_SOURCE, and -mbranch-protection to write to $hardenflags
instead of $XCFLAGS. The definition of $cflags is changed to
"$hardenflags $orig_cflags $optflags $debugflags $warnflags" to match.

Furthermore, these flags are prepended to $hardenflags, rather than
appended.

The implications of doing this are as follows:

  • If a CRuby builder specifies cflags="-mbranch-protection=foobar" at
    the ./configure script, and the configure script detects that
    -mbranch-protection=pac-ret is accepted, then GCC will be invoked as
    "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". Since
    the last flags take precedence, that means that user-supplied values
    of these flags in $cflags will take priority.
  • Likewise, if a CRuby builder explicitly specifies
    "hardenflags=-mbranch-protection=foobar", because we prepend to
    $hardenflags in our autoconf script, we will still invoke GCC as
    "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar".
  • If a CRuby builder specifies CFLAGS="..." at the configure line,
    automatic detection of hardening flags is ignored as before.
  • C extensions will also be built with hardening flags now as well
    (this was not the case by default before because the detected flags
    went into $XCFLAGS).

Additionally, as part of this work, I changed how the detection of
PAC/BTI in Context.S works. Rather than appending the autodetected
option to ASFLAGS, we simply compile a set of test programs with the
actual CFLAGS in use to determine what PAC/BTI settings were actually
chosen by the builder. Context.S is made aware of these choices through
some custom macros.

The result of this work is that:

  • Ruby will continue to choose some sensible defaults for hardening
    options for the C compiler
  • Distributors are able to specify CFLAGS that are consistent with their
    distribution and override these defaults
  • Context.S will react to whatever -mbranch-protection is actually in
    use, not what was autodetected
  • Extensions get built with hardening flags too.

[Bug #20154]
[Bug #20520]

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0