Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Support for GCC 4.x on hardened systems
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Unsupported Software
View previous topic :: View next topic  
Author Message
radegand
n00b
n00b


Joined: 22 Aug 2008
Posts: 45
Location: Poland

PostPosted: Wed Sep 23, 2009 7:29 pm    Post subject: Reply with quote

radegand wrote:

Yep, it compiled fine, thanks! :)

My bad, I was too quick, it didn't. I forgot to switch gcc back from hardenednopie to hardened :roll:
It errors out here:
Code:
/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.1/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-amd64-x86_64-pc-linux-gnu-nptl/iconv/iconvconfig.o: relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-amd64-x86_64-pc-linux-gnu-nptl/iconv/iconvconfig.o: could not read symbols: Bad value
collect2: ld returned 1 exit status

No worries, I can't wait for the new espf, don't really need to recompile it now I guess.. :)
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 340
Location: France

PostPosted: Wed Sep 23, 2009 7:36 pm    Post subject: Reply with quote

kernelOfTruth wrote:

confirmed ! :D

Quote:
cat /etc/portage/profile/package.use.mask
sys-devel/gcc -hardened
sys-libs/glibc -hardened


don't forget to enable hardened USE-flag globally !

Thank you a lot ;)

So, i've to follow the following steps :
- retrieving the hardened overlay,
- globally enabling hardened use-flag,
- adding gcc and glibc to /etc/portage/profile/package.use.mask,
- recompiling the toolchain : gcc-config linux-headers glibc binutils gcc portage,
- and finally, recompiling the system and the world.

Am i right ?
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 5699
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Wed Sep 23, 2009 7:57 pm    Post subject: Reply with quote

Tom_ wrote:

Thank you a lot ;)

So, i've to follow the following steps :
- retrieving the hardened overlay,
- globally enabling hardened use-flag,
- adding gcc and glibc to /etc/portage/profile/package.use.mask,

yes, you might need to add other packages to that file if hardened-useflag is (profile-) masked for them

Tom_ wrote:

- recompiling the toolchain : gcc-config linux-headers glibc binutils gcc portage,

yes, you better start with >=binutils-2.20.51.0.1 since that fixed problems with pie for me (practically before that it wouldn't really work - sometimes it wasn't shown in the below mentioned script)

after than you can go on with the other packages

you can check existance of stack canary, pie and nx bit with the script from:
checksec.sh

kudos to Tobias Klein for that script and his nice site :)

Tom_ wrote:

- and finally, recompiling the system and the world.

Am i right ?

just go ahead :)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 340
Location: France

PostPosted: Wed Sep 23, 2009 8:02 pm    Post subject: Reply with quote

Hey thank you!! :)

I''ll do it as soon as possible. :wink:
Back to top
View user's profile Send private message
Dwokfur
Tux's lil' helper
Tux's lil' helper


Joined: 15 Sep 2006
Posts: 85
Location: Budapest, Hungary, Europe

PostPosted: Sat Oct 03, 2009 10:32 pm    Post subject: Reply with quote

I'm having problems compiling glibc-2.10.1 even using the latest gcc (4.4.1-r2 - espf-0.3.5):

Code:

i686-pc-linux-gnu-gcc -Wl,-O1  -nostdlib -nostartfiles -shared -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so                    \
                  -Wl,-z,combreloc -Wl,-z,relro -Wl,--hash-style=both -Wl,-z,defs -Wl,-z,now    \
                  /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os -Wl,--version-script=/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/ld.map          \
                  -Wl,-soname=ld-linux.so.2 -T /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so.lds
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `_dl_initial_error_catch_tsd':
(.text+0xa6): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `rtld_lock_default_lock_recursive':
rtld.c:(.text+0xd7): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `rtld_lock_default_unlock_recursive':
rtld.c:(.text+0x107): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `lookup_doit':
rtld.c:(.text+0x193): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `dlmopen_doit':
rtld.c:(.text+0x21c): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os:rtld.c:(.text+0x7d8): more undefined references to `__stack_chk_fail_local' follow
/usr/lib/gcc/i686-pc-linux-gnu/4.4.1/../../../../i686-pc-linux-gnu/bin/ld: /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so: hidden symbol `__stack_chk_fail_local' isn't defined
/usr/lib/gcc/i686-pc-linux-gnu/4.4.1/../../../../i686-pc-linux-gnu/bin/ld: final link failed: Nonrepresentable section on output
collect2: ld returned 1 exit status
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so] Error 1
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1/elf'
make[1]: *** [elf/subdir_lib] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1'
make: *** [all] Error 2


Another snippet:
Code:
 * Patching Glibc to support older SSP __guard

Is this normal?

I think it might be a problem, that I use binutils-2.19.1-r1. I wanted to bump binutils to the latest masked version of binutils, but higher version ebuilds have an empty KEYWORDS specified. Therefore portage moans about it.
What is the proper way of intstalling an ebuild with empty KEYWORDS apart from unmasking it as usual?

Regards & thx:
Dw.
Back to top
View user's profile Send private message
Anarchy
Developer
Developer


Joined: 29 Jun 2005
Posts: 108

PostPosted: Sun Oct 04, 2009 8:26 pm    Post subject: Reply with quote

Dwokfur wrote:
I'm having problems compiling glibc-2.10.1 even using the latest gcc (4.4.1-r2 - espf-0.3.5):

Code:

i686-pc-linux-gnu-gcc -Wl,-O1  -nostdlib -nostartfiles -shared -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so                    \
                  -Wl,-z,combreloc -Wl,-z,relro -Wl,--hash-style=both -Wl,-z,defs -Wl,-z,now    \
                  /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os -Wl,--version-script=/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/ld.map          \
                  -Wl,-soname=ld-linux.so.2 -T /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so.lds
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `_dl_initial_error_catch_tsd':
(.text+0xa6): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `rtld_lock_default_lock_recursive':
rtld.c:(.text+0xd7): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `rtld_lock_default_unlock_recursive':
rtld.c:(.text+0x107): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `lookup_doit':
rtld.c:(.text+0x193): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `dlmopen_doit':
rtld.c:(.text+0x21c): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os:rtld.c:(.text+0x7d8): more undefined references to `__stack_chk_fail_local' follow
/usr/lib/gcc/i686-pc-linux-gnu/4.4.1/../../../../i686-pc-linux-gnu/bin/ld: /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so: hidden symbol `__stack_chk_fail_local' isn't defined
/usr/lib/gcc/i686-pc-linux-gnu/4.4.1/../../../../i686-pc-linux-gnu/bin/ld: final link failed: Nonrepresentable section on output
collect2: ld returned 1 exit status
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so] Error 1
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1/elf'
make[1]: *** [elf/subdir_lib] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1'
make: *** [all] Error 2


Another snippet:
Code:
 * Patching Glibc to support older SSP __guard

Is this normal?

I think it might be a problem, that I use binutils-2.19.1-r1. I wanted to bump binutils to the latest masked version of binutils, but higher version ebuilds have an empty KEYWORDS specified. Therefore portage moans about it.
What is the proper way of intstalling an ebuild with empty KEYWORDS apart from unmasking it as usual?

Regards & thx:
Dw.


Please post your emerge --info, I have done the update in a stable chroot and testing chroot for both x86 and amd64 and all was fine.
Back to top
View user's profile Send private message
Dwokfur
Tux's lil' helper
Tux's lil' helper


Joined: 15 Sep 2006
Posts: 85
Location: Budapest, Hungary, Europe

PostPosted: Tue Oct 06, 2009 12:31 pm    Post subject: Reply with quote

Anarchy wrote:


Please post your emerge --info, I have done the update in a stable chroot and testing chroot for both x86 and amd64 and all was fine.


Here it is:
Code:

Portage 2.1.6.13 (hardened/linux/x86/10.0, gcc-4.4.1, glibc-2.10.1-r0, 2.6.30.8-grsec i686)
=================================================================
System uname: Linux-2.6.30.8-grsec-i686-AMD_Athlon-TM-_MP_2600+-with-gentoo-1.12.11.1
Timestamp of tree: Fri, 02 Oct 2009 06:00:01 +0000
ccache version 2.4 [disabled]
app-shells/bash:     4.0_p28
dev-java/java-config: 1.3.7-r1, 2.1.8-r1
dev-lang/python:     2.5.4-r3, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -mtune=athlon-mp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/mozilla/defaults/pref /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -mtune=athlon-mp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig distlocks fixpackages metadata-transfer parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.inode.at/ http://gentoo.inf.elte.hu/"
LANG="hu_HU.utf8"
LC_ALL="hu_HU.utf8"
LDFLAGS="-Wl,-O1"
LINGUAS="hu en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/hardened-development /home/atoth/public_html/overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 7zip GNU X X509 Xaw3d a52 aac aalib acl acpi aiglx alsa amr amrnb amrwb aotuv apache2 applet ares asf atmo audiofile bash-completion bcmath bdf berkdb bidi binfilter bitmap-fonts bittorrent blas bluetooth boost branding browserplugin bugzilla bzip2 cairo caps cdaudio cdda cddax cddb cdio cdparanoia cdr cdrom cgi chardet checkpath clamdtop cli consolekit contentcache context contrib cracklib crypt css ctype cups curl curlwrappers dba dbm dbus dcmtk deskbar detex devhelp device-mapper dga dhcp dia dicom dirac disassembler discard-path divx divx4linux djbfft djvu dlloader dmi dot dri dts dv dvd dvdnav dvdr dvdread dvi dvi2tty dvipdfm eds elf emerald enca encode enscript epiphany epoll evo exif expat extensions extra extrafilters extras faac faad fam fame ffmpeg fftw finger firefox flac flash flatfile follow-xff fontconfig foomaticdb force-cgi-redirect fortran fpx ftp gadu galago gd gdb gdbm gdl gedit geoip gif gimp gimpprint ginac git glade glibc glitz gmedia gmp gnet gnome gnome-keyring gnome-print gnomecanvas gnomecd gopher gpac gpg gphoto2 gpm graphics graphviz gs gsf gsl gsm gstreamer gtk gtk2 gtkhtml guile h323 hal hardened html hub iconv icu id3 id3tag idea idn iksemel imagemagick imap imlib inherit-graph inifile inkjar inode iplsrc irc irda isdnlog jabber jadetex java java-internal java6 javascript jingle jpeg jpeg2k jpgraph jrtplib json kate kpathsea ladspa lame lapack latex latex3 lcms libass libburn libcaca libnotify libplot libsamplerate libssh2 libv4l2 lm_sensors logitech-mouse loop-aes lyx lzma lzo lzw m17n-lib mad matroska mbox mcal md5sum memlimit mhash mikmod milter ming mjpeg mktemp mmap mmx mmxext mng mode-owner modules motif mozbranding mozcalendar mp2 mp3 mp4 mpeg mpeg1 mpeg2 mplayer mudflap musepack mysql mysqli nautilus ncurses nemesi network networking new-login nifti nls nntp nopop3d nptl nptlonly nsplugin nss ntfs nuv oav odbc odk ofx ogg oggvorbis ogm oil onaccess openexr opengl optimisememory otr overload pam pam_chroot pam_timestamp pango passwdqc paste64 pasteafter pccts pcmcia pcntl pcre pda pdf pear perl php pic plotutils png pnm policykit posix postscript ppds pppd projectm pstricks publishers pvr python qhull quicktime quotas rar rc5 rcs readline realmedia reflection reiserfs remoteosd replytolist rle rtc rtf samba sasl scanner scenarios schroedinger science screen sdl sendmail sensord session sftplogging sid sidebar sieve silc skins slang smime smp sms smtp sndfile soap sockets sound soundex soundtouch sourceview sox speex spell spf spl srt sse ssh ssl ssp sspall startup-notification subtitles subversion suhosin svg svnserve sysfs syslog sysvipc t1lib taglib tagwriting tcl tcltk tcpd templates tetex tex4ht tga themes theora threads threadsafe tidy tiff tilepath tk tlen tokenizer toolbar tools totem tracker transcode truetype truetype-fonts twolame type1-fonts type3 udev underscores unicode urandom usb userlocales utils v4l v4l2 valgrind vcd vcdinfo vcdx vidix virus-scan vista visualization vlm volpack vorbis vtk wavplay wifi win32codecs wma wmf wmp wxwidgets wxwindows x264 x86 xattr xcb xetex xforms xine xmedcon xml xml2 xmlreader xmlrpc xmlwriter xorg xpm xsl xulrunner xv xvid xvmc yahoo zip zlib zvbi" ALSA_CARDS="cmipci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest version filter ident charset_lite asis dbd authn_dbd proxy proxy_ajp proxy_balancer proxy_connect proxy_http imagemap" APACHE2_MPMS="worker" CAMERAS="ptp2" ELIBC="glibc" INPUT_DEVICES="keyboard mouse acecad evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="hu en" USERLAND="GNU" VIDEO_CARDS="radeon v4l"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


The situation is the same for my Pentium M based laptop, running a similar config - otherwise.

Please let me know what else I should do.

Regards:
Dw.
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 5699
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Tue Oct 06, 2009 11:00 pm    Post subject: Reply with quote

Dwokfur wrote:

I think it might be a problem, that I use binutils-2.19.1-r1. I wanted to bump binutils to the latest masked version of binutils, but higher version ebuilds have an empty KEYWORDS specified. Therefore portage moans about it.
What is the proper way of intstalling an ebuild with empty KEYWORDS apart from unmasking it as usual?

Regards & thx:
Dw.


you might need to add it to

Code:
echo "sys-devel/binutils **" >> /etc/portage/package.keywords


should always give you the latest binutils

there's no other additional steps besides that (afaik)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

PostPosted: Thu Oct 08, 2009 2:37 am    Post subject: Reply with quote

Dwokfur wrote:
I'm having problems compiling glibc-2.10.1 even using the latest gcc (4.4.1-r2 - espf-0.3.5):

Code:

i686-pc-linux-gnu-gcc -Wl,-O1  -nostdlib -nostartfiles -shared -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so                    \
                  -Wl,-z,combreloc -Wl,-z,relro -Wl,--hash-style=both -Wl,-z,defs -Wl,-z,now    \
                  /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os -Wl,--version-script=/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/ld.map          \
                  -Wl,-soname=ld-linux.so.2 -T /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so.lds
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `_dl_initial_error_catch_tsd':
(.text+0xa6): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `rtld_lock_default_lock_recursive':
rtld.c:(.text+0xd7): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `rtld_lock_default_unlock_recursive':
rtld.c:(.text+0x107): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `lookup_doit':
rtld.c:(.text+0x193): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os: In function `dlmopen_doit':
rtld.c:(.text+0x21c): undefined reference to `__stack_chk_fail_local'
/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/librtld.os:rtld.c:(.text+0x7d8): more undefined references to `__stack_chk_fail_local' follow
/usr/lib/gcc/i686-pc-linux-gnu/4.4.1/../../../../i686-pc-linux-gnu/bin/ld: /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so: hidden symbol `__stack_chk_fail_local' isn't defined
/usr/lib/gcc/i686-pc-linux-gnu/4.4.1/../../../../i686-pc-linux-gnu/bin/ld: final link failed: Nonrepresentable section on output
collect2: ld returned 1 exit status
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld.so] Error 1
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1/elf'
make[1]: *** [elf/subdir_lib] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1'
make: *** [all] Error 2


Another snippet:
Code:
 * Patching Glibc to support older SSP __guard

Is this normal?

I think it might be a problem, that I use binutils-2.19.1-r1. I wanted to bump binutils to the latest masked version of binutils, but higher version ebuilds have an empty KEYWORDS specified. Therefore portage moans about it.
What is the proper way of intstalling an ebuild with empty KEYWORDS apart from unmasking it as usual?

Regards & thx:
Dw.

The glibc 2.10.1 in the tree have the same patches we did have on the overlay.
I haven't so far have any probs with it and i use ~amd64 packages
The __guard stuff patch was in the glibc patchset before 2.10 and it the did't applay to the new glibc.
__guard is to support SSP on old gcc < 4.
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)
Back to top
View user's profile Send private message
cord
Apprentice
Apprentice


Joined: 28 Apr 2007
Posts: 204

PostPosted: Fri Oct 09, 2009 6:59 pm    Post subject: Reply with quote

So, I tested your hardened toolchain overlay. Here is my report.

I installed the gentoo base system by handbook and then followed your guide.
Everything was fine, but command
Code:

# while read ebuild; do emerge -v1 "${ebuild}" || echo "${ebuild}" >>failed; done < <(emerge -ep --columns --color=n system| cut -d] -f2 | awk '{print$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)"|sed '1,4d')

failed with syntax error (of course I checked it many times, but the error continued to occur).

Well, did this:
Code:

# emerge -1 linux-headers gcc glibc binutils gcc-config
# gcc-config x86_64-pc-linux-gnu-4.4.1; env-update; source /etc/profile
# emerge -1b gcc glibc binutils portage
# emerge -ek system
# emerge -ek world


my 'emerge --info'
Code:

Portage 2.1.6.13 (hardened/linux/amd64, gcc-4.4.1, glibc-2.10.1-r0, 2.6.28-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r9-x86_64-AMD_Athlon-tm-_64_Processor_3000+-with-gentoo-2.0.1
Timestamp of tree: Tue, 06 Oct 2009 01:45:01 +0000
app-shells/bash:     4.0_p28
dev-java/java-config: 2.1.8-r1
dev-lang/python:     2.6.2-r1
dev-util/cmake:      2.6.4
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.4.3-r3
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildsyspkg distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.kiev.ua/"
LANG="ru_UA.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once,--hash-style=gnu"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/hardened-development /usr/local/my-overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X alsa amd64 berkdb cli cracklib crypt dri flac hal hardened iconv isdnlog justify kde mmx modules mudflap multilib ncurses nls opengl pam pcre perl pic pppd python qt4 readline reflection session spl sse sse2 ssl sysfs tcpd unicode urandom utf8 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nv vesa"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

I forgot to set 'MAKEOPTS' variable before recompiling the system :( And I think this is not critical considering that my CPU is 'one core'.

my /etc/portage/package.keywords
Code:

=sys-devel/gcc-4.4* ~amd64
=sys-libs/glibc-2.10* ~amd64
=sys-apps/openrc-0.4* ~amd64
=sys-apps/baselayout-2* ~amd64
=sys-apps/sysvinit-2.86* ~amd64
=media-video/mediainfo-0.7.17 ~amd64
=sys-fs/udftools-1.0.0b-r9 ~amd64
media-video/cinelerra ~amd64
=media-video/subtitleeditor-0.33.0 ~amd64
=media-video/dvgrab-3.5 ~amd64
=dev-libs/boost-1.39.0 ~amd64
=app-admin/eselect-boost-0.3 ~amd64
=dev-util/boost-build-1.39.0 ~amd64
=net-im/licq-1.3.6 ~amd64
=media-tv/tvtime-1.0.2-r2 ~amd64
=media-video/mkvtoolnix-2.9.8
=media-video/avidemux-2.5.1-r2 ~amd64
=media-libs/x264-0.0.20090923 ~amd64

Stable versions of these packages (and their dependencies) were not compile successful. Excepting gcc, glibc, openrc, baselayout-2, sysvinit :)

My system is desktop :) However, here is my 'world'
Code:

app-admin/logrotate
app-admin/mcelog
app-admin/syslog-ng
app-antivirus/klamav
app-arch/p7zip
app-arch/rar
app-cdr/bin2iso
app-cdr/ccd2iso
app-cdr/dvd+rw-tools
app-cdr/isomaster
app-cdr/k3b
app-cdr/nrg2iso
app-emulation/wine
app-misc/mc
app-office/openoffice
app-portage/emerge-delta-webrsync
app-portage/gentoolkit
app-portage/layman
dev-java/sun-jdk
kde-base/ark
kde-base/kamera
kde-base/kcalc
kde-base/kdebase-startkde
kde-base/kdegraphics-kfile-plugins
kde-base/kdemultimedia-kfile-plugins
kde-base/kdenetwork-kfile-plugins
kde-base/kdm
kde-base/kedit
kde-base/kget
kde-base/klipper
kde-base/kmix
kde-base/kolourpaint
kde-base/konq-plugins
kde-base/konsole
kde-base/kpackage
kde-base/ksnapshot
kde-base/ksysguard
kde-base/kuser
kde-misc/kdirstat
kde-misc/knetstats
kde-misc/krename
media-fonts/corefonts
media-fonts/terminus-font
media-gfx/blender
media-gfx/gimp
media-gfx/gwenview
media-sound/amarok
media-sound/audacity
media-sound/timidity++
media-tv/kdetv
media-tv/tvtime
media-video/avidemux
media-video/cinelerra
media-video/dvgrab
media-video/kino
media-video/mediainfo
media-video/mkvtoolnix
media-video/smplayer
media-video/subtitleeditor
net-analyzer/traceroute
net-firewall/iptables
net-ftp/proftpd
net-im/licq
net-im/psi
net-misc/dhcpcd
net-misc/ntp
net-p2p/ktorrent
sys-apps/netplug
sys-apps/paxctl
sys-boot/grub-static
sys-fs/dosfstools
sys-fs/ntfs3g
sys-fs/ntfsprogs
sys-fs/reiserfsprogs
sys-fs/udftools
sys-fs/xfsprogs
sys-kernel/hardened-sources
www-client/opera
x11-base/xorg-server
x11-base/xorg-x11


The problem packages were mplayer, wine and openoffice.
MPlayer was compiled successfully only on 'x86_64-pc-linux-gnu-4.4.1-hardenednopie' gcc profile, and plus #269975.
Wine and OO was compiled successfully only on 'x86_64-pc-linux-gnu-4.4.1-vanilla' gcc profile and only with PaX's 'Soft Mode' enabled.
After this
Code:

paxctl -xperms /usr/bin/wine-preloader /usr/bin/wine /usr/bin/wineserver

wine works fine :)

What doesn't work:
- 'frame buffer' under console with enabled security options in kernel
- Neither 'tvtime' nor 'kdetv' doesn't see tv device (tvtuner Philips saa7134), but mplayer does
Back to top
View user's profile Send private message
cord
Apprentice
Apprentice


Joined: 28 Apr 2007
Posts: 204

PostPosted: Sun Oct 11, 2009 3:15 pm    Post subject: Reply with quote

Oh, KDE-4 become stable today! (#287697)
It will be interesting on hardened :)
Back to top
View user's profile Send private message
maztec
n00b
n00b


Joined: 13 Oct 2009
Posts: 3

PostPosted: Wed Oct 14, 2009 3:53 am    Post subject: Reply with quote

gcc --version shows that gcc has pie-10.1.5, but gcc-config says I have nopie, yet emerge --info gcc says I have -nopie; nevertheless, when I compile glibc it says I can't have pie. So, do I have pie or do I not have pie? And if I don't have pie, can I and how do I bake me some pie?
Back to top
View user's profile Send private message
Xake
Guru
Guru


Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

PostPosted: Wed Oct 14, 2009 8:15 am    Post subject: Reply with quote

maztec wrote:
gcc --version shows that gcc has pie-10.1.5, but gcc-config says I have nopie, yet emerge --info gcc says I have -nopie; nevertheless, when I compile glibc it says I can't have pie. So, do I have pie or do I not have pie? And if I don't have pie, can I and how do I bake me some pie?


Please post output of the following commands:
Code:
eselect profile show
gcc-config -l
emerge -pv gcc glibc

and I can tell you more.
_________________
If I edit a post without commenting it mostly is spelling-errors.
And if I sounds rude I am sorry, that is just my personality speaking and has most of the time nothing to do with you personally.
Back to top
View user's profile Send private message
maztec
n00b
n00b


Joined: 13 Oct 2009
Posts: 3

PostPosted: Wed Oct 14, 2009 8:32 am    Post subject: Reply with quote

Xake: Thank you for taking the time to respond. Below is the output to those commands.

Xake wrote:
maztec wrote:
gcc --version shows that gcc has pie-10.1.5, but gcc-config says I have nopie, yet emerge --info gcc says I have -nopie; nevertheless, when I compile glibc it says I can't have pie. So, do I have pie or do I not have pie? And if I don't have pie, can I and how do I bake me some pie?


Please post output of the following commands:
Code:
eselect profile show
gcc-config -l
emerge -pv gcc glibc

and I can tell you more.


Code:
# eselect profile show
  Current make.profile symlink:
  hardened/linux/amd64/10.0

# gcc-config -l
  [1] x86_64-pc-linux-gnu-4.3.4
  [2] x86_64-pc-linux-gnu-4.3.4-hardenednopie *
  [3] x86_64-pc-linux-gnu-4.3.4-vanilla

# emerge -pv gcc glibc
!!! Invalid PORTDIR_OVERLAY (not a dir): '/usr/local/toolchain-overlay'

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] sys-devel/gcc-4.3.4 USE="hardened mudflap (multilib) nls nptl openmp (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -gtk -ip28 -ip32r10k -libffi -multislot (-n32) (-n64) -nocxx -nopie -objc -objc++ -objc-gcc -test -vanilla" 0 kB
[ebuild  R    ] sys-libs/glibc-2.10.1 USE="hardened (multilib) nls selinux -debug -gd -glibc-omitfp -profile -vanilla" 0 kB

Total: 2 packages (2 reinstalls), Size of downloads: 0 kB


And, gnu was nopie for both selinux and -selinux, and multilib and -multilib. And yes, I do need multilib selinux and understand it is nowhere near supported.
Back to top
View user's profile Send private message
Xake
Guru
Guru


Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

PostPosted: Wed Oct 14, 2009 9:50 am    Post subject: Reply with quote

maztec wrote:

[...]
Code:

# gcc-config -l
  [1] x86_64-pc-linux-gnu-4.3.4
  [2] x86_64-pc-linux-gnu-4.3.4-hardenednopie *
  [3] x86_64-pc-linux-gnu-4.3.4-vanilla



To use pie, just
Code:
gcc-config x86_64-pc-linux-gnu-4.3.4 && source /etc/profile


The rest will fix itself.

The PIE in gcc -v is what versions of the piepatches you are using,
Why it says nopie is becouse of -hardenednopie in gcc-config which is a special config for gcc that use the hardened patches but does not use pie, mostly for debugging purposes.
What glibc complains about is that since you do not have PIE enabled in your compiler the pie patches for glibc makes no sense.

So in short: to bake a PIE system you need to run the codesnippet above and then at least recompile glibc binutils and gcc.
Then a "emerge -e world" is recommended, but not necessary. Just remember that all packages you do not recompile will not take advantage of PIE.
_________________
If I edit a post without commenting it mostly is spelling-errors.
And if I sounds rude I am sorry, that is just my personality speaking and has most of the time nothing to do with you personally.
Back to top
View user's profile Send private message
maztec
n00b
n00b


Joined: 13 Oct 2009
Posts: 3

PostPosted: Wed Oct 14, 2009 11:50 pm    Post subject: Reply with quote

Well, make me feel stupid. Thanks! :lol:

I think I got confused the fact that it doesn't say hardened on its title. Ahh well.
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 5699
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Fri Oct 16, 2009 6:28 pm    Post subject: Reply with quote

Reminder :idea: :

gcc 4.4.2 got released: http://gcc.gnu.org/gcc-4.4/changes.html#4.4.2
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

PostPosted: Sun Oct 18, 2009 1:15 am    Post subject: Reply with quote

kernelOfTruth wrote:
Reminder :idea: :

gcc 4.4.2 got released: http://gcc.gnu.org/gcc-4.4/changes.html#4.4.2

GCC 4.4.2 is in the overlay :D
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 5699
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Sun Oct 18, 2009 12:43 pm    Post subject: Reply with quote

thanks zorry ! :D

could we also include -fno-tree-vrp in the specs for the future ?

Quote:
-ftree-vrp
Perform Value Range Propagation on trees. This is similar to the constant propagation pass, but instead of values, ranges of values are propagated. This allows the optimizers to remove unnecessary range checks like array bound checks and null pointer checks. This is enabled by default at -O2 and higher. Null pointer check elimination is only done if -fdelete-null-pointer-checks is enabled.


if -fno-delete-null-pointer-checks is enabled the logical consequence would be to enable -fno-tree-vrp explicitly, too
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
Back to top
View user's profile Send private message
radegand
n00b
n00b


Joined: 22 Aug 2008
Posts: 45
Location: Poland

PostPosted: Fri Oct 23, 2009 6:57 pm    Post subject: Reply with quote

cord wrote:
Oh, KDE-4 become stable today! (#287697)
It will be interesting on hardened :)


Hi,
KDE-4 is fine on hardened with grsec. The only troublemaker is 'nepomuk' which needs to be compiled with grsec disabled and tends to segfault on grsec kernels :? I don't really use it so it doesn't bother me too much... :lol:

Other than that - KDE 4 is smooth! 8)
Back to top
View user's profile Send private message
Dwokfur
Tux's lil' helper
Tux's lil' helper


Joined: 15 Sep 2006
Posts: 85
Location: Budapest, Hungary, Europe

PostPosted: Fri Oct 23, 2009 9:20 pm    Post subject: Reply with quote

zorry wrote:

The glibc 2.10.1 in the tree have the same patches we did have on the overlay.
I haven't so far have any probs with it and i use ~amd64 packages
The __guard stuff patch was in the glibc patchset before 2.10 and it the did't applay to the new glibc.
__guard is to support SSP on old gcc < 4.


Gnome 2.26 is stable now on x86. Version bump went fine. Epiphany still requires -PAX_MPROTECT to start.

I'm still struggling with glibc. I have a bad feeling about it. My previous report turned out to be the same, which is described at the beginning of ticket #10. If I apply the patch attached to the ticket, the compilation goes forward, but dies later like it is indicated in comment #9. If I link stack_chk_fail_local to libmemusage.so, the compilation continues even further, but later I get three segfaults.

Quote:

.././scripts/mkinstalldirs /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc
CPP='i686-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld-linux.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -c rpcsvc/bootparam_prot.x -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xbootparam_prot.T
CPP='i686-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld-linux.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -c rpcsvc/nlm_prot.x -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xnlm_prot.T
mkdir /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xbootparam_prot.stmp] Segmentation fault
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xnlm_prot.stmp] Segmentation fault
CPP='i686-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld-linux.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -h rpcsvc/bootparam_prot.x -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc/bootparam_prot.T
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc/bootparam_prot.stmp] Segmentation fault
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1/sunrpc'
make[1]: *** [sunrpc/others] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1'
make: *** [all] Error 2


I have a very bad feeling: am I the only one using hardened toolchain on x86? If I get it correctly it's not a real problem on x86_64.

Please give me some advice where to continue. Should I try to disable fstack-protector on memusage?

Are there anyone else out there lucky enough to have x86 - hardened in combo?

Regards,
Dw.
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

PostPosted: Sat Oct 24, 2009 1:29 pm    Post subject: Reply with quote

Dwokfur wrote:
zorry wrote:

The glibc 2.10.1 in the tree have the same patches we did have on the overlay.
I haven't so far have any probs with it and i use ~amd64 packages
The __guard stuff patch was in the glibc patchset before 2.10 and it the did't applay to the new glibc.
__guard is to support SSP on old gcc < 4.


Gnome 2.26 is stable now on x86. Version bump went fine. Epiphany still requires -PAX_MPROTECT to start.

I'm still struggling with glibc. I have a bad feeling about it. My previous report turned out to be the same, which is described at the beginning of ticket #10. If I apply the patch attached to the ticket, the compilation goes forward, but dies later like it is indicated in comment #9. If I link stack_chk_fail_local to libmemusage.so, the compilation continues even further, but later I get three segfaults.

Quote:

.././scripts/mkinstalldirs /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc
CPP='i686-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld-linux.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -c rpcsvc/bootparam_prot.x -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xbootparam_prot.T
CPP='i686-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld-linux.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -c rpcsvc/nlm_prot.x -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xnlm_prot.T
mkdir /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xbootparam_prot.stmp] Segmentation fault
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/xnlm_prot.stmp] Segmentation fault
CPP='i686-pc-linux-gnu-gcc -E -x c-header' /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf/ld-linux.so.2 --library-path /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/math:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/elf:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/dlfcn:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nss:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nis:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/rt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/resolv:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/crypt:/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/nptl /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcgen -Y ../scripts -h rpcsvc/bootparam_prot.x -o /var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc/bootparam_prot.T
make[2]: *** [/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-default-i686-pc-linux-gnu-nptl/sunrpc/rpcsvc/bootparam_prot.stmp] Segmentation fault
make[2]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1/sunrpc'
make[1]: *** [sunrpc/others] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-libs/glibc-2.10.1/work/glibc-2.10.1'
make: *** [all] Error 2


I have a very bad feeling: am I the only one using hardened toolchain on x86? If I get it correctly it's not a real problem on x86_64.

Please give me some advice where to continue. Should I try to disable fstack-protector on memusage?

Are there anyone else out there lucky enough to have x86 - hardened in combo?

Regards,
Dw.

Sounds like the filter-flags -fstack-protector in ../sys-libs/glibs/files/eblits/common.eblit
do not work and don't pass -fno-stack-protector to the CFLAGS
Check if you got the -fno-stack-protector to the CFLAGS when you compile glibc.
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)
Back to top
View user's profile Send private message
Dwokfur
Tux's lil' helper
Tux's lil' helper


Joined: 15 Sep 2006
Posts: 85
Location: Budapest, Hungary, Europe

PostPosted: Sun Oct 25, 2009 8:45 pm    Post subject: Reply with quote

zorry wrote:

Sounds like the filter-flags -fstack-protector in ../sys-libs/glibs/files/eblits/common.eblit
do not work and don't pass -fno-stack-protector to the CFLAGS
Check if you got the -fno-stack-protector to the CFLAGS when you compile glibc.


Just to make a note about how the problem resolved.
When I first saw the news about repos.conf, I set it up for myself. However stable portage didn't supported it that time. I commented out all rows and waited for portage 2.2. Repos.conf support arrived in 2.1 portage in the mean time. If there's no repos.conf in /etc/portage, the proper eclass gets used. An empty or uncommented or unconfigured repos.conf breaks eclass inheritance.

Regards:
Dw.
Back to top
View user's profile Send private message
causality
Apprentice
Apprentice


Joined: 03 Jun 2006
Posts: 163

PostPosted: Sun Nov 01, 2009 2:30 am    Post subject: Reply with quote

I hope this isn't an inappropriate place to post this as it relates to Hardened in general and not GCC specifically. However, this was one of the few threads I could find that mentioned the crashes/segfaults that users of Hardened systems experience when trying to compile Nepomuk. I found a very simple workaround and wanted to share it in the hope that it may save some time for someone.

I run a Hardened system and I also had an issue with compiling kde-base/nepomuk. However, it was not necessary for me to go so far as disabling grsec (a kernel setting) in order to compile it.

From looking at the build log, the program /usr/bin/onto2vocabularyclass is the one crashing:

Code:

Scanning dependencies of target nepomuk-manpage-man-nepomukservicestub
[  1%] [  1%] Generating nie.h, nie.cpp
Generating nepomukservicestub.8
/bin/sh: line 1: 13307 Segmentation fault      onto2vocabularyclass --name NIE --encoding trig --namespace Nepomuk::Vocabulary --no-visibility-export /var/tmp/portage/kde-base/nepomuk-4.3.1/work/nepomuk-4.3.1/nepomuk/ontologies/nie.trig
make[2]: *** [nepomuk/strigibackend/nie.h] Error 139
make[1]: *** [nepomuk/strigibackend/CMakeFiles/sopranobackend.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
Writing nepomukserver.8 for refentry
Writing nepomukservicestub.8 for refentry
[  2%] Built target nepomuk-manpage-man-nepomukserver
[  3%] Built target nepomuk-manpage-man-nepomukservicestub
make: *** [all] Error 2


This was all I had to do:

Code:
localhost ~ # paxctl -m /usr/bin/onto2vocabularyclass


After that, kde-base/nepomuk successfully emerged with no problems.

Since I have no other reason to lift any restrictions on /usr/bin/onto2vocabularyclass, I went ahead and restored the default PaX flags:

Code:

localhost ~ # paxctl -z /usr/bin/onto2vocabularyclass
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

PostPosted: Sun Nov 01, 2009 12:16 pm    Post subject: Reply with quote

causality wrote:
I hope this isn't an inappropriate place to post this as it relates to Hardened in general and not GCC specifically. However, this was one of the few threads I could find that mentioned the crashes/segfaults that users of Hardened systems experience when trying to compile Nepomuk. I found a very simple workaround and wanted to share it in the hope that it may save some time for someone.

I run a Hardened system and I also had an issue with compiling kde-base/nepomuk. However, it was not necessary for me to go so far as disabling grsec (a kernel setting) in order to compile it.

From looking at the build log, the program /usr/bin/onto2vocabularyclass is the one crashing:

Code:

Scanning dependencies of target nepomuk-manpage-man-nepomukservicestub
[  1%] [  1%] Generating nie.h, nie.cpp
Generating nepomukservicestub.8
/bin/sh: line 1: 13307 Segmentation fault      onto2vocabularyclass --name NIE --encoding trig --namespace Nepomuk::Vocabulary --no-visibility-export /var/tmp/portage/kde-base/nepomuk-4.3.1/work/nepomuk-4.3.1/nepomuk/ontologies/nie.trig
make[2]: *** [nepomuk/strigibackend/nie.h] Error 139
make[1]: *** [nepomuk/strigibackend/CMakeFiles/sopranobackend.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
Writing nepomukserver.8 for refentry
Writing nepomukservicestub.8 for refentry
[  2%] Built target nepomuk-manpage-man-nepomukserver
[  3%] Built target nepomuk-manpage-man-nepomukservicestub
make: *** [all] Error 2


This was all I had to do:

Code:
localhost ~ # paxctl -m /usr/bin/onto2vocabularyclass


After that, kde-base/nepomuk successfully emerged with no problems.

Since I have no other reason to lift any restrictions on /usr/bin/onto2vocabularyclass, I went ahead and restored the default PaX flags:

Code:

localhost ~ # paxctl -z /usr/bin/onto2vocabularyclass

kde-base/nepomuk-4.3.0 doesn't compile (hardened toolchain)
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Unsupported Software All times are GMT
Goto page Previous  1, 2, 3, 4, 5  Next
Page 2 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum