What Happened to 4.14 kernel?

Message

Post by Hu » Wed Jan 03, 2018 11:54 pm

proteusx wrote:Does anyone know if -fstack-check is set for non-hardened profiles?
These things are now buried under layers of labyrinthine eclasses.
Not easy to tell what is happening.

This is not an eclass issue. For systems where -fstack-check is enabled, it is done through a gcc specfile. This has the advantage of applying to all compiled output, regardless of whether the compiler is run by Portage or whether the ebuild respects CC, CFLAGS, etc. Unfortunately, this leads to:

Tony0945 wrote:All I can think of is a local ebuild that compiles something innocuous like "main(){exit(0);}" and looking at the screen output.

EDIT:Froze an emerge with CTRL-S Found this line
Code: Select all
x86_64-pc-linux-gnu-gcc -march=native -O2 -pipe -fno-strict-aliasing -Wstrict-prototypes -Wall -D_GNU_SOURCE  -c ping.c   -DUSE_OPENSSL  -o ping.o

Nice idea, but incorrect implementation. Since the feature is done through the specfile, you will not see it on the command line even when it is active.

Tony0945 wrote:There is a new kernel so I'll compile that too and try to catch the gcc lines, If you are not upgrading a kernel you can always rebuild your current kernel.

EDIT2:
Kernel compiles with stuff like
Code: Select all
CC      drivers/acpi/acpica/utxferror.o
I have no idea what's buried in the CC macro. Hopefully, someone more adept than I knows how to expand it.

You can pass a variable (I believe it is just V=1) to tell the kernel build system to show the full command line. However, as above, you won't see -fstack-check on the command line.

To check whether your gcc defaults to using -fstack-check, you can use gcc -dumpspecs to show the full specfile (and try to parse that language to answer the question), or you can compile a trivial C program to assembly and inspect whether gcc includes in the assembly the typical stack check prologue.

Code: Select all

$ cat a.c
void f()
{
}
$ gcc-7.2.0 -O2 -no-pie -S -o - a.c
	.file	"a.c"
	.text
	.p2align 4,,15
	.globl	f
	.type	f, @function
f:
.LFB0:
	.cfi_startproc
	subq	$4152, %rsp
	orq	$0, (%rsp)
	addq	$4128, %rsp
	.cfi_def_cfa_offset 32
	movq	%fs:40, %rax
	movq	%rax, 8(%rsp)
	xorl	%eax, %eax
	movq	8(%rsp), %rax
	xorq	%fs:40, %rax
	jne	.L5
	addq	$24, %rsp
	.cfi_remember_state
	.cfi_def_cfa_offset 8
	ret
.L5:
	.cfi_restore_state
	call	__stack_chk_fail@PLT
	.cfi_endproc
.LFE0:
	.size	f, .-f
	.ident	"GCC: (Gentoo Hardened 7.2.0 p1.1) 7.2.0"
	.section	.note.GNU-stack,"",@progbits

That subq/orq/addq sequence right after the label LFB0 is characteristic of the stack-check code.

Code: Select all

$ gcc-7.2.0 -O2 -no-pie -S -o - a.c -fno-stack-check
	.file	"a.c"
	.text
	.p2align 4,,15
	.globl	f
	.type	f, @function
f:
.LFB0:
	.cfi_startproc
	subq	$24, %rsp
	.cfi_def_cfa_offset 32
	movq	%fs:40, %rax
	movq	%rax, 8(%rsp)
	xorl	%eax, %eax
	movq	8(%rsp), %rax
	xorq	%fs:40, %rax
	jne	.L5
	addq	$24, %rsp
	.cfi_remember_state
	.cfi_def_cfa_offset 8
	ret
.L5:
	.cfi_restore_state
	call	__stack_chk_fail@PLT
	.cfi_endproc
.LFE0:
	.size	f, .-f
	.ident	"GCC: (Gentoo Hardened 7.2.0 p1.1) 7.2.0"
	.section	.note.GNU-stack,"",@progbits

Adding -fno-stack-check suppressed the implicit -fstack-check, so now that subq/orq/addq sequence is absent.

benchaney · Post by **benchaney** » Thu Jan 04, 2018 12:22 am

It doesn't seem like -fstack-check is on for the kernel either. Running genkernal --loglevel=5 --makeopts=V=1 all gives:

Code: Select all


  gcc -Wp,-MD,drivers/acpi/acpica/.utxferror.o.d  -nostdinc -isystem /usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/include -I./arch/x86/include -I./arch/x86/include/generated  -I./include -I./arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I./include/uapi -I./include/generated/uapi -include ./include/linux/kconfig.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -fshort-wchar -Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -fno-PIE -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -m64 -falign-jumps=1 -falign-loops=1 -mno-80387 -mno-fp-ret-in-387 -mpreferred-stack-boundary=3 -mskip-rax-setup -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time -DCONFIG_X86_X32_ABI -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -DCONFIG_AS_SSSE3=1 -DCONFIG_AS_CRC32=1 -DCONFIG_AS_AVX=1 -DCONFIG_AS_AVX2=1 -DCONFIG_AS_AVX512=1 -DCONFIG_AS_SHA1_NI=1 -DCONFIG_AS_SHA256_NI=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -fno-delete-null-pointer-checks -Wno-frame-address -O2 --param=allow-store-data-races=0 -DCC_HAVE_ASM_GOTO -Wframe-larger-than=1024 -fstack-protector -Wno-unused-but-set-variable -Wno-unused-const-variable -fno-var-tracking-assignments -pg -mfentry -DCC_USING_FENTRY -fno-inline-functions-called-once -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fno-stack-check -fconserve-stack -Werror=implicit-int -Werror=strict-prototypes -Werror=date-time -Werror=incompatible-pointer-types -Werror=designated-init -Os -D_LINUX -DBUILDING_ACPICA    -DKBUILD_BASENAME='"utxferror"'  -DKBUILD_MODNAME='"acpi"' -c -o drivers/acpi/acpica/.tmp_utxferror.o drivers/acpi/acpica/utxferror.c

I'm on default/linux/amd64/17.0/desktop/plasma if it makes a difference.

proteusx · Post by **proteusx** » Thu Jan 04, 2018 12:50 am

@Hu
Excellent! Thank you for the detailed answer.
One more question: Where within the profile/scripts/flags is the spec file where the implicit -fstack-check is set?

Tony0945 · Post by **Tony0945** » Thu Jan 04, 2018 1:20 am

proteusx wrote:One more question: Where within the profile/scripts/flags is the spec file where the implicit -fstack-check is set?

No where that I can see:

Code: Select all

X3 ~ # grep -r check /usr/portage/profiles|grep stack
X3 ~ #

Unless I'm not grepping for the right thing.

Tony0945 · Post by **Tony0945** » Thu Jan 04, 2018 1:25 am

Using 6.4.0 on a profile 17.0/desktop system:

Code: Select all

X3 ~ # gcc -O2  -S -o - a.c
        .file   "a.c"
        .text
        .p2align 4,,15
        .globl  f
        .type   f, @function
f:
.LFB0:
        .cfi_startproc
        rep ret
        .cfi_endproc
.LFE0:
        .size   f, .-f
        .ident  "GCC: (Gentoo 6.4.0 p1.1) 6.4.0"
        .section        .note.GNU-stack,"",@progbits

and

Code: Select all

X3 ~ # gcc -O2  -S -no-pie -o - a.c
        .file   "a.c"
        .text
        .p2align 4,,15
        .globl  f
        .type   f, @function
f:
.LFB0:
        .cfi_startproc
        rep ret
        .cfi_endproc
.LFE0:
        .size   f, .-f
        .ident  "GCC: (Gentoo 6.4.0 p1.1) 6.4.0"
        .section        .note.GNU-stack,"",@progbits

Looks like no stack-check either way, so not on by default.

EDIT: typo (spelling)

Post by Hu » Thu Jan 04, 2018 3:22 am

benchaney wrote:It doesn't seem like -fstack-check is on for the kernel either. Running genkernal --loglevel=5 --makeopts=V=1 all gives:

Per my post immediately before yours, you should not expect to see this in the command line. It is set as part of the compiler's internal configuration.

proteusx wrote:@Hu
Excellent! Thank you for the detailed answer.
One more question: Where within the profile/scripts/flags is the spec file where the implicit -fstack-check is set?

In older gcc versions, Gentoo installed multiple alternate spec files, picked one via the environment variable GCC_SPECS, and that one influenced the choice. For gcc-6 and gcc-7, no such spec files seem to be installed, and gcc-config does not let me switch between hardened and regular variants. However, I found in the gcc patch archive gcc-7.1.0-patches-1.1.tar.bz2 (applied by the ebuild) 55_all_extra-options.patch, which appears to be responsible for enabling -fstack-check when the cpp symbol EXTRA_OPTIONS is defined. $PORTDIR/eclass/toolchain.eclass defines this symbol if use hardened.

Tony0945 wrote:Using 6.4.0 on a profile 17.0/desktop system:

Thank you. I did not have a non-hardened system at hand, and did not seek out the answers in this post until asked above. As you are not on a hardened profile, your gcc would have been built without that cpp symbol defined, so would not default to stack-check enabled (nor default to enabling other hardening features controlled by that patch).

Tony0945 · Post by **Tony0945** » Thu Jan 04, 2018 3:09 pm

Hu wrote:Thank you. I did not have a non-hardened system at hand, and did not seek out the answers in this post until asked above.

Just PM me if you need me to check something (or ask if I'm in thread). Always glad to give back and help.

miket · Post by **miket** » Thu Jan 04, 2018 8:12 pm

I was going to say that maybe they'd want to re-think about masking Linux 4.14. From what I read about the Meltdown vulnerability, the fix was made to the in-development 4.15 version and backported to 4.14.11. Wikipedia made no mention about a backport to the 4.9 series, but a look at the kernel.org changelogs shows that 4.9.74 also has the patch. Both those versions are in the Portage tree, but still keyworded.

If you're on 4.12, though, you're out of luck.

ct85711 · Post by **ct85711** » Thu Jan 04, 2018 10:39 pm

Luckily since my linux system is AMD, I don't need to worry about the meltdown vulnerability. I haven't read up on the other vulnerability to see if it's something I need to care about that one. Considering my system is still running 4.10.5, I may update the kernel to 4.15 sometime when that branch settles down some. Though the big thing I want to wait for, is make sure any necessary nvidia patches gets available more. I have considered switching the the nouveau driver, and even the amdgpu drivers (the builtin graphics).

Linux Oate 4.10.5-gentoo #2 SMP Thu Mar 23 19:57:59 CDT 2017 x86_64 AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G AuthenticAMD GNU/Linux