Bug #15335
Closed
Ruby 2.6.0 is not properly fortified
Description
For some while, we carry this test in the Fedora package [1]:
checksec -f libruby.so.%{ruby_version} | \
grep "Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.%{ruby_version}"
This should ensure that the library is properly fortified [2]. This test was passing with preview3, but it started to fail when testing with r65928:
$ checksec -f libruby.so.2.6.0
WARNING: 'openssl' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!
RELRO        STACK CANARY   NX            PIE   RPATH      RUNPATH      FORTIFY   Fortified   Fortifiable   FILE
Full RELRO   Canary found   NX disabled   DSO   No RPATH   No RUNPATH   Yes       16          42            libruby.so.2.6.0
The NX disabled is the difference. Looking at the log, it is definitely not about configuration options. So if I should point a finger at something, it seems to me that this must be it:
... snip ...
assembling coroutine/amd64/Context.s
gcc -I. -I.ext/include/x86_64-linux -I./include -I. -I./enc/unicode/10.0.0 -o coroutine/amd64/Context.o -c coroutine/amd64/Context.s
... snip ...
gcc -shared -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-soname,libruby.so.2.6 -fstack-protector-strong -m64 dln.o localeinit.o loadpath.o array.o ast.o bignum.o class.o compar.o compile.o complex.o cont.o debug.o debug_counter.o dir.o dln_find.o encoding.o enum.o enumerator.o error.o eval.o file.o gc.o hash.o inits.o io.o iseq.o load.o marshal.o math.o mjit.o mjit_compile.o node.o numeric.o object.o pack.o parse.o proc.o process.o random.o range.o rational.o re.o regcomp.o regenc.o regerror.o regexec.o regparse.o regsyntax.o ruby.o safe.o signal.o sprintf.o st.o strftime.o string.o struct.o symbol.o thread.o time.o transcode.o transient_heap.o util.o variable.o version.o vm.o vm_backtrace.o vm_dump.o vm_trace.o coroutine/amd64/Context.o probes.o enc/ascii.o enc/us_ascii.o enc/unicode.o enc/utf_8.o enc/trans/newline.o setproctitle.o strlcat.o strlcpy.o addr2line.o prelude.o dmyext.o dmyenc.o -lpthread -lrt -lrt -lgmp -ldl -lcrypt -lm -o libruby.so.2.6.0
... snip ...
I.e. the coroutines assembly. Not sure how to prove it nor fix it.
Updated by mame (Yusuke Endoh) about 6 years ago
- Status changed from Open to Assigned
- Assignee set to ioquatix (Samuel Williams)
Updated by ioquatix (Samuel Williams) about 6 years ago
How can we solve this problem?
Updated by normalperson (Eric Wong) about 6 years ago
samuel@oriontransfer.net wrote:
> How can we solve this problem?
Fedora can configure with --disable-fiber-coroutine option
as a stopgap...
> I.e. the coroutines assembly. Not sure how to prove it nor fix it.
Maybe this can help?
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
Updated by ioquatix (Samuel Williams) about 6 years ago
Thanks Eric. Those two suggestions are really helpful. I'll investigate it now.
Updated by ioquatix (Samuel Williams) about 6 years ago
I'm attempting to fix this issue here: https://github.com/ruby/ruby/pull/2027
@vo.x (Vit Ondruch) do you mind trying to build that PR?
Updated by ioquatix (Samuel Williams) about 6 years ago
I've merged the first set of changes into trunk, for amd64 - @vo.x (Vit Ondruch) if you confirm this has fixed the issue I will extend to other architectures.
Updated by vo.x (Vit Ondruch) about 6 years ago
Thx. I hope I'll be able to check it on Monday.
Updated by vo.x (Vit Ondruch) about 6 years ago
Testing with r65990 on x86_64 and the test passed. I guess I should not try to build on other arches yet, right?
Updated by vo.x (Vit Ondruch) about 6 years ago
Updated by Anonymous about 6 years ago
- Status changed from Assigned to Closed
Updated by ioquatix (Samuel Williams) about 6 years ago
I've fixed x86 implementation too, now that it was confirmed the previous effort to fix x64 worked as expected. This issue should be completely resolved now (dc6908ab44c3a3fc78319422410b57d3b7fb6c0c / r66341).
Updated by vo.x (Vit Ondruch) almost 6 years ago
ioquatix (Samuel Williams) wrote:
> I've fixed x86 implementation too.
Thx, I can build Ruby 2.6.0 on all platforms just fine.
Updated by vo.x (Vit Ondruch) over 4 years ago
- Related to Bug #16762: Ruby is not properly fortified on armv7hl added