Project

General

Profile

Actions

Bug #15335

closed

Ruby 2.6.0 is not properly fortified

Added by vo.x (Vit Ondruch) almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
ruby 2.6.0dev (2018-11-22 trunk 65928) [x86_64-linux]
[ruby-core:90000]

Description

For some while, we carry this test in Fedora package 1:

checksec -f libruby.so.%{ruby_version} | \	
  grep "Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.%{ruby_version}"

This should ensure, that the library is properly fortified 2. This test was passing with preview3, but it started to fail, testing with r65928:

$ checksec -f libruby.so.2.6.0
WARNING: 'openssl' not found! It's required for most checks.

WARNING: Not all necessary commands found. Some tests might not work!

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	FORTIFY	Fortified Fortifiable  FILE
Full RELRO      Canary found      NX disabled   DSO             No RPATH   No RUNPATH   Yes	16		42	libruby.so.2.6.0

The NX disabled is the difference. Looking at the log, it is definitely not about configuration options. So if I should point finger at something, it seems to me that this must be it:

... snip ...

assembling coroutine/amd64/Context.s
gcc -I. -I.ext/include/x86_64-linux -I./include -I. -I./enc/unicode/10.0.0 -o coroutine/amd64/Context.o -c coroutine/amd64/Context.s

... snip ...

gcc -shared -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-soname,libruby.so.2.6 -fstack-protector-strong  -m64 dln.o localeinit.o loadpath.o array.o ast.o bignum.o class.o compar.o compile.o complex.o cont.o debug.o debug_counter.o dir.o dln_find.o encoding.o enum.o enumerator.o error.o eval.o file.o gc.o hash.o inits.o io.o iseq.o load.o marshal.o math.o mjit.o mjit_compile.o node.o numeric.o object.o pack.o parse.o proc.o process.o random.o range.o rational.o re.o regcomp.o regenc.o regerror.o regexec.o regparse.o regsyntax.o ruby.o safe.o signal.o sprintf.o st.o strftime.o string.o struct.o symbol.o thread.o time.o transcode.o transient_heap.o util.o variable.o version.o vm.o vm_backtrace.o vm_dump.o vm_trace.o coroutine/amd64/Context.o probes.o enc/ascii.o enc/us_ascii.o enc/unicode.o enc/utf_8.o enc/trans/newline.o setproctitle.o strlcat.o strlcpy.o addr2line.o  prelude.o dmyext.o dmyenc.o -lpthread -lrt -lrt -lgmp -ldl -lcrypt -lm   -o libruby.so.2.6.0

... snip ...

I.e. the coroutines assembly. Not sure how to prove it nor fix it.


Related issues 1 (0 open1 closed)

Related to Ruby master - Bug #16762: Ruby is not properly fortified on armv7hlClosedioquatix (Samuel Williams)Actions

Updated by mame (Yusuke Endoh) almost 4 years ago

  • Status changed from Open to Assigned
  • Assignee set to ioquatix (Samuel Williams)

Updated by ioquatix (Samuel Williams) almost 4 years ago

How can we solve this problem?

Updated by normalperson (Eric Wong) almost 4 years ago

https://bugs.ruby-lang.org/issues/15335#change-75132

wrote:

How can we solve this problem?

Fedora can configure with --disable-fiber-coroutine option
as a stopgap...

I.e. the coroutines assembly. Not sure how to prove it nor fix it.

Maybe this can help?
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

Updated by ioquatix (Samuel Williams) almost 4 years ago

Thanks Eric. Those two suggestions are really helpful. I'll investigate it now.

Updated by ioquatix (Samuel Williams) almost 4 years ago

I'm attempting to fix this issue here: https://github.com/ruby/ruby/pull/2027

@vo.x (Vit Ondruch) do you mind trying to build that PR?

Updated by ioquatix (Samuel Williams) almost 4 years ago

I've merged the first set of changes into trunk, for amd64 - @vo.x (Vit Ondruch) if you confirm this has fixed the issue I will extend to other architectures.

Updated by vo.x (Vit Ondruch) almost 4 years ago

Thx. I hope I'll be able to check it on Monday.

Updated by vo.x (Vit Ondruch) almost 4 years ago

Testing with r65990 on x86_64 and the test passed. I guess I should not try to build on other arches yet, right?

Updated by vo.x (Vit Ondruch) almost 4 years ago

Just FTR trying to build r66092 on Fedora Rawhide 1, x86_64, ppc64le, aarch64, s390x, and armv7hl were properly fortified while only i686 failed to pass 2 the fortification test.

Actions #10

Updated by Anonymous almost 4 years ago

  • Status changed from Assigned to Closed

Applied in changeset trunk|r66341.


Ensure x86 stack is fortified, fixed #15335.

Updated by ioquatix (Samuel Williams) almost 4 years ago

I've fixed x86 implementation too, now that it was confirmed the previous effort to fix x64 worked as expected. This issue should be completely resolved now (dc6908ab44c3a3fc78319422410b57d3b7fb6c0c / r66341).

Updated by vo.x (Vit Ondruch) over 3 years ago

ioquatix (Samuel Williams) wrote:

I've fixed x86 implementation too.

Thx, I can build Ruby 2.6.0 on all platforms just fine.

Actions #13

Updated by vo.x (Vit Ondruch) over 2 years ago

  • Related to Bug #16762: Ruby is not properly fortified on armv7hl added
Actions

Also available in: Atom PDF