
rpmlint: new "executable stack" warnings on rawhide

Hi everybody,

I've noticed that as of some days ago, some packages I build on rawhide are
now triggering the "W: executable-stack" warning for all included
executables and shared libraries.

I'm not sure which change might be the cause of this, but meson 0.50.0
seems to be a good candidate, since all my affected packages are built with
meson and the new version landed six days ago.

Is that new warning something we should worry about?

Fabio

Comments

Re: rpmlint: new "executable stack" warnings on rawhide

By Adam Williamson at 04/16/2019 - 12:10

On Sun, 2019-03-17 at 12:07 +0100, Fabio Valentini wrote:
Just to loop back on this...this wound up causing a release blocker
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1699099

mclasen, mcatanzaro and I investigated it and eventually worked out
that it is indeed caused by a bug in meson 0.50.0:

https://github.com/mesonbuild/meson/issues/5268

The offending meson change was actually later reverted for other
reasons. I have now backported the reversion to the Fedora meson
packages and am rebuilding everything that was built with meson 0.50.0
(it's likely that at least some of the rebuilds aren't strictly
necessary, but it's easier to rebuild everything than try to figure out
which packages did and didn't wind up with execstack marked bits).

Note meson 0.50.0 wound up in the buildroots for F29 and F30 as well as
Rawhide, so there are rebuilds for all three going through.

Once I've rebuilt everything (there are quite a lot of things) I'll
figure out a strategy for sending out updates.

Thanks for spotting this earlier, wish we'd worked out the cause at the
time, it would've saved some pain!

Re: rpmlint: new "executable stack" warnings on rawhide

By Fabio Valentini at 04/16/2019 - 13:44

On Tue, Apr 16, 2019 at 6:11 PM Adam Williamson
< ... at fedoraproject dot org> wrote:
Since you probably have a list of affected packages / builds, I can
help by submitting updates for my own packages at least (once the
rebuilds are finished), if that helps.

Fabio

Re: rpmlint: new "executable stack" warnings on rawhide

By Adam Williamson at 04/16/2019 - 13:56

On Tue, 2019-04-16 at 19:44 +0200, Fabio Valentini wrote:
Thanks, but it's probably gonna be easier for one person just to do it,
so we don't have to spend cycles trying to co-ordinate :P I'll let you
know if I need help, though.

Re: rpmlint: new "executable stack" warnings on rawhide

By Fabio Valentini at 04/16/2019 - 12:07

On Sun, Mar 17, 2019 at 12:07 PM Fabio Valentini < ... at gmail dot com> wrote:
Well, it turns out, it *was* a bug in meson 0.50.0 which, by now, has
affected a long list of packages and is starting to cause issues with
SELinux denials, etc.

The issue is tracked at [0] and meson has been fixed for all branches
of Fedora; rebuilds of affected packages are running now.

Fabio

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1699099

Re: rpmlint: new "executable stack" warnings on rawhide

By John Reiser at 03/17/2019 - 09:48

Yes. The warning means that an executable is not as secure as it could be against malware.

The likely cause is some assembly-language source file that lacks a line such as
.section .note.GNU-stack,"",@progbits
which tells the assembler and static binder (/usr/bin/ld) that "the code in this file
does not need an executable stack."

To identify the files that lack the line:
find src -name '*.S' | sort > files-S.txt
grep -l note.GNU-stack $(< files-S.txt) > files-non-W-stack.txt
comm -3 files-S.txt files-non-W-stack.txt

To remove the warning: append the line to the end of each file listed
in the output from 'comm'.
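
Added example, not part of the thread or of any poster's code: the grep above checks assembly sources for the .note.GNU-stack line, while the rebuild discussion earlier in the thread turns on which built binaries ended up marked execstack. The sketch below reads that marking from a built ELF file's PT_GNU_STACK program header; the function names and the constructed sample ELF image are assumptions made for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that records stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_marking(elf: bytes) -> str:
    """Return 'executable', 'non-executable' or 'missing' for an ELF image."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is64 and len(elf) < 64:
        raise ValueError("truncated ELF header")
    # e_phoff, e_phentsize, e_phnum and p_flags sit at class-dependent offsets.
    fmt, phoff_at, phent_at, flags_at = ("Q", 32, 54, 4) if is64 else ("I", 28, 42, 24)
    (phoff,) = struct.unpack_from(end + fmt, elf, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_at + 4 > len(elf):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_at)
            return "executable" if p_flags & PF_X else "non-executable"
    return "missing"  # no marker: stack permissions fall back to the platform default

def sample_elf64(stack_flags):
    """Constructed sample: ELF64 LE header, one PT_LOAD, optional PT_GNU_STACK."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ident + hdr + b"".join(phdrs)

if __name__ == "__main__":
    # With no arguments, run on the constructed samples (RWX, RW, no marker).
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, stack_marking(f.read()))
    if len(sys.argv) == 1:
        for flags in (7, 6, None):
            print(flags, stack_marking(sample_elf64(flags)))
```

Run it with the paths of the executables and shared libraries unpacked from a package to list each file's marking.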

Re: rpmlint: new "executable stack" warnings on rawhide

By Fabio Valentini at 03/17/2019 - 10:00

On Sun, Mar 17, 2019 at 2:49 PM John Reiser < ... at bitwagon dot com> wrote:
No, that's not it. The packages that now trigger this warning don't
contain any assembly sources, only Vala (which is compiled to C) and
C.
For example: https://taskotron.fedoraproject.org/artifacts/all/2ac7eb02-48a6-11e9-a48a-525400fc9f92/tests.yml/elementary-code-3.1.1-1.fc31.log

Fabio

Re: rpmlint: new "executable stack" warnings on rawhide

By =?UTF-8?Q?Bj=c3... at 03/17/2019 - 12:37

On Sunday, 17.03.2019 at 15:00 +0100, Fabio Valentini wrote:

Did you check that the C code files generated from the Vala sources do not
have local functions that are called through function pointers?

See [1] as a reference.

[1] https://www.win.tue.nl/~aeb/linux/hh/protection.html