From: samuel@oriontransfer.net
To: ruby-core@ruby-lang.org
Date: Sat, 24 Nov 2018 07:30:11 +0000 (UTC)
Subject: [ruby-core:90027] [Ruby trunk Bug#15335] Ruby 2.6.0 is not properly fortified

Issue #15335 has been updated by ioquatix (Samuel Williams).

How can we solve this problem?

----------------------------------------
Bug #15335: Ruby 2.6.0 is not properly fortified
https://bugs.ruby-lang.org/issues/15335#change-75132

* Author: vo.x (Vit Ondruch)
* Status: Assigned
* Priority: Normal
* Assignee: ioquatix (Samuel Williams)
* Target version:
* ruby -v: ruby 2.6.0dev (2018-11-22 trunk 65928) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
For some while, we have carried this test in the Fedora package [1]:

~~~
checksec -f libruby.so.%{ruby_version} | \
  grep "Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.%{ruby_version}"
~~~

This should ensure that the library is properly fortified [2]. This test was passing with preview3, but it started to fail when testing with r65928:

~~~
$ checksec -f libruby.so.2.6.0
WARNING: 'openssl' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
Full RELRO      Canary found      NX disabled   DSO             No RPATH   No RUNPATH   Yes     16        42           libruby.so.2.6.0
~~~

The `NX disabled` is the difference. Looking at the log, it is definitely not about configuration options. So if I should point a finger at something, it seems to me that this must be it:

~~~
... snip ...

assembling coroutine/amd64/Context.s
gcc -I. -I.ext/include/x86_64-linux -I./include -I. -I./enc/unicode/10.0.0 -o coroutine/amd64/Context.o -c coroutine/amd64/Context.s

... snip ...

gcc -shared -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-soname,libruby.so.2.6 -fstack-protector-strong -m64 dln.o localeinit.o loadpath.o array.o ast.o bignum.o class.o compar.o compile.o complex.o cont.o debug.o debug_counter.o dir.o dln_find.o encoding.o enum.o enumerator.o error.o eval.o file.o gc.o hash.o inits.o io.o iseq.o load.o marshal.o math.o mjit.o mjit_compile.o node.o numeric.o object.o pack.o parse.o proc.o process.o random.o range.o rational.o re.o regcomp.o regenc.o regerror.o regexec.o regparse.o regsyntax.o ruby.o safe.o signal.o sprintf.o st.o strftime.o string.o struct.o symbol.o thread.o time.o transcode.o transient_heap.o util.o variable.o version.o vm.o vm_backtrace.o vm_dump.o vm_trace.o coroutine/amd64/Context.o probes.o enc/ascii.o enc/us_ascii.o enc/unicode.o enc/utf_8.o enc/trans/newline.o setproctitle.o strlcat.o strlcpy.o addr2line.o prelude.o dmyext.o dmyenc.o -lpthread -lrt -lrt -lgmp -ldl -lcrypt -lm -o libruby.so.2.6.0

... snip ...
~~~

I.e. the coroutines assembly. Not sure how to prove it nor fix it.

[1]: https://src.fedoraproject.org/rpms/ruby/blob/c80ecd9db905f328079a9c8afee70a34e1dcc18c/f/ruby.spec#_735
[2]: https://fedoraproject.org/wiki/Changes/Harden_All_Packages#How_To_Test

--
https://bugs.ruby-lang.org/
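
One way to test the suspicion about a single object file such as `coroutine/amd64/Context.o`, as an added example that is not part of the original message or of Ruby's build: the GNU linker on x86-64 treats an input object without a `.note.GNU-stack` section as needing an executable stack, and checksec then reports the linked library as `NX disabled`. The parser below classifies an object by that section; `stack_note`, `build_object` and the two sample objects are hypothetical names and constructed data, and only little-endian ELF64 is handled.

```python
import struct

SHF_EXECINSTR = 0x4  # section flag: contents are executable

def stack_note(obj):
    """Classify a little-endian ELF64 file by its .note.GNU-stack section:
    "missing", "exec" (SHF_EXECINSTR set) or "noexec"."""
    if obj[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (shoff,) = struct.unpack_from("<Q", obj, 0x28)  # e_shoff
    # e_shentsize, e_shnum, e_shstrndx
    shentsize, shnum, shstrndx = struct.unpack_from("<3H", obj, 0x3A)
    if shoff == 0 or shnum == 0:
        raise ValueError("no section header table")

    def shdr(i):  # -> (sh_name, sh_flags, sh_offset, sh_size)
        name, _type, flags, _addr, off, size = struct.unpack_from(
            "<IIQQQQ", obj, shoff + i * shentsize)
        return name, flags, off, size

    _, _, str_off, str_size = shdr(shstrndx)
    strtab = obj[str_off:str_off + str_size]
    for i in range(shnum):
        name, flags, _, _ = shdr(i)
        if strtab[name:].split(b"\0", 1)[0] == b".note.GNU-stack":
            return "exec" if flags & SHF_EXECINSTR else "noexec"
    return "missing"

def build_object(section_names, exec_note=False):
    """Constructed sample input: a minimal ELF64 relocatable made only of an
    ELF header, a section-name string table and section headers."""
    names = [""] + list(section_names) + [".shstrtab"]
    strtab, offsets = b"", []
    for n in names:
        offsets.append(len(strtab))
        strtab += n.encode() + b"\0"
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64 + len(strtab), 0,
        64, 0, 0, 64, len(names), len(names) - 1)
    shdrs = b""
    for n, off in zip(names, offsets):
        last = n == ".shstrtab"
        flags = SHF_EXECINSTR if exec_note and n == ".note.GNU-stack" else 0
        shdrs += struct.pack("<IIQQQQIIQQ", off, 3 if last else int(bool(n)),
                             flags, 0, 64 if last else 0,
                             len(strtab) if last else 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

# Constructed stand-ins: a compiler-emitted object and hand-written assembly.
COMPILED = build_object([".text", ".data", ".note.GNU-stack"])
HANDWRITTEN_ASM = build_object([".text"])
```

On a real build tree, `stack_note(open("coroutine/amd64/Context.o", "rb").read())` applies the same check to the suspected object. Hand-written assembly carries the note only when the source declares it, for example with `.section .note.GNU-stack,"",@progbits`.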