ruby-core@ruby-lang.org archive (unofficial mirror)
From: samuel@oriontransfer.net
To: ruby-core@ruby-lang.org
Subject: [ruby-core:90430] [Ruby trunk Bug#15335] Ruby 2.6.0 is not properly fortified
Date: Wed, 12 Dec 2018 00:00:23 +0000 (UTC)
Message-ID: <redmine.journal-75584.20181212000022.56f72d0fe6071bad@ruby-lang.org>
In-Reply-To: redmine.issue-15335.20181123084829@ruby-lang.org

Issue #15335 has been updated by ioquatix (Samuel Williams).


@vo.x I'm so sorry, but I edited your last post rather than creating a new one. Now it's changed, I can't revert it back. :(

I've fixed the x86 implementation too, now that it was confirmed the previous effort to fix x64 worked as expected. This issue should be completely resolved now (dc6908ab44c3a3fc78319422410b57d3b7fb6c0c / r66341).

----------------------------------------
Bug #15335: Ruby 2.6.0 is not properly fortified
https://bugs.ruby-lang.org/issues/15335#change-75584

* Author: vo.x (Vit Ondruch)
* Status: Closed
* Priority: Normal
* Assignee: ioquatix (Samuel Williams)
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-11-22 trunk 65928) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
For some time, we have carried this test in the Fedora package [1]:

~~~
checksec -f libruby.so.%{ruby_version} | \
  grep "Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.%{ruby_version}"
~~~

This should ensure that the library is properly fortified [2]. This test was passing with preview3, but it started to fail when testing with r65928:

~~~
$ checksec -f libruby.so.2.6.0
WARNING: 'openssl' not found! It's required for most checks.

WARNING: Not all necessary commands found. Some tests might not work!

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	FORTIFY	Fortified Fortifiable  FILE
Full RELRO      Canary found      NX disabled   DSO             No RPATH   No RUNPATH   Yes	16		42	libruby.so.2.6.0
~~~

The `NX disabled` is the difference. Looking at the log, it is definitely not about configuration options. So if I should point a finger at something, it seems to me that this must be it:

~~~
... snip ...

assembling coroutine/amd64/Context.s
gcc -I. -I.ext/include/x86_64-linux -I./include -I. -I./enc/unicode/10.0.0 -o coroutine/amd64/Context.o -c coroutine/amd64/Context.s

... snip ...

gcc -shared -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-soname,libruby.so.2.6 -fstack-protector-strong  -m64 dln.o localeinit.o loadpath.o array.o ast.o bignum.o class.o compar.o compile.o complex.o cont.o debug.o debug_counter.o dir.o dln_find.o encoding.o enum.o enumerator.o error.o eval.o file.o gc.o hash.o inits.o io.o iseq.o load.o marshal.o math.o mjit.o mjit_compile.o node.o numeric.o object.o pack.o parse.o proc.o process.o random.o range.o rational.o re.o regcomp.o regenc.o regerror.o regexec.o regparse.o regsyntax.o ruby.o safe.o signal.o sprintf.o st.o strftime.o string.o struct.o symbol.o thread.o time.o transcode.o transient_heap.o util.o variable.o version.o vm.o vm_backtrace.o vm_dump.o vm_trace.o coroutine/amd64/Context.o probes.o enc/ascii.o enc/us_ascii.o enc/unicode.o enc/utf_8.o enc/trans/newline.o setproctitle.o strlcat.o strlcpy.o addr2line.o  prelude.o dmyext.o dmyenc.o -lpthread -lrt -lrt -lgmp -ldl -lcrypt -lm  
  -o libruby.so.2.6.0

... snip ...
~~~

I.e. the coroutines assembly. Not sure how to prove it or fix it.



[1]: https://src.fedoraproject.org/rpms/ruby/blob/c80ecd9db905f328079a9c8afee70a34e1dcc18c/f/ruby.spec#_735
[2]: https://fedoraproject.org/wiki/Changes/Harden_All_Packages#How_To_Test



-- 
https://bugs.ruby-lang.org/
