PGNet Dev
2018-Jun-07 21:09 UTC
vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"
Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline' I've started looking through recent reports; haven't _yet_ found anything similar. While I continue, is any of the following familiar/expected? Either known bug/issue or env conflict? The current env includes supposedly retpoline-ready GCC 8.1.1, uname -rm 4.17.0-lp150.2.gbcb3422-default x86_64 cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 Mitigation: Full AMD retpoline gcc-8 -v Using built-in specs. Reading specs from /usr/lib64/gcc/x86_64-suse-linux/8/defaults.spec COLLECT_GCC=gcc-8 COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/8/lto-wrapper OFFLOAD_TARGET_NAMES=hsa:nvptx-none Target: x86_64-suse-linux Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,ada,go --enable-offload-targets=hsa,nvptx-none=/usr/nvptx-none, --without-cuda-driver --enable-checking=release --disable-werror --with-gxx-include-dir=/usr/include/c++/8 --enable-ssp --disable-libssp --disable-libvtv --disable-cet --disable-libcc1 --enable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --with-gcc-major-version-only --enable-linker-build-id --enable-linux-futex --enable-gnu-indirect-function --program-suffix=-8 --without-system-libunwind --enable-multilib --with-arch-32=x86-64 --with-tune=generic --build=x86_64-suse-linux --host=x86_64-suse-linux Thread model: posix gcc version 8.1.1 20180523 [gcc-8-branch revision 260570] (SUSE Linux) ld -v GNU ld (GNU Binutils; home:pgnd:devel:gcc8 / openSUSE_Leap_15.0) 2.30.0.20180320-lp150.319 removing all optimization presets unset CFLAGS LDFLAGS CPPFLAGS CXXFLAGS echo $CC $CPP $CXX $LD /usr/bin/gcc-8 /usr/bin/cpp-8 /usr/bin/g++-8 /usr/bin/ld configuring cd openssh-7.7p1 ./configure --without-openssl ... configure: creating ./config.status config.status: creating Makefile config.status: creating buildpkg.sh config.status: creating opensshd.init config.status: creating openssh.xml config.status: creating openbsd-compat/Makefile config.status: creating openbsd-compat/regress/Makefile config.status: creating survey.sh config.status: creating config.h config.status: config.h is unchanged OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/lib/ssh-askpass Manual pages: /usr/local/share/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Manpage format: doc PAM support: no OSF SIA support: no KerberosV support: no SELinux support: no S/KEY support: no MD5 password support: no libedit support: no libldns support: no Solaris process contract support: no Solaris project support: no Solaris privilege support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: Privsep sandbox style: seccomp_filter Host: x86_64-pc-linux-gnu Compiler: /usr/bin/gcc-8 Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE Linker flags: -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie Libraries: -lutil -lz -lcrypt -lresolv reports no errors. build, make V=1 ... a - platform-tracing.o a - platform-misc.o ranlib libssh.a /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh.c -o ssh.o /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c readconf.c -o readconf.o /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c clientloop.c -o clientloop.o clientloop.c: In function ?client_x11_get_proto?: clientloop.c:378:14: warning: ?%s? directive output may be truncated writing up to 4095 bytes into a region of size 1020 [-Wformat-truncation=] "%s %s%s list %s 2>" _PATH_DEVNULL, ^~ clientloop.c:381:20: generated ? xauthfile : "", ~~~~~~~~~ In file included from /usr/include/stdio.h:862, from /usr/include/bsd/libutil.h:46, from includes.h:141, from clientloop.c:62: /usr/include/bits/stdio2.h:64:10: note: ?__builtin___snprintf_chk? output 23 or more bytes (assuming 4118) into a destination of size 1024 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ __bos (__s), __fmt, __va_arg_pack ()); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshtty.c -o sshtty.o /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect.c -o sshconnect.o sshconnect.c: In function ?check_host_key.constprop?: sshconnect.c:1047:8: warning: ?%s? directive output may be truncated writing up to 1023 bytes into a region of size between 773 and 973 [-Wformat-truncation=] "The authenticity of host '%.200s (%s)' can't be " ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sshconnect.c:1052:18: host, ip, msg1, type, fp, ~~~~ sshconnect.c:1048:20: note: format string is defined here "established%s\n" ^~ In file included from /usr/include/stdio.h:862, from /usr/include/bsd/libutil.h:46, from includes.h:141, from sshconnect.c:16: /usr/include/bits/stdio2.h:64:10: note: ?__builtin___snprintf_chk? output 130 or more bytes (assuming 2377) into a destination of size 1024 return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ __bos (__s), __fmt, __va_arg_pack ()); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshconnect2.c -o sshconnect2.o /usr/bin/gcc-8 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/lib/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c mux.c -o mux.o /usr/bin/ld -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lutil -lz -lcrypt -lresolv /usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt' /usr/bin/ld: use the --help option for usage information make: *** [Makefile:172: ssh] Error 1 The ldflags check originates in cat configure.ac ... 164 if test "x$use_toolchain_hardening" = "x1"; then OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang !! OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) ... I've not had any issues, yet, with any other of many packages I build with this GCC env; this fail is, so far, unique to this openssh build attempt. Not clear yet if relevant, noting @ HardenedBSD, "HBSD: Do not enable RETPOLINE if LLD_UNSAFE or USE_GCC is set" https://github.com/HardenedBSD/hardenedbsd-ports/commit/e57638c87f44c91c12539bb9fc5d00b862a4974a Should the retpoline flag be getting added? If so, what's needed to make LD happy with it?
Darren Tucker
2018-Jun-07 23:03 UTC
vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"
On 8 June 2018 at 07:09, PGNet Dev <pgnet.dev at gmail.com> wrote:> Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline'[...]> Should the retpoline flag be getting added? If so, what's needed to make LD happy with it?configure checks to see if the linker accepts those flags, so my guess is that something is added later in configure that causes it to fail. I suggest looking at config.log to see what the actaul compiler messages are from these parts: OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt]) and the actual compiler output show up in config.log. I wrote and tested this patch against the development versions of gcc and clang which was all that was available at the time, it's possible the released versions don't behave quite the same. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
PGNet Dev
2018-Jun-07 23:44 UTC
vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"
hi On 6/7/18 4:03 PM, Darren Tucker wrote:> On 8 June 2018 at 07:09, PGNet Dev <pgnet.dev at gmail.com> wrote: >> Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline' > [...] >> Should the retpoline flag be getting added? If so, what's needed to make LD happy with it? > > configure checks to see if the linker accepts those flags, so my guess > is that something is added later in configure that causes it to fail. > I suggest looking at config.log to see what the actaul compiler > messages are from these parts: > > OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang > OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt]) > > and the actual compiler output show up in config.log. > > I wrote and tested this patch against the development versions of gcc > and clang which was all that was available at the time, it's possible > the released versions don't behave quite the same.here's the complete config.log: https://paste.fedoraproject.org/paste/WtZP~Oe1~es2ddeqCBtCqQ the 'fun' appears to start at line# 652 gcc-8: error: unrecognized command line option '-mretpoline'; did you mean '-Wtrampolines'? nooooo, no trampolines (is that a thing?) ;-) at 1st quick look-thru, I'm just seeing that the flag failed, but not _why_. yet. looking closer now. also, just fyi, during my testing I did try clang6 et al as well. failed as well, with different/additional errors. didn't spend any further time on it yet.