* [gentoo-user] Am I in trouble now?
From: tuxic @ 2017-12-03 18:56 UTC
To: Gentoo

Hi,

From the news I did everything to switch to the 17th profile EXCEPT
emerge -e @world.

One application which was recompiled was gcc-7.20.

From my understanding/point of view gcc now has to have the PIE-feature

gcc-bin/7.2.0>l
total 6676
lrwxrwxrwx 1 root root      23 2017-12-02 16:36 c++ -> x86_64-pc-linux-gnu-c++
lrwxrwxrwx 1 root root      23 2017-12-02 16:36 cpp -> x86_64-pc-linux-gnu-cpp
lrwxrwxrwx 1 root root      23 2017-12-02 16:36 g++ -> x86_64-pc-linux-gnu-g++
lrwxrwxrwx 1 root root      23 2017-12-02 16:36 gcc -> x86_64-pc-linux-gnu-gcc
-rwxr-xr-x 2 root root   26896 2017-12-02 16:36 gcc-ar
-rwxr-xr-x 2 root root   26896 2017-12-02 16:36 gcc-nm
-rwxr-xr-x 2 root root   26896 2017-12-02 16:36 gcc-ranlib
lrwxrwxrwx 1 root root      24 2017-12-02 16:36 gcov -> x86_64-pc-linux-gnu-gcov
-rwxr-xr-x 1 root root  495400 2017-12-02 16:36 gcov-dump
-rwxr-xr-x 1 root root  515944 2017-12-02 16:36 gcov-tool
lrwxrwxrwx 1 root root      28 2017-12-02 16:36 gfortran -> x86_64-pc-linux-gnu-gfortran
-rwxr-xr-x 2 root root 1002192 2017-12-02 16:36 x86_64-pc-linux-gnu-c++
-rwxr-xr-x 1 root root  998096 2017-12-02 16:36 x86_64-pc-linux-gnu-cpp
-rwxr-xr-x 2 root root 1002192 2017-12-02 16:36 x86_64-pc-linux-gnu-g++
-rwxr-xr-x 1 root root  998096 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc
lrwxrwxrwx 1 root root      23 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-7.2.0 -> x86_64-pc-linux-gnu-gcc
-rwxr-xr-x 2 root root   26896 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-ar
-rwxr-xr-x 2 root root   26896 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-nm
-rwxr-xr-x 2 root root   26896 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-ranlib
-rwxr-xr-x 1 root root  639312 2017-12-02 16:36 x86_64-pc-linux-gnu-gcov
-rwxr-xr-x 1 root root 1002192 2017-12-02 16:36 x86_64-pc-linux-gnu-gfortran

solfire:gcc-bin/7.2.0>checksec --file x86_64-pc-linux-gnu-c++
RELRO           STACK CANARY   NX           PIE      RPATH      RUNPATH      FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   Yes      8          21           x86_64-pc-linux-gnu-c++

So...No PIE it says.

/root #>eselect profile show
Current /etc/portage/make.profile symlink:
  default/linux/amd64/17.0/no-multilib

Before I start the rebuild of 2000++ packages ...
Is this all correct up to this point?

Cheers
Meino

* Re: [gentoo-user] Am I in trouble now?
From: Marc Joliet @ 2017-12-03 20:22 UTC
To: Gentoo

On Sunday, 3 December 2017, 19:56:19 CET, tuxic@posteo.de wrote:
> Hi,
>
> From the news I did everything to switch to the 17th profile EXCEPT
> emerge -e @world.
>
> One application which was recompiled was gcc-7.20.
>
> From my understanding/point of view gcc now has to have the PIE-feature
>
> gcc-bin/7.2.0>l
> total 6676
> lrwxrwxrwx 1 root root      23 2017-12-02 16:36 c++ -> x86_64-pc-linux-gnu-c++
> lrwxrwxrwx 1 root root      23 2017-12-02 16:36 cpp -> x86_64-pc-linux-gnu-cpp
> lrwxrwxrwx 1 root root      23 2017-12-02 16:36 g++ -> x86_64-pc-linux-gnu-g++
> lrwxrwxrwx 1 root root      23 2017-12-02 16:36 gcc -> x86_64-pc-linux-gnu-gcc
> -rwxr-xr-x 2 root root   26896 2017-12-02 16:36 gcc-ar
> -rwxr-xr-x 2 root root   26896 2017-12-02 16:36 gcc-nm
> -rwxr-xr-x 2 root root   26896 2017-12-02 16:36 gcc-ranlib
> lrwxrwxrwx 1 root root      24 2017-12-02 16:36 gcov -> x86_64-pc-linux-gnu-gcov
> -rwxr-xr-x 1 root root  495400 2017-12-02 16:36 gcov-dump
> -rwxr-xr-x 1 root root  515944 2017-12-02 16:36 gcov-tool
> lrwxrwxrwx 1 root root      28 2017-12-02 16:36 gfortran -> x86_64-pc-linux-gnu-gfortran
> -rwxr-xr-x 2 root root 1002192 2017-12-02 16:36 x86_64-pc-linux-gnu-c++
> -rwxr-xr-x 1 root root  998096 2017-12-02 16:36 x86_64-pc-linux-gnu-cpp
> -rwxr-xr-x 2 root root 1002192 2017-12-02 16:36 x86_64-pc-linux-gnu-g++
> -rwxr-xr-x 1 root root  998096 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc
> lrwxrwxrwx 1 root root      23 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-7.2.0 -> x86_64-pc-linux-gnu-gcc
> -rwxr-xr-x 2 root root   26896 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-ar
> -rwxr-xr-x 2 root root   26896 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-nm
> -rwxr-xr-x 2 root root   26896 2017-12-02 16:36 x86_64-pc-linux-gnu-gcc-ranlib
> -rwxr-xr-x 1 root root  639312 2017-12-02 16:36 x86_64-pc-linux-gnu-gcov
> -rwxr-xr-x 1 root root 1002192 2017-12-02 16:36 x86_64-pc-linux-gnu-gfortran
>
> solfire:gcc-bin/7.2.0>checksec --file x86_64-pc-linux-gnu-c++
> RELRO           STACK CANARY   NX           PIE      RPATH      RUNPATH      FORTIFY  Fortified  Fortifiable  FILE
> Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   Yes      8          21           x86_64-pc-linux-gnu-c++
>
> So...No PIE it says.
>
> /root #>eselect profile show
> Current /etc/portage/make.profile symlink:
>   default/linux/amd64/17.0/no-multilib
>
> Before I start the rebuild of 2000++ packages ...
> Is this all correct up to this point?

Keep in mind that the news item literally says:

"2) Where supported, GCC will now build position-independent
executables (PIE) by default."

Note the "Where supported" bit. I don't know if that means "CPUs that this
works with" or "profiles that support this", but it looks like the "pie" USE
flag is forced globally in the profile and not deactivated in any of its
sub-profiles, so I'm tending to the former.

Of course, that doesn't mean that things are correct on your end, though. On
one of my computers, checksec does say "PIE enabled". Maybe you should try
compiling something else and verifying it. After all, there's probably a
reason why the "emerge -e @world" bit doesn't exclude any of the packages
previously rebuilt. I'll try to verify that on my desktop, though, which is
the one out of three computers I haven't migrated yet -- both my home server
and laptop have completed their "emerge -e @world" already (thankfully almost,
but not entirely, without problems).

> Cheers
> Meino

HTH
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup

* Re: [gentoo-user] Am I in trouble now?
From: Marc Joliet @ 2017-12-04 11:58 UTC
To: gentoo-user

On Sunday, 3 December 2017, 21:22:23 CET, Marc Joliet wrote:
> Of course, that doesn't mean that things are correct on your end, though.
> On one of my computers, checksec does say "PIE enabled". Maybe you should
> try compiling something else and verifying it. After all, there's probably
> a reason why the "emerge -e @world" bit doesn't exclude any of the packages
> previously rebuilt. I'll try to verify that on my desktop, though

Just to follow up on this, I've now done everything except the "emerge -e
@world" step on my desktop, which shows "No PIE" for
/usr/bin/x86_64-pc-linux-gnu-g++, but "PIE enabled" for
/usr/x86_64-pc-linux-gnu/binutils-bin/2.29.1/ld (part of binutils, which was
rebuilt *after* gcc). So try checking that if you want to be sure (and haven't
done your own verification in the meantime).

HTH
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup

* Re: [gentoo-user] Am I in trouble now?
From: David Haller @ 2017-12-04 14:40 UTC
To: gentoo-user

Hello,

On Mon, 04 Dec 2017, Marc Joliet wrote:
>On Sunday, 3 December 2017, 21:22:23 CET, Marc Joliet wrote:
>> Of course, that doesn't mean that things are correct on your end, though.
>> On one of my computers, checksec does say "PIE enabled". Maybe you should
>> try compiling something else and verifying it. After all, there's probably
>> a reason why the "emerge -e @world" bit doesn't exclude any of the packages
>> previously rebuilt. I'll try to verify that on my desktop, though
>
>Just to follow up on this, I've now done everything except the "emerge -e
>@world" step on my desktop, which shows "No PIE" for
>/usr/bin/x86_64-pc-linux-gnu-g++, but "PIE enabled" for
>/usr/x86_64-pc-linux-gnu/binutils-bin/2.29.1/ld (part of binutils, which was
>rebuilt *after* gcc). So try checking that if you want to be sure (and
>haven't done your own verification in the meantime).

Don't worry. I find plenty of _explicit_ '-fno-pie -fno-PIE' in the
sys-devel/gcc build-stuff and build logs.

Using my "check-pie" "extracted from checksec" script[1]:

# check-pie /usr/bin/*gcc* /usr/bin/*g++* 2>/dev/null
/usr/bin/gcc                                 PIE
/usr/bin/gcc-6.4.0                           no pie
/usr/bin/gcc-7.2.0                           no pie
/usr/bin/gcc-ar                              PIE
/usr/bin/gcc-nm                              PIE
/usr/bin/gcc-ranlib                          PIE
/usr/bin/gccgo                               no pie
/usr/bin/x86_64-pc-linux-gnu-gcc             PIE
/usr/bin/x86_64-pc-linux-gnu-gcc-6.4.0       no pie
/usr/bin/x86_64-pc-linux-gnu-gcc-7.2.0       no pie
/usr/bin/x86_64-pc-linux-gnu-gcc-ar          PIE
/usr/bin/x86_64-pc-linux-gnu-gcc-nm          PIE
/usr/bin/x86_64-pc-linux-gnu-gcc-ranlib      PIE
/usr/bin/x86_64-pc-linux-gnu-gccgo           no pie
/usr/bin/g++                                 PIE
/usr/bin/g++-6.4.0                           no pie
/usr/bin/g++-7.2.0                           no pie
/usr/bin/x86_64-pc-linux-gnu-g++             PIE
/usr/bin/x86_64-pc-linux-gnu-g++-6.4.0       no pie
/usr/bin/x86_64-pc-linux-gnu-g++-7.2.0       no pie

[the 2>/dev/null filters out the "not an executable" stuff]

I see a pattern there ;) I've rebuilt 7.2.0 after the profile change
and the "pie" useflag was set. I guess gcc/g++ does some magic
internal (assembler?) stuff while compiling that makes it unsuitable
to be compiled as a PI Executable.

I eselected 7.2.0, as I'm recompiling @world anyways ;) Let's see how
that'll work out. Currently I'm at 353/710 of an '--emptytree
@system'... I think I'll recompile the rest (of @world |¯| @system as
I go along during regular updates, @world would've been something like
939 IIRC, but probably all the biggies. Oh, and I explicitly excluded
icedtea for now. Or I'll "check-pie"/"checksec" and follow that.

HTH,
-dnh

[1] see a thread or two previous to this

-- 
A wognature isn't sigged, it's wogged.
                                   [Axel Woelke in dag°, 31.3.2000]
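
Added example, not written by anyone in this thread and not David Haller's check-pie script: a stand-alone version of the PIE test that checksec performs, reading the ELF header and dynamic section directly instead of calling readelf. The names pie_status and build_sample are hypothetical, only ELF64 little-endian files are handled, and the DF_1_PIE flag check is an addition beyond checksec's DT_DEBUG test.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC = 2, 3, 2
DT_NULL, DT_DEBUG, DT_FLAGS_1, DF_1_PIE = 0, 21, 0x6FFFFFFB, 0x08000000

def pie_status(image: bytes) -> str:
    """Classify an ELF64 little-endian image like checksec's PIE column."""
    if len(image) < 64 or image[:4] != b"\x7fELF":
        return "not an ELF"
    if image[4] != 2 or image[5] != 1:       # ELFCLASS64, little-endian only
        return "unsupported ELF"
    (e_type,) = struct.unpack_from("<H", image, 16)
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    if e_type == ET_EXEC:
        return "no pie"                      # linked for a fixed load address
    if e_type != ET_DYN:
        return "not an executable"           # e.g. ET_REL object files
    # ET_DYN is shared by PIE programs and shared libraries, so inspect the
    # dynamic section: DT_DEBUG (checksec's test) or DF_1_PIE marks a program.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 40 > len(image):
            break                            # truncated program header table
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", image, off)
        if p_type != PT_DYNAMIC:
            continue
        end = min(p_offset + p_filesz, len(image))
        for d_off in range(p_offset, end - 15, 16):
            tag, val = struct.unpack_from("<qQ", image, d_off)
            if tag == DT_NULL:
                break
            if tag == DT_DEBUG or (tag == DT_FLAGS_1 and val & DF_1_PIE):
                return "PIE"
    return "DSO"

def build_sample(e_type: int, dyn: list) -> bytes:
    """Constructed input: ELF64 header, one PT_DYNAMIC phdr, dynamic entries."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, 1, 0, 0, 0)
    body = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0,
                       len(body), len(body), 8)
    return ehdr + phdr + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path:50s} {pie_status(fh.read())}")
```

Run as a script with file paths as arguments, it prints one path and verdict per line.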