lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20170213213132.GA28220@merlins.org>
Date:   Mon, 13 Feb 2017 13:31:32 -0800
From:   Marc MERLIN <marc@...lins.org>
To:     Josh Poimboeuf <jpoimboe@...hat.com>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: Please turn "Cannot use CONFIG_STACK_VALIDATION" into build error

On Mon, Feb 13, 2017 at 12:41:06PM -0600, Josh Poimboeuf wrote:
> Hm, that doesn't sound right.  Nothing automatically enables
> CONFIG_STACK_VALIDATION.  It should be disabled unless manually enabled.
> Maybe you got it confused with CONFIG_HAVE_STACK_VALIDATION, which is
> always enabled?
 
I did mean CONFIG_STACK_VALIDATION, which is what requires objtool.
It's very possible I enabled it myself during a make oldconfig some time
back, what I meant is that disabling it from the config file doesn't make it
go away, it comes back on its own (see below)

> BTW, there is a config option for it in the menu:
> 
>   Kernel hacking
>     Compile-time checks and compiler options
>       Compile-time stack metadata validation
 
Thanks, I had a hard time finding it since it was not in the same place than
the other options around it. To be honest, I never quite know how to find
where a .config option is located in an xconfig menu, so I looked around
other ones above and below it in .config, and turns out it was the wrong
place.

Anyway, after not finding it in xconfig, I editted .config, and did:
# CONFIG_STACK_VALIDATION is not set
save .config
and the next build re-enabled the option.
That's what caught me by surprise. Did I do something wrong, or is there an
issue there?

> > 2) without libelf-dev, the kernel will build but will leave a tree
> > missing objtool, which in turn causes (all?) 3rd party modules to fail
> > building.
> 
> Yes, this is a bug.
 
Obviously the fix is to make sure objtool builds, but is there a way to make
things better if it doesn't build?
(apparently yes, as you replied below)

> Correct me if I'm wrong, but it sounds like make-kpkg suppressed stderr?
> If so, that should be fixed.
 
It does not, but it adds lines of output before the build starts, and since
the error with libelf-dev missing is not colorized, it was effectively
invisible (one line amongst hundreds scrolling on the screen).
Now that I know what the error is and how to look for it, I can see it, but
as a diagnosis that things were wrong and that things should be fixed, or
3rd party modules would fail to build in weird ways, it was unfortunately
useless.

> When I try to build an OOT module with CONFIG_STACK_VALIDATION enabled
> and elfutils-libelf-devel missing (on Fedora), I get:
> 
>   make: Entering directory '/home/jpoimboe/git/linux'
>   make[1]: Entering directory '/home/jpoimboe/ktest/output'
>     CC [M]  /home/jpoimboe/livepatch-test/1/livepatch2.o
>   /bin/sh: ./tools/objtool/objtool: No such file or directory
>   /home/jpoimboe/git/linux/scripts/Makefile.build:300: recipe for target '/home/jpoimboe/livepatch-test/1/livepatch2.o' failed
>   make[2]: *** [/home/jpoimboe/livepatch-test/1/livepatch2.o] Error 1
>   /home/jpoimboe/git/linux/Makefile:1490: recipe for target '_module_/home/jpoimboe/livepatch-test/1' failed
>   make[1]: *** [_module_/home/jpoimboe/livepatch-test/1] Error 2
>   make[1]: Leaving directory '/home/jpoimboe/ktest/output'
>   Makefile:150: recipe for target 'sub-make' failed
>   make: *** [sub-make] Error 2
>   make: Leaving directory '/home/jpoimboe/git/linux'
> 
> It's not a perfect error message, but the
>   '/bin/sh: ./tools/objtool/objtool: No such file or directory'
> is at least a big clue.  I'm curious why you didn't see that.
 
In the virtualbox build, it just doesn't show up at all, even in the debug
log :(
It's only after spending many many hours trying to find why virtualbox was
not working, that I realized that my bbswitch module wasn't building either,
and that one did point to objtool as a culprit.
But even after I found this, it was non trivial to link this to libelf-dev
missing, given that the message wasn't that visible in a kernel build.

> Anyway, the above libelf-dev warning is just a warning and not a build
> error because CONFIG_STACK_VALIDATION is enabled for allyesconfig, and
> it's not a severe enough problem to warrant breaking the build.

Understood.

> Ideally the same warning should be printed when building OOT modules.
> I'll try to figure out if there's a way to do that it.

This would help, although in that case you can even make the warning an
error since objtool missing seems to be fatal?

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ