Bug#1098205: marked as done (onnxruntime: autopkgtest failure with glibc 2.41 due to use of executable stack)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 19 Feb 2025 07:05:31 +0000
with message-id <E1tke9D-008hvS-MA@fasolo.debian.org>
and subject line Bug#1098205: fixed in onnxruntime 1.20.1+dfsg-2
has caused the Debian Bug report #1098205,
regarding onnxruntime: autopkgtest failure with glibc 2.41 due to use of executable stack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1098205: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098205
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: onnxruntime: autopkgtest failure with glibc 2.41 due to use of executable stack
• From: Aurelien Jarno <aurel32@debian.org>
• Date: Mon, 17 Feb 2025 19:07:03 +0100
• Message-id: <[🔎] 173981562359.442572.18183013751274059209.reportbug@ohm.local>

Source: onnxruntime
Version: 1.19.2+dfsg-9
Severity: important
Tags: ftbfs patch upstream
X-Debbugs-Cc: debian-glibc@lists.debian.org
User: debian-glibc@lists.debian.org
Usertags: glibc2.41 dlopen-executable-stack
Control: found -1 onnxruntime/1.20.1+dfsg-1~exp2

Dear maintainer,

Starting with glibc 2.41, the dlopen and dlmopen functions no longer
make the stack executable if a shared library requires it and instead
just fail. This change aims to improve security, as the previous
behaviour was used as a vector for RCE (CVE-2023-38408).

Unfortunately the python3-onnxruntime package provide a python module
which requires an executable stack. With this change, it can't be
imported anymore, causing the autopkgtest to fail:

| 145s autopkgtest [07:39:12]: test command1: [-----------------------
| 147s Exported graph: graph(%feature : Float(1, 128, strides=[128, 1], requires_grad=0, device=cpu),
| 147s       %0.weight : Float(16, 128, strides=[128, 1], requires_grad=1, device=cpu),
| 147s       %0.bias : Float(16, strides=[1], requires_grad=1, device=cpu),
| 147s       %2.weight : Float(1, 16, strides=[16, 1], requires_grad=1, device=cpu),
| 147s       %2.bias : Float(1, strides=[1], requires_grad=1, device=cpu)):
| 147s   %/0/Gemm_output_0 : Float(1, 16, strides=[16, 1], requires_grad=1, device=cpu) = onnx::Gemm[alpha=1., beta=1., transB=1, onnx_name="/0/Gemm"](%feature, %0.weight, %0.bias), scope: torch.nn.modules.container.Sequential::/torch.nn.modules.linear.Linear::0 # /usr/lib/python3/dist-packages/torch/nn/modules/linear.py:125:0
| 147s   %/1/Relu_output_0 : Float(1, 16, strides=[16, 1], requires_grad=1, device=cpu) = onnx::Relu[onnx_name="/1/Relu"](%/0/Gemm_output_0), scope: torch.nn.modules.container.Sequential::/torch.nn.modules.activation.ReLU::1 # /usr/lib/python3/dist-packages/torch/nn/functional.py:1704:0
| 147s   %7 : Float(1, 1, strides=[1, 1], requires_grad=1, device=cpu) = onnx::Gemm[alpha=1., beta=1., transB=1, onnx_name="/2/Gemm"](%/1/Relu_output_0, %2.weight, %2.bias), scope: torch.nn.modules.container.Sequential::/torch.nn.modules.linear.Linear::2 # /usr/lib/python3/dist-packages/torch/nn/modules/linear.py:125:0
| 147s   return (%7)
| 147s 
| 147s Exported a dummy neural network at test_model.onnx
| 147s Traceback (most recent call last):
| 147s   File "/tmp/autopkgtest-lxc.x7zg2iaj/downtmp/build.4Lq/src/debian/tests/inference.py", line 25, in <module>
| 147s     import onnxruntime as rt
| 147s   File "/usr/lib/python3/dist-packages/onnxruntime/__init__.py", line 57, in <module>
| 147s     raise import_capi_exception
| 147s   File "/usr/lib/python3/dist-packages/onnxruntime/__init__.py", line 23, in <module>
| 147s     from onnxruntime.capi._pybind_state import ExecutionMode  # noqa: F401
| 147s     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| 147s   File "/usr/lib/python3/dist-packages/onnxruntime/capi/_pybind_state.py", line 32, in <module>
| 147s     from .onnxruntime_pybind11_state import *  # noqa
| 147s     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| 147s ImportError: /usr/lib/python3/dist-packages/onnxruntime/capi/onnxruntime_pybind11_state.cpython-313-x86_64-linux-gnu.so: cannot enable executable stack as shared object requires: Invalid argument
| 148s autopkgtest [07:39:15]: test command1: -----------------------]
| 148s command1             FAIL non-zero exit status 1

For a full log, see:
https://ci.debian.net/packages/o/onnxruntime/unstable/amd64/57637366/

The problem is that the assembly sources in
onnxruntime/core/mlas/lib/x86_64/*.S does not mark the stack as
non-executable, as can be seen in the build log:

| /usr/bin/ld: warning: QgemmU8S8KernelAmx.S.o: missing .note.GNU-stack section implies executable stack
| /usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker

I think this should be fixed at that assembly code level but upstream
chose to fix that at the link time for the main library [1]. Therefore
please find a oatch to use the same strategy for the python modules:

--- onnxruntime-1.19.2+dfsg.orig/cmake/onnxruntime_python.cmake
+++ onnxruntime-1.19.2+dfsg/cmake/onnxruntime_python.cmake
@@ -119,9 +119,9 @@ if(APPLE)
   set(ONNXRUNTIME_SO_LINK_FLAG "-Xlinker -exported_symbols_list -Xlinker ${ONNXRUNTIME_ROOT}/python/exported_symbols.lst")
 elseif(UNIX)
   if (onnxruntime_ENABLE_EXTERNAL_CUSTOM_OP_SCHEMAS)
-    set(ONNXRUNTIME_SO_LINK_FLAG "-Xlinker --version-script=${ONNXRUNTIME_ROOT}/python/version_script_expose_onnx_protobuf.lds -Xlinker --gc-sections")
+    set(ONNXRUNTIME_SO_LINK_FLAG "-Xlinker --version-script=${ONNXRUNTIME_ROOT}/python/version_script_expose_onnx_protobuf.lds -Xlinker --gc-sections -z noexecstack")
   else()
-    set(ONNXRUNTIME_SO_LINK_FLAG "-Xlinker --version-script=${ONNXRUNTIME_ROOT}/python/version_script.lds -Xlinker --gc-sections")
+    set(ONNXRUNTIME_SO_LINK_FLAG "-Xlinker --version-script=${ONNXRUNTIME_ROOT}/python/version_script.lds -Xlinker --gc-sections -z noexecstack")
   endif()
 else()
   set(ONNXRUNTIME_SO_LINK_FLAG "-DEF:${ONNXRUNTIME_ROOT}/python/pybind.def")

Regards
Aurelien

[1] https://github.com/microsoft/onnxruntime/commit/49ce4891bced02db4554253f98e595f1857b58f8

--- End Message ---

--- Begin Message ---

• To: 1098205-close@bugs.debian.org
• Subject: Bug#1098205: fixed in onnxruntime 1.20.1+dfsg-2
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Wed, 19 Feb 2025 07:05:31 +0000
• Message-id: <E1tke9D-008hvS-MA@fasolo.debian.org>
• Reply-to: Shengqi Chen <harry@debian.org>

Source: onnxruntime
Source-Version: 1.20.1+dfsg-2
Done: Shengqi Chen <harry@debian.org>

We believe that the bug you reported is fixed in the latest version of
onnxruntime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098205@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengqi Chen <harry@debian.org> (supplier of updated onnxruntime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Feb 2025 14:27:32 +0800
Source: onnxruntime
Architecture: source
Version: 1.20.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Deep Learning Team <debian-ai@lists.debian.org>
Changed-By: Shengqi Chen <harry@debian.org>
Closes: 1098205
Changes:
 onnxruntime (1.20.1+dfsg-2) unstable; urgency=medium
 .
   * d/rules: disable xnnpack EP on riscv64 (currently unusable)
   * d/patches: add patch to set noexecstack in linker flags
     (closes: #1098205)
Checksums-Sha1:
 81d89a36e5648ca3ac22ef3b240d835ddd633309 3106 onnxruntime_1.20.1+dfsg-2.dsc
 37d44ee484d9b5981695ef838ddfffced6c167b3 23264 onnxruntime_1.20.1+dfsg-2.debian.tar.xz
 6acc1fa17ce6435a81f5fb91df287ac201423dd7 11752 onnxruntime_1.20.1+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 0cfb1ef0ec71c0906ccdfe80d3a0e89f8b574bfc35cffa15c6e3a7146eddafd9 3106 onnxruntime_1.20.1+dfsg-2.dsc
 730e562438984f7f791923a8e25b11cc11c50d0a55f0fab5124cfeb6a056dd91 23264 onnxruntime_1.20.1+dfsg-2.debian.tar.xz
 23c0862bcbdbfca3e7f9566f90692b40ea49c35058f64a27436dc93b3609f730 11752 onnxruntime_1.20.1+dfsg-2_amd64.buildinfo
Files:
 1f69d85dabac8bcaacd88d3283576d18 3106 science optional onnxruntime_1.20.1+dfsg-2.dsc
 0d905da9f2e65d4c0a870b8eb572f6b8 23264 science optional onnxruntime_1.20.1+dfsg-2.debian.tar.xz
 ab258c47cbc0bf350fac5480975a90b4 11752 science optional onnxruntime_1.20.1+dfsg-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+Fg++qmpHzqjSzySzhGnsHs6uUYFAme1gC8ACgkQzhGnsHs6
uUZmyg/9EMiEFpc9o/RsKq45fB41IwosnfeVG9AKRtyCyQ1jW5qKujV0f7vLWiYR
Jaz6lSakpEQLIni7Y1oZmTlKfb46Te8lKNFScQvWm63d4ypTeLdkh0sxneujdIMG
YhJyIuhJDYthafTt0yXFNo7Ckrl2V4iWnglyp3U5mdFOTBXDvAvDmSdLSklL0sFb
MkddbQCWW9fxV0C778TxOqpIDObhWMYTj0vBy5RJ9/tMwR7Y9NBSuzKyp/O4dl8h
S9EQWTknx//Flyto8cnS33jV/NT6sRy8ebd5nDH2vsPjKsL3fgoBzqT2iukTzPSb
flMsSFYccf7qi5parIpR4fddF2Jjf875IVa69r0V4yMS2frS6/QH+ff5Rl42Qvxj
VYHcVUl6Kl3612gzjJzX6mO8C6f6x0QLJrlZpcke5/mq+XGs9o6BIjXjNhOS1cc2
b/Xwh2MS049QmyrjUy92TqH9isBI7JvKIQxOKEnD0k3gwueMGf78xGrNRCado82P
niHfD3l1jWJBtSTjbDRecwdx4roNNBjOKJkO+6BIK1FD83fOR767QWCsCrYgG0b3
WDUQJBbfw/qh/E3OQtL0iW2VMzASquQCK1zDDtWmG3mrMEja49By9xuQxezxRPko
Xu9GtVwlSK4QRziWQWR1m1h7jFVmUhRBO7c2gA9YIBiSlmuOQ0A=
=ugOz
-----END PGP SIGNATURE-----

Attachment: pgpUFJxH68Hca.pgp
Description: PGP signature

--- End Message ---