
Bug#834044: src:ocaml: ocaml does not appear to allow all hardening flags when building other projects



reassign 834044 sks
tags 834044 + patch
thanks

On 11/08/2016 17:52, Daniel Kahn Gillmor wrote:
In particular, i see errors like the following:

 […]
    ocamlopt -o sks -I lib -I bdb -I +cryptokit   -ccopt -g  -ccopt -O2  -ccopt -fdebug-prefix-map=/home/dkg/src/sks/sks=.  -ccopt -fPIE  -ccopt -fstack-protector-strong  -ccopt -Wformat  -ccopt -Werror=format-security  -ccopt -O3  -ccopt -Werror-implicit-function-declaration  -ccopt -I`ocamlc  -ccopt -where`  -ccopt -I  -ccopt .  -ccopt -fPIE  -ccopt -pie  -ccopt -Wl,-z,relro  -ccopt -Wl,-z,now -ccopt -Lbdb -dtypes  -inline 40 unix.cmxa str.cmxa bdb.cmxa nums.cmxa bigarray.cmxa cryptokit.cmxa crc.o pSet.cmx pMap.cmx utils.cmx heap.cmx mList.cmx mTimer.cmx mArray.cmx settings.cmx pstyle.cmx getfileopts.cmx common.cmx channel.cmx eventloop.cmx ehandlers.cmx bitstring.cmx meteredChannel.cmx number.cmx prime.cmx zZp.cmx rMisc.cmx linearAlg.cmx poly.cmx decode.cmx fqueue.cmx prefixTree.cmx msgContainer.cmx nbMsgContainer.cmx cMarshal.cmx reconMessages.cmx server.cmx client.cmx reconCS.cmx number_test.cmx decode_test.cmx poly_test.cmx Unique_time.cmx version.cmx packet.cmx parsePGP.cmx sStream.cmx bdbwrap.cmx key.cmx keyHash.cmx keyMerge.cmx fixkey.cmx fingerprint.cmx keydb.cmx armor.cmx dbMessages.cmx htmlTemplates.cmx wserver.cmx membership.cmx tester.cmx request.cmx stats.cmx index.cmx mRindex.cmx pTreeDB.cmx sendmail.cmx recvmail.cmx mailsync.cmx clean_keydb.cmx build.cmx fastbuild.cmx pbuild.cmx merge_keyfiles.cmx sksdump.cmx incdump.cmx dbserver.cmx reconComm.cmx recoverList.cmx catchup.cmx reconserver.cmx update_subkeys.cmx sks_do.cmx unit_tests.cmx sks.cmx
    /usr/bin/ld: cannot find .: File format not recognized
    /usr/bin/ld: cannot find .: File format not recognized
    /usr/bin/ld: cannot find .: File format not recognized
    /usr/bin/ld: /usr/lib/ocaml/libasmrun.a(startup.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
    /usr/lib/ocaml/libasmrun.a: error adding symbols: Bad value
    collect2: error: ld returned 1 exit status
    File "caml_startup", line 1:
    Error: Error during linking
    Makefile:180: recipe for target 'sks' failed

I don't know where the report "ld: cannot find ." comes from (or what
it means) at all.

This error comes from the snippet:

  -ccopt -I`ocamlc  -ccopt -where`  -ccopt -I  -ccopt .

which expands to:

  -I -I .

i.e. -I takes as argument "-I", and the following "." is interpreted as a file.

And interestingly, ocaml ships a /usr/lib/ocaml/libasmrun_pic.a, which
it seems like should be chosen instead of /usr/lib/ocaml/libasmrun.a
if the goal is to link a position-independent executable.

/usr/lib/ocaml/libasmrun_pic.a can be selected with the option "-runtime-variant _pic".

If you'd like to reproduce these errors, you can try from the sks git
repo:

    git clone https://anonscm.debian.org/git/pkg-sks/pkg-sks.git -b try-hardening sks
    cd sks
    dpkg-buildpackage -uc -us

If you see a way to resolve the issue in sks directly, feel free to
note it here and reassign this bug report to sks.

Attached is a simple patch that fixes compilation of sks. I don't believe something is to be done in ocaml, therefore I am reassigning to sks.


Cheers,

--
Stéphane

From: Stephane Glondu <steph@glondu.net>
Date: Fri, 12 Aug 2016 10:25:34 +0200
Subject: Fix hardened build

---
 Makefile     | 4 ++--
 bdb/Makefile | 2 +-
 sks_build.sh | 0
 3 files changed, 3 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 sks_build.sh

diff --git a/Makefile b/Makefile
index 3411370..186f466 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@
 #   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 #   USA
 #
-CINCLUDES=-I`ocamlc -where`
+CINCLUDES=-I$(shell ocamlc -where)
 CC=gcc
 CXX=g++
 CFLAGS+=-O3 -Werror-implicit-function-declaration $(CINCLUDES) -I .
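Review bot: the unchanged `CFLAGS` line at the end of this hunk still passes `-I .` as two words, and `CAMLCFLAGS=$(foreach x, $(CFLAGS), -ccopt $(x))` wraps each word in its own `-ccopt`, so this include directory stays split across two options; writing `-I.` would keep it a single word, as the new `-I$(shell ocamlc -where)` now is. Because `CINCLUDES` is assigned with `=`, the `$(shell ...)` call is also re-run on every expansion of the variable; `CINCLUDES:=-I$(shell ocamlc -where)` would run it once.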
@@ -45,7 +45,7 @@ else
 	OCAMLLIB= -ccopt $(BDBLIB)
 endif
 
-CAMLLDFLAGS=$(foreach x, $(LDFLAGS), -ccopt $(x))
+CAMLLDFLAGS=$(foreach x, $(LDFLAGS), -ccopt $(x)) -runtime-variant _pic
 CAMLCFLAGS=$(foreach x, $(CFLAGS), -ccopt $(x))
 
 SKSVS=$(shell grep 'version_suffix = "+"' common.ml)
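Review bot: `-runtime-variant _pic` is appended to `CAMLLDFLAGS` unconditionally, while whether the link is position-independent depends on what `$(LDFLAGS)` carries, so a build without `-pie` is switched to the PIC runtime as well and an OCaml installation without `libasmrun_pic.a` can no longer link. Consider adding it only when `-pie` is present, for example `$(if $(filter -pie,$(LDFLAGS)),-runtime-variant _pic)`, and say in the commit message why the variant is needed.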
diff --git a/bdb/Makefile b/bdb/Makefile
index 3818fe2..52fbbfe 100644
--- a/bdb/Makefile
+++ b/bdb/Makefile
@@ -14,7 +14,7 @@
 # $Id: Makefile,v 1.6 2003/07/05 15:16:29 yminsky Exp $
 include ../Makefile.local
 
-CINCLUDES=-I`ocamlc -where` $(BDBINCLUDE)
+CINCLUDES=-I$(shell ocamlc -where) $(BDBINCLUDE)
 CC=gcc
 CXX=g++
 CFLAGS+=-O3 -Werror-implicit-function-declaration $(CINCLUDES) $(BDBLIB) -I .
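Review bot: if `ocamlc` is missing or fails, `$(shell ocamlc -where)` expands to nothing and `CINCLUDES` becomes a bare `-I` followed by `$(BDBINCLUDE)`, so `-I` swallows the next word, which is the same kind of failure this patch sets out to fix. Capture the path once in a variable assigned with `:=` and stop with `$(error ...)` when it is empty; sharing that variable with the top-level Makefile would also avoid defining `CINCLUDES` the same way in two places.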
diff --git a/sks_build.sh b/sks_build.sh
old mode 100644
new mode 100755
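Review bot: the mode change on `sks_build.sh` (100644 to 100755) is not explained by the commit message, which only says "Fix hardened build"; either state why the script has to be executable for this fix or move the mode change into its own commit.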

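The `-I -I .` expansion explained in the message above, reproduced as an added shell example that is not part of the original message or the sks sources. The `ocamlc` stub, the function names and the `/usr/lib/ocaml` path printed by the stub are assumptions made for illustration.

```shell
#!/bin/sh
# Stub standing in for ocamlc (assumption): it prints the library directory
# only when -where is its first argument. After "-ccopt", the word "-where"
# is taken as the value of -ccopt, so nothing is printed.
ocamlc() { [ "$1" = "-where" ] && echo /usr/lib/ocaml; return 0; }

# Emulates make's $(foreach x, $(CFLAGS), -ccopt $(x)): every
# whitespace-separated word of the flag string gets its own -ccopt.
# make does not interpret backticks, so they are split like any other text.
wrap_ccopt() {
    out=""
    for w in $1; do out="$out -ccopt $w"; done
    printf '%s' "${out# }"
}

# Emulates the recipe line: the shell evaluates it (backticks included),
# then the -ccopt values are joined, which is what the C compiler receives.
cc_args() {
    eval "set -- $(wrap_ccopt "$1")"
    args=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-ccopt" ]; then shift; args="$args $1"; fi
        shift
    done
    printf '%s' "${args# }"
}

# Before the patch: the backticks reach the shell only after the foreach
# has inserted "-ccopt" between "ocamlc" and "-where".
printf 'recipe line : %s\n' "$(wrap_ccopt '-I`ocamlc -where` -I .')"
printf 'cc receives : %s\n' "$(cc_args '-I`ocamlc -where` -I .')"

# After the patch: $(shell ...) is expanded by make before the foreach,
# modelled here by substituting the path before wrapping.
printf 'patched     : %s\n' "$(cc_args "-I$(ocamlc -where) -I .")"
```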