Re: ffmpeg6 and SSP?
On Wed, Nov 15, 2023 at 01:48:19PM +0200, Vitaly Shevtsov wrote: > Even arcticfox cannot be built due to the same reason. Christos fixed it - cvs update and rebuild, and check you have # nm -g /lib/libc.so | grep ssp 00055136 T __ssp_protected_getcwd 0005512c T __ssp_protected_read 00055131 T __ssp_protected_readlink 0007cc3a T _getfsspec 0007cc3a W getfsspec 0019822f T isspace 00198245 T isspace_l 0004afb7 T wcsspn Cheers, Patrick
Re: ffmpeg6 and SSP?
On Tue, Nov 14, 2023 at 11:30:27AM +, Patrick Welche wrote: > On Tue, Nov 14, 2023 at 10:32:01AM +, Patrick Welche wrote: > > On Mon, Nov 13, 2023 at 11:22:55AM +, Patrick Welche wrote: > > > I'm pretty sure ffmpeg6 compiled recently, but on today's NetBSD-current > > > with HAVE_GCC=12 and pkgsrc-current I'm seeing > > > > > > => Bootstrap dependency digest>=20211023: found digest-20220214 > > > ===> Checking for vulnerabilities in ffmpeg6-6.0nb6 > > > ===> Building for ffmpeg6-6.0nb6 > > > LD ffmpeg6_g > > > LD ffprobe6_g > > > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of > > > `environ' > > > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of > > > `environ' > > > ld: libavdevice/libavdevice.so: undefined reference to > > > `__ssp_protected_read' > > > ld: libavdevice/libavdevice.so: undefined reference to > > > `__ssp_protected_read' > > > gmake: *** [Makefile:131: ffprobe6_g] Error 1 > > > gmake: *** Waiting for unfinished jobs > > > gmake: *** [Makefile:131: ffmpeg6_g] Error 1 > > > *** Error code 2 > > > > > > > > > Suggestions? Try no FORTIFY? > > > > I tried "no FORTIFY" on ffmpeg6 as > > > > CONFIGURE_ENV+="CPPFLAGS=\"-D_FORTIFY_SOURCE=0\"" > > > > which didn't help. > > > > I tried a NetBSD-current box with gcc 10.5.0 (i.e., without HAVE_GCC=12) > > which didn't help. > > > > I also see the problem with the simpler lang/gawk package: > > > > ld: awkgram.o: in function `get_src_buf': > > awkgram.c:(.text+0x2d8c): undefined reference to `__ssp_protected_read' > > ld: io.o: in function `iop_alloc': > > io.c:(.text+0xf03): undefined reference to `__ssp_protected_read' > > ld: io.o: in function `get_a_record': > > io.c:(.text+0x22d6): undefined reference to `__ssp_protected_read' > > ld: io.o: in function `after_beginfile': > > io.c:(.text+0x27c7): undefined reference to `__ssp_protected_read' > > ld: io.o: in function `redirect_string': > > io.c:(.text+0x55e7): undefined reference to `__ssp_protected_read' > > ld: io.o:io.c:(.text+0x5606): more undefined references to > > `__ssp_protected_read' follow > > > > If I simply edit /usr/include/ssp/ssp.h to remove the __gnu_inline__ from > > the definition of__ssp_inline and make it static again, then gawk builds, > > > > i.e., reverting > > > > -/* $NetBSD: ssp.h,v 1.14 2023/03/29 13:37:10 christos Exp $*/ > > +/* $NetBSD: ssp.h,v 1.15 2023/11/10 23:03:37 christos Exp $*/ > > > > allows gawk to build. > > Userland was built with MKUPDATE=yes - maybe I didn't rebuild whichever > library should contain the extern definition of __ssp_protected_read ? > > git grep ssp_protected_read > > on https://github.com/NetBSD/src.git returned nothing - where should > the __ssp_protected_read symbol live? Thank you to Christos for putting the symbol in libc today with the addition of ssp_redirect.c! Before: $ nm -g libc.so.12.221 | grep ssp 0007bb8a T _getfsspec 0007bb8a W getfsspec 0019717f T isspace 00197195 T isspace_l 00049f67 T wcsspn After: $ nm -g libc.so.12.221 | grep ssp 00055136 T __ssp_protected_getcwd 0005512c T __ssp_protected_read 00055131 T __ssp_protected_readlink 0007cc3a T _getfsspec 0007cc3a W getfsspec 0019822f T isspace 00198245 T isspace_l 0004afb7 T wcsspn Cheers, Patrick
Re: ffmpeg6 and SSP?
Even arcticfox cannot be built due to the same reason. -- Vitaly
SSP
Talking of SSP, what can you do once a detection happens? I see in /var/log/messages: Nov 15 06:59:32 mail -: mail.example.com exim - - - stack overflow detected; terminated I have: kern.coredump.setid.dump = 1 kern.coredump.setid.path = /var/crash/%n.core proc.curproc.rlimit.coredumpsize.soft = unlimited proc.curproc.rlimit.coredumpsize.hard = unlimited but /var/crash is empty. How do you make use of SSP? Cheers, Patrick
Re: ffmpeg6 and SSP?
On Tue, 14 Nov 2023 11:30:27 + Patrick Welche wrote: > Userland was built with MKUPDATE=yes - maybe I didn't rebuild whichever > library should contain the extern definition of __ssp_protected_read ? Same problem with a clean userland build. I'll also note it doesn't work to override _FORTIFY_SOURCE with CFLAGS in pkgsrc, because SSP is enforced through wrappers. Minimal reproducer: #define _FORTIFY_SOURCE 2 #include ssize_t (*myread)(int d, void *buf, size_t nbytes); int main(void) { char c; myread = return myread(STDIN_FILENO, , sizeof(c)); }
Re: ffmpeg6 and SSP?
On Tue, Nov 14, 2023 at 10:32:01AM +, Patrick Welche wrote: > On Mon, Nov 13, 2023 at 11:22:55AM +, Patrick Welche wrote: > > I'm pretty sure ffmpeg6 compiled recently, but on today's NetBSD-current > > with HAVE_GCC=12 and pkgsrc-current I'm seeing > > > > => Bootstrap dependency digest>=20211023: found digest-20220214 > > ===> Checking for vulnerabilities in ffmpeg6-6.0nb6 > > ===> Building for ffmpeg6-6.0nb6 > > LD ffmpeg6_g > > LD ffprobe6_g > > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of > > `environ' > > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of > > `environ' > > ld: libavdevice/libavdevice.so: undefined reference to > > `__ssp_protected_read' > > ld: libavdevice/libavdevice.so: undefined reference to > > `__ssp_protected_read' > > gmake: *** [Makefile:131: ffprobe6_g] Error 1 > > gmake: *** Waiting for unfinished jobs > > gmake: *** [Makefile:131: ffmpeg6_g] Error 1 > > *** Error code 2 > > > > > > Suggestions? Try no FORTIFY? > > I tried "no FORTIFY" on ffmpeg6 as > > CONFIGURE_ENV+="CPPFLAGS=\"-D_FORTIFY_SOURCE=0\"" > > which didn't help. > > I tried a NetBSD-current box with gcc 10.5.0 (i.e., without HAVE_GCC=12) > which didn't help. > > I also see the problem with the simpler lang/gawk package: > > ld: awkgram.o: in function `get_src_buf': > awkgram.c:(.text+0x2d8c): undefined reference to `__ssp_protected_read' > ld: io.o: in function `iop_alloc': > io.c:(.text+0xf03): undefined reference to `__ssp_protected_read' > ld: io.o: in function `get_a_record': > io.c:(.text+0x22d6): undefined reference to `__ssp_protected_read' > ld: io.o: in function `after_beginfile': > io.c:(.text+0x27c7): undefined reference to `__ssp_protected_read' > ld: io.o: in function `redirect_string': > io.c:(.text+0x55e7): undefined reference to `__ssp_protected_read' > ld: io.o:io.c:(.text+0x5606): more undefined references to > `__ssp_protected_read' follow > > If I simply edit /usr/include/ssp/ssp.h to remove the __gnu_inline__ from > the definition of__ssp_inline and make it static again, then gawk builds, > > i.e., reverting > > -/* $NetBSD: ssp.h,v 1.14 2023/03/29 13:37:10 christos Exp $*/ > +/* $NetBSD: ssp.h,v 1.15 2023/11/10 23:03:37 christos Exp $*/ > > allows gawk to build. Userland was built with MKUPDATE=yes - maybe I didn't rebuild whichever library should contain the extern definition of __ssp_protected_read ? git grep ssp_protected_read on https://github.com/NetBSD/src.git returned nothing - where should the __ssp_protected_read symbol live? Cheers, Patrick
Re: ffmpeg6 and SSP?
On Mon, Nov 13, 2023 at 11:22:55AM +, Patrick Welche wrote: > I'm pretty sure ffmpeg6 compiled recently, but on today's NetBSD-current > with HAVE_GCC=12 and pkgsrc-current I'm seeing > > => Bootstrap dependency digest>=20211023: found digest-20220214 > ===> Checking for vulnerabilities in ffmpeg6-6.0nb6 > ===> Building for ffmpeg6-6.0nb6 > LD ffmpeg6_g > LD ffprobe6_g > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of `environ' > ld: /usr/lib/crt0.o and /usr/lib/crt0.o: warning: multiple common of `environ' > ld: libavdevice/libavdevice.so: undefined reference to `__ssp_protected_read' > ld: libavdevice/libavdevice.so: undefined reference to `__ssp_protected_read' > gmake: *** [Makefile:131: ffprobe6_g] Error 1 > gmake: *** Waiting for unfinished jobs > gmake: *** [Makefile:131: ffmpeg6_g] Error 1 > *** Error code 2 > > > Suggestions? Try no FORTIFY? I tried "no FORTIFY" on ffmpeg6 as CONFIGURE_ENV+="CPPFLAGS=\"-D_FORTIFY_SOURCE=0\"" which didn't help. I tried a NetBSD-current box with gcc 10.5.0 (i.e., without HAVE_GCC=12) which didn't help. I also see the problem with the simpler lang/gawk package: ld: awkgram.o: in function `get_src_buf': awkgram.c:(.text+0x2d8c): undefined reference to `__ssp_protected_read' ld: io.o: in function `iop_alloc': io.c:(.text+0xf03): undefined reference to `__ssp_protected_read' ld: io.o: in function `get_a_record': io.c:(.text+0x22d6): undefined reference to `__ssp_protected_read' ld: io.o: in function `after_beginfile': io.c:(.text+0x27c7): undefined reference to `__ssp_protected_read' ld: io.o: in function `redirect_string': io.c:(.text+0x55e7): undefined reference to `__ssp_protected_read' ld: io.o:io.c:(.text+0x5606): more undefined references to `__ssp_protected_read' follow If I simply edit /usr/include/ssp/ssp.h to remove the __gnu_inline__ from the definition of__ssp_inline and make it static again, then gawk builds, i.e., reverting -/* $NetBSD: ssp.h,v 1.14 2023/03/29 13:37:10 christos Exp $*/ +/* $NetBSD: ssp.h,v 1.15 2023/11/10 23:03:37 christos Exp $*/ allows gawk to build. Cheers, Patrick
Re: ffmpeg6 and SSP?
On Tuesday, November 14th, 2023 at 8:48 AM, Vitaly Shevtsov wrote: > Hello! > > What if you put -D_FORTIFY_SOURCE=0 into Makefile, will it help? Won't know until I try :) Will have to wait a bit, though ... currently building firefox. If someone else can try before tomorrow, it would be great. Else, I can test it.
Re: ffmpeg6 and SSP?
Hello! What if you put -D_FORTIFY_SOURCE=0 into Makefile, will it help? On Tue, Nov 14, 2023 at 9:05 AM pin wrote: > > Hi all, > > I've reported off-list to wiz@ that building ffmpeg6 on current from Saturday > Nov. 11 2023 failed for me. > > The error is/was the same as reported here, > https://mail-index.netbsd.org/pkgsrc-users/2023/11/13/msg038461.html > > I can now confirm that downgrading userland to Nov. 8 2023 allows the build > to complete successfully. > It's highly likely the issue is related to the changes introduced to ssp on > Nov. 10 2023 > > Regards, > -- Vitaly
Re: ffmpeg6 and SSP?
Hi all, I've reported off-list to wiz@ that building ffmpeg6 on current from Saturday Nov. 11 2023 failed for me. The error is/was the same as reported here, https://mail-index.netbsd.org/pkgsrc-users/2023/11/13/msg038461.html I can now confirm that downgrading userland to Nov. 8 2023 allows the build to complete successfully. It's highly likely the issue is related to the changes introduced to ssp on Nov. 10 2023 Regards,
ssp(3) problem?
Hi! A user tried following the ssp man page and got unexpected results. I'd like to know if the man page is wrong or implementation. Here's his translated message: Take any program using stdio.h, say #include #include as the only lines, and use gcc as described in ssp(3): gcc -I/usr/include/ssp -D_FORTIFY_SOURCE=2 file.c On NetBSD 6 this gives In file included from file.c:2:0: /usr/include/ssp/stdio.h:49:40: error: expected declaration specifiers or ‘...’ before ‘FILE’ On NetBSD current this gives In file included from file.c:2:0: /usr/include/ssp/stdio.h:49:40: error: unknown type name ‘FILE’ char *__fgets_chk(char *, int, size_t, FILE *); Thomas
Re: ssp(3) problem?
In article <20151126114027.gw12...@danbala.tuwien.ac.at>, Thomas Klausner <w...@netbsd.org> wrote: >Hi! > >A user tried following the ssp man page and got unexpected results. >I'd like to know if the man page is wrong or implementation. > >Here's his translated message: > >Take any program using stdio.h, say > >#include >#include > >as the only lines, and use gcc as described in ssp(3): > >gcc -I/usr/include/ssp -D_FORTIFY_SOURCE=2 file.c The man page is wrong. Never do -I/usr/include/ssp. Definining -D_FORTIFY_SOURCE=<0|1|2> is the only thing you need to do. christos
lib/libc/ssp/h_stpncpy.c breaks multiple builds
With up-to-date sources, I'm seeing the following error on multiple ports (including evbcf, evbppc, mac68k, sun2, vax) cc1: warnings being treated as errors /build/netbsd-local/src/tests/lib/libc/ssp/h_stpncpy.c: In function 'main': /build/netbsd-local/src/tests/lib/libc/ssp/h_stpncpy.c:44: warning: pointer/integer type mismatch in conditional expression - | Paul Goyette | PGP Key fingerprint: | E-mail addresses: | | Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com| | Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net | | Kernel Developer | | pgoyette at netbsd.org | -