[jira] [Commented] (YARN-7857) -fstack-check compilation flag causes binary incompatibility for container-executor between RHEL 6 and RHEL 7

Tue, 30 Jan 2018 08:42:13 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-7857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16345341#comment-16345341
 ] 

Jim Brennan commented on YARN-7857:
-----------------------------------

This redhat link suggests that there are problems with stack-check: 
[https://access.redhat.com/security/vulnerabilities/stackguard |Redhat 
stackguard vulnerability]:

To avoid stack guard page jumping, every stack allocation primitive needs to 
implement freshly allocated memory probing with the stack guard gap size 
granularity. *The existing gcc -fstack-check implementation aims to do exactly 
that, but currently it is not working correctly.* Before the gcc -fstack-check 
implementation is fixed and all of the exposed binaries are rebuilt, we have a 
combination of kernel and glibc mitigations that addresses all known 
reporter-provided exploits available:

> -fstack-check compilation flag causes binary incompatibility for 
> container-executor between RHEL 6 and RHEL 7
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-7857
>                 URL: https://issues.apache.org/jira/browse/YARN-7857
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>    Affects Versions: 3.0.0
>            Reporter: Jim Brennan
>            Assignee: Jim Brennan
>            Priority: Major
>
> The segmentation fault in container-executor reported in [YARN-7796]  appears 
> to be due to a binary compatibility issue with the {{-fstack-check}} flag 
> that was added in [YARN-6721]
> Based on my testing, a container-executor (without the patch from 
> [YARN-7796]) compiled on RHEL 6 with the -fstack-check flag always hits this 
> segmentation fault when run on RHEL 7.  But if you compile without this flag, 
> the container-executor runs on RHEL 7 with no problems.  I also verified this 
> with a simple program that just does the copy_file.
> I think we need to either remove this flag, or find a suitable alternative.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to