[ 
https://issues.apache.org/jira/browse/YARN-7857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352816#comment-16352816
 ] 

Jim Brennan commented on YARN-7857:
-----------------------------------

[~miklos.szeg...@cloudera.com] I have prepared another patch that only adds the 
{{-fstack-check}} option for GCC versions > 4.8.
But on further review and reflection, I have come around to the opinion that 
the security issue is more important than this incompatibility, especially 
given that we have addressed that incompatibility in YARN-7796.

I have not found anything that officially changes the recommendation of using 
{{-fstack-check}} to help combat stack clash attacks, and I have not found an 
alternative command line option for gcc. So I am reluctant to remove 
{{-fstack-check}} for any versions of GCC when it is currently not causing a 
problem. My original motivation of preventing us from running into the same 
incompatibility again (due to future changes to container-executor code) does 
not seem worth re-opening a significant security hole.


> -fstack-check compilation flag causes binary incompatibility for 
> container-executor between RHEL 6 and RHEL 7
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-7857
>                 URL: https://issues.apache.org/jira/browse/YARN-7857
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>    Affects Versions: 3.0.0
>            Reporter: Jim Brennan
>            Assignee: Jim Brennan
>            Priority: Major
>         Attachments: YARN-7857.001.patch
>
>
> The segmentation fault in container-executor reported in [YARN-7796] appears 
> to be due to a binary compatibility issue with the {{-fstack-check}} flag 
> that was added in [YARN-6721].
> Based on my testing, a container-executor (without the patch from 
> [YARN-7796]) compiled on RHEL 6 with the -fstack-check flag always hits this 
> segmentation fault when run on RHEL 7.  But if you compile without this flag, 
> the container-executor runs on RHEL 7 with no problems.  I also verified this 
> with a simple program that just does the copy_file.
> I think we need to either remove this flag, or find a suitable alternative.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
