[ https://issues.apache.org/jira/browse/YARN-7857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352816#comment-16352816 ]
Jim Brennan commented on YARN-7857:
-----------------------------------
[[email protected]] I have prepared another patch that only adds the
{{-fstack-check}} option for GCC versions > 4.8.
But on further review and reflection, I have come around to the opinion that
the security issue is more important than this incompatibility, especially
given that we have addressed that incompatibility in YARN-7796.
I have not found anything that officially changes the recommendation of using
{{-fstack-check}} to help combat stack clash attacks, and I have not found an
alternative command line option for gcc. So I am reluctant to remove
{{-fstack-check}} for any versions of GCC when it is currently not causing a
problem. My original motivation of preventing us from running into the same
incompatibility again (due to future changes to container-executor code) does
not seem worth re-opening a significant security hole.
> -fstack-check compilation flag causes binary incompatibility for
> container-executor between RHEL 6 and RHEL 7
> -------------------------------------------------------------------------------------------------------------
>
> Key: YARN-7857
> URL: https://issues.apache.org/jira/browse/YARN-7857
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Affects Versions: 3.0.0
> Reporter: Jim Brennan
> Assignee: Jim Brennan
> Priority: Major
> Attachments: YARN-7857.001.patch
>
>
> The segmentation fault in container-executor reported in [YARN-7796] appears
> to be due to a binary compatibility issue with the {{-fstack-check}} flag
> that was added in [YARN-6721].
> Based on my testing, a container-executor (without the patch from
> [YARN-7796]) compiled on RHEL 6 with the -fstack-check flag always hits this
> segmentation fault when run on RHEL 7. But if you compile without this flag,
> the container-executor runs on RHEL 7 with no problems. I also verified this
> with a simple program that just does the copy_file.
> I think we need to either remove this flag, or find a suitable alternative.