View Issue Details

IDProjectCategoryView StatusLast Update
0015333CentOS-7glibcpublic2019-07-19 15:24
Reporterbboozzoo 
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionnot fixable 
Product Version7.5.1804 
Target VersionFixed in Version 
Summary0015333: building static binaries in RPMs fails when hardened build is enabled
DescriptionI have tried to build RPM package of `snapd` for CentOS. Snapd builds 2 Go binaries that need to be statically linked but use cgo. The build failed during linking:

             /usr/lib/golang/pkg/tool/linux_amd64/link -o $WORK/github.com/snapcore/snapd/cmd/snap-exec/_obj/exe/a.out -L $WORK -L /root/rpmbuild/BUILD/snapd-1337.2.35.2/pkg/linux_amd64 -extld=gcc -buildmode=exe -buildid=35902098fe4eb86f9c8bbdb5eded0c6b0cefc92f -B 0xceb077d984f79e47e334cd3e29e5fc6fb5a86171 -extldflags "-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -static" $WORK/github.com/snapcore/snapd/cmd/snap-exec.a
             # github.com/snapcore/snapd/cmd/snap-exec
             /usr/lib/golang/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
             /usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/crtbeginT.o: relocation R_X86_64_32 against hidden symbol `__TMC_END__' can not be used when making a shared object
             /usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libpthread.a(libpthread.o): relocation R_X86_64_32S against symbol `__stack_user' can not be used when making a shared object; recompile with -fPIC
             /usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(libc-start.o): relocation R_X86_64_32 against symbol `_dl_starting_up' can not be used when making a shared object; recompile with -fPIC

I have reproduced the same problem with minimal sample of C code:

google:centos-7-64 .../mini/hello# cat test.c
#include <stdio.h>

int main() {
        printf("fails to link\n");
        return 0;
}

I have tracked that down the spec for the linker which enables -pie for !shared build. Since glibc-static was not built with -fPIC the linking fails.

Steps To Reproduce(Using the minimal sample provided in description)

google:centos-7-64 .../mini/hello# gcc -static test.c
google:centos-7-64 .../mini/hello# ./a.out
fails to link

google:centos-7-64 .../mini/hello# rpmbuild -D '_hardened_build 1' -E '%__global_ldflags'
-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
google:centos-7-64 .../mini/hello# rpmbuild -D '_hardened_build 1' -E '%__global_cflags'
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1

google:centos-7-64 .../mini/hello# gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -static -v test.c
Using built-in specs.
Reading specs from /usr/lib/rpm/redhat/redhat-hardened-cc1
Reading specs from /usr/lib/rpm/redhat/redhat-hardened-ld
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
COLLECT_GCC_OPTIONS='-O2' '-g' '-pipe' '-Wall' '-fexceptions' '-fstack-protector-strong' '--param' 'ssp-buffer-size=4' '-grecord-gcc-switches' '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' '-specs=/usr/lib/rpm/redhat/redhat-hardened-ld' '-static' '-v' '-mtune=generic' '-march=x86-64' '-pie'
 /usr/libexec/gcc/x86_64-redhat-linux/4.8.5/cc1 -quiet -v -D_FORTIFY_SOURCE=2 test.c -quiet -dumpbase test.c -mtune=generic -march=x86-64 -auxbase test -g -grecord-gcc-switches -O2 -Wall -version -fexceptions -fstack-protector-strong --param ssp-buffer-size=4 -fPIE -o - |
 as -v --64 -o /tmp/ccfqLvQL.o
GNU C (GCC) version 4.8.5 20150623 (Red Hat 4.8.5-28) (x86_64-redhat-linux)
        compiled by GNU C version 4.8.5 20150623 (Red Hat 4.8.5-28), GMP version 6.0.0, MPFR version 3.1.1, MPC version 1.0.1
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/4.8.5/include-fixed"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../x86_64-redhat-linux/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-redhat-linux/4.8.5/include
 /usr/local/include
 /usr/include
End of search list.
GNU C (GCC) version 4.8.5 20150623 (Red Hat 4.8.5-28) (x86_64-redhat-linux)
        compiled by GNU C version 4.8.5 20150623 (Red Hat 4.8.5-28), GMP version 6.0.0, MPFR version 3.1.1, MPC version 1.0.1
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: fbe9869a2e70aadeaf82d7c32bbeabe0
GNU assembler version 2.27 (x86_64-redhat-linux) using BFD version version 2.27-28.base.el7_5.1
COMPILER_PATH=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/:/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/:/usr/libexec/gcc/x86_64-redhat-linux/:/usr/lib/gcc/x86_64-redhat-linux/4.8.5/:/usr/lib/gcc/x86_64-redhat-linux/
LIBRARY_PATH=/usr/lib/gcc/x86_64-redhat-linux/4.8.5/:/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-O2' '-g' '-pipe' '-Wall' '-fexceptions' '-fstack-protector-strong' '--param' 'ssp-buffer-size=4' '-grecord-gcc-switches' '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' '-specs=/usr/lib/rpm/redhat/redhat-hardened-ld' '-static' '-v' '-mtune=generic' '-march=x86-64' '-pie'
 /usr/libexec/gcc/x86_64-redhat-linux/4.8.5/collect2 --build-id --no-add-needed --hash-style=gnu -m elf_x86_64 -static -z now -pie /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/Scrt1.o /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/4.8.5/crtbeginT.o -L/usr/lib/gcc/x86_64-redhat-linux/4.8.5 -L/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../.. -z relro /tmp/ccfqLvQL.o --start-group -lgcc -lgcc_eh -lc --end-group /usr/lib/gcc/x86_64-redhat-linux/4.8.5/crtendS.o /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/crtn.o
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/crtbeginT.o: relocation R_X86_64_32 against hidden symbol `__TMC_END__' can not be used when making a shared object
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(libc-start.o): relocation R_X86_64_32 against symbol `_dl_starting_up' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(check_fds.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
...
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(sdlvsym.o): relocation R_X86_64_32 against undefined symbol `__pthread_mutex_lock' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(dl-deps.o): relocation R_X86_64_32 against `.text' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(dl-init.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(dl-fini.o): relocation R_X86_64_32S against undefined symbol `_dl_ns' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(dl-version.o): relocation R_X86_64_32S against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(dl-sym.o): relocation R_X86_64_32 against `.text' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libc.a(dl-iteratephdr.o): relocation R_X86_64_32 against undefined symbol `__pthread_mutex_lock' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status

* Just dropping the linker spec

google:centos-7-64 .../mini/hello# gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -Wl,-z,relro -static -v test.c
Using built-in specs.
Reading specs from /usr/lib/rpm/redhat/redhat-hardened-cc1
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
COLLECT_GCC_OPTIONS='-O2' '-g' '-pipe' '-Wall' '-fexceptions' '-fstack-protector-strong' '--param' 'ssp-buffer-size=4' '-grecord-gcc-switches' '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' '-static' '-v' '-mtune=generic' '-march=x86-64'
 /usr/libexec/gcc/x86_64-redhat-linux/4.8.5/cc1 -quiet -v -D_FORTIFY_SOURCE=2 test.c -quiet -dumpbase test.c -mtune=generic -march=x86-64 -auxbase test -g -grecord-gcc-switches -O2 -Wall -version -fexceptions -fstack-protector-strong --param ssp-buffer-size=4 -fPIE -o - |
 as -v --64 -o /tmp/ccS143z1.o
GNU C (GCC) version 4.8.5 20150623 (Red Hat 4.8.5-28) (x86_64-redhat-linux)
        compiled by GNU C version 4.8.5 20150623 (Red Hat 4.8.5-28), GMP version 6.0.0, MPFR version 3.1.1, MPC version 1.0.1
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/4.8.5/include-fixed"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../x86_64-redhat-linux/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-redhat-linux/4.8.5/include
 /usr/local/include
 /usr/include
End of search list.
GNU C (GCC) version 4.8.5 20150623 (Red Hat 4.8.5-28) (x86_64-redhat-linux)
        compiled by GNU C version 4.8.5 20150623 (Red Hat 4.8.5-28), GMP version 6.0.0, MPFR version 3.1.1, MPC version 1.0.1
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: fbe9869a2e70aadeaf82d7c32bbeabe0
GNU assembler version 2.27 (x86_64-redhat-linux) using BFD version version 2.27-28.base.el7_5.1
COMPILER_PATH=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/:/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/:/usr/libexec/gcc/x86_64-redhat-linux/:/usr/lib/gcc/x86_64-redhat-linux/4.8.5/:/usr/lib/gcc/x86_64-redhat-linux/
LIBRARY_PATH=/usr/lib/gcc/x86_64-redhat-linux/4.8.5/:/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-O2' '-g' '-pipe' '-Wall' '-fexceptions' '-fstack-protector-strong' '--param' 'ssp-buffer-size=4' '-grecord-gcc-switches' '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' '-static' '-v' '-mtune=generic' '-march=x86-64'
 /usr/libexec/gcc/x86_64-redhat-linux/4.8.5/collect2 --build-id --no-add-needed --hash-style=gnu -m elf_x86_64 -static /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/crt1.o /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/4.8.5/crtbeginT.o -L/usr/lib/gcc/x86_64-redhat-linux/4.8.5 -L/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../.. -z relro /tmp/ccS143z1.o --start-group -lgcc -lgcc_eh -lc --end-group /usr/lib/gcc/x86_64-redhat-linux/4.8.5/crtend.o /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/crtn.o
Additional Informationbinutils-2.27-28.base.el7_5.1.x86_64
gcc-4.8.5-28.el7_5.1.x86_64
glibc-2.17-222.el7.x86_64
glibc-static-2.17-222.el7.x86_64
redhat-rpm-config-9.1.0-80.el7.centos.noarch
TagsNo tags attached.
abrt_hash
URL

Activities

codonell

codonell

2019-07-19 15:23

reporter   ~0034854

You cannot use -static and /usr/lib/rpm/redhat/redhat-hardened-ld together.

There is no support for mixing both together.

In the future we may allow this, but it's not supported today.
TrevorH

TrevorH

2019-07-19 15:24

manager   ~0034855

Closing as per above.

Issue History

Date Modified Username Field Change
2018-09-28 12:34 bboozzoo New Issue
2019-07-19 15:23 codonell Note Added: 0034854
2019-07-19 15:24 TrevorH Status new => closed
2019-07-19 15:24 TrevorH Resolution open => not fixable
2019-07-19 15:24 TrevorH Note Added: 0034855