minipli / linux-unofficial_grsec

Unofficial forward ports of the last publicly available grsecurity patch

Build failures with gold linker #12

Closed orlitzky closed 7 years ago

orlitzky commented 7 years ago

I'm not sure if this is something you're interested in, but it's worth a shot. I noticed this build failure a while ago with the official grsec sources and reported it in Gentoo bug #607974. I just tested it with HEAD from the repo, and get a similar failure:

  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/pnmtologo
  HOSTCC  scripts/conmakehash
  HOSTCC  scripts/sortextable
  CC      init/main.o
ld: warning: init/.tmp_main.o: section .init.rodata.str contains incorrectly aligned strings; the alignment of those strings won't be preserved
  CHK     include/generated/compile.h
  CC      init/version.o
  CC      init/do_mounts.o
ld: warning: init/.tmp_do_mounts.o: section .init.rodata.str contains incorrectly aligned strings; the alignment of those strings won't be preserved
  LD      init/mounts.o
  CC      init/noinitramfs.o
  CC      init/calibrate.o
  CC      init/init_task.o
  LD      init/built-in.o
ld: error: init/version.o: multiple definition of '__rap_hash_call_this_cpu_cmpxchg16b_emu'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_ret_this_cpu_cmpxchg16b_emu'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_call_call_rwsem_down_read_failed'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_ret_call_rwsem_down_read_failed'
ld: init/main.o: previous definition here
...

This happens whenever my "ld" is set to the gold linker:

$ ld --version
GNU gold (Gentoo 2.28.1 p1.0 2.28.1) 1.14

I'll paste only my pax/grsec config options below, but anything else you need is available too.

#
# Security options
#

#
# Grsecurity
#
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set

#
# Default Special Groups
#
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=117

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
CONFIG_PAX_INITIFY=y
CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
# CONFIG_PAX_INITIFY_VERBOSE is not set
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_PAX_RAP=y
# CONFIG_PAX_RAP_VERBOSE is not set

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y

#
# Executable Protections
#
# CONFIG_GRKERNSEC_DMESG is not set
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=117

#
# Network Protections
#
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Physical Protections
#
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set

#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
# CONFIG_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENABLED=y
# CONFIG_INTEGRITY is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y

theLOICofFRANCE commented 7 years ago

Hi,

RAP is implemented as a GCC compiler plugin. So deactivate it, I think: CONFIG_PAX_RAP=n

miroR commented 7 years ago

On 171114-19:51+0000, Loïc wrote:

Hi,

RAP is implemented as a GCC compiler plugin. So deactivate it, I think: CONFIG_PAX_RAP=n

Hmmh... I don't have those issues. And I have:

cat /boot/config-4.9.59-unofficial+grsec171031-19 | grep PAX_RAP

CONFIG_PAX_RAP=y
# CONFIG_PAX_RAP_VERBOSE is not set

( and I even think I'll set it to be:

cat /boot/config-4.9.61-unofficial+grsec17xxxx-xx | grep PAX_RAP

... CONFIG_PAX_RAP_VERBOSE=y

for my next compilation with Loïc's patch. :-)

And that means, @Michael Orlitzky, that you would probably need to get the, what is it, let me think... that you would need something like this (and maybe other stuff), and your RAP can be on as well:

apt-cache search gcc | grep plugin

gcc-6-plugin-dev - Files for GNU GCC plugin development. ...

Because it's an important protection...

And I think that Mathias Krause, minipli, and our guy from Devuan, parazyd, got RAP to work completely, but I'm not advanced enough to be able to check it, it's only indications I think I saw of it, and read about it somewhere... So it is recommended to try and keep it.

You can find on forum.grsecurity.net (or is it forums.grsecurity.net) how my attackers aimed exactly at the RAP in my machine, because most everything else was well protected by grsec here... And they aimed at RAP because it was at that time since maybe a year or so disabled in the non-paid grsec kernels (because of the filthy games against spender and PaX Team by Linus and his comrades and by, we know now, Google -- for that look up the very last topic in the grsecurity forums, named "Paid access to test patches" and in it the very last post, by spender)... EDIT 2017-11-16 Wait, it may be this link, where the RAP exploit was tried against me, see this topic on grsec forums: PAX: overwritten function pointer or return address, bans portage! https://forums.grsecurity.net/viewtopic.php?f=3&t=4653 EDIT END

But about the gcc plugin, if you go that way, and if that is missing, maybe someone else can instruct Michael Orlitzky more precisely.

Regards!

-- Miroslav Rovis Zagreb, Croatia https://www.CroatiaFidelis.hr

orlitzky commented 7 years ago

Thanks guys. I am actually able to get the sources to build with RAP enabled, but to do that, I have to change my linker from Gold to the BFD linker that comes with GNU binutils. On my system, /usr/bin/ld is a symlink and I can switch freely between the two.

When I'm building the kernel with the Gold linker and receive the above error, I can change the symlink to point to "ld" from GNU binutils. If I then type make again, the build process resumes and succeeds -- so I'm relatively sure that the problem is with the linker.

Of course, there may be a fundamental incompatibility between Gold and the way RAP is implemented, so "use the BFD linker" might wind up being the answer, anyway. Either way it would be nice to know =)

theLOICofFRANCE commented 7 years ago

I think that Mathias Krause, minipli, ... got RAP to work completely

One thing of course is that he's playing with it ;)

You can find on forum.grsecurity.net (or is it forums.grsecurity.net) how my attackers aimed exactly at the RAP in my machine

I'll take a look at that.

Either way it would be nice to know =)

Did you try to modify the "scripts/Makefile.gcc-plugins" or "scripts/gcc-plugins/rap_plugin/Makefile" to use gcc's option "-fuse-ld=gold"?

orlitzky commented 7 years ago

Did you try to modify the "scripts/Makefile.gcc-plugins" or "scripts/gcc-plugins/rap_plugin/Makefile" to use gcc's option "-fuse-ld=gold"?

I haven't tried messing with the build system at all, but I think the two options -fuse-ld=bfd and -fuse-ld=gold simply switch between the two executables ld.bfd and ld.gold:

$ ls /usr/bin/ld.*
/usr/bin/ld.bfd 
/usr/bin/ld.gold

The default (again, just assuming here) is to use /usr/bin/ld. However, on my system, /usr/bin/ld is a symlink to one of the other two (ld.bfd or ld.gold). So what would typically be accomplished through -fuse-ld=gold is instead accomplished at the symlink level. (We can more or less build an entire Gentoo system using gold in that manner.)

miroR commented 7 years ago

HacKurx replied to my: "Wait, it may be this link, where the RAP exploit was tried against me, see this topic on grsec forums:" and I had previously given a wrong link there. This is the one: PAX: overwritten function pointer or return address, bans portage! https://forums.grsecurity.net/viewtopic.php?f=3&t=4653 ( but it's not much, just indications, due to my Air-Gapped methods of poor-user's security ) And I'm reposting the correct link because people don't get editions to githuweets in their mailboxes.

Loic (firstname of kind developer HacKurx), for some reason, I couldn't decrypt the mail you sent me (and since we don't have a grsec-unoff dedicated mailing list or a grsec-unoff dedicated forum (yet) this is the only place I can tell you about it).

miroR commented 7 years ago

"( but it's not much, just indications, due to my Air-Gapped methods of poor-user's security )" meaning I bailed out before the exploit would develop... and, sadly, couldn't easily test the case as PaX Team had asked: "can you reproduce this with a vanilla kernel?" https://forums.grsecurity.net/viewtopic.php?f=3&t=4653#p16881 And my Air-Gap method is in my (verbose) follow-up reply there.

minipli commented 7 years ago

@orlitzky, I'm not certain if the kernel can be built with the gold linker even with RAP disabled -- actually even at all.

Have you tried building a vanilla kernel with the gold linker? If that works I'm willing to add -fuse-ld=bfd to RAP's CFLAGS. However, the symbols gold is complaining about are absolute ones that should have the same value. So I don't know why it's complaining :/

orlitzky commented 7 years ago

@minipli Changing CONFIG_PAX_RAP=y to CONFIG_PAX_RAP=n does fix the build, with all else held constant.

Please don't introduce any hacks into the build system on my account. Gold is a little bit stricter than the BFD linker, so usually these issues are pretty easy to resolve by adding a missing -lfoo to $LIBS or something trivial (but technically correct) like that.

This is only worth fixing if it's a subtle bug that Gold catches, but that the BFD linker does not. Otherwise, I'm happy to switch linkers before building the kernel.

minipli commented 7 years ago

Well, the issue is, the symbols gold is complaining about are the ones RAP needs to do the hash based type check. It emits them during compilation for each compilation unit. As it can't know in advance which functions have their address taken it emits symbols for all of them. However, those symbols are emitted as absolute values and -- as long as there are no conflicting prototype declarations -- should all be the same for a given function -- and, in turn, for a given RAP hash symbol. Otherwise the final link is expected to fail as there are, apparently, two code locations that have a different understanding of how the function prototype should look like. But RAP needs exactly one to do its type check.

However, here it's different. gold is complaining about RAP hash symbols that have the same value. It's IMO not a bug in the RAP plugin, it's just gold that's too picky about multiple definitions of a symbol -- even if they all have the same (absolute) value.

I'll add it to my TODO list but it might take some time. I've a few plugin related changes pending already.

Thanks for the report!
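As an added triage aid (not part of this issue or the repository), the script below pairs each gold "multiple definition" error with its "previous definition here" line and separates collisions on RAP's per-unit `__rap_hash_call_*` / `__rap_hash_ret_*` absolute symbols (the gold strictness described above) from any other duplicate symbol, which would deserve a real look. The sample log is constructed from the errors quoted in the report, plus one made-up non-RAP symbol to exercise the second branch.

```python
import re
from collections import defaultdict

# Constructed sample: three RAP error pairs as quoted in the issue, plus one
# invented non-RAP duplicate ('some_real_function') to show the other branch.
SAMPLE_LOG = """\
  LD      init/built-in.o
ld: error: init/version.o: multiple definition of '__rap_hash_call_this_cpu_cmpxchg16b_emu'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_ret_this_cpu_cmpxchg16b_emu'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_call_call_rwsem_down_read_failed'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of 'some_real_function'
ld: init/main.o: previous definition here
"""

ERROR_RE = re.compile(r"^ld: error: (?P<obj>\S+): multiple definition of '(?P<sym>[^']+)'$")
PREV_RE = re.compile(r"^ld: (?P<obj>\S+): previous definition here$")
# RAP emits one 'call' and one 'ret' hash symbol per function; strip the prefix to recover the function name.
RAP_RE = re.compile(r"^__rap_hash_(?P<kind>call|ret)_(?P<func>.+)$")

def parse_multiple_definitions(log):
    """Return (symbol, new_object, previous_object) for each gold error/previous-definition pair."""
    results = []
    pending = None
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            pending = (m.group("sym"), m.group("obj"))
            continue
        m = PREV_RE.match(line)
        if m and pending is not None:
            results.append((pending[0], pending[1], m.group("obj")))
            pending = None
    return results

def triage(log):
    """Group RAP hash collisions by the hashed function; keep every other duplicate separately."""
    rap = defaultdict(set)
    other = []
    for sym, new_obj, prev_obj in parse_multiple_definitions(log):
        m = RAP_RE.match(sym)
        if m:
            rap[m.group("func")].add((new_obj, prev_obj))
        else:
            other.append((sym, new_obj, prev_obj))
    return {"rap_functions": dict(rap), "other": other}
```

If `other` comes back empty, every collision is a RAP hash symbol between two objects, which matches the same-value absolute-symbol case minipli describes; a non-empty `other` list points at a genuine duplicate definition instead.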

orlitzky commented 7 years ago

it's just gold that's too picky about multiple definitions of a symbol -- even if they all have the same (absolute) value.

I'll ask on the binutils list if this is the intended behavior... maybe I'm wasting your time with a linker bug =P

orlitzky commented 7 years ago

So it goes: https://sourceware.org/ml/binutils/2017-11/msg00543.html

Thanks for your help with this!

minipli commented 7 years ago

Thank you for insisting!