From fe3b111c6a054dd20970d1c9645c3329fc9d10f2 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Mon, 13 Jul 2015 23:20:16 -0700
Subject: [PATCH] coreos-kernel: add -fstack-check=no to kernel build
In addition to enabling PIE and stack protector, hardened compilers also enable the -fstack-check option which I had previously overlooked, conflating it with -fstack-protector which the kernel build already handles properly. This is the second time I hit this trying to use ccache, I forgot that -nopie was insufficent for kernel builds. Last time around reverted in cd043688f09b22ccf245ffd11f8a22a5ff31e577. At least this time I finally dug deep enough to find the cause instead of setting myself up for repeating history in another 6 months. For reference the issue is that the Go 1.3.x runtime can call clock_gettime with a very small stack. If the vDSO library was built with -fstack-check it will attempt to write 0 to a location beyond the end of the very small stack, triggering SEGV:
Dump of assembler code for function __vdso_clock_gettime:
0x00007ffff7ffaa50 <+0>: push %rbp
0x00007ffff7ffaa51 <+1>: mov %rsp,%rbp
0x00007ffff7ffaa54 <+4>: push %r14
0x00007ffff7ffaa56 <+6>: push %r13
0x00007ffff7ffaa58 <+8>: push %r12
0x00007ffff7ffaa5a <+10>: push %rbx
0x00007ffff7ffaa5b <+11>: sub $0x1038,%rsp
=> 0x00007ffff7ffaa62 <+18>: orq $0x0,(%rsp)
0x00007ffff7ffaa67 <+23>: add $0x1020,%rsp
---
 .../third_party/coreos-overlay/eclass/coreos-kernel.eclass | 6 ++++--
 ...kernel-4.0.7-r3.ebuild => coreos-kernel-4.0.7-r4.ebuild} | 0
 2 files changed, 4 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.0.7-r3.ebuild => coreos-kernel-4.0.7-r4.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
index 6acd4979df..5d59e56ddf 100644 
--- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
@@ -94,7 +94,7 @@ update_bootengine_cpio() {
 kmake() {
 local kernel_arch=$(tc-arch-kernel) kernel_cflags=
 if gcc-specs-pie; then
- kernel_cflags="-nopie"
+ kernel_cflags="-nopie -fstack-check=no"
 fi
 emake ARCH="${kernel_arch}" CROSS_COMPILE="${CHOST}-" \
 KCFLAGS="${kernel_cflags}" LDFLAGS="" "$@"
@@ -182,10 +182,12 @@ coreos-kernel_src_install() {
 # Install firmware to a temporary (bogus) location.
 # The linux-firmware package will be used instead.
 # Stripping must be done here, not portage, to preserve sigs.
+ # Uncomment vdso_install for easy access to debug symbols in gdb:
+ # set debug-file-directory /lib/modules/4.0.7-coreos-r2/vdso/
 kmake INSTALL_MOD_PATH="${D}" \
 INSTALL_MOD_STRIP="--strip-unneeded" \
 INSTALL_FW_PATH="${T}/fw" \
- modules_install
+ modules_install # vdso_install
 local version=$(kmake -s --no-print-directory kernelrelease)
 dosym "vmlinuz-${version}" /usr/boot/vmlinuz
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.7-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.7-r4.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.7-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.0.7-r4.ebuild
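Review bot: The reason for `-fstack-check=no` exists only in the commit message, so the `kernel_cflags` assignment in kmake should carry a comment before someone reads it as redundant with the kernel's own -fstack-protector handling and drops it, repeating the revert the message describes. Something like `# Hardened gcc also turns on -fstack-check (distinct from -fstack-protector, which kbuild handles itself); a vDSO built with it probes below %rsp and SEGVs callers on tiny stacks, e.g. the Go 1.3.x runtime calling clock_gettime.` Note that both overrides are gated on `gcc-specs-pie`, so a toolchain that enables -fstack-check without PIE would still build an affected vDSO; whether that combination can occur in this SDK I cannot tell from the hunk, but if it can, the flag wants its own check rather than riding on the PIE one. kmake's closing brace lies outside the hunk.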
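Review bot: The new comment in coreos-kernel_src_install hard-codes `/lib/modules/4.0.7-coreos-r2/vdso/`, which is already stale in this very commit (the ebuild is renamed to -r4) and will drift every release; the correct value is computed a few lines below as `version=$(kmake -s --no-print-directory kernelrelease)`, so the comment should read `# set debug-file-directory /lib/modules/<kernelrelease>/vdso/` or point at `${version}`. It would also help to say explicitly that the trailing `# vdso_install` on the `modules_install` line is what to uncomment and that it is for local debugging only, so nobody leaves it enabled in a release build. coreos-kernel_src_install starts and ends outside the hunk.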