bug#27429: Stack clash (CVE-2017-1000366 etc)

[Ludovic Courtès]

Hi Mark,

Mark H Weaver <address@hidden> skribis:

> I tried to copy the .drv files for the grafted 'glibc-final' and
> 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
> ask Hydra to build it, but both "guix copy" and "guix archive --export"
> failed:
>
> address@hidden ~$ guix copy address@hidden 
> /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv 
> /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv
> sending 11 store items to 'localhost'...
> guix copy: error: corrupt input while restoring archive from #<closed: file 
> 231bbd0>
> address@hidden ~$ guix archive --export 
> /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv 
> /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv > 
> GRAFTED-GLIBC-DRVS.nar
> guix archive: error: corrupt input while restoring archive from #<closed: 
> file 17e9d20>

Apparently they got built at some point.

As for the problems above: error reporting in ‘guix copy’ is suboptimal
(help welcome!), and the ‘guix archive --export’ problem looks like a
bug; could you report it?

> I'm concerned that i686 and armhf users are going to have a rude
> awakening when they not only have to build two variants of glibc, but
> also a bunch of the early bootstrap because the NARs are not available
> on Hydra.  It would be good if someone could take care of that.

Doing:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build -e '(begin (use-modules (guix)) 
(package-replacement (@@ (gnu packages commencement) glibc-final)))' -s 
i686-linux --log-file --no-grafts
https://mirror.hydra.gnu.org/log/ivvdx2m0p6gnmcxmz355z106ffqg9p25-glibc-2.25.drv
--8<---------------cut here---------------end--------------->8---

I see that glibc fails to build on i686 (but I think you’ve just fixed
it?):

--8<---------------cut here---------------start------------->8---
i686-guix-linux-gnu-gcc ../sysdeps/i386/i686/multiarch/strcspn-c.c -c 
-std=gnu11 -fgnu89-inline  -O2 -Wall -Werror -Wundef -Wwrite-strings 
-fmerge-all-constants -fno-stack-protector -frounding-math -g 
-Wstrict-prototypes -Wold-style-definition   -fPIC -Wa,-mtune=i686  -mno-sse 
-mno-mmx -mfpmath=387  -msse4  -ftls-model=initial-exec      -I../include 
-I/tmp/guix-build-glibc-2.25.drv-0/build/string  
-I/tmp/guix-build-glibc-2.25.drv-0/build  
-I../sysdeps/unix/sysv/linux/i386/i686  -I../sysdeps/i386/i686/nptl  
-I../sysdeps/unix/sysv/linux/i386  -I../sysdeps/unix/sysv/linux/x86  
-I../sysdeps/i386/nptl  -I../sysdeps/unix/sysv/linux/include 
-I../sysdeps/unix/sysv/linux  -I../sysdeps/nptl  -I../sysdeps/pthread  
-I../sysdeps/gnu  -I../sysdeps/unix/inet  -I../sysdeps/unix/sysv  
-I../sysdeps/unix/i386  -I../sysdeps/unix  -I../sysdeps/posix  
-I../sysdeps/i386/i686/fpu/multiarch  -I../sysdeps/i386/i686/fpu  
-I../sysdeps/i386/i686/multiarch  -I../sysdeps/i386/i686  -I../sysdeps/i386/fpu 
 -I../sysdeps/x86/fpu/include -I../sysdeps/x86/fpu  -I../sysdeps/i386  
-I../sysdeps/x86  -I../sysdeps/wordsize-32  
-I../sysdeps/ieee754/ldbl-96/include -I../sysdeps/ieee754/ldbl-96  
-I../sysdeps/ieee754/dbl-64  -I../sysdeps/ieee754/flt-32  -I../sysdeps/ieee754  
-I../sysdeps/generic  -I.. -I../libio -I. -nostdinc -isystem 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include
 -isystem 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include-fixed
 -isystem 
/gnu/store/cwls4k58gw85lsrm2m2icpgwhvd0452n-linux-libre-headers-4.4.47/include  
-D_LIBC_REENTRANT -include 
/tmp/guix-build-glibc-2.25.drv-0/build/libc-modules.h -DMODULE_NAME=rtld 
-include ../include/libc-symbols.h  -DPIC -DSHARED     -o 
/tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os -MD -MP -MF 
/tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os.dt -MT 
/tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os  -mno-sse 
-mno-mmx -mfpmath=387 
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h: In function '__m128i_shift_right':
../sysdeps/x86_64/multiarch/varshift.h:26:1: error: SSE vector return without 
SSE enabled changes the ABI [-Werror=psabi]
 {
 ^
In file included from 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/smmintrin.h:32:0,
                 from 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/nmmintrin.h:31,
                 from ../sysdeps/x86_64/multiarch/strcspn-c.c:20,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/tmmintrin.h:136:1:
 error: inlining failed in call to always_inline '_mm_shuffle_epi8': target 
specific option mismatch
 _mm_shuffle_epi8 (__m128i __X, __m128i __Y)
 ^
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h:27:10: error: called from here
   return _mm_shuffle_epi8 (value,
          ^
In file included from 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/pmmintrin.h:31:0,
                 from 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/tmmintrin.h:31,
                 from 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/smmintrin.h:32,
                 from 
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/nmmintrin.h:31,
                 from ../sysdeps/x86_64/multiarch/strcspn-c.c:20,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/emmintrin.h:696:1:
 error: inlining failed in call to always_inline '_mm_loadu_si128': target 
specific option mismatch
 _mm_loadu_si128 (__m128i const *__P)
 ^
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h:27:10: error: called from here
   return _mm_shuffle_epi8 (value,
          ^
cc1: all warnings being treated as errors
make[4]: *** [/tmp/guix-build-glibc-2.25.drv-0/build/sysd-rules:561: 
/tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os] Error 1
make[4]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25/string'
make[3]: *** [../o-iterator.mk:9: 
/tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strchr.os] Error 2
make[3]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25/elf'
make[2]: *** [Makefile:443: 
/tmp/guix-build-glibc-2.25.drv-0/build/elf/rtld-libc.a] Error 2
make[2]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25/elf'
make[1]: *** [Makefile:215: elf/subdir_lib] Error 2
make[1]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25'
make: *** [Makefile:9: all] Error 2
phase `build' failed after 327.9 seconds
builder for `/gnu/store/ivvdx2m0p6gnmcxmz355z106ffqg9p25-glibc-2.25.drv' failed 
with exit code 1
--8<---------------cut here---------------end--------------->8---

The ARM variant builds fine though:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build -e '(begin (use-modules (guix)) 
(package-replacement (@@ (gnu packages commencement) glibc-final)))' -s 
armhf-linux -n --substitute-urls=https://hydra.gnu.org
substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
27.4 MB would be downloaded:
   /gnu/store/9xcjggbxli1gdp9daz97v1f1f0yxnsxv-glibc-2.25-debug
   /gnu/store/4i5ih43cjk3syk8r24lc12snqfd9dm8m-glibc-2.25
$ git describe
v0.13.0-1020-ga1b46bdc0
--8<---------------cut here---------------end--------------->8---

Ludo’.