** Description changed:
[Impact]
- The packaging does not respect compiler flags when building the Python
extensions, notably hardening flags like the stack protector, as well as
frame-pointer.
- [Test plan]
- Look at the build log and see that the build flags have been passed, notably
stuff like
+ Ceph packaging does not respect compiler flags when building Python
+ extensions, notably hardening flags like the stack protector, as well as
+ frame-pointer.
- -fno-strict-overflow -Wsign-compare -DNDEBUG -g -O2 -Wall -g -O2
-Werror=implicit-function-declaration -fno-omit-frame-pointer
-mno-omit-leaf-frame-pointer -ffile-prefix-map=/<<PKGBUILDDIR>>=.
-fstack-protector-strong -fstack-clash-protection -Wformat -Werror=for
- mat-security -fcf-protection
+ They were enabled and present in focal, but lost somewhere after impish.
+ Jammy is missing them, and noble is too.
- It can be seen that this is already the case for the shared libraries,
- it is only the Python extensions that are missing flags.
+ If we look at the buildlog for 19.2.1-0ubuntu0.24.04.2 on noble amd64,
+ we see CFLAGS="".
- [Where problems could occur]
- Hardening flags could surface existing (possibly security) bugs that have
been asymptomatic so far; frame-pointers will incur some slow down.
+ [ 76%] Generating
../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
+ cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS=""
CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)'
-D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++"
LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w"
LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib
CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs
CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12
/<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3
+
+ This should be fixed to include the standard Ubuntu defined hardening
+ CFLAGS.
+
+ [Testcase]
+
+ Check the buildlog for CFLAGS on "cython_modules" binaries.
+
+ There are test packages available in the following ppa:
+
+ https://launchpad.net/~mruffell/+archive/ubuntu/lp2119024-updates
+
+ If you check the build log for noble amd64, you should see:
+
+ [ 77%] Generating
../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
+ cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS=""\ -g\
-O2\ -fno-omit-frame-pointer\ -mno-omit-leaf-frame-pointer\
-ffile-prefix-map=/<<PKGBUILDDIR>>=.\ -fstack-protector-strong\
-fstack-clash-protection\ -Wformat\ -Werror=format-security\ -fcf-protection\
-fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/ceph-19.2.3-0ubuntu0.24.04.1~lp2119024v20251106b1\
-Wdate-time\ -D_FORTIFY_SOURCE=3 CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include
-w -D'void0=dead_function(void)'
-D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++"
LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w"
LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib\ \
-Wl,-Bsymbolic-functions\ -Wl,-z,relro\ -Wl,-z,now\ -Wl,--as-needed\ -latomic
CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs
CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12
/<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3
+
+ Where all CFLAGS are present.
+
+ [Where problems can occur]
+
+ We are enabling compiler hardening flags which tighten up execution and
+ security requirements as expected of any package in the Ubuntu archive.
+
+ This could potentially lead to these compiled python libraries
+ segmentation faulting if they happen to rely on faulty behaviour of
+ exceeding the stack boundary and overwriting the newly placed stack
+ canaries.
+
+ Ideally, all python modules should be exercised before release, but in
+ general, a certification pass of the ceph point release verification
+ should be enough to smoke test these modules.
+
+ [Other info]
+
+ Gentoo commit:
+
https://github.com/gentoo/gentoo/commit/c588d0c55a2facb7b98331abf3ccb2439cc34286
+
+ Gentoo bugs:
+ https://bugs.gentoo.org/866159
+ https://bugs.gentoo.org/866161
** Changed in: ceph (Ubuntu Noble)
Status: Triaged => In Progress
** Changed in: ceph (Ubuntu Noble)
Assignee: (unassigned) => Matthew Ruffell (mruffell)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2078244
Title:
ceph: Does not respect compiler flags for Python extensions
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/2078244/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
