firebird
firebird copied to clipboard
FirebirdSQL
extern/decNumber/Makefile does not use CFLAGS
Versions: firebird 5.0.0.1306 gcc 13.2.1
This means the resulting static library will be built without for example distribution hardening. This results in all the firebird binaries that link to that static library not supporting hardening such as CET which requires all units to be built with it enabled.
$ readelf -n ./extern/decNumber/libdecFloat.a
File: ./extern/decNumber/libdecFloat.a(decContext.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86
File: ./extern/decNumber/libdecFloat.a(decDouble.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86, XMM
File: ./extern/decNumber/libdecFloat.a(decNumber.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86, XMM
File: ./extern/decNumber/libdecFloat.a(decPacked.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used:
x86 feature used: x86
File: ./extern/decNumber/libdecFloat.a(decQuad.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86, XMM
File: ./extern/decNumber/libdecFloat.a(decSingle.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86, XMM
File: ./extern/decNumber/libdecFloat.a(decimal128.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86, XMM
File: ./extern/decNumber/libdecFloat.a(decimal32.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86
File: ./extern/decNumber/libdecFloat.a(decimal64.o)
Displaying notes found in: .note.gnu.property
Owner Data size Description
GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0
Properties: x86 ISA used: x86-64-baseline
x86 feature used: x86, XMM
The resulting libfbclient.so.5.0.0' lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK as libdecFloat.a lacks it and the linker requires all compilation units / libraries to support it to use CET. This can be demonstrated by using LDFLAGS=' -Wl,-z,cet-report=error' to have the linker fail when it can not use CET. So using:
export CXXFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -fstack-clash-protection -fcf-protection -Wformat -Werror=format-security -Wp,-D_GLIBCXX_ASSERTIONS -g -ffile-prefix-map=/build/libfbclient/src=/usr/src/debug/libfbclient -flto=auto
export LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -Wl,-z,cet-report=error
export CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -fstack-clash-protection -fcf-protection -Wformat -Werror=format-security -g -ffile-prefix-map=/build/libfbclient/src=/usr/src/debug/libfbclient -flto=auto
./configure --prefix=/usr --without-fbsbin --without-fbconf --without-fbdoc --without-fbsample --without-fbsample-db --without-fbintl --without-fbmisc --without-fbsecure-db --with-fbmsg=/usr/share/firebird --without-fblog --without-fbglock --without-fbplugins --without-fbtzdata --without-tomcrypt --enable-client-only
make
Fails in the final link with:
g++ -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -fstack-clash-protection -fcf-protection -Wformat -Werror=format-security -Wp,-D_GLIBCXX_ASSERTIONS -g -ffile-prefix-map=/build/libfbclient/src=/usr/src/debug/libfbclient -flto=auto -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -Wl,-z,cet-report=error -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -Wl,-z,cet-report=error -static-libstdc++ -Wl,--version-script,firebird.vers -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -flto=auto -Wl,-z,cet-report=error -shared -Wl,-soname,libfbclient.so.2 -Wl,-rpath,/lib -o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/gen/Release/firebird/lib/libfbclient.so.5.0.0 /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/DistributedTransaction.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/MasterImplementation.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/PluginManager.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/alt.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/array.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/blob.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/gds.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/keywordsStub.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/perf.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/preparse.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/user_dsql.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/utl.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/why.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/config/os/posix/binreloc.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/yvalve/config/os/posix/config_root.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/inet.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/merge.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/parser.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/protocol.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/remote.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/auth/SecureRemotePassword/srp.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/client/BlrFromMessage.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/remote/client/interface.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/auth/SecureRemotePassword/client/SrpClient.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/auth/SecurityDatabase/LegacyClient.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/plugins/crypt/arc4/Arc4.o /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/common.a -L/build/libfbclient/src/Firebird-5.0.0.1306-0-source/gen/Release/firebird/lib -L/build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release -latomic -lm -ldecFloat -ltommath
/usr/bin/ld: /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/libdecFloat.a(decContext.o): error: missing IBT and SHSTK properties
/usr/bin/ld: /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/libdecFloat.a(decDouble.o): error: missing IBT and SHSTK properties
/usr/bin/ld: /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/libdecFloat.a(decNumber.o): error: missing IBT and SHSTK properties
/usr/bin/ld: /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/libdecFloat.a(decQuad.o): error: missing IBT and SHSTK properties
/usr/bin/ld: /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/libdecFloat.a(decimal128.o): error: missing IBT and SHSTK properties
/usr/bin/ld: /build/libfbclient/src/Firebird-5.0.0.1306-0-source/temp/Release/libdecFloat.a(decimal64.o): error: missing IBT and SHSTK properties
