Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler

Bug #1574982 reported by dino99
230
This bug affects 40 people
Affects Status Importance Assigned to Milestone
dkms (Ubuntu)
Invalid
High
Unassigned
Xenial
Invalid
Undecided
Unassigned
gcc-defaults (Ubuntu)
Invalid
Undecided
Unassigned
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Joe Abt
nvidia-graphics-drivers-340 (Ubuntu)
Invalid
Undecided
Unassigned
nvidia-graphics-drivers-375 (Ubuntu)
Invalid
Undecided
Unassigned
virtualbox (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Installing the latest 4.4.0-22 kernel ends with that error logged into dkmsbuildlog
(only affect yakkety kernel; 4.4.0-22 kernel installation on xenial is fine)

https://launchpadlibrarian.net/256055415/DKMSBuildLog.txt

make "CC=cc" KBUILD_VERBOSE= -C /lib/modules/4.4.0-22-generic/build M=/var/lib/dkms/nvidia-361/361.42/build ARCH=x86_64 NV_KERNEL_SOURCES=/lib/modules/4.4.0-22-generic/build NV_KERNEL_OUTPUT=/lib/modules/4.4.0-22-generic/build NV_KERNEL_MODULES="nvidia nvidia-uvm nvidia-modeset" INSTALL_MOD_DIR=kernel/drivers/video modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-22-generic'
arch/x86/Makefile:133: stack-protector enabled but compiler support broken
Makefile:670: Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not supported by compiler

the latest error logged is:

/var/lib/dkms/nvidia-361/361.42/build/nvidia/nv-frontend.c:1:0: error: code model kernel does not support PIC mode

Looks like it is related to the latest changes updates: gcc-6/gcc-5 5.3.1-16ubuntu2 (some packages built with gcc-6; gcc-5 disabled for the packages built with gcc-6)
Maybe some alternatives has not been updated to take care of these changes, as asked some time ago:
http://askubuntu.com/questions/26498/choose-gcc-and-g-version

This has been firstly reported against a nvidia crash:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-361/+bug/1574838

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: gcc 4:5.3.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Tue Apr 26 08:41:32 2016
SourcePackage: gcc-defaults
UpgradeStatus: No upgrade log present (probably fresh install)
---
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: oem 2014 F.... pulseaudio
 /dev/snd/pcmC0D0p: oem 2014 F...m pulseaudio
 /dev/snd/controlC0: oem 2014 F.... pulseaudio
CurrentDesktop: GNOME
DistroRelease: Ubuntu 16.10
HibernationDevice: RESUME=UUID=0a9ca7f0-6eeb-4b21-b70f-670fa600de16
IwConfig:
 eth0 no wireless extensions.

 eth1 no wireless extensions.

 lo no wireless extensions.
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 003 Device 002: ID 046d:c062 Logitech, Inc. M-UAS144 [LS1 Laser Mouse]
 Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: ASUSTEK COMPUTER INC P5W DH Deluxe
NonfreeKernelModules: nvidia_uvm nvidia_modeset nvidia
Package: ubuntu
ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-21-generic root=UUID=7c755ed6-51cc-4b75-88ac-9c75acf82749 ro
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-21-generic N/A
 linux-backports-modules-4.4.0-21-generic N/A
 linux-firmware 1.157
RfKill:

Tags: yakkety
Uname: Linux 4.4.0-21-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True
dmi.bios.date: 07/22/2010
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 3002
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: P5W DH Deluxe
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr3002:bd07/22/2010:svnASUSTEKCOMPUTERINC:pnP5WDHDeluxe:pvrSystemVersion:rvnASUSTeKComputerINC.:rnP5WDHDeluxe:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: P5W DH Deluxe
dmi.product.version: System Version
dmi.sys.vendor: ASUSTEK COMPUTER INC

CVE References

Revision history for this message
dino99 (9d9) wrote :
description: updated
Revision history for this message
dino99 (9d9) wrote :

That issue has been met also by other distros many times; and nvidia says its a kernel toolchain problem; so opening a 'linux' issue too.

https://devtalk.nvidia.com/default/topic/902950/linux/-solved-faulty-340-9x-drivers-with-kernels-4-2-x-and-4-3-x/

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1574982

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
dino99 (9d9)
Changed in linux (Ubuntu):
status: Incomplete → New
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Incomplete
dino99 (9d9)
tags: added: apport-collected
description: updated
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
dino99 (9d9)
description: updated
dino99 (9d9)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gcc-defaults (Ubuntu):
status: New → Confirmed
Changed in ubuntu (Ubuntu):
status: New → Confirmed
Revision history for this message
Matthias Klose (doko) wrote :

you have to build with -no-pie. Please read the Yakkety Yak opening announcement.

Changed in gcc-defaults (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
David Daynard (nardholio) wrote :

Please explain how I am going to build with -no-pie when apt-get and dkms automates the entire process here.

Revision history for this message
dino99 (9d9) wrote :

@David

Please ask on askubuntu to get a dev answer; here it is only for report, not asking. Thanks

Revision history for this message
David Daynard (nardholio) wrote :

My comment was sarcastic. The build flags for dkms packages are invisible to the end user and there is no easy way to change them. This is either a packaging error with the kernel module or the gcc default flags are erroneous. In either case this is not something the end user solves by changing build flags.

Matthias Klose (doko)
affects: ubuntu (Ubuntu) → dkms (Ubuntu)
Changed in dkms (Ubuntu):
importance: Undecided → High
Revision history for this message
dino99 (9d9) wrote :

Got a new dpkg that should help resolving that issue:

dpkg (1.18.4ubuntu2) yakkety; urgency=medium

  * No-change rebuild to pick up -fPIE on amd64 and ppc64el.

 -- Matthias Klose <email address hidden> Fri, 29 Apr 2016 13:53:32 +0200

then i ran a kernel 4.4.0-22 reinstallation: but still got the same crashes (nvidia-364, bbswitch & virtualbox). So the kernel compilation itself might need some tweaks too

Revision history for this message
dino99 (9d9) wrote :

dpkg still needs to be used with the good flags Bug #1576915

Revision history for this message
David Daynard (nardholio) wrote :

This seems to be a bug in gcc itself. It should automatically disable PIE when -mcmodel=kernel or when __KERNEL__ is passed in a header. Attempts to compile using no PIE command line flags don't work either. It's as if it's not allowing it to be turned back off.

Revision history for this message
dino99 (9d9) wrote :

@David
Matthias have set gcc-defaults to 'invalid' (#7); maybe needs to set gcc-6 instead (or gcc-5; does not know which one is used in that case)

Revision history for this message
iLogin (cerebellum-l) wrote :

https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa

linux - 4.6.0-2.3

in Makefile

# force no-pie for distro compilers that enable pie by default
KBUILD_CFLAGS += $(call cc-option, -fno-pie)
KBUILD_CFLAGS += $(call cc-option, -no-pie)
KBUILD_AFLAGS += $(call cc-option, -fno-pie)

....

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

I was able to compile HHVM and Nvidia binary driver by reverting GCC package to older version, now Xenial uses newer packages by default, which makes compilation out of the box impossible.

This doesn't feel like dkms-specific issue, since HHVM is very different thing and suffers from the same issue.

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

I've added:
EXTRA_CFLAGS += -fno-pie

In /usr/src/nvidia-364-364.19/Kbuild before line 59 and compilation of Nvidia module using dkms succeeded.

Revision history for this message
dino99 (9d9) wrote :

Thanks Nazar, your solution works fine. Still need a solution for the bbswitch-dkms é virtualbox crashes

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

No, solution was incomplete.
Correct is following:
EXTRA_CFLAGS += -fno-pie -fno-stack-protector

Otherwise it compiles, but afterwards doesn't work and complains with "Unknown symbol __stack_chk_fail (err 0)"

For all other modules (tried with bbswitch-0.8, tuxedo-wmo-1.5.1, virtualbox-5.0.18) just find corresponding Makefile (there are few of them in virtualbox directory) and add following at the beginning of the file:
EXTRA_CFLAGS := -fno-pie -fno-stack-protector

And it will also compile and work fine.

Revision history for this message
iLogin (cerebellum-l) wrote :

This error is somehow associated with this bug?

Additonal test failures with --enable-default-pie
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70150

11 test regressions when building GCC 6 with --enable-default-ssp
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70230

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Hi Nazar, I failed to make a vbox patch.
it fails now with some
"error: Missing # define g_kLdrRdrFileOps"

can you please share your patch?
thanks

Revision history for this message
dino99 (9d9) wrote :

Feedback

Following the #19 comment above, both nvidia-xxx and bbswitch compile as expected. But virtualbox (from oracle, as the ubuntu one is unistallable) fails:
- inserted "EXTRA_CFLAGS := -fno-pie -fno-stack-protector" into the many 'Makefile' from /usr/src/... and /var/lib/dkms/.... ; they are well saved
- but reinstalling virtualbox ends with a crash, and all the modified 'Makefile' are reverted to their original status.

I may have miss something somewhere i suppose.

Revision history for this message
dino99 (9d9) wrote :

Feedback_2

Try to boot with the 4.4.0-22 kernel: as the nvidia-361 module has been well compiled, i've made a cold boot.
The process goes well until the lightdm login screen: the password validation fails to load the nvidia graphic process, and bounce back to the login screen.

So the changes made (#19) is good enough to get a clean compilation, but the fix is not complete

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

For virtualbox you should modify Makefile under following subdirectories only: boxdrv, vboxnetapd, vboxnetflt and vboxpci.

The fix in #19 should be complete, since I'm currently on vanilla kernel 4.6.0-rc7 compiled with similar tweak and all modules compiled with mentioned patches and Nvidia, VirtualBox and other stuff work wonderfully.

If you've compiled Nvidia with incomplete patch first, try `dkms remove ...` for that module and then `dkms install ...` again to force it recompile sources instead of using cached version.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

You need to build the whole virtualbox, not only the host drivers.
I suspect you took the virtualbox-source package and did some module-assistant tricks.

Revision history for this message
Andy Whitcroft (apw) wrote :

Ok, we now have a minimal patch for the kernel to disable PIE. This reflects into the headers packages so that DKMS packages building against those will also have PIE disabled. Will send to kernel-team@ for review once it passes final testing.

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

Will mentioned patch have potential to go upstream?

Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
no longer affects: gcc-defaults (Ubuntu Xenial)
Changed in gcc-defaults (Ubuntu):
status: Invalid → New
status: New → Confirmed
Matthias Klose (doko)
Changed in gcc-defaults (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dkms (Ubuntu Xenial):
status: New → Confirmed
Revision history for this message
dino99 (9d9) wrote :

New kernel installation still crash on amd64. That problem is a blocker, priority might be raised.

Revision history for this message
dino99 (9d9) wrote :

Debian answer & possible solution:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823869#10

its an Ubuntu problem, and Debian will probably change nothing to their dkms version.

Revision history for this message
twicejr (twicejr) wrote :

Fix:

Needed to add in
EXTRA_CFLAGS += -fno-pie -fno-stack-protector
to /usr/src/nvidia-364-364.19/Kbuild

And to top /usr/src/bbswitch-0.8/Makefile
EXTRA_CFLAGS := -fno-pie -fno-stack-protector

Then issue a command:
ls /usr/src/linux-headers-* -d | sed -e 's/.*linux-headers-//' | sort -V | tac | sudo xargs -n1 /usr/lib/dkms/dkms_autoinstaller start

EXTRA_CFLAGS := -fno-pie -fno-stack-protector

Revision history for this message
twicejr (twicejr) wrote :

Already mentioned, of course, but to sum it up ^

Revision history for this message
dino99 (9d9) wrote :

Feedback: installing kernel 4.4.0−23 (without other kbuild∕makefile tweak)
- no crasher at installation
- reboot with no black screen

 * Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: -fstack-protector-strong not
    supported by compiler (LP: #1574982)
    - SAUCE: (no-up) disable -pie when gcc has it enabled by default

Good job done !!!!
So the other 'affected' packages can be closed now, as the kernel build config takes care of that issue

Changed in dkms (Ubuntu):
status: Confirmed → Invalid
Changed in dkms (Ubuntu Xenial):
status: Confirmed → Invalid
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

looks good to me!

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-24.43

---------------
linux (4.4.0-24.43) xenial; urgency=low

  [ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler
    - SAUCE: sched: panic on corrupted stack end

  * arm64: statically link rtc-efi (LP: #1583738)
    - [Config] Link rtc-efi statically on arm64

 -- Kamal Mostafa <email address hidden> Fri, 03 Jun 2016 10:02:16 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
InfleXion Point (inflexion.point) wrote :

I've come across this bug on linux 4.4.0-28-generic on Ubuntu 16.04 when trying to install a network card called Netis AD1103 with Realtek 8168.

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

I'm having this issue again after upgrade to GCC 6 from GCC 5 recently. I've being able to compile custom kernel with just `KCFLAGS="-fno-pie"`, now it fails with error mentioned in this bug report.
Any ideas why? Am I alone here?

Revision history for this message
iLogin (cerebellum-l) wrote :
Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

Thank you, works for me on upstream 4.8-rc2

Revision history for this message
Rocko (rockorequin) wrote :

Why isn't this a bug in gcc 6? It doesn't seem right that we have to patch the kernel makefile to get it to build.

Revision history for this message
Nazar Mokrynskyi (nazar-pc) wrote :

cerebellum-ukr, is there any place to track for upstreaming necessary patches? Quite boring to do this every time I want to build kernel.

Revision history for this message
Dan Marinescu (dmarinescu) wrote :

this is not a gcc bug. this is an ubuntu management specific arrogance (and perhaps some cash from redmond with love) - of course it is completely wrong to patch the kernel makefile because they decided to ship a gcc unable to build the kernel itself (with wrong defaults/specs). but like they said repeatedly, they are not a democracy. also just like linus said repeatedly, fuck unubuntu!

>Why isn't this a bug in gcc 6? It doesn't seem right that we have to patch the kernel makefile to get it to build.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

>this is not a gcc bug. this is an ubuntu management specific arrogance (and perhaps some cash from redmond with love) - of course it is completely wrong to patch the kernel makefile because they decided to ship a gcc unable to build the kernel itself (with wrong defaults/specs). but like they said repeatedly, they are not a democracy. also just like linus said repeatedly, fuck unubuntu!

ok thanks for you really nice and well proven point.

AFAICT also Fedora and other major linux distros are starting enabling pie by default, and probably more will come.
https://fedoraproject.org/wiki/Changes/Modernise_GCC_Flags

Unfortunately I don't want to answer why you are wrong, because I don't want to feed the troll, and you didn't say anything worth an answer in your post.

So, the answer will be generic to other people (who probably have more clues than you on the reasons).
pie is a security flag that is really important for an OS. Unfortunately asking maintainers to enable it resulted in not many adaptions, and many critical pieces of software without such hardening flag enabled.
Enabling by default in gcc sounded a better idea, and the side effect has been that virtualbox/kernel had to disable it manually to still build.

For this reason -f-no-pie has been created, and it should work with no issues.
And this bug/flag has been injected and the kernel is now fixed, so please move on.
thanks

Revision history for this message
Nick Desaulniers (ndesaulniers) wrote :

The patch in comment #39 or the env var in comment #38 both work for me. Thank you!

Changed in gcc-defaults (Ubuntu):
status: Invalid → Confirmed
Revision history for this message
iLogin (cerebellum-l) wrote :

-fno-PIE builds (Sebastian Siewior and Borislav Petkov). This is
     not a kernel regression, but one of the Debian gcc package.
     Nevertheless, it's quite annoying, so I think it should go into
     mainline and stable now"

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04e36857d6747e4525e68c4292c081b795b48366

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox (Ubuntu):
status: New → Confirmed
Changed in nvidia-graphics-drivers-340 (Ubuntu):
status: New → Confirmed
Changed in nvidia-graphics-drivers-375 (Ubuntu):
status: New → Confirmed
Revision history for this message
dino99 (9d9) wrote :

Looks like everything is ok now in 2018; closing that report.

Changed in virtualbox (Ubuntu):
status: Confirmed → Invalid
Changed in nvidia-graphics-drivers-375 (Ubuntu):
status: Confirmed → Invalid
Changed in nvidia-graphics-drivers-340 (Ubuntu):
status: Confirmed → Invalid
Changed in gcc-defaults (Ubuntu):
status: Confirmed → Invalid
Joe Abt (neondiscobrn)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Joe Abt (neondiscobrn)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.