This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug libstdc++/85884] New: On --enable-vtable-verify --enable-libvtv libstdc++.so contains insecure runpath after install:
- From: "slyfox at inbox dot ru" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Wed, 23 May 2018 07:06:40 +0000
- Subject: [Bug libstdc++/85884] New: On --enable-vtable-verify --enable-libvtv libstdc++.so contains insecure runpath after install:
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85884
Bug ID: 85884
Summary: On --enable-vtable-verify --enable-libvtv libstdc++.so
contains insecure runpath after install:
Product: gcc
Version: 8.0.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: slyfox at inbox dot ru
Target Milestone: ---
Bug originally found by QA tools in Gentoo: https://bugs.gentoo.org/582524
* QA Notice: The following files contain insecure RUNPATHs
*   /var/tmp/portage/sys-devel/gcc-6.4.0/image/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/libstdc++.so.6.0.22
*     RPATH: /var/tmp/portage/sys-devel/gcc-6.4.0/work/build/x86_64-pc-linux-gnu/libstdc++-v3/../libvtv/.libs
How to reproduce: build/install gcc with --enable-vtable-verify --enable-libvtv
and observe RUNPATH leaking into the build directory:
Directory layout:
- gcc source: /home/slyfox/dev/git/gcc
- gcc build dir: /home/slyfox/dev/git/gcc-vtv
- gcc install dir: /home/slyfox/dev/git/gcc-vtv-installed
1. gcc-vtv $ ../gcc/configure \
       \
       --prefix="$(pwd)/../gcc-vtv-installed" \
       \
       --disable-bootstrap \
       \
       --enable-languages=c,c++ \
       --disable-nls \
       \
       --enable-vtable-verify \
       --enable-libvtv \
       \
       CFLAGS="-O0" CXXFLAGS="-O0"
2. gcc-vtv $ make && make install
3. gcc-vtv $ LANG=C readelf -a ../gcc-vtv-installed/lib32/libstdc++.so.6.0.25 | fgrep gcc-vtv
 0x0000001d (RUNPATH) Library runpath: [/home/slyfox/dev/git/gcc-vtv/x86_64-pc-linux-gnu/32/libstdc++-v3/../libvtv/.libs]
Note: RUNPATH contains a reference to the build directory. It should not.
./configure unconditionally injects -rpath into LDFLAGS at:
https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libstdc%2B%2B-v3/acinclude.m4;h=3bd669a4cc8f5ca07347528b608882e43693a92e;hb=HEAD#l2769
libstdc++-v3/acinclude.m4
2753 if test $enable_vtable_verify = yes; then
...
2768 *)
2769 VTV_CXXFLAGS="-fvtable-verify=std -Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end"
2770 VTV_CXXLINKFLAGS="-L${toplevel_builddir}/libvtv/.libs -Wl,--rpath -Wl,${toplevel_builddir}/libvtv/.libs"
2771 ;;
2772 esac
and uses it in make at:
https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libstdc%2B%2B-v3/src/Makefile.am;h=ba30dde8fecbef2990f89d12e0729f3727d86b00;hb=HEAD#l220
libstdc++-v3/src/Makefile.am
216 CXXLINK = \
...
220 $(VTV_CXXLINKFLAGS) \
It looks like the relinking step is missing at install time.
Thanks!
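
An added example, not part of the original report or of GCC or Gentoo tooling: a post-install check in the spirit of the QA notice above, which reads `readelf -d` text and flags RPATH/RUNPATH entries that do not resolve inside the install prefix. The function name, the trusted-prefix argument and the second sample line are assumptions of this example.

```python
import posixpath
import re

# One dynamic-section line of `readelf -d` output, for example:
#   0x0000001d (RUNPATH)  Library runpath: [/a:/b]
_ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath):\s*\[([^\]]*)\]")


def insecure_runpaths(readelf_output, trusted_prefixes):
    """Return (tag, entry, reason) for each search-path entry that does not
    resolve inside one of trusted_prefixes (the install locations)."""
    trusted = [posixpath.normpath(p) for p in trusted_prefixes]
    findings = []
    for tag, value in _ENTRY.findall(readelf_output):
        for entry in value.split(":"):
            if entry.startswith(("$ORIGIN", "${ORIGIN}")):
                continue  # relative to the object itself; not judged here
            if entry == "":
                reason = "empty entry, searched as the current directory"
            elif not entry.startswith("/"):
                reason = "relative path"
            else:
                # Collapse "..", so /usr/lib/../../tmp is judged as /tmp.
                norm = posixpath.normpath(entry)
                # Compare whole path components: "gcc-vtv" must not match
                # the trusted prefix "gcc-vtv-installed" or vice versa.
                if any(norm == p or norm.startswith(p.rstrip("/") + "/") for p in trusted):
                    continue
                reason = "outside trusted prefixes"
            findings.append((tag, entry, reason))
    return findings


# First line is the RUNPATH quoted in the report; the second is constructed.
SAMPLE = """\
 0x0000001d (RUNPATH)  Library runpath: [/home/slyfox/dev/git/gcc-vtv/x86_64-pc-linux-gnu/32/libstdc++-v3/../libvtv/.libs]
 0x0000000f (RPATH)    Library rpath: [/home/slyfox/dev/git/gcc-vtv-installed/lib32:$ORIGIN/../lib::build/.libs]
"""

if __name__ == "__main__":
    prefix = ["/home/slyfox/dev/git/gcc-vtv-installed"]
    for tag, entry, reason in insecure_runpaths(SAMPLE, prefix):
        print(f"{tag}: {entry!r}: {reason}")
```

Run over every installed shared object, a check like this fails the build whenever a build-tree path such as the libvtv `.libs` directory survives `make install`.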