Bug 85884 - On --enable-vtable-verify --enable-libvtv libstdc++.so contains insecure runpath after install:
Status: NEW
Alias: None
Product: gcc
Classification: Unclassified
Component: libstdc++
Version: 8.0.1
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: build
Depends on:
Blocks:
 
Reported: 2018-05-23 07:06 UTC by Sergei Trofimovich
Modified: 2021-03-02 18:53 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2018-05-23 00:00:00


Description Sergei Trofimovich 2018-05-23 07:06:40 UTC
Bug originally found by QA tools in Gentoo: https://bugs.gentoo.org/582524

 * QA Notice: The following files contain insecure RUNPATHs
 *   /var/tmp/portage/sys-devel/gcc-6.4.0/image/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/libstdc++.so.6.0.22
 *     RPATH: /var/tmp/portage/sys-devel/gcc-6.4.0/work/build/x86_64-pc-linux-gnu/libstdc++-v3/../libvtv/.libs

How to reproduce: build/install gcc with --enable-vtable-verify --enable-libvtv and observe the build directory leaking into the RUNPATH:

Directory layout:
- gcc source:      /home/slyfox/dev/git/gcc
- gcc build dir:   /home/slyfox/dev/git/gcc-vtv 
- gcc install dir: /home/slyfox/dev/git/gcc-vtv-installed

1. gcc-vtv $ ../gcc/configure \
    \
    --prefix="$(pwd)/../gcc-vtv-installed" \
    \
    --disable-bootstrap \
    \
    --enable-languages=c,c++ \
    --disable-nls \
    \
    --enable-vtable-verify \
    --enable-libvtv \
    \
    CFLAGS="-O0" CXXFLAGS="-O0"
2. gcc-vtv $ make && make install
3. gcc-vtv $ LANG=C readelf -a ../gcc-vtv-installed/lib32/libstdc++.so.6.0.25 | fgrep gcc-vtv
 0x0000001d (RUNPATH)                    Library runpath: [/home/slyfox/dev/git/gcc-vtv/x86_64-pc-linux-gnu/32/libstdc++-v3/../libvtv/.libs]

Note: RUNPATH contains a reference to build directory. It should not.

./configure unconditionally injects -rpath into LDFLAGS at:

https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libstdc%2B%2B-v3/acinclude.m4;h=3bd669a4cc8f5ca07347528b608882e43693a92e;hb=HEAD#l2769

libstdc++-v3/acinclude.m4
2753   if test $enable_vtable_verify = yes; then
...
2768       *)
2769         VTV_CXXFLAGS="-fvtable-verify=std -Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end"
2770         VTV_CXXLINKFLAGS="-L${toplevel_builddir}/libvtv/.libs -Wl,--rpath -Wl,${toplevel_builddir}/libvtv/.libs"
2771         ;;
2772     esac

and uses it in make at:

https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=libstdc%2B%2B-v3/src/Makefile.am;h=ba30dde8fecbef2990f89d12e0729f3727d86b00;hb=HEAD#l220

libstdc++-v3/src/Makefile.am
 216 CXXLINK = \
 ...
 220         $(VTV_CXXLINKFLAGS) \

It looks like the relinking step is missing at install time.

Thanks!
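The QA check the report quotes, as an added POSIX sh example (not code from the bug report, from GCC or from Gentoo): it reads readelf -d output and flags RPATH/RUNPATH entries that leak a build directory or are relative. The sample dynamic section below is constructed from the report's own RUNPATH line plus an $ORIGIN entry and a bare relative entry; the build-directory prefixes are the ones named on this page.

```shell
#!/bin/sh
# Added example: an install-time RUNPATH/RPATH audit over `readelf -d` text.
# Assumes the readelf layout shown in the report (tag, "(RUNPATH)", "[a:b:c]").

# check_runpath <readelf -d output> <colon-separated build-dir prefixes>
# Prints one line per insecure entry; returns 1 if any was found, 0 otherwise.
check_runpath() {
    _dyn=$1 _builds=$2 _status=0 _oldifs=$IFS
    # Pull the bracketed path list out of every (RPATH)/(RUNPATH) line.
    _lists=$(printf '%s\n' "$_dyn" | sed -n 's/^.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\].*$/\2/p')
    for _list in $_lists; do
        IFS=':'                      # split one tag value into its entries
        for _entry in $_list; do
            IFS=$_oldifs
            _reason=''
            case $_entry in
                '') _reason='empty entry, equivalent to the current directory' ;;
                '$ORIGIN'* | '${ORIGIN}'*) ;;   # relative to the object itself: acceptable
                /*)
                    # Absolute, but pointing into a tree that is gone (or writable) after install?
                    IFS=':'
                    for _b in $_builds; do
                        case $_entry in "$_b"/* | "$_b") _reason="leaks build directory $_b" ;; esac
                    done
                    IFS=$_oldifs ;;
                *)  _reason='relative path, resolved against the process cwd at load time' ;;
            esac
            if [ -n "$_reason" ]; then
                printf 'INSECURE %s: %s\n' "$_entry" "$_reason"
                _status=1
            fi
        done
        IFS=$_oldifs
    done
    return $_status
}

# Constructed sample: the report's leaked RUNPATH, one $ORIGIN entry, one relative entry.
dyn_sample=' 0x00000001 (NEEDED)     Shared library: [libm.so.6]
 0x0000001d (RUNPATH)   Library runpath: [/home/slyfox/dev/git/gcc-vtv/x86_64-pc-linux-gnu/32/libstdc++-v3/../libvtv/.libs:$ORIGIN/../lib:lib]
 0x0000000c (INIT)      0x1c000'
# What the same object should carry once it is relinked at install time.
clean_sample=' 0x0000001d (RUNPATH)   Library runpath: [$ORIGIN/../lib]'
build_dirs='/home/slyfox/dev/git/gcc-vtv:/var/tmp/portage'

check_runpath "$dyn_sample" "$build_dirs" || echo "libstdc++.so would fail the QA check"
```

Pipe the real thing in with check_runpath "$(readelf -d path/to/libstdc++.so.6)" "$build_dirs" to audit an installed object.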
Comment 1 Jonathan Wakely 2018-05-23 09:36:47 UTC
I think this should use $ORIGIN to avoid absolute paths.