grsecurity forums

The latest patch causes gcc(?!) to crash:

CHK include/config/kernel.release
UPD include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
UPD include/generated/utsrelease.h
CHK include/generated/bounds.h
CHK include/generated/timeconst.h
CHK include/generated/asm-offsets.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
CC init/version.o
LD init/built-in.o
CC arch/x86/kernel/i8259.o
*** WARNING *** there are active plugins, do not report this as a bug unless you can reproduce it without enabling any plugins.
Event | Plugins
PLUGIN_FINISH_TYPE | randomize_layout_plugin structleak_plugin constify_plugin
PLUGIN_FINISH_DECL | randomize_layout_plugin
PLUGIN_FINISH_UNIT | rap_plugin
PLUGIN_ATTRIBUTES | randomize_layout_plugin structleak_plugin constify_plugin
PLUGIN_START_UNIT | rap_plugin constify_plugin
PLUGIN_ALL_IPA_PASSES_START | randomize_layout_plugin rap_plugin constify_plugin
arch/x86/kernel/i8259.c: In function ‘init_8259A’:
arch/x86/kernel/i8259.c:432:1: internal compiler error: segmentation fault
device_initcall(i8259A_init_ops);
^~~~~~~~~~~~~~~

It's on a Debian machine running the latest gcc suite:
gcc (Debian 6.2.0-11) 6.2.0 20161103

I had to use this patch to be able to use plugins:
--- Makefile~ 2016-11-09 10:12:24.221021085 -0200
+++ Makefile 2016-11-09 10:30:42.148406435 -0200
@@ -623,6 +623,8 @@

KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
+KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
+KBUILD_AFLAGS += $(call cc-option,-fno-PIE)

ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os

This is a GCC bug but it doesn't happen with the vanilla kernel. I'm reporting if ever you have an easy workaround.

i couldn't reproduce the gcc ICE but i do get errors on asm constraints when PIE is enabled for the kernel, so i guess debian's gcc turned that on without making sure that it's not used for kernel compilation (unlike hardened gentoo). in any case, i'll carry the workaround but in general, debian should get their act together and not blindly deliver security this way.

Thanks a lot. However it didn't work, the segfault still exits.

I'm using Debian unstable, updated very often, so this breakage cannot be considered a distribution bug [yet], since it's not a release. For you to see it in your machine it's probably necessary to run the same package versions, which are the latest in the repository. Probably not worth your precious time...

i tried with a gcc-6 snapshot from 20161029 and still no dice... i wonder if you can find out which plugin is needed to trigger the segfault.

I tried to compile in another machine, after spending some hours upgrading it. And it worked! So I returned to the main server to find out why it didn't work there and removed the gcc-4.9 version that was also installed because of Nvidia stuff. And then it worked... So it seems that there is a bug in the Debian packages when there's more than one gcc version installed. Apparently it only shows up when pluggins are used.

BTW, I had to disable gcc stack protection because it says compiler support for it is broken.

Thanks for the support.