Issue metadata
Sign in to add a comment
|
Chrome failing to build on asan builder |
||||||||||||||||||||||||
Issue descriptionhttps://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8943642573436043136 chromeos-chrome-69.0.3457.0_rc-r1: scanelf: rpath_security_checks(): Security problem with DT_RPATH='$ORIGIN/.' in /build/amd64-generic/tmp/portage/chromeos-base/chromeos-chrome-69.0.3457.0_rc-r1/image/opt/google/chrome/chrome-sandbox with mode set of 4755 chromeos-chrome-69.0.3457.0_rc-r1: scanelf: rpath_security_checks(): Security problem with DT_RPATH='$ORIGIN/.' in /build/amd64-generic/tmp/portage/chromeos-base/chromeos-chrome-69.0.3457.0_rc-r1/image/opt/google/chrome/chrome-sandbox with mode set of 4755 chromeos-chrome-69.0.3457.0_rc-r1: chromeos-chrome-69.0.3457.0_rc-r1: * QA Notice: The following files contain insecure RUNPATHs chromeos-chrome-69.0.3457.0_rc-r1: * Please file a bug about this at http://bugs.gentoo.org/ chromeos-chrome-69.0.3457.0_rc-r1: * with the maintaining herd of the package. chromeos-chrome-69.0.3457.0_rc-r1: * $ORIGIN/. /build/amd64-generic/tmp/portage/chromeos-base/chromeos-chrome-69.0.3457.0_rc-r1/image/opt/google/chrome/chrome-sandbox chromeos-chrome-69.0.3457.0_rc-r1: chromeos-chrome-69.0.3457.0_rc-r1: * ERROR: chromeos-base/chromeos-chrome-69.0.3457.0_rc-r1::chromiumos failed: chromeos-chrome-69.0.3457.0_rc-r1: * Aborting due to serious QA concerns with RUNPATH/RPATH
,
Jun 19 2018
Looks like a Portage sandbox violation? Over to vapier@ to triage.
,
Jun 19 2018
it's not a sandbox violation. the Chrome build system is adding bad rpath flags to the link line. that's entirely on the Chrome side of things. might help to have the full build log as it might have the -Wl,-rpath flags in it which can be tracked back.
,
Jun 19 2018
The buld packages logs on the builder do not have the full link line. Probably need to create a local build.
,
Jun 19 2018
Suspect CL causing chrome-sandbox rpath issues: https://chromium-review.googlesource.com/c/chromium/src/+/1092077
,
Jun 19 2018
assigning to Thomas. Please take a look.
,
Jun 19 2018
The issue is certainly caused by my cl, sorry for the breakage. A revert should be fine for now.
,
Jun 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d2a6d6bcbeccd540b8a27b4fbb3ed84d5113ea7c commit d2a6d6bcbeccd540b8a27b4fbb3ed84d5113ea7c Author: Thomas Anderson <thomasanderson@chromium.org> Date: Wed Jun 20 01:07:17 2018 Revert "Stop removing rpath_for_built_shared_libraries from chrome_sandbox" This reverts commit 43a48785f23a65d5b3f0cefac086d67c3dea4eb0. Reason for revert: This CL made the assumption that we didn't ship in any configurations that are instrumented or that are component builds. However bug 853266 points out that CrOs ships in an asan configuration, so the rpath removal will still be necessary until the change in [1] is made. [1] https://bugs.chromium.org/p/chromium/issues/detail?id=850682#c14 Original change's description: > Stop removing rpath_for_built_shared_libraries from chrome_sandbox > > For instrumented builds like tsan, this causes chrome_sandbox to reference the > wrong libc++.so due to a missing RPATH. > > Since all configurations we ship don't set RPATH, we don't have to worry about > security vulnerabilities introduced by RPATH=$ORIGIN. There's also a check to > enforce this in chrome/installer/linux/common/installer.include. > > BUG= 850682 > > Change-Id: I25307bd9de388009acffdbb8de6717210873655b > Reviewed-on: https://chromium-review.googlesource.com/1092077 > Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org> > Reviewed-by: Dirk Pranke <dpranke@chromium.org> > Commit-Queue: Thomas Anderson <thomasanderson@chromium.org> > Cr-Commit-Position: refs/heads/master@{#566099} TBR=jorgelo@chromium.org,palmer@chromium.org,dpranke@chromium.org,thomasanderson@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 850682 , 853266 Change-Id: I4b094a512b29b76e12659cba905536118a49208c Reviewed-on: https://chromium-review.googlesource.com/1107137 Commit-Queue: Thomas Anderson <thomasanderson@chromium.org> Reviewed-by: Dirk Pranke <dpranke@chromium.org> Reviewed-by: Thomas Anderson <thomasanderson@chromium.org> Cr-Commit-Position: refs/heads/master@{#568675} [modify] https://crrev.com/d2a6d6bcbeccd540b8a27b4fbb3ed84d5113ea7c/build/config/gcc/BUILD.gn [modify] https://crrev.com/d2a6d6bcbeccd540b8a27b4fbb3ed84d5113ea7c/sandbox/linux/BUILD.gn
,
Jun 20 2018
,
Jun 21 2018
Chrome no longer fai,ling to build on amd64-generic-tot-asan-informational https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8943115556220083152
,
Jun 25 2018
Issue 856300 has been merged into this issue. |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by jkop@chromium.org
, Jun 19 2018Status: Assigned (was: Untriaged)