Hi All,

I could really use some help here from someone who has a better
understanding of how the config/Makefile system works than I do.

In my libvtv/configure.ac file, I have:

AC_GNU_SOURCE
AC_CHECK_FUNCS([__secure_getenv])

AC_GNU_SOURCE
AC_CHECK_FUNCS([secure_getenv])


This gets translated in my libvtv/configure file to:

for ac_func in __secure_getenv
do :
  ac_fn_c_check_func "$LINENO" "__secure_getenv" "ac_cv_func___secure_getenv"
if test "x$ac_cv_func___secure_getenv" = x""yes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE___SECURE_GETENV 1
_ACEOF

fi
done



for ac_func in secure_getenv
do :
  ac_fn_c_check_func "$LINENO" "secure_getenv" "ac_cv_func_secure_getenv"
if test "x$ac_cv_func_secure_getenv" = x""yes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_SECURE_GETENV 1
_ACEOF

fi
done


After running 'make all', I look in libvtv/config.log and see:

configure:4560: checking for __secure_getenv
configure:4560: /usr/local/google2/cmtice/gcc-fsf.clean.obj/./gcc/xgcc -B/usr/l\
ocal/google2/cmtice/gcc-fsf.clean.obj/./gcc/ -B/usr/local/x86_64-unknown-linux-\
gnu/bin/ -B/usr/local/x86_64-unknown-linux-gnu/lib/ -isystem /usr/local/x86_64-\
unknown-linux-gnu/include -isystem /usr/local/x86_64-unknown-linux-gnu/sys-incl\
ude    -o conftest -g -O2   conftest.c  >&5
configure:4560: $? = 0
configure:4560: result: yes
configure:4575: checking for secure_getenv
configure:4575: /usr/local/google2/cmtice/gcc-fsf.clean.obj/./gcc/xgcc -B/usr/l\
ocal/google2/cmtice/gcc-fsf.clean.obj/./gcc/ -B/usr/local/x86_64-unknown-linux-\
gnu/bin/ -B/usr/local/x86_64-unknown-linux-gnu/lib/ -isystem /usr/local/x86_64-\
unknown-linux-gnu/include -isystem /usr/local/x86_64-unknown-linux-gnu/sys-incl\
ude    -o conftest -g -O2   conftest.c  >&5
/tmp/cc2jF2RF.o: In function `main':
/usr/local/google2/cmtice/gcc-fsf.clean.obj/x86_64-unknown-linux-gnu/libvtv/con\
ftest.c:61: undefined reference to `secure_getenv'
collect2: error: ld returned 1 exit status
configure:4575: $? = 1
configure: failed program was:
[snip]
configure:4575: result: no


So it looks to me like the check for __secure_getenv succeeded, so
HAVE___SECURE_GETENV *should* have been defined in confdefs.h, and the
test for it in my program *should* succeed.


The source code in my program looks like this (at the moment):

#define secure_getenv getenv

#ifdef HAVE___SECURE_GETENV
#define secure_getenv __secure_getenv
#endif

[snip]

  logs_prefix = secure_getenv ("VTV_LOGS_DIR");


BUT...when I check to see what version of the getenv symbol made it
into libvtv.so, it is the wrong version:

$ readelf -s libvtv.so | grep getenv
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.2.5 (2)
    76: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@@GLIBC_2.2.5


If I alter the source program by removing the #ifdef
HAVE___SECURE_GETENV check, and just force it to try to use
__secure_getenv, the program works properly, and the readelf -s
libvtv.so | grep getenv shows __secure_getenv as the function.


WHAT am I doing wrong?  Help?

-- Caroline Tice
cmt...@google.com


On Mon, Aug 19, 2013 at 9:37 AM, Florian Weimer <fwei...@redhat.com> wrote:
> On 08/17/2013 12:29 AM, Caroline Tice wrote:
>>
>> OK, I *think* I have done as you requested.  I have to try the
>> environment variable before falling back on stderr (there's a program
>> we want to use this on that disables the ability to write to stderr).
>> I have added the secure_getenv stuff as you requested. The fixed patch
>> is attached.
>>
>> Please review the patch and let me know if this is OK to commit.  Thanks!
>
>
> I found a packaged version of autoconf 2.64 and bootstrapped with
> --enable-vtable-verify.  It's a bit confusing that libvtv is always built,
> but ends up being empty.
>
> It seems that HAVE_*SECURE_GETENV is not properly passed down to the
> compiler invocation:
>
> /bin/bash ./libtool --tag=CXX   --mode=compile
> /home/fw/src/gnu/gcc/build/./gcc/xgcc -B/home/fw/src/gnu/gcc/build/./gcc/
> -I. -I../../../git/libvtv -I../../../git/libvtv/../include  -D_GNU_SOURCE
> -Wall -Wextra -fno-exceptions -I./../libstdc++-v3/include
> -I./../libstdc++-v3/include/x86_64-unknown-linux-gnu
> -I../../../git/libvtv/../libstdc++-v3/libsupc++
> -Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end -g -O2 -D_GNU_SOURCE -MT
> vtv_utils.lo -MD -MP -MF .deps/vtv_utils.Tpo -c -o vtv_utils.lo
> ../../../git/libvtv/vtv_utils.cc
> libtool: compile:  /home/fw/src/gnu/gcc/build/./gcc/xgcc
> -B/home/fw/src/gnu/gcc/build/./gcc/ -I. -I../../../git/libvtv
> -I../../../git/libvtv/../include -D_GNU_SOURCE -Wall -Wextra -fno-exceptions
> -I./../libstdc++-v3/include
> -I./../libstdc++-v3/include/x86_64-unknown-linux-gnu
> -I../../../git/libvtv/../libstdc++-v3/libsupc++
> -Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end -g -O2 -D_GNU_SOURCE -MT
> vtv_utils.lo -MD -MP -MF .deps/vtv_utils.Tpo -c
> ../../../git/libvtv/vtv_utils.cc  -fPIC -DPIC -o .libs/vtv_utils.o
>
> As a result, the DSO ends up referencing getenv, even though secure_getenv
> is available (and has been detected by the autoconf check).
>
> Sorry, I don't know what's wrong here.  I'm not familiar with the GCC
> autoconf machinery.  Perhaps you need a config.h.in file?
>
> You can check this yourself with "readelf -s libvtv.so | grep getenv". It
> should print a line containing "secure_getenv" or "__secure_getenv", but not
> plain "getenv".
>
>
> --
> Florian Weimer / Red Hat Product Security Team
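
The readelf check suggested in the quoted reply, as an added example that is not part of the original thread: a shell function that classifies the getenv import from `readelf -s` output rather than relying on a bare grep. The function names, the `__secure_getenv` sample row and the `vtv_getenv_logs_dir` symbol are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify which getenv variant a DSO imports.
# Input on stdin: text from `readelf -sW <dso>` (-W keeps each row on one line).
# Prints one of: secure | plain | mixed | none
classify_getenv_import() {
    awk '
        # Row layout: Num: Value Size Type Bind Vis Ndx Name [(ver)]
        # Only undefined FUNC symbols are imports resolved by the dynamic linker.
        $4 == "FUNC" && $7 == "UND" {
            name = $8
            sub(/@.*/, "", name)          # drop @VERSION / @@VERSION suffix
            if (name == "secure_getenv" || name == "__secure_getenv") secure = 1
            else if (name == "getenv") plain = 1
        }
        END {
            if (plain && secure) print "mixed"
            else if (plain)      print "plain"
            else if (secure)     print "secure"
            else                 print "none"
        }'
}

# Build gate (hypothetical helper): succeed only when the secure variant
# is the sole getenv import of the given shared object.
require_secure_getenv() {
    verdict=$(readelf -sW "$1" | classify_getenv_import)
    echo "$1: getenv import is $verdict"
    [ "$verdict" = "secure" ]
}

# Rows as shown in the thread (plain getenv in .dynsym and .symtab).
SAMPLE_PLAIN='     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.2.5 (2)
    76: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@@GLIBC_2.2.5'

# Constructed rows: the secure import plus a locally defined function whose
# name merely contains "getenv" (a bare grep would match it; this must not).
SAMPLE_SECURE='     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __secure_getenv@GLIBC_2.2.5 (2)
    51: 0000000000001a30    42 FUNC    LOCAL  DEFAULT   12 vtv_getenv_logs_dir'

printf '%s\n' "$SAMPLE_PLAIN"  | classify_getenv_import
printf '%s\n' "$SAMPLE_SECURE" | classify_getenv_import
```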
