bind update (9.12.4-P1) build failure on aarch64

[samueldr]

The CVE fix in #60249, allegedly, is causing issues with aarch64 builds.

• https://seclists.org/oss-sec/2019/q2/64

This is holding back iso and sd_image for aarch64, thus holding back channel updates for unstable. Once backported (I feel it should be, being a CVE fix) this'll hold 19.03 back too.

Not sure where to go from here, though I'm not sure the previously linked e-mail is a good report enough for upstream.

The failure on ofborg and the check page.

Here's the failure from the hydra log:

libtool: link: gcc -I/build/bind-9.12.4-P1 -I../.. -I./include -I./unix/include -I. -I/build/bind-9.12.4-P1/lib/ns/include -I../../lib/ns/include -I/build/bind-9.12.4-P1/lib/dns/include -I../../lib/dns/include -I/build/bind-9.12.4-P1/lib/bind9/include -I../../lib/bind9/include -I/build/bind-9.12.4-P1/lib/isccfg/include -I../../lib/isccfg/include -I/build/bind-9.12.4-P1/lib/isccc/include -I../../lib/isccc/include -I/build/bind-9.12.4-P1/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/noatomic/include -I/nix/store/z3d9c33wjsd51v39qgqpqx55j9avg9a8-openssl-1.0.2r-dev/include -D_REENTRANT -DOPENSSL -DDIG_SIGCHASE=1 -D_GNU_SOURCE -g -O2 -I/nix/store/k9asakbdl56ggq9lipfxsfxhgr9hfs8d-libxml2-2.9.9-dev/include/libxml2 -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -o .libs/named .libs/builtin.o .libs/config.o .libs/control.o .libs/controlconf.o .libs/fuzz.o .libs/log.o .libs/logconf.o .libs/main.o .libs/server.o .libs/statschannel.o .libs/tkeyconf.o .libs/tsigconf.o .libs/zoneconf.o unix/.libs/os.o unix/.libs/dlz_dlopen_driver.o  ../../lib/ns/.libs/libns.so -L/nix/store/z3d9c33wjsd51v39qgqpqx55j9avg9a8-openssl-1.0.2r-dev/lib -L/nix/store/x4lfgvbnlq88ynk0dzv1kxyg43s3dnqy-libxml2-2.9.9/lib ../../lib/dns/.libs/libdns.so ../../lib/bind9/.libs/libbind9.so /build/bind-9.12.4-P1/lib/isccfg/.libs/libisccfg.so ../../lib/isccfg/.libs/libisccfg.so /build/bind-9.12.4-P1/lib/dns/.libs/libdns.so ../../lib/isccc/.libs/libisccc.so /build/bind-9.12.4-P1/lib/isc/.libs/libisc.so ../../lib/isc/.libs/libisc.so -lcrypto -lcap -lpthread /nix/store/x4lfgvbnlq88ynk0dzv1kxyg43s3dnqy-libxml2-2.9.9/lib/libxml2.so -lz -lm -ldl -Wl,-rpath -Wl,/nix/store/7alp97b2r0bg940vxjj3zrlx284nz2nw-bind-9.12.4-P1-lib/lib -Wl,-rpath -Wl,/nix/store/x4lfgvbnlq88ynk0dzv1kxyg43s3dnqy-libxml2-2.9.9/lib
/nix/store/kbz28l7mjcj1s1fpmn1k8n4dhn90lp5r-binutils-2.31.1/bin/ld: ../../lib/ns/.libs/libns.so: undefined reference to `isc_atomic_xadd'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:539: named] Error 1
make[2]: Leaving directory '/build/bind-9.12.4-P1/bin/named'
make[1]: *** [Makefile:79: subdirs] Error 1
make[1]: Leaving directory '/build/bind-9.12.4-P1/bin'
make: *** [Makefile:88: subdirs] Error 1
builder for '/nix/store/jc246n4ky0s4ni2sckm7fhqrrqnr9w9b-bind-9.12.4-P1.drv' failed with exit code 2

---

cc @dtzWill

[grahamc]

We could conditionally apply the patch for now

[andir]

We could potentially disable atomics on aarch64. ./configure --help gives me

…
  --enable-atomic         enable machine specific atomic operations
                          [default=autodetect]
…

I am trying with a conditional --disable-atomic just now.

[andir]

Seems like that isn't properly implemented upstream? I am still seeing the same / a similar issue:

client.c: In function 'mark_tcp_active':
client.c:431:3: warning: implicit declaration of function 'isc_atomic_xadd'; did you mean 'isc_time_add'? [-Wimplicit-function-declaration]
   isc_atomic_xadd(&client->interface->ntcpactive, 1);
   ^~~~~~~~~~~~~~~
   isc_time_add

Was worth a shot...

[grahamc]

@andir would you like to email oss-sec with this finding?

[andir]

Can do. Will have to wait until I have access to my mail accounts. A few more hours at least.

I somehow guess that disabling atomics (without resorting to some kind of locks) defeats the purpose of those patches. I only briefly read their description tho..

[andir]

We should be fine with picking https://gitlab.isc.org/isc-projects/bind9/commit/d72f436b7d7c697b262968c48c2d7643069ab17f.diff for the 9.12 based bind packages..

Upstream added that commit right after the release.

The package did build successfully. I am running the bind VM test right now. If everything goes well - and we do not decide against this patch - I'll reply to the oss-sec thread with our workaround/solution.

[grahamc]

https://www.mail-archive.com/bind-users@lists.isc.org/msg27481.html also

[andir]

Good catch! That is essential what I did.. :-)

[vielmetti]

I've reported this back to an open source team at Arm, in the hopes of further sharing any fixes or getting a point release out that has been tested on other architectures before it gets shipped.

[andir]

Fix merged on stable. I prepared backport PRs for the bind update to our current stable branches. Closing this.

[dtzWill]

Thanks for tracking down and the backports! <3

…

On Sat, 27 Apr 2019 13:23:04 -0700, Andreas Rammhold ***@***.***> wrote: Closed #60301. -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #60301 (comment) part: text/html