Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1548475
Summary: | java-1.8.0-openjdk: Partial build flags injection | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
Component: | java-1.8.0-openjdk | Assignee: | Severin Gehwolf <sgehwolf> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 28 | CC: | ahughes, dbhole, fweimer, jerboaa, jvanek, msrb, mvala, omajid, sgehwolf |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-04-30 16:36:40 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1290936, 1570847 | ||
Bug Blocks: | 1539083 |
Description
Florian Weimer
2018-02-23 16:04:50 UTC
This isn't an RPM issue; the flags are being passed to the build. /usr/bin/gcc -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Xlinker --hash-style=both -Xlinker -z -Xlink er defs -Xlinker -O1 -shared -L/builddir/build/BUILD/java-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk /lib/amd64 -L/builddir/build/BUILD/java-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/lib/amd64/server -Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$ORIGIN -Xlinker -version-script=/builddir/build/BUILD/java-1.8.0-openjd k-1.8.0.161-9.b14.fc28.x86_64/openjdk/jdk/make/mapfiles/libj2gss/mapfile-vers -Xlinker -soname=libj2gss.so -o /builddir/build/BU ILD/java-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/lib/amd64/libj2gss.so /builddir/build/BUILD/java -1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/objs/libj2gss/GSSLibStub.o /builddir/build/BUILD/java-1. 8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/objs/libj2gss/NativeFunc.o /builddir/build/BUILD/java-1.8.0 -openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/objs/libj2gss/NativeUtil.o -ldl The problem is that the HotSpot part of the build isn't using EXTRA_LDFLAGS, so they aren't used for libjvm.so and any other HotSpot libraries. Lines like: LFLAGS += $(EXTRA_CFLAGS) need to be corrected to: LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS) ping? >
> The problem is that the HotSpot part of the build isn't using EXTRA_LDFLAGS,
> so they aren't used for libjvm.so and any other HotSpot libraries. Lines
> like:
>
> LFLAGS += $(EXTRA_CFLAGS)
>
> need to be corrected to:
>
> LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
Andrew, do you think it is safe to use them? I will try that in meantime.
trying in rawhide. https://koji.fedoraproject.org/koji/taskinfo?taskID=25987978 should have the desired flags. Florian, do you mind to check following build? https://koji.fedoraproject.org/koji/taskinfo?taskID=26003989 imho jdk10 (https://bugzilla.redhat.com/show_bug.cgi?id=1557371) is not affected by this issue (In reply to jiri vanek from comment #7) > imho jdk10 (https://bugzilla.redhat.com/show_bug.cgi?id=1557371) is not > affected by this issue The HotSpot build changed in OpenJDK 9 to integrate better with the build used by the rest of the system from OpenJDK 8, so, in theory, it should be fixed as part of that, but I'd need to see a build log to confirm. OpenJDK 8's HotSpot is still using the same build system as 7 and earlier, with some hacks to have data fed in from the autoconf build. What effect this has depends on what LDFLAGS are being passed. I'd prefer we didn't rush this in without more testing, especially when we're in the middle of working on a security update. java-1.8.0-openjdk-1.8.0.162-2.b12.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c234944d32 java-1.8.0-openjdk-1.8.0.162-2.b12.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f5b8311e7 java-1.8.0-openjdk-1.8.0.162-2.b12.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f5b8311e7 java-1.8.0-openjdk-1.8.0.162-2.b12.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c234944d32 java-1.8.0-openjdk-1.8.0.162-3.b12.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a904932bcf java-1.8.0-openjdk-1.8.0.162-3.b12.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0ab73ba09d java-1.8.0-openjdk-1.8.0.162-3.b12.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a904932bcf java-1.8.0-openjdk-1.8.0.162-3.b12.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0ab73ba09d java-1.8.0-openjdk-1.8.0.162-3.b12.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. Sorry for the delay in checking. /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/libsaproc.so in java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.x86_64 is still linked without BIND_NOW: $ readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/libsaproc.so | grep NOW [nothing] There should be a BIND_NOW/NOW flag there. Same for /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/libjsig.so. I see more flag injection problems in java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.aarch64 and java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.s390x. For example, /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/policytool is not PIE, and neither is /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.aarch64/jre/bin/policytool. I looked at an s390x Fedora 28 chroot, and found this: # checksec --file /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java # readelf -n /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java Displaying notes found in: .note.ABI-tag Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 3.2.0 Displaying notes found in: .note.gnu.build-id Owner Data size Description GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring) Build ID: 7fb75c4021577536de2bed7c5a45f765f6f6419a # rpm -qf /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.s390x So there doesn't seem to be any build flags injection: No PIE, no RELRO, no annobin data. I run it over future jdk10 packages https://bugzilla.redhat.com/show_bug.cgi?id=1557371#c34 : checksec --file bin/java RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 bin/java readelf -n /bin/java Displaying notes found in: .note.ABI-tag Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 3.2.0 Displaying notes found in: .note.gnu.build-id Owner Data size Description GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring) Build ID: 893cfaa319e0cfa0e258a0b3351f28e8f4f8bc23 readelf -d lib/libsaproc.so | grep NOW [nothing] So JDK10 is (in current(default) build) affected too (In reply to Florian Weimer from comment #19) > I looked at an s390x Fedora 28 chroot, and found this: > > # checksec --file > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java > RELRO STACK CANARY NX PIE RPATH > RUNPATH FORTIFY Fortified Fortifiable FILE > Partial RELRO No canary found NX enabled No PIE RPATH > No RUNPATH No 0 0 > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java > > # readelf -n > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java > > Displaying notes found in: .note.ABI-tag > Owner Data size Description > GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) > OS: Linux, ABI: 3.2.0 > > Displaying notes found in: .note.gnu.build-id > Owner Data size Description > GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID > bitstring) > Build ID: 7fb75c4021577536de2bed7c5a45f765f6f6419a > # rpm -qf > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java > java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.s390x > > So there doesn't seem to be any build flags injection: No PIE, no RELRO, no > annobin data. FWIW, s390x builds of java-1.8.0-openjdk are Zero, which don't use the hardened-build features: https://bugzilla.redhat.com/show_bug.cgi?id=1290936#c3 JDK 10 has a JIT port for s390x. java-1.8.0-openjdk-1.8.0.162-3.b12.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. (In reply to Florian Weimer from comment #18) > I see more flag injection problems in > java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.aarch64 and > java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.s390x. For example, > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/ > policytool is not PIE, and neither is > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.aarch64/jre/bin/ > policytool. Both of these disable the hardened build. aarch64 apparently since it didn't bootcycle-images build with it[1]. s390x because it is Zero and Zero arches also don't have the hardened build flags. I'll look at those. [1] https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/f28/f/java-1.8.0-openjdk.spec#_75 (In reply to jiri vanek from comment #20) > So JDK10 is (in current(default) build) affected too Part of this problem is that it doesn't enable the hardened build as JDK 8 does via sending flags from redhat-rpm-config via EXTRA_CFLAGS[1][2] etc to the OpenJDK build. [1] https://src.fedoraproject.org/rpms/java-openjdk/blob/master/f/java-openjdk.spec#_1248 [2] https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/master/f/java-1.8.0-openjdk.spec#_81 https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/master/f/java-1.8.0-openjdk.spec#_1591 (In reply to Florian Weimer from comment #18) > Sorry for the delay in checking. > > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/ > libsaproc.so in java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.x86_64 is > still linked without BIND_NOW: > > $ readelf -d > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/ > libsaproc.so | grep NOW > [nothing] > > There should be a BIND_NOW/NOW flag there. Same for > /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/ > libjsig.so. The fix for this is: https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/pull-request/5 The patch injecting linker flags was incomplete. Please, do you mind to expalin why saproc.make was necessary to adjust too? Also - the original part of the rhbz1548475-LDFLAGSusage.patch is still necessary. right? (In reply to jiri vanek from comment #26) > Please, do you mind to expalin why saproc.make was necessary to adjust too? saproc.make is the make file for building the servicability agent. libsaproc.so is one artifact of the serviciability agent. It needed the same treatment as vm.make et. al. It didn't take EXTRA_LDFLAGS into account. Same for jsig.make. > Also - the original part of the rhbz1548475-LDFLAGSusage.patch is still > necessary. right? Yes, it was just incomplete. libsaproc.so and libjsig.so are built by saproc.make and jsig.make, respectively. In order for them to receive needed linker flags (e.g. -Wl,-z,now) the changes in PR 5 were needed. java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 and better should have all the remaining flag injection issues fixed. Aarch64 has flag injection enabled (bug 1570847). Same for Zero (s390x et. al.). See bug 1290936. java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0 Tested this on an arm box as this is zero. <mock-chroot> sh-4.4# java -version openjdk version "1.8.0_171" OpenJDK Runtime Environment (build 1.8.0_171-b10) OpenJDK Zero VM (build 25.171-b10, interpreted mode) <mock-chroot> sh-4.4# rpm -q java-1.8.0-openjdk java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.armv7hl <mock-chroot> sh-4.4# rpm -q --changelog java-1.8.0-openjdk | head -n3 * Wed Apr 25 2018 Severin Gehwolf <sgehwolf> - 1:1.8.0.171-4.b10 - Enable hardened build unconditionally (also for Zero). Resolves RHBZ#1290936. <mock-chroot> sh-4.4# checksec --dir /usr/lib/jvm/java-1.8.0-openjdk/bin RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Checked Total Filename Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/appletviewer Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/extcheck Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/idlj Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jar Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jarsigner Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/java Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/javac Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/javadoc Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/javah Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/javap Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jcmd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jconsole Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jdb Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jdeps Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jhat Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jinfo Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jjs Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jmap Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jps Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jrunscript Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jsadebugd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jstack Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jstat Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/jstatd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/keytool Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/native2ascii Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/orbd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/pack200 Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/policytool Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/rmic Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/rmid Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/rmiregistry Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/schemagen Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/serialver Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/servertool Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/tnameserv Full RELRO Canary found NX enabled PIE enabled RPATH No RUNPATH Yes 4 9 /usr/lib/jvm/java-1.8.0-openjdk/bin/unpack200 Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/wsgen Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/wsimport Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-1.8.0-openjdk/bin/xjc <mock-chroot> sh-4.4# rpm -ql java-1.8.0-openjdk-headless | grep libjsig /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.arm/jre/lib/arm/libjsig.so <mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.arm/jre/lib/arm/libjsig.so | grep NOW 0x00000018 (BIND_NOW) 0x6ffffffb (FLAGS_1) Flags: NOW NOTE: Zero JVM doesn't have the serviceability agent. <mock-chroot> sh-4.4# readelf -n /usr/lib/jvm/java-1.8.0-openjdk/bin/java Displaying notes found in: .note.ABI-tag Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 3.2.0 Displaying notes found in: .note.gnu.build-id Owner Data size Description GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring) Build ID: b67e3e4313006d1c783e40130f69c3819320e98e Displaying notes found in: .gnu.build.attributes Owner Data size Description GA$<version>3p5 0x00000008 OPEN Applies to region from 0x760 to 0x760 GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x760 GA*GOW:0x000000000472a 0x00000000 OPEN Applies to region from 0x760 GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x760 GA!stack_clash:false 0x00000000 OPEN Applies to region from 0x760 GA*cf_protection:0x001 0x00000000 OPEN Applies to region from 0x760 GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x760 GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x760 GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x760 GA!<short enum>false 0x00000000 OPEN Applies to region from 0x760 And on x86_64 (which does have the SA): <mock-chroot> sh-4.4# java -version openjdk version "1.8.0_171" OpenJDK Runtime Environment (build 1.8.0_171-b10) OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode) <mock-chroot> sh-4.4# rpm -q java-1.8.0-openjdk java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64 <mock-chroot> sh-4.4# rpm -ql java-1.8.0-openjdk-headless | grep -E 'libsa|libjsig' /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libjsig.so /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libsaproc.so /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/server/libjsig.so <mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libjsig.so | grep NOW 0x0000000000000018 (BIND_NOW) 0x000000006ffffffb (FLAGS_1) Flags: NOW <mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/server/libjsig.so | grep NOW 0x0000000000000018 (BIND_NOW) 0x000000006ffffffb (FLAGS_1) Flags: NOW <mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libsaproc.so | grep NOW 0x0000000000000018 (BIND_NOW) 0x000000006ffffffb (FLAGS_1) Flags: NOW <mock-chroot> sh-4.4# readelf -n /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libsaproc.so Displaying notes found in: .note.gnu.build-id Owner Data size Description GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring) Build ID: 55fad092bcc8d33b1c477c4e605c98ae3a7316a7 Displaying notes found in: .note.gnu.property Owner Data size Description GNU 0x00000020 NT_GNU_PROPERTY_TYPE_0 Properties: x86 ISA used: x86 ISA needed: Displaying notes found in: .gnu.build.attributes Owner Data size Description GA$<version>3p5 0x00000010 OPEN Applies to region from 0x1e89 to 0x2223 GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA!<short enum>false 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x1e89 to 0x2223 GA$<version>3p5 0x00000010 OPEN Applies to region from 0x2223 to 0x33b0 GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA!<short enum>false 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x2223 to 0x33b0 GA$<version>3p5 0x00000010 OPEN Applies to region from 0x33b0 to 0x426d GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA!<short enum>false 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x33b0 to 0x426d GA$<version>3p5 0x00000010 OPEN Applies to region from 0x426d to 0x4dea GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA!<short enum>false 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x426d to 0x4dea GA$<version>3p5 0x00000010 OPEN Applies to region from 0x4dea to 0x7389 GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA!<short enum>false 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x4dea to 0x7389 GA$<version>3p5 0x00000010 OPEN Applies to region from 0x7389 to 0x84b3 GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA!<short enum>false 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x7389 to 0x84b3 GA$<version>3p5 0x00000010 OPEN Applies to region from 0x84b3 to 0x8df1 GA$<tool>gcc 8.0.1 2 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*GOW:0x000000000012a 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*<stack prot>stron 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA+stack_clash:true 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*cf_protection:0x008 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA+GLIBCXX_ASSERTION: 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*FORTIFY:0x000000002 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*<PIC>PIC 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA!<short enum>false 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*<ABI>0x7001100000012 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 GA*cet status:0x2020102 0x00000000 OPEN Applies to region from 0x84b3 to 0x8df1 java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |