1548475 – java-1.8.0-openjdk: Partial build flags injection

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1548475 - java-1.8.0-openjdk: Partial build flags injection

Summary: java-1.8.0-openjdk: Partial build flags injection

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	java-1.8.0-openjdk
Sub Component:
Version:	28
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Severin Gehwolf
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	1290936 1570847
Blocks:	Fedora28BuildFlags
TreeView+	depends on / blocked

Reported:	2018-02-23 16:04 UTC by Florian Weimer
Modified:	2018-06-27 01:53 UTC (History)
CC List:	9 users (show)
Fixed In Version:	java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-30 16:36:40 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Icedtea Bugzilla	3539	0	None	None	None	2018-06-27 01:53:07 UTC
openjdk bug system	JDK-8205104	0	None	None	None	2018-06-27 01:52:43 UTC

Description Florian Weimer 2018-02-23 16:04:50 UTC

/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-8.b14.fc28.x86_64/jre/lib/amd64/libjsig.so, /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-8.b14.fc28.x86_64/jre/lib/amd64/libsaproc.so, /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-8.b14.fc28.x86_64/jre/lib/amd64/server/libjvm.so in java-1.8.0-openjdk-headless-1:1.8.0.161-8.b14.fc28.x86_64 are not linked with the standard Fedora linker flags (LDFLAGS) from redhat-rpm-config.

It seems that CFLAGS are there, but not LDFLAGS:

/usr/bin/gcc -m64 -Xlinker -O1 -Wl,--hash-style=both -g -pipe -Wformat -Wno-cpp -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection -std=gnu++98 -Wno-error -fno-delete-null-pointer-checks -fno-lifetime-dse -fno-delete-null-pointer-checks -fno-lifetime-dse -std=gnu++98 -Xlinker -z -Xlinker noexecstack -shared -Xlinker --version-script=mapfile_reorder -Xlinker -soname=libjvm.so -o libjvm.so abstractCompiler.o accessFlags.o ad_x86_64.o […] yieldingWorkgroup.o -lstdc++ -lm -ldl -lpthread

(This also affects equivalent DSOs in java-1.8.0-openjdk-headless-debug-1:1.8.0.161-8.b14.fc28.x86_64.)

See https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md for information on RPM macros and environment variables provided by the build environment.

Comment 1 Andrew John Hughes 2018-03-14 18:42:33 UTC

This isn't an RPM issue; the flags are being passed to the build.

/usr/bin/gcc -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Xlinker --hash-style=both -Xlinker -z -Xlink
er defs -Xlinker -O1 -shared -L/builddir/build/BUILD/java-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk
/lib/amd64 -L/builddir/build/BUILD/java-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/lib/amd64/server 
-Xlinker -z -Xlinker origin -Xlinker -rpath -Xlinker \$ORIGIN   -Xlinker -version-script=/builddir/build/BUILD/java-1.8.0-openjd
k-1.8.0.161-9.b14.fc28.x86_64/openjdk/jdk/make/mapfiles/libj2gss/mapfile-vers -Xlinker -soname=libj2gss.so -o /builddir/build/BU
ILD/java-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/lib/amd64/libj2gss.so /builddir/build/BUILD/java
-1.8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/objs/libj2gss/GSSLibStub.o /builddir/build/BUILD/java-1.
8.0-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/objs/libj2gss/NativeFunc.o /builddir/build/BUILD/java-1.8.0
-openjdk-1.8.0.161-9.b14.fc28.x86_64/openjdk/build/jdk8.build/jdk/objs/libj2gss/NativeUtil.o  -ldl 

The problem is that the HotSpot part of the build isn't using EXTRA_LDFLAGS, so they aren't used for libjvm.so and any other HotSpot libraries. Lines like:

LFLAGS += $(EXTRA_CFLAGS)

need to be corrected to:

LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)

Comment 2 Igor Gnatenko 2018-03-26 08:48:18 UTC

ping?

Comment 3 jiri vanek 2018-03-26 09:22:34 UTC

> 
> The problem is that the HotSpot part of the build isn't using EXTRA_LDFLAGS,
> so they aren't used for libjvm.so and any other HotSpot libraries. Lines
> like:
> 
> LFLAGS += $(EXTRA_CFLAGS)
> 
> need to be corrected to:
> 
> LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)

Andrew, do you think it is safe to use them? I will try that in meantime.

Comment 4 jiri vanek 2018-03-26 12:26:09 UTC

trying in rawhide.

Comment 5 jiri vanek 2018-03-26 13:34:19 UTC

https://koji.fedoraproject.org/koji/taskinfo?taskID=25987978
should have the desired flags.

Comment 6 jiri vanek 2018-03-27 17:46:38 UTC

Florian, do you mind to check following build?

https://koji.fedoraproject.org/koji/taskinfo?taskID=26003989

Comment 7 jiri vanek 2018-03-28 14:42:47 UTC

imho jdk10 (https://bugzilla.redhat.com/show_bug.cgi?id=1557371)  is not affected by this issue

Comment 8 Andrew John Hughes 2018-03-28 16:06:24 UTC

(In reply to jiri vanek from comment #7)
> imho jdk10 (https://bugzilla.redhat.com/show_bug.cgi?id=1557371)  is not
> affected by this issue

The HotSpot build changed in OpenJDK 9 to integrate better with the build used by the rest of the system from OpenJDK 8, so, in theory, it should be fixed as part of that, but I'd need to see a build log to confirm.

OpenJDK 8's HotSpot is still using the same build system as 7 and earlier, with some hacks to have data fed in from the autoconf build.

What effect this has depends on what LDFLAGS are being passed. I'd prefer we didn't rush this in without more testing, especially when we're in the middle of working on a security update.

Comment 9 Fedora Update System 2018-03-28 16:13:16 UTC

java-1.8.0-openjdk-1.8.0.162-2.b12.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c234944d32

Comment 10 Fedora Update System 2018-03-28 16:15:12 UTC

java-1.8.0-openjdk-1.8.0.162-2.b12.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f5b8311e7

Comment 11 Fedora Update System 2018-03-29 00:19:24 UTC

java-1.8.0-openjdk-1.8.0.162-2.b12.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4f5b8311e7

Comment 12 Fedora Update System 2018-03-29 00:44:39 UTC

java-1.8.0-openjdk-1.8.0.162-2.b12.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c234944d32

Comment 13 Fedora Update System 2018-03-30 15:16:23 UTC

java-1.8.0-openjdk-1.8.0.162-3.b12.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a904932bcf

Comment 14 Fedora Update System 2018-03-30 15:17:04 UTC

java-1.8.0-openjdk-1.8.0.162-3.b12.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0ab73ba09d

Comment 15 Fedora Update System 2018-04-01 04:28:46 UTC

java-1.8.0-openjdk-1.8.0.162-3.b12.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a904932bcf

Comment 16 Fedora Update System 2018-04-01 04:52:31 UTC

java-1.8.0-openjdk-1.8.0.162-3.b12.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0ab73ba09d

Comment 17 Fedora Update System 2018-04-02 13:02:04 UTC

java-1.8.0-openjdk-1.8.0.162-3.b12.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Florian Weimer 2018-04-03 09:24:01 UTC

Sorry for the delay in checking.

/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/libsaproc.so in java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.x86_64 is still linked without BIND_NOW:

$ readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/libsaproc.so | grep NOW
[nothing]

There should be a BIND_NOW/NOW flag there.  Same for /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/libjsig.so.

I see more flag injection problems in java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.aarch64 and java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.s390x.  For example, /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/policytool is not PIE, and neither is /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.aarch64/jre/bin/policytool.

Comment 19 Florian Weimer 2018-04-03 09:58:47 UTC

I looked at an s390x Fedora 28 chroot, and found this:

# checksec --file /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java

# readelf -n /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java

Displaying notes found in: .note.ABI-tag
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 3.2.0

Displaying notes found in: .note.gnu.build-id
  Owner                 Data size       Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 7fb75c4021577536de2bed7c5a45f765f6f6419a
# rpm -qf /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java
java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.s390x

So there doesn't seem to be any build flags injection: No PIE, no RELRO, no annobin data.

Comment 20 jiri vanek 2018-04-03 13:16:39 UTC

I run it over future jdk10 packages https://bugzilla.redhat.com/show_bug.cgi?id=1557371#c34 :
 checksec  --file bin/java 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	FORTIFY	Fortified Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	bin/java
readelf -n  /bin/java

Displaying notes found in: .note.ABI-tag
  Owner                 Data size	Description
  GNU                  0x00000010	NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 3.2.0

Displaying notes found in: .note.gnu.build-id
  Owner                 Data size	Description
  GNU                  0x00000014	NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 893cfaa319e0cfa0e258a0b3351f28e8f4f8bc23
readelf -d lib/libsaproc.so  | grep NOW
[nothing]


So JDK10 is (in current(default) build) affected too

Comment 21 Severin Gehwolf 2018-04-05 08:29:01 UTC

(In reply to Florian Weimer from comment #19)
> I looked at an s390x Fedora 28 chroot, and found this:
> 
> # checksec --file
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java
> RELRO           STACK CANARY      NX            PIE             RPATH     
> RUNPATH      FORTIFY Fortified Fortifiable  FILE
> Partial RELRO   No canary found   NX enabled    No PIE          RPATH     
> No RUNPATH   No      0               0      
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java
> 
> # readelf -n
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java
> 
> Displaying notes found in: .note.ABI-tag
>   Owner                 Data size       Description
>   GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
>     OS: Linux, ABI: 3.2.0
> 
> Displaying notes found in: .note.gnu.build-id
>   Owner                 Data size       Description
>   GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID
> bitstring)
>     Build ID: 7fb75c4021577536de2bed7c5a45f765f6f6419a
> # rpm -qf
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/java
> java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.s390x
> 
> So there doesn't seem to be any build flags injection: No PIE, no RELRO, no
> annobin data.

FWIW, s390x builds of java-1.8.0-openjdk are Zero, which don't use the hardened-build features:
https://bugzilla.redhat.com/show_bug.cgi?id=1290936#c3

JDK 10 has a JIT port for s390x.

Comment 22 Fedora Update System 2018-04-05 15:00:59 UTC

java-1.8.0-openjdk-1.8.0.162-3.b12.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Severin Gehwolf 2018-04-19 17:48:10 UTC

(In reply to Florian Weimer from comment #18)
> I see more flag injection problems in
> java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.aarch64 and
> java-1.8.0-openjdk-1:1.8.0.162-3.b12.fc28.s390x.  For example,
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.s390x/jre/bin/
> policytool is not PIE, and neither is
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.aarch64/jre/bin/
> policytool.

Both of these disable the hardened build. aarch64 apparently since it didn't bootcycle-images build with it[1]. s390x because it is Zero and Zero arches also don't have the hardened build flags.

I'll look at those.

[1] https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/f28/f/java-1.8.0-openjdk.spec#_75

Comment 24 Severin Gehwolf 2018-04-19 18:02:25 UTC

(In reply to jiri vanek from comment #20)
> So JDK10 is (in current(default) build) affected too

Part of this problem is that it doesn't enable the hardened build as JDK 8 does via sending flags from redhat-rpm-config via EXTRA_CFLAGS[1][2] etc to the OpenJDK build.

[1] https://src.fedoraproject.org/rpms/java-openjdk/blob/master/f/java-openjdk.spec#_1248
[2] https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/master/f/java-1.8.0-openjdk.spec#_81
    https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/master/f/java-1.8.0-openjdk.spec#_1591

Comment 25 Severin Gehwolf 2018-04-24 09:39:00 UTC

(In reply to Florian Weimer from comment #18)
> Sorry for the delay in checking.
> 
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/
> libsaproc.so in java-1.8.0-openjdk-headless-1.8.0.162-3.b12.fc28.x86_64 is
> still linked without BIND_NOW:
> 
> $ readelf -d
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/
> libsaproc.so | grep NOW
> [nothing]
> 
> There should be a BIND_NOW/NOW flag there.  Same for
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc28.x86_64/jre/lib/amd64/
> libjsig.so.

The fix for this is:
https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/pull-request/5

The patch injecting linker flags was incomplete.

Comment 26 jiri vanek 2018-04-24 11:52:30 UTC

Please, do you mind to expalin why saproc.make was necessary to adjust too?
Also - the original part of the rhbz1548475-LDFLAGSusage.patch is still necessary. right?

Comment 27 Severin Gehwolf 2018-04-24 12:36:40 UTC

(In reply to jiri vanek from comment #26)
> Please, do you mind to expalin why saproc.make was necessary to adjust too?

saproc.make is the make file for building the servicability agent. libsaproc.so is one artifact of the serviciability agent. It needed the same treatment as vm.make et. al. It didn't take EXTRA_LDFLAGS into account.

Same for jsig.make.

> Also - the original part of the rhbz1548475-LDFLAGSusage.patch is still
> necessary. right?

Yes, it was just incomplete. libsaproc.so and libjsig.so are built by saproc.make and jsig.make, respectively. In order for them to receive needed linker flags (e.g. -Wl,-z,now) the changes in PR 5 were needed.

Comment 28 Severin Gehwolf 2018-04-25 09:39:39 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 and better should have all the remaining flag injection issues fixed. Aarch64 has flag injection enabled (bug 1570847). Same for Zero (s390x et. al.). See bug 1290936.

Comment 29 Fedora Update System 2018-04-26 07:18:17 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb

Comment 30 Fedora Update System 2018-04-26 07:18:36 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0

Comment 31 Severin Gehwolf 2018-04-26 08:15:04 UTC

Tested this on an arm box as this is zero.

<mock-chroot> sh-4.4# java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK Zero VM (build 25.171-b10, interpreted mode)
<mock-chroot> sh-4.4# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.armv7hl
<mock-chroot> sh-4.4# rpm -q --changelog java-1.8.0-openjdk | head -n3
* Wed Apr 25 2018 Severin Gehwolf <sgehwolf> - 1:1.8.0.171-4.b10
- Enable hardened build unconditionally (also for Zero).
  Resolves RHBZ#1290936.

<mock-chroot> sh-4.4# checksec --dir /usr/lib/jvm/java-1.8.0-openjdk/bin
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Checked         Total   Filename
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/appletviewer
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/extcheck
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/idlj
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jar
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jarsigner
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/java
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javac
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javadoc
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javah
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javap
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jcmd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jconsole
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jdb
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jdeps
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jhat
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jinfo
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jjs
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jmap
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jps
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jrunscript
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jsadebugd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstack
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstat
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstatd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/keytool
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/native2ascii
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/orbd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/pack200
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/policytool
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmic
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmid
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmiregistry
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/schemagen
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/serialver
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/servertool
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/tnameserv
Full RELRO      Canary found      NX enabled    PIE enabled     RPATH      No RUNPATH   Yes     4               9       /usr/lib/jvm/java-1.8.0-openjdk/bin/unpack200
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/wsgen
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/wsimport
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/xjc

<mock-chroot> sh-4.4# rpm -ql java-1.8.0-openjdk-headless | grep libjsig
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.arm/jre/lib/arm/libjsig.so
<mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.arm/jre/lib/arm/libjsig.so | grep NOW
 0x00000018 (BIND_NOW)                   
 0x6ffffffb (FLAGS_1)                    Flags: NOW

NOTE: Zero JVM doesn't have the serviceability agent.

<mock-chroot> sh-4.4# readelf -n /usr/lib/jvm/java-1.8.0-openjdk/bin/java

Displaying notes found in: .note.ABI-tag
  Owner                 Data size       Description
  GNU                  0x00000010       NT_GNU_ABI_TAG (ABI version tag)
    OS: Linux, ABI: 3.2.0

Displaying notes found in: .note.gnu.build-id
  Owner                 Data size       Description
  GNU                  0x00000014       NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: b67e3e4313006d1c783e40130f69c3819320e98e

Displaying notes found in: .gnu.build.attributes
  Owner                 Data size       Description
  GA$<version>3p5      0x00000008       OPEN
    Applies to region from 0x760 to 0x760
  GA$<tool>gcc 8.0.1 2 0x00000000       OPEN
    Applies to region from 0x760
  GA*GOW:0x000000000472a 0x00000000     OPEN
    Applies to region from 0x760
  GA*<stack prot>stron 0x00000000       OPEN
    Applies to region from 0x760
  GA!stack_clash:false 0x00000000       OPEN
    Applies to region from 0x760
  GA*cf_protection:0x001 0x00000000     OPEN
    Applies to region from 0x760
  GA+GLIBCXX_ASSERTION: 0x00000000      OPEN
    Applies to region from 0x760
  GA*FORTIFY:0x000000002 0x00000000     OPEN
    Applies to region from 0x760
  GA*<PIC>PIC          0x00000000       OPEN
    Applies to region from 0x760
  GA!<short enum>false 0x00000000       OPEN
    Applies to region from 0x760

Comment 32 Severin Gehwolf 2018-04-26 08:25:27 UTC

And on x86_64 (which does have the SA):

<mock-chroot> sh-4.4# java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)
<mock-chroot> sh-4.4# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64
<mock-chroot> sh-4.4# rpm -ql java-1.8.0-openjdk-headless | grep -E 'libsa|libjsig'
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libjsig.so
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libsaproc.so
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/server/libjsig.so
<mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libjsig.so | grep NOW
 0x0000000000000018 (BIND_NOW)           
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
<mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/server/libjsig.so | grep NOW
 0x0000000000000018 (BIND_NOW)           
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
<mock-chroot> sh-4.4# readelf -d /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libsaproc.so | grep NOW
 0x0000000000000018 (BIND_NOW)           
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
<mock-chroot> sh-4.4# readelf -n /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-4.b10.fc28.x86_64/jre/lib/amd64/libsaproc.so

Displaying notes found in: .note.gnu.build-id
  Owner                 Data size	Description
  GNU                  0x00000014	NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 55fad092bcc8d33b1c477c4e605c98ae3a7316a7

Displaying notes found in: .note.gnu.property
  Owner                 Data size	Description
  GNU                  0x00000020	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 ISA used: 
	x86 ISA needed: 

Displaying notes found in: .gnu.build.attributes
  Owner                 Data size	Description
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x1e89 to 0x2223
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x2223 to 0x33b0
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x33b0 to 0x426d
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x426d to 0x4dea
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x426d to 0x4dea
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x4dea to 0x7389
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x4dea to 0x7389
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x7389 to 0x84b3
  GA$<version>3p5      0x00000010	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA$<tool>gcc 8.0.1 2 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*GOW:0x000000000012a 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*<stack prot>stron 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA+stack_clash:true  0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*cf_protection:0x008 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA+GLIBCXX_ASSERTION: 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*FORTIFY:0x000000002 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*<PIC>PIC          0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA!<short enum>false 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*<ABI>0x7001100000012 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1
  GA*cet status:0x2020102 0x00000000	OPEN
    Applies to region from 0x84b3 to 0x8df1

Comment 33 Fedora Update System 2018-04-26 15:33:28 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb

Comment 34 Fedora Update System 2018-04-27 07:55:15 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0

Comment 35 Fedora Update System 2018-04-30 16:36:40 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2018-04-30 21:17:44 UTC

java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.