← Back to team overview

debcrafters-packages team mailing list archive

  1. debcrafters-packages team
  2. Mailing list archive
  3. Message #05816

[Bug 2119445] Re: arm64 shared libraries built without GCS property note

  Thread PreviousDate PreviousThread Next 
This bug was fixed in the package glibc - 2.42-0ubuntu1

---------------
glibc (2.42-0ubuntu1) questing; urgency=medium

  [ Aurelien Jarno ]
  * New upstream release:
    - debian/copyright: update following upstream changes.
    - debian/symbols.wildcards: add 2.42.
    - debian/control.in/main: bump binutils-for-host Build-Depends to >= 2.39.
    - debian/patches/git-updates.diff: update from upstream stable branch.
    - debian/patches/hurd-i386/git-proc_reauth.diff: upstreamed.
    - debian/patches/hurd-i386/git-mig-strncpy.diff: upstreamed.
    - debian/patches/hurd-i386/git-pthread_sigmask_nothread.diff: upstreamed.
    - debian/patches/hurd-i386/git-rt-timedwait-realtime.diff: upstreamed.
    - debian/patches/hurd-i386/git-pthread_setcancel.diff: upstreamed.
    - debian/patches/hurd-i386/git-dup-refcnt.diff: upstreamed.
    - debian/patches/hurd-i386/git-xstate.diff: upstreamed.
    - debian/patches/hurd-i386/git-utime-EINVAL.diff: upstreamed.
    - debian/patches/hurd-i386/git-xstate-initialized.diff: upstreamed.
    - debian/patches/hurd-i386/git-signal-fpe-exceptions.diff: upstreamed.
    - debian/patches/hurd-i386/git-symlink-eexist.diff: upstreamed.
    - debian/patches/hurd-i386/git-rename.diff: upstreamed.
    - debian/patches/hurd-i386/local-pthread_once.diff-2.42: renamed and
      replace debian/patches/hurd-i386/local-pthread_once.diff.
    - debian/patches/hurd-i386/hurd-i386/local-no_unsupported_ioctls.diff:
      rebased.
    - debian/patches/hurd-i386/local-static_pthread_setcancelstate.diff:
      dropped, obsolete.
    - debian/patches/any/local-tcsetaddr.diff: rebased.
  * debian/debhelper.in/libc.preinst: drop support code for upgrading from
    glibc < 2.34.
  * debian/debhelper.in/libc.preinst: remove kFreeBSD support code.
  * debian/debhelper.in/libc.postinst: remove support code to upgrade to
    trixie.
  *  Drop support for /etc/locales.alias (Closes: #1095101):
    - debian/debhelper.in/locales.install: stop installing /etc/locales.alias
    - debian/debhelper.in/locales.links: remove
    - debian/local/usr_sbin/locale-gen: stop passing locales.alias in the
      localedef call.
    - debian/patches/all/local-alias-et_EE.diff: drop, obsolete.
    - debian/patches/all/local-ru_RU.diff: drop, obsolete
  * debian/rules.d/{build.mk,debhelper.mk}: add makefile dependencies to get
    the package buildable with make --shuffle=reverse.  Closes: #1105334.
  * debian/rules, debian/rules.d/control.mk: remove temporary libc{6,6.1,0.3}
    files after the debian/control rule instead of in the clean rule.
  * debian/rules: drop now useless removal of files from the clean rule.

  [ Samuel Thibault ]
  * debian/testsuite-xfail-debian.mk: Update xfails.  Closes: #1110125.
  * debian/patches/hurd-i386/git-random-malloc.diff: Fix /hurd/random startup.

  [ Simon Chopin ]
  * debian/rules.d/build.mk: use envvars for CFLAGS rather than configparms
    (LP: #2115734)
  * Merge Debian glibc 2.42 branch. Delta adjusted:
    - Ubuntu language pack support: drop locale-gen --aliases option to match
      Debian.
    - libc6 Breaks: bring back the systemd << 256 break as it is valid for
      upgrade paths from Noble
  * Re-add the trixie upgrade support code as we need it for upgrades from
    Noble.
  * d/README.Ubuntu: add some maintainer documentation.
  * Rebuild using GCC 15 to get GCS branch protection on arm64 (LP: #2119445)

 -- Simon Chopin <schopin@xxxxxxxxxx>  Mon, 11 Aug 2025 15:45:16 +0200

** Changed in: glibc (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cmake in Ubuntu.
https://bugs.launchpad.net/bugs/2119445

Title:
  arm64 shared libraries built without GCS property note

Status in binutils package in Ubuntu:
  Confirmed
Status in cmake package in Ubuntu:
  Confirmed
Status in dpkg package in Ubuntu:
  Confirmed
Status in gcc-defaults package in Ubuntu:
  Confirmed
Status in glibc package in Ubuntu:
  Fix Released

Bug description:
  Recently, GCC 15 became the default in Ubuntu. With GCC 15 on aarch64,
  "-mbranch-protection has been extended to support the Guarded Control
  Stack (GCS) extension. This support is included in -mbranch-
  protection=standard and can be enabled individually using -mbranch-
  protection=gcs." [1]

  In Ubuntu, we build arm64 with -mbranch-protection=standard by
  default. However, the GCS story appears incomplete. Currently, arm64
  builds are seeing link warnings like this [2][3]:

  cc  -o src/core/libsystemd-core-257.so  -Wl,--as-needed -Wl,--no-
  undefined -shared -fPIC -Wl,-soname,libsystemd-core-257.so -Wl,--
  whole-archive -Wl,--start-group src/core/libsystemd-core-257.a -Wl,--
  no-whole-archive -fstack-protector -Wl,-Bsymbolic-functions -flto=auto
  -ffat-lto-objects -Wl,-z,relro -g -O2 -Werror=implicit-function-
  declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer
  -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects
  -fstack-protector-strong -fstack-clash-protection -Wformat
  -Werror=format-security -mbranch-protection=standard -fdebug-prefix-
  map=/<<PKGBUILDDIR>>=/usr/src/systemd-257.7-1ubuntu2 -Wdate-time
  -D_FORTIFY_SOURCE=3 '-Wl,-rpath,$ORIGIN/../shared' -Wl,-rpath-
  link,/<<PKGBUILDDIR>>/obj-aarch64-linux-gnu/src/shared
  src/shared/libsystemd-shared-257.so -shared -Wl,--version-
  script=/<<PKGBUILDDIR>>/src/shared/libshared.sym
  /usr/lib/aarch64-linux-gnu/libacl.so /usr/lib/aarch64-linux-
  gnu/libaudit.so /usr/lib/aarch64-linux-gnu/libblkid.so -ldl -lm
  /usr/lib/aarch64-linux-gnu/libmount.so /usr/lib/aarch64-linux-
  gnu/libpam.so -lrt /usr/lib/aarch64-linux-gnu/libseccomp.so
  /usr/lib/aarch64-linux-gnu/libselinux.so -Wl,--end-group -pthread -Wl,
  --fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-
  sections

  src/shared/libsystemd-shared-257.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libacl.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libaudit.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libblkid.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/aarch64-linux-gnu/libm.so.6: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/aarch64-linux-gnu/libmvec.so.1: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libmount.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libpam.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libseccomp.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libselinux.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/aarch64-linux-gnu/libc.so.6: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/ld-linux-aarch64.so.1: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  collect2: error: ld returned 1 exit status

  Note that the first warning is for libsystemd-shared-257.so (the
  library actually being built here), but the remainder are for library
  dependencies. This is fatal for systemd, because systemd builds with
  -Wl,--fatal-warnings. For most packages, this linker warning is
  present in arm64 builds, but not fatal.

  Therefore, it seems that while GCS is enabled implicitly on arm64 via
  -mbranch-protection=standard, the feature seems incomplete in Ubuntu
  without (a) re-builds against GCC 15, and (b) potentially additional
  build flags.

  Regarding new build flags that may be required, I found that building
  systemd with -W,-z,gcs=always silenced the warning for libsystemd-
  shared-257.so. In the mean time, I silenced[4] the linker warnings in
  systemd by building with -Wl,-z,gcs-report=none on arm64.

  tl;dr - To me, it *appears* that for GCS to be fully utilized on
  Ubuntu, we need:

  (1) Add `-Wl,-z,gcs=always` to LDFLAGS on arm64; and
  (2) Re-build everything basically

  However, I don't know whether (a) we definitely want GCS enabled by
  default on Ubuntu, or (b) if this is actually just a bug in binutils
  or so.

  [1] https://gcc.gnu.org/gcc-15/changes.html#aarch64
  [2] https://launchpadlibrarian.net/808211460/buildlog_ubuntu-questing-arm64.systemd_257.7-1ubuntu2_BUILDING.txt.gz
  [3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2119100
  [4] https://launchpad.net/ubuntu/+source/systemd/257.7-1ubuntu3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/2119445/+subscriptions
  Thread PreviousDate PreviousThread Next