hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jim Brennan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7857) -fstack-check compilation flag causes binary incompatibility for container-executor between RHEL 6 and RHEL 7
Date Mon, 05 Feb 2018 19:31:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352816#comment-16352816

Jim Brennan commented on YARN-7857:

[~miklos.szegedi@cloudera.com] I have prepared another patch that only adds the {{-fstack-check}}
option for GCC versions > 4.8.
But on further review and reflection, I have come around to the opinion that the security
issue is more important than this incompatibility, especially given that we have addressed
that incompatibility in YARN-7796.

I have not found anything that officially changes the recommendation of using {{-fstack-check}}
to help combat stack clash attacks, and I have not found an alternative command line option
for gcc.   So I am reluctant to remove {{-fstack-check}} for any versions of GCC when it is
currently not causing a problem.   My original motivation of preventing us from running into
the same incompatibility again (due to future changes to container-executor code) does not
seem worth re-opening a significant security hole.

> -fstack-check compilation flag causes binary incompatibility for container-executor between
RHEL 6 and RHEL 7
> -------------------------------------------------------------------------------------------------------------
>                 Key: YARN-7857
>                 URL: https://issues.apache.org/jira/browse/YARN-7857
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>    Affects Versions: 3.0.0
>            Reporter: Jim Brennan
>            Assignee: Jim Brennan
>            Priority: Major
>         Attachments: YARN-7857.001.patch
> The segmentation fault in container-executor reported in [YARN-7796]  appears to be due
to a binary compatibility issue with the {{-fstack-check}} flag that was added in [YARN-6721]
> Based on my testing, a container-executor (without the patch from [YARN-7796]) compiled
on RHEL 6 with the -fstack-check flag always hits this segmentation fault when run on RHEL
7.  But if you compile without this flag, the container-executor runs on RHEL 7 with no problems.
 I also verified this with a simple program that just does the copy_file.
> I think we need to either remove this flag, or find a suitable alternative.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message