aws-lc-rs fails to build fips feature with fortification and hardening

[xnox]

Problem:

Build fails with gcc-14

Relevant details

AWS-LC for Rust versions or commit: (6b1bce0...)

Building using hardened compiler with all of the https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html options

as in gcc -O2 -fhardened using gcc-14

Build log:

• The log tells compiler and version.

2024/11/23 00:46:24 WARN   [ 38%] Linking C static library libbcm_c_generated_asm.a
2024/11/23 00:46:24 WARN   [ 38%] Built target bcm_c_generated_asm
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN   --- stderr
2024/11/23 00:46:24 WARN   CMake Deprecation Warning at CMakeLists.txt:4 (cmake_minimum_required):
2024/11/23 00:46:24 WARN     Compatibility with CMake < 3.5 will be removed from a future version of
2024/11/23 00:46:24 WARN     CMake.
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN     Update the VERSION argument <min> value or use a ...<max> suffix to tell
2024/11/23 00:46:24 WARN     CMake that the project does not need compatibility with older versions.
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN   CMake Deprecation Warning at aws-lc/CMakeLists.txt:1 (cmake_minimum_required):
2024/11/23 00:46:24 WARN     Compatibility with CMake < 3.5 will be removed from a future version of
2024/11/23 00:46:24 WARN     CMake.
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN     Update the VERSION argument <min> value or use a ...<max> suffix to tell
2024/11/23 00:46:24 WARN     CMake that the project does not need compatibility with older versions.
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN
2024/11/23 00:46:24 WARN   In file included from /usr/include/string.h:548,
2024/11/23 00:46:24 WARN                    from /home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/aws-lc-fips-sys-0.12.13/aws-lc/crypto/asn1/a_bitstr.c:60:
2024/11/23 00:46:24 WARN   In function 'memcpy',
2024/11/23 00:46:24 WARN       inlined from 'OPENSSL_memcpy' at /home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/aws-lc-fips-sys-0.12.13/aws-lc/crypto/asn1/../internal.h:823:10,
2024/11/23 00:46:24 WARN       inlined from 'aws_lc_fips_0_12_13_i2c_ASN1_BIT_STRING' at /home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/aws-lc-fips-sys-0.12.13/aws-lc/crypto/asn1/a_bitstr.c:130:3:
2024/11/23 00:46:24 WARN   /usr/include/bits/string_fortified.h:29:10: error: '__builtin_memcpy' specified bound between 184467[440](https://github.com/chainguard-dev/enterprise-packages/actions/runs/11982431153/job/33410464617?pr=10142#step:12:441)71562067968 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]
2024/11/23 00:46:24 WARN      29 |   return __builtin___memcpy_chk (__dest, __src, __len,
2024/11/23 00:46:24 WARN         |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2024/11/23 00:46:24 WARN      30 |                                  __glibc_objsize0 (__dest));
2024/11/23 00:46:24 WARN         |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
2024/11/23 00:46:24 WARN   cc1: all warnings being treated as errors
2024/11/23 00:46:24 WARN   make[2]: *** [aws-lc/crypto/CMakeFiles/crypto_objects.dir/build.make:176: aws-lc/crypto/CMakeFiles/crypto_objects.dir/asn1/a_bitstr.c.o] Error 1
2024/11/23 00:46:24 WARN   make[2]: *** Waiting for unfinished jobs....
2024/11/23 00:46:24 WARN   make[1]: *** [CMakeFiles/Makefile2:280: aws-lc/crypto/CMakeFiles/crypto_objects.dir/all] Error 2
2024/11/23 00:46:24 WARN   make[1]: *** Waiting for unfinished jobs....
2024/11/23 00:46:24 WARN   make: *** [Makefile:136: all] Error 2
2024/11/23 00:46:24 WARN   thread 'main' panicked at /home/build/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cmake-0.1.50/src/lib.rs:1098:5:
...

[justsmth]

Hello again!

This is a compiler option (-fhardened) and build error that I'm not familiar with.

2024/11/23 00:46:24 WARN /usr/include/bits/string_fortified.h:29:10: error: '__builtin_memcpy' specified bound between 18446771562067968 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]

Since I don't see this compiler option used in our current CI, it might take some time to research this and understand the concern the compiler is reporting here. (And like the other gcc-14 FIPS build issue, a fix for this will likely need to be made in AWS-LC.)

We'll follow-up here once we have more information. Thanks for reporting!

[xnox]

Hello again!

This is a compiler option (-fhardened) and build error that I'm not familiar with.

2024/11/23 00:46:24 WARN /usr/include/bits/string_fortified.h:29:10: error: '__builtin_memcpy' specified bound between 18446771562067968 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]

Since I don't see this compiler option used in our current CI, it might take some time to research this and understand the concern the compiler is reporting here. (And like the other gcc-14 FIPS build issue, a fix for this will likely need to be made in AWS-LC.)

We'll follow-up here once we have more information. Thanks for reporting!

I can help you reduce that. I think it is the result of applying -D_FORTIFY_SOURCE=3 however, since gcc-14 is overall not supported/failing right now even without hardening, I think this issue should be parked until after gcc-14 is fixed.

I will update this issue, if I manage to reproduce it with gcc-13 and a minimal set of flags to trigger this.

[justsmth]

I will update this issue, if I manage to reproduce it with gcc-13 and a minimal set of flags to trigger this.

Thank! I'm also curious whether our non-FIPS build succeeds with the -fhardened option.