vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"

Darren Tucker dtucker at
Fri Jun 8 10:07:00 AEST 2018

On 8 June 2018 at 09:44, PGNet Dev < at> wrote:
> hi
> On 6/7/18 4:03 PM, Darren Tucker wrote:
>> On 8 June 2018 at 07:09, PGNet Dev < at> wrote:
>>> Verifying a report I just got pinged about, building vanilla openssh 7.7p1 on linux configures ok, but fails build around 'retpoline'
>> [...]
>>> Should the retpoline flag be getting added?  If so, what's needed to make LD happy with it?
>> configure checks to see if the linker accepts those flags, so my guess
>> is that something is added later in configure that causes it to fail.
>> I suggest looking at config.log to see what the actaul compiler
>> messages are from these parts:
>> OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
>> OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
>> and the actual compiler output show up in config.log.
>> I wrote and tested this patch against the development versions of gcc
>> and clang which was all that was available at the time, it's possible
>> the released versions don't behave quite the same.
> here's the complete config.log:
> the 'fun' appears to start at line# 652

that one is fine, it's this which fails and is not tried again:
OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang

This one causing the problem is
"OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])" which is is accepted
but ignored by ld, but later causes an error.

configure:6352: checking if /usr/bin/ld supports link flag -Wl,-z,retpolineplt
configure:6375: /usr/bin/gcc-8 -o conftest -g -O2 -pipe -Wall
-Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-fno-strict-aliasing -mfunction-return=thunk -mindirect-branch=thunk
-Werror -Wl,-z,retpolineplt conftest.c  >&5
warning: -z retpolineplt ignored.
configure:6375: $? = 0
configure:6376: result: yes

I was able to build on Fedora 28 running gcc version 8.1.1 20180502
(Red Hat 8.1.1-1) (GCC) which gives the following command line:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o audit.o audit-bsm.o
audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o
auth.o auth2.o auth-options.o session.o auth2-chall.o groupaccess.o
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o
auth2-none.o auth2-passwd.o auth2-pubkey.o monitor.o monitor_wrap.o
auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o
auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o
sftp-common.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o
sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o
sandbox-pledge.o sandbox-solaris.o -L. -Lopenbsd-compat/
-Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
-fstack-protector-strong -pie  -lssh -lopenbsd-compat  -lcrypto -ldl
-lutil -lz  -lcrypt -lresolv
/usr/bin/ld: warning: -z retpolineplt ignored.

Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list