[Bug 2119445] [NEW] arm64 shared libraries built without GCS property note

Nick Rosbrook 2119445 at bugs.launchpad.net
Mon Aug 4 12:43:35 UTC 2025 

Public bug reported:

Recently, GCC 15 became the default in Ubuntu. With GCC 15 on aarch64,
"-mbranch-protection has been extended to support the Guarded Control
Stack (GCS) extension. This support is included in -mbranch-
protection=standard and can be enabled individually using -mbranch-
protection=gcs." [1]

In Ubuntu, we build arm64 with -mbranch-protection=standard by default.
However, the GCS story appears incomplete. Currently, arm64 builds are
seeing link warnings like this [2][3]:

cc  -o src/core/libsystemd-core-257.so  -Wl,--as-needed -Wl,--no-
undefined -shared -fPIC -Wl,-soname,libsystemd-core-257.so -Wl,--whole-
archive -Wl,--start-group src/core/libsystemd-core-257.a -Wl,--no-whole-
archive -fstack-protector -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-
objects -Wl,-z,relro -g -O2 -Werror=implicit-function-declaration -fno-
omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-
map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-
strong -fstack-clash-protection -Wformat -Werror=format-security
-mbranch-protection=standard -fdebug-prefix-
map=/<<PKGBUILDDIR>>=/usr/src/systemd-257.7-1ubuntu2 -Wdate-time
-D_FORTIFY_SOURCE=3 '-Wl,-rpath,$ORIGIN/../shared' -Wl,-rpath-
link,/<<PKGBUILDDIR>>/obj-aarch64-linux-gnu/src/shared
src/shared/libsystemd-shared-257.so -shared -Wl,--version-
script=/<<PKGBUILDDIR>>/src/shared/libshared.sym /usr/lib/aarch64-linux-
gnu/libacl.so /usr/lib/aarch64-linux-gnu/libaudit.so
/usr/lib/aarch64-linux-gnu/libblkid.so -ldl -lm /usr/lib/aarch64-linux-
gnu/libmount.so /usr/lib/aarch64-linux-gnu/libpam.so -lrt
/usr/lib/aarch64-linux-gnu/libseccomp.so /usr/lib/aarch64-linux-
gnu/libselinux.so -Wl,--end-group -pthread -Wl,--fatal-warnings
-Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections

src/shared/libsystemd-shared-257.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libacl.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libaudit.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libblkid.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/lib/aarch64-linux-gnu/libm.so.6: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/lib/aarch64-linux-gnu/libmvec.so.1: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libmount.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libpam.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libseccomp.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/usr/lib/aarch64-linux-gnu/libselinux.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/lib/aarch64-linux-gnu/libc.so.6: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
/lib/ld-linux-aarch64.so.1: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
collect2: error: ld returned 1 exit status

Note that the first warning is for libsystemd-shared-257.so (the library
actually being built here), but the remainder are for library
dependencies. This is fatal for systemd, because systemd builds with
-Wl,--fatal-warnings. For most packages, this linker warning is present
in arm64 builds, but not fatal.

Therefore, it seems that while GCS is enabled implicitly on arm64 via
-mbranch-protection=standard, the feature seems incomplete in Ubuntu
without (a) re-builds against GCC 15, and (b) potentially additional
build flags.

Regarding new build flags that may be required, I found that building
systemd with -W,-z,gcs=always silenced the warning for libsystemd-
shared-257.so. In the mean time, I silenced[4] the linker warnings in
systemd by building with -Wl,-z,gcs-report=none on arm64.

tl;dr - To me, it *appears* that for GCS to be fully utilized on Ubuntu,
we need:

(1) Add `-Wl,-z,gcs=always` to LDFLAGS on arm64; and
(2) Re-build everything basically

However, I don't know whether (a) we definitely want GCS enabled by
default on Ubuntu, or (b) if this is actually just a bug in binutils or
so.

[1] https://gcc.gnu.org/gcc-15/changes.html#aarch64
[2] https://launchpadlibrarian.net/808211460/buildlog_ubuntu-questing-arm64.systemd_257.7-1ubuntu2_BUILDING.txt.gz
[3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2119100
[4] https://launchpad.net/ubuntu/+source/systemd/257.7-1ubuntu3

** Affects: binutils (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: dpkg (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: gcc-defaults (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: rls-qq-incoming

** Also affects: binutils (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: gcc-defaults (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2119445

Title:
  arm64 shared libraries built without GCS property note

Status in binutils package in Ubuntu:
  New
Status in dpkg package in Ubuntu:
  New
Status in gcc-defaults package in Ubuntu:
  New

Bug description:
  Recently, GCC 15 became the default in Ubuntu. With GCC 15 on aarch64,
  "-mbranch-protection has been extended to support the Guarded Control
  Stack (GCS) extension. This support is included in -mbranch-
  protection=standard and can be enabled individually using -mbranch-
  protection=gcs." [1]

  In Ubuntu, we build arm64 with -mbranch-protection=standard by
  default. However, the GCS story appears incomplete. Currently, arm64
  builds are seeing link warnings like this [2][3]:

  cc  -o src/core/libsystemd-core-257.so  -Wl,--as-needed -Wl,--no-
  undefined -shared -fPIC -Wl,-soname,libsystemd-core-257.so -Wl,--
  whole-archive -Wl,--start-group src/core/libsystemd-core-257.a -Wl,--
  no-whole-archive -fstack-protector -Wl,-Bsymbolic-functions -flto=auto
  -ffat-lto-objects -Wl,-z,relro -g -O2 -Werror=implicit-function-
  declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer
  -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects
  -fstack-protector-strong -fstack-clash-protection -Wformat
  -Werror=format-security -mbranch-protection=standard -fdebug-prefix-
  map=/<<PKGBUILDDIR>>=/usr/src/systemd-257.7-1ubuntu2 -Wdate-time
  -D_FORTIFY_SOURCE=3 '-Wl,-rpath,$ORIGIN/../shared' -Wl,-rpath-
  link,/<<PKGBUILDDIR>>/obj-aarch64-linux-gnu/src/shared
  src/shared/libsystemd-shared-257.so -shared -Wl,--version-
  script=/<<PKGBUILDDIR>>/src/shared/libshared.sym
  /usr/lib/aarch64-linux-gnu/libacl.so /usr/lib/aarch64-linux-
  gnu/libaudit.so /usr/lib/aarch64-linux-gnu/libblkid.so -ldl -lm
  /usr/lib/aarch64-linux-gnu/libmount.so /usr/lib/aarch64-linux-
  gnu/libpam.so -lrt /usr/lib/aarch64-linux-gnu/libseccomp.so
  /usr/lib/aarch64-linux-gnu/libselinux.so -Wl,--end-group -pthread -Wl,
  --fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-
  sections

  src/shared/libsystemd-shared-257.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libacl.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libaudit.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libblkid.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/aarch64-linux-gnu/libm.so.6: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/aarch64-linux-gnu/libmvec.so.1: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libmount.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libpam.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libseccomp.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /usr/lib/aarch64-linux-gnu/libselinux.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/aarch64-linux-gnu/libc.so.6: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  /lib/ld-linux-aarch64.so.1: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
  collect2: error: ld returned 1 exit status

  Note that the first warning is for libsystemd-shared-257.so (the
  library actually being built here), but the remainder are for library
  dependencies. This is fatal for systemd, because systemd builds with
  -Wl,--fatal-warnings. For most packages, this linker warning is
  present in arm64 builds, but not fatal.

  Therefore, it seems that while GCS is enabled implicitly on arm64 via
  -mbranch-protection=standard, the feature seems incomplete in Ubuntu
  without (a) re-builds against GCC 15, and (b) potentially additional
  build flags.

  Regarding new build flags that may be required, I found that building
  systemd with -W,-z,gcs=always silenced the warning for libsystemd-
  shared-257.so. In the mean time, I silenced[4] the linker warnings in
  systemd by building with -Wl,-z,gcs-report=none on arm64.

  tl;dr - To me, it *appears* that for GCS to be fully utilized on
  Ubuntu, we need:

  (1) Add `-Wl,-z,gcs=always` to LDFLAGS on arm64; and
  (2) Re-build everything basically

  However, I don't know whether (a) we definitely want GCS enabled by
  default on Ubuntu, or (b) if this is actually just a bug in binutils
  or so.

  [1] https://gcc.gnu.org/gcc-15/changes.html#aarch64
  [2] https://launchpadlibrarian.net/808211460/buildlog_ubuntu-questing-arm64.systemd_257.7-1ubuntu2_BUILDING.txt.gz
  [3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2119100
  [4] https://launchpad.net/ubuntu/+source/systemd/257.7-1ubuntu3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/2119445/+subscriptions

More information about the foundations-bugs mailing list