RHEL / RHEL-43586

Define scope of work: annocheck failures with OCaml binaries

    • Type: Task
    • Resolution: Done
    • Priority: Minor
    • rhel-10.1
    • annobin
    • rhel-sst-pt-gcc
    • ssg_platform_tools

Below is a collection of annocheck failures found in OCaml binaries in RHEL 10. We should probably attempt to fix these, or maybe ignore them in annocheck if they are not essential.

From looking it seems as if there are three different sets of errors:

    • OCaml doesn't support CFI. I think it does support landing pads (the easy bit) but not stack hardening (because that's harder). We should implement this.
    • There are warnings about missing LTO. I don't understand if those are important or not. My understanding is that LTO is just an optimization, and therefore not an actual problem. OCaml has been doing LTO for its own code for many decades, but I guess that's not what annocheck is worried about.
    • A mysterious error "BTI_PLT flag is missing from the dynamic tags", whatever that means.

Actually there was one other build that showed a different set of failures, but I can't find it right now. If it turns up I'll add it to this bug.

If there are things we should fix, let's create subtasks of this ticket.

From https://artifacts.osci.redhat.com/testing-farm/8a1bdd4b-4a0b-4cbb-8350-09449030ff22/work-rpminspectmmtavykm/rpminspect/execute/data/guest/default-0/rpminspect-1/data/viewer.html#

      annocheck: Version 12.52.
      Hardened: /usr/bin/virt-v2v: PASS: pie test because the ELF file header has the correct type 
      Hardened: /usr/bin/virt-v2v: info: Command line options not recorded in DWARF DW_AT_producer variable.
      Hardened: /usr/bin/virt-v2v: info: ALSO written in C (source: DW_AT_language string).
      Hardened: /usr/bin/virt-v2v: PASS: pic test because option found in DW_AT_producer string 
      Hardened: /usr/bin/virt-v2v: PASS: stack-prot test because option found in DW_AT_producer string 
      Hardened: /usr/bin/virt-v2v: PASS: optimization test because option found in DW_AT_producer string 
      Hardened: /usr/bin/virt-v2v: PASS: lto test because detected in DW_AT_producer string 
      Hardened: /usr/bin/virt-v2v: PASS: writable-got test 
      Hardened: /usr/bin/virt-v2v: PASS: dynamic-segment test 
      Hardened: /usr/bin/virt-v2v: PASS: bind-now test 
      Hardened: /usr/bin/virt-v2v: PASS: entry test 
      Hardened: /usr/bin/virt-v2v: PASS: gnu-stack test because stack segment exists with the correct permissions 
      Hardened: /usr/bin/virt-v2v: PASS: gnu-relro test 
      Hardened: /usr/bin/virt-v2v: PASS: notes test because annobin notes found in the .annobin.notes section 
      Hardened: /usr/bin/virt-v2v: skip: lto test because function ../sysdeps/x86/abi-note.c is part of the C library which is deliberately built without LTO 
      Hardened: /usr/bin/virt-v2v: info: It is possible that the address range covers special case code for which the test should be skipped.
      Hardened: /usr/bin/virt-v2v: info: But this can only be checked if an address can be connected to a symbol.
      Hardened: /usr/bin/virt-v2v: info: Although the file does contain some symbol information, it does not appear to be enough.
      Hardened: /usr/bin/virt-v2v: PASS: implicit-values test because -Wimplicit-int and -Wimplicit-function-decalration enabled 
      Hardened: /usr/bin/virt-v2v: PASS: stack-clash test because compiled with -fstack-clash-protection 
      Hardened: /usr/bin/virt-v2v: skip: fortify test because function ../sysdeps/x86/abi-note.c is part of the C library, and as such it does not need fortification 
      Hardened: /usr/bin/virt-v2v: PASS: glibcxx-assertions test 
      Hardened: /usr/bin/virt-v2v: skip: fast test because function init.c is part of the C library's startup code, which executes before a security framework is established 
      Hardened: /usr/bin/virt-v2v: info: See previous info messages about symbols and address ranges.
      Hardened: /usr/bin/virt-v2v: PASS: warnings test 
      Hardened: /usr/bin/virt-v2v: PASS: fortify test because fortify note found 
      Hardened: /usr/bin/virt-v2v: MAYB: test: lto, reason: a region of code compiled without LTO was detected (gettextStubCompat_stubs.c)
      Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-lto.html
      Hardened: /usr/bin/virt-v2v: info: See previous info messages about symbols and address ranges.
      Hardened: /usr/bin/virt-v2v: skip: warnings test because LTO compilation discards preprocessor options 
      Hardened: /usr/bin/virt-v2v: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO 
      Hardened: /usr/bin/virt-v2v: skip: gaps test because string notes imply full coverage 
      Hardened: /usr/bin/virt-v2v: skip: branch-protection test because not an AArch64 binary 
      Hardened: /usr/bin/virt-v2v: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
      Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
      Hardened: /usr/bin/virt-v2v: skip: dynamic-tags test because AArch64 specific 
      Hardened: /usr/bin/virt-v2v: skip: fips test because not a GO binary 
      Hardened: /usr/bin/virt-v2v: skip: go-revision test because no GO compiled code found 
      Hardened: /usr/bin/virt-v2v: PASS: instrumentation test 
      Hardened: /usr/bin/virt-v2v: PASS: openssl-engine test 
      Hardened: /usr/bin/virt-v2v: PASS: production test 
      Hardened: /usr/bin/virt-v2v: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled 
      Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
      Hardened: /usr/bin/virt-v2v: PASS: run-path test 
      Hardened: /usr/bin/virt-v2v: PASS: rwx-seg test 
      Hardened: /usr/bin/virt-v2v: PASS: short-enums test 
      Hardened: /usr/bin/virt-v2v: skip: stack-realign test because not an i686 executable 
      Hardened: /usr/bin/virt-v2v: PASS: textrel test 
      Hardened: /usr/bin/virt-v2v: PASS: threads test 
      Hardened: /usr/bin/virt-v2v: PASS: unicode test 
      Hardened: /usr/bin/virt-v2v: Overall: FAIL.
      

From https://artifacts.osci.redhat.com/testing-farm/48d8eba7-8721-441d-b13b-f4c0a9fae8d7/

      annocheck: Version 12.52.
      Hardened: /usr/bin/supermin: PASS: pie test because the ELF file header has the correct type 
      Hardened: /usr/bin/supermin: info: Command line options not recorded in DWARF DW_AT_producer variable.
      Hardened: /usr/bin/supermin: info: ALSO written in C (source: DW_AT_language string).
      Hardened: /usr/bin/supermin: PASS: pic test because option found in DW_AT_producer string 
      Hardened: /usr/bin/supermin: PASS: stack-prot test because option found in DW_AT_producer string 
      Hardened: /usr/bin/supermin: PASS: optimization test because option found in DW_AT_producer string 
      Hardened: /usr/bin/supermin: PASS: branch-protection test because correct option found in DW_AT_producer string 
      Hardened: /usr/bin/supermin: PASS: lto test because detected in DW_AT_producer string 
      Hardened: /usr/bin/supermin: PASS: writable-got test 
      Hardened: /usr/bin/supermin: PASS: dynamic-segment test 
      Hardened: /usr/bin/supermin: PASS: bind-now test 
      Hardened: /usr/bin/supermin: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags 
      Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html
      Hardened: /usr/bin/supermin: PASS: gnu-stack test because stack segment exists with the correct permissions 
      Hardened: /usr/bin/supermin: PASS: gnu-relro test 
      Hardened: /usr/bin/supermin: PASS: notes test because annobin notes found in the .annobin.notes section 
      Hardened: /usr/bin/supermin: skip: lto test because function abi-note.c is part of the C library which is deliberately built without LTO 
      Hardened: /usr/bin/supermin: info: It is possible that the address range covers special case code for which the test should be skipped.
      Hardened: /usr/bin/supermin: info: But this can only be checked if an address can be connected to a symbol.
      Hardened: /usr/bin/supermin: info: Although the file does contain some symbol information, it does not appear to be enough.
      Hardened: /usr/bin/supermin: PASS: implicit-values test because -Wimplicit-int and -Wimplicit-function-decalration enabled 
      Hardened: /usr/bin/supermin: PASS: stack-clash test because compiled with -fstack-clash-protection 
      Hardened: /usr/bin/supermin: skip: fortify test because function abi-note.c is part of the C library, and as such it does not need fortification 
      Hardened: /usr/bin/supermin: PASS: glibcxx-assertions test 
      Hardened: /usr/bin/supermin: skip: fast test because function init.c is part of the C library's startup code, which executes before a security framework is established 
      Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges.
      Hardened: /usr/bin/supermin: PASS: warnings test 
      Hardened: /usr/bin/supermin: MAYB: test: lto, reason: a region of code compiled without LTO was detected (strstubs.c)
      Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-lto.html
      Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges.
      Hardened: /usr/bin/supermin: PASS: fortify test because fortify note found 
      Hardened: /usr/bin/supermin: skip: warnings test because LTO compilation discards preprocessor options 
      Hardened: /usr/bin/supermin: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO 
      Hardened: /usr/bin/supermin: skip: gaps test because string notes imply full coverage 
      Hardened: /usr/bin/supermin: skip: cf-protection test because not an x86_64 binary 
      Hardened: /usr/bin/supermin: PASS: entry test 
      Hardened: /usr/bin/supermin: skip: fips test because not a GO binary 
      Hardened: /usr/bin/supermin: skip: go-revision test because no GO compiled code found 
      Hardened: /usr/bin/supermin: PASS: instrumentation test 
      Hardened: /usr/bin/supermin: PASS: openssl-engine test 
      Hardened: /usr/bin/supermin: PASS: production test 
      Hardened: /usr/bin/supermin: FAIL: property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support) 
      Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
      Hardened: /usr/bin/supermin: PASS: run-path test 
      Hardened: /usr/bin/supermin: PASS: rwx-seg test 
      Hardened: /usr/bin/supermin: PASS: short-enums test 
      Hardened: /usr/bin/supermin: skip: stack-realign test because not an i686 executable 
      Hardened: /usr/bin/supermin: PASS: textrel test 
      Hardened: /usr/bin/supermin: PASS: threads test 
      Hardened: /usr/bin/supermin: PASS: unicode test 
      Hardened: /usr/bin/supermin: Overall: FAIL.
      
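As an added example (not part of the ticket, and not annocheck or rpminspect code), a small Python triage script that parses annocheck reports like the two quoted above and groups each binary's FAIL and MAYB results into the three error families the description lists; the bucket labels and the regexes are my own assumptions about the output format shown here.

```python
"""Triage annocheck output per binary (added example, not annocheck/rpminspect code)."""
import re
from collections import defaultdict
# One line per result or info message: "Hardened: <path>: <STATUS>: <rest>"
_RESULT = re.compile(r"^Hardened: (?P<path>\S+): (?P<status>PASS|FAIL|skip|info|MAYB): (?P<rest>.*)$")
# PASS/FAIL/skip lines read "<test> test ..."; MAYB lines read "test: <name>, reason: <why>"
_TEST = re.compile(r"^(?P<test>[\w-]+) test\b")
_MAYB = re.compile(r"^test: (?P<test>[\w-]+), reason: (?P<reason>.*)$")
_OVERALL = re.compile(r"^Hardened: (?P<path>\S+): Overall: (?P<status>\w+)\.$")
# Grouping follows the three error families listed in the ticket (labels assumed).
BUCKETS = {"cf-protection": "control-flow hardening", "property-note": "control-flow hardening",
           "branch-protection": "control-flow hardening", "lto": "LTO",
           "dynamic-tags": "dynamic tags (BTI_PLT)"}

def parse_annocheck(text):
    """Return {path: {"overall": str|None, "fail": {test: reason}, "mayb": {test: reason}}}."""
    results = defaultdict(lambda: {"overall": None, "fail": {}, "mayb": {}})
    for line in map(str.strip, text.splitlines()):
        m = _OVERALL.match(line)
        if m:
            results[m["path"]]["overall"] = m["status"]
            continue
        m = _RESULT.match(line)
        if not m:
            continue  # version banner, blank lines, anything that is not a result line
        rest = m["rest"]
        if m["status"] == "FAIL" and (t := _TEST.match(rest)):
            results[m["path"]]["fail"][t["test"]] = rest[t.end():].strip()
        elif m["status"] == "MAYB" and (t := _MAYB.match(rest)):
            results[m["path"]]["mayb"][t["test"]] = t["reason"]
    return dict(results)

def summarise(results):
    """Flatten to (path, bucket, test, status) rows, FAIL before MAYB, for per-family triage."""
    rows = []
    for path, r in sorted(results.items()):
        for status in ("fail", "mayb"):
            for test in sorted(r[status]):
                rows.append((path, BUCKETS.get(test, "other"), test, status.upper()))
    return rows

# Constructed sample: lines copied from the two reports quoted in the ticket.
SAMPLE = """\
Hardened: /usr/bin/virt-v2v: MAYB: test: lto, reason: a region of code compiled without LTO was detected (gettextStubCompat_stubs.c)
Hardened: /usr/bin/virt-v2v: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
Hardened: /usr/bin/virt-v2v: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled
Hardened: /usr/bin/virt-v2v: Overall: FAIL.
Hardened: /usr/bin/supermin: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags
Hardened: /usr/bin/supermin: Overall: FAIL.
"""
```

Feeding it the full rpminspect viewer output gives one row per FAIL/MAYB, so the control-flow, LTO and dynamic-tag findings can be split into the subtasks the description proposes.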

Nick Clifton (nickc@redhat.com)
Richard Jones (rhn-eng-rjones)