- Task
- Resolution: Done
- Minor
Below is a collection of annocheck failures found in OCaml binaries in RHEL 10. We should probably attempt to fix these, or maybe ignore them in annocheck if they are not essential.
From looking it seems as if there are three different sets of errors:
- OCaml doesn't support CFI. I think it does support landing pads (the easy bit) but not stack hardening (because that's harder). We should implement this.
- There are warnings about missing LTO. I don't understand if those are important or not. My understanding is that LTO is just an optimization, and therefore not an actual problem. OCaml has been doing LTO for its own code for many decades, but I guess that's not what annocheck is worried about.
- A mysterious error "BTI_PLT flag is missing from the dynamic tags", whatever that means.
Actually there was one other build that showed a different set of failures, but I can't find it right now. If it turns up I'll add it to this bug.
If there are things we should fix, let's create subtasks of this ticket.
annocheck: Version 12.52.
Hardened: /usr/bin/virt-v2v: PASS: pie test because the ELF file header has the correct type
Hardened: /usr/bin/virt-v2v: info: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/bin/virt-v2v: info: ALSO written in C (source: DW_AT_language string).
Hardened: /usr/bin/virt-v2v: PASS: pic test because option found in DW_AT_producer string
Hardened: /usr/bin/virt-v2v: PASS: stack-prot test because option found in DW_AT_producer string
Hardened: /usr/bin/virt-v2v: PASS: optimization test because option found in DW_AT_producer string
Hardened: /usr/bin/virt-v2v: PASS: lto test because detected in DW_AT_producer string
Hardened: /usr/bin/virt-v2v: PASS: writable-got test
Hardened: /usr/bin/virt-v2v: PASS: dynamic-segment test
Hardened: /usr/bin/virt-v2v: PASS: bind-now test
Hardened: /usr/bin/virt-v2v: PASS: entry test
Hardened: /usr/bin/virt-v2v: PASS: gnu-stack test because stack segment exists with the correct permissions
Hardened: /usr/bin/virt-v2v: PASS: gnu-relro test
Hardened: /usr/bin/virt-v2v: PASS: notes test because annobin notes found in the .annobin.notes section
Hardened: /usr/bin/virt-v2v: skip: lto test because function ../sysdeps/x86/abi-note.c is part of the C library which is deliberately built without LTO
Hardened: /usr/bin/virt-v2v: info: It is possible that the address range covers special case code for which the test should be skipped.
Hardened: /usr/bin/virt-v2v: info: But this can only be checked if an address can be connected to a symbol.
Hardened: /usr/bin/virt-v2v: info: Although the file does contain some symbol information, it does not appear to be enough.
Hardened: /usr/bin/virt-v2v: PASS: implicit-values test because -Wimplicit-int and -Wimplicit-function-decalration enabled
Hardened: /usr/bin/virt-v2v: PASS: stack-clash test because compiled with -fstack-clash-protection
Hardened: /usr/bin/virt-v2v: skip: fortify test because function ../sysdeps/x86/abi-note.c is part of the C library, and as such it does not need fortification
Hardened: /usr/bin/virt-v2v: PASS: glibcxx-assertions test
Hardened: /usr/bin/virt-v2v: skip: fast test because function init.c is part of the C library's startup code, which executes before a security framework is established
Hardened: /usr/bin/virt-v2v: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/virt-v2v: PASS: warnings test
Hardened: /usr/bin/virt-v2v: PASS: fortify test because fortify note found
Hardened: /usr/bin/virt-v2v: MAYB: test: lto, reason: a region of code compiled without LTO was detected (gettextStubCompat_stubs.c)
Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-lto.html
Hardened: /usr/bin/virt-v2v: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/virt-v2v: skip: warnings test because LTO compilation discards preprocessor options
Hardened: /usr/bin/virt-v2v: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO
Hardened: /usr/bin/virt-v2v: skip: gaps test because string notes imply full coverage
Hardened: /usr/bin/virt-v2v: skip: branch-protection test because not an AArch64 binary
Hardened: /usr/bin/virt-v2v: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/bin/virt-v2v: skip: dynamic-tags test because AArch64 specific
Hardened: /usr/bin/virt-v2v: skip: fips test because not a GO binary
Hardened: /usr/bin/virt-v2v: skip: go-revision test because no GO compiled code found
Hardened: /usr/bin/virt-v2v: PASS: instrumentation test
Hardened: /usr/bin/virt-v2v: PASS: openssl-engine test
Hardened: /usr/bin/virt-v2v: PASS: production test
Hardened: /usr/bin/virt-v2v: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled
Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
Hardened: /usr/bin/virt-v2v: PASS: run-path test
Hardened: /usr/bin/virt-v2v: PASS: rwx-seg test
Hardened: /usr/bin/virt-v2v: PASS: short-enums test
Hardened: /usr/bin/virt-v2v: skip: stack-realign test because not an i686 executable
Hardened: /usr/bin/virt-v2v: PASS: textrel test
Hardened: /usr/bin/virt-v2v: PASS: threads test
Hardened: /usr/bin/virt-v2v: PASS: unicode test
Hardened: /usr/bin/virt-v2v: Overall: FAIL.
From https://artifacts.osci.redhat.com/testing-farm/48d8eba7-8721-441d-b13b-f4c0a9fae8d7/
annocheck: Version 12.52.
Hardened: /usr/bin/supermin: PASS: pie test because the ELF file header has the correct type
Hardened: /usr/bin/supermin: info: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/bin/supermin: info: ALSO written in C (source: DW_AT_language string).
Hardened: /usr/bin/supermin: PASS: pic test because option found in DW_AT_producer string
Hardened: /usr/bin/supermin: PASS: stack-prot test because option found in DW_AT_producer string
Hardened: /usr/bin/supermin: PASS: optimization test because option found in DW_AT_producer string
Hardened: /usr/bin/supermin: PASS: branch-protection test because correct option found in DW_AT_producer string
Hardened: /usr/bin/supermin: PASS: lto test because detected in DW_AT_producer string
Hardened: /usr/bin/supermin: PASS: writable-got test
Hardened: /usr/bin/supermin: PASS: dynamic-segment test
Hardened: /usr/bin/supermin: PASS: bind-now test
Hardened: /usr/bin/supermin: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags
Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html
Hardened: /usr/bin/supermin: PASS: gnu-stack test because stack segment exists with the correct permissions
Hardened: /usr/bin/supermin: PASS: gnu-relro test
Hardened: /usr/bin/supermin: PASS: notes test because annobin notes found in the .annobin.notes section
Hardened: /usr/bin/supermin: skip: lto test because function abi-note.c is part of the C library which is deliberately built without LTO
Hardened: /usr/bin/supermin: info: It is possible that the address range covers special case code for which the test should be skipped.
Hardened: /usr/bin/supermin: info: But this can only be checked if an address can be connected to a symbol.
Hardened: /usr/bin/supermin: info: Although the file does contain some symbol information, it does not appear to be enough.
Hardened: /usr/bin/supermin: PASS: implicit-values test because -Wimplicit-int and -Wimplicit-function-decalration enabled
Hardened: /usr/bin/supermin: PASS: stack-clash test because compiled with -fstack-clash-protection
Hardened: /usr/bin/supermin: skip: fortify test because function abi-note.c is part of the C library, and as such it does not need fortification
Hardened: /usr/bin/supermin: PASS: glibcxx-assertions test
Hardened: /usr/bin/supermin: skip: fast test because function init.c is part of the C library's startup code, which executes before a security framework is established
Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/supermin: PASS: warnings test
Hardened: /usr/bin/supermin: MAYB: test: lto, reason: a region of code compiled without LTO was detected (strstubs.c)
Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-lto.html
Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/supermin: PASS: fortify test because fortify note found
Hardened: /usr/bin/supermin: skip: warnings test because LTO compilation discards preprocessor options
Hardened: /usr/bin/supermin: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO
Hardened: /usr/bin/supermin: skip: gaps test because string notes imply full coverage
Hardened: /usr/bin/supermin: skip: cf-protection test because not an x86_64 binary
Hardened: /usr/bin/supermin: PASS: entry test
Hardened: /usr/bin/supermin: skip: fips test because not a GO binary
Hardened: /usr/bin/supermin: skip: go-revision test because no GO compiled code found
Hardened: /usr/bin/supermin: PASS: instrumentation test
Hardened: /usr/bin/supermin: PASS: openssl-engine test
Hardened: /usr/bin/supermin: PASS: production test
Hardened: /usr/bin/supermin: FAIL: property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support)
Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
Hardened: /usr/bin/supermin: PASS: run-path test
Hardened: /usr/bin/supermin: PASS: rwx-seg test
Hardened: /usr/bin/supermin: PASS: short-enums test
Hardened: /usr/bin/supermin: skip: stack-realign test because not an i686 executable
Hardened: /usr/bin/supermin: PASS: textrel test
Hardened: /usr/bin/supermin: PASS: threads test
Hardened: /usr/bin/supermin: PASS: unicode test
Hardened: /usr/bin/supermin: Overall: FAIL.
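To triage reports like the two above when they arrive run together on a single line, here is an added Python parser (my own code, not part of annocheck or of this ticket) that splits the "Hardened:" messages into records, keeps the FAIL/MAYB findings together with the documentation URL annocheck prints right after each, and reads the per-file Overall verdict; the sample input is constructed from messages quoted in this ticket.

```python
import re
# Constructed sample: annocheck 12.52 messages quoted in this ticket, run together on one line as extracted.
SAMPLE = (
    "annocheck: Version 12.52. "
    "Hardened: /usr/bin/supermin: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags "
    "Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html "
    "Hardened: /usr/bin/supermin: MAYB: test: lto, reason: a region of code compiled without LTO was detected (strstubs.c) "
    "Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges. "
    "Hardened: /usr/bin/supermin: FAIL: property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support) "
    "Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html "
    "Hardened: /usr/bin/supermin: Overall: FAIL."
)

RECORD_RE = re.compile(r"^(?P<path>\S+): (?P<status>PASS|FAIL|MAYB|skip|info|Overall): (?P<msg>.*)$")
TEST_RE = re.compile(r"^(?P<name>[\w-]+) test(?: because (?P<reason>.*))?$")  # PASS/FAIL/skip wording
MAYB_RE = re.compile(r"^test: (?P<name>[\w-]+), reason: (?P<reason>.*)$")     # MAYB wording
URL_RE = re.compile(r"For more information visit: (\S+)")

def parse(report):
    """Split a run-together report into one dict per 'Hardened:' message."""
    records = []
    for chunk in re.split(r"\s*Hardened: ", report.strip()):
        m = RECORD_RE.match(chunk.strip())
        if not m:  # the 'annocheck: Version ...' banner, or debris
            continue
        rec = {"path": m["path"], "status": m["status"], "test": None,
               "reason": m["msg"], "url": None}
        t = TEST_RE.match(m["msg"]) or MAYB_RE.match(m["msg"])
        if t:
            rec["test"], rec["reason"] = t["name"], t["reason"] or ""
        records.append(rec)
    return records

def findings(report):
    """Keep FAIL/MAYB results, attaching the doc URL annocheck prints right after each."""
    out, pending = [], None
    for rec in parse(report):
        if rec["status"] in ("FAIL", "MAYB"):
            out.append(rec)
            pending = rec
        elif rec["status"] == "info" and pending is not None:
            u = URL_RE.search(rec["reason"])
            if u:
                pending["url"], pending = u.group(1), None
        else:
            pending = None
    return out

def overall(report):  # per-file 'Overall:' verdict, e.g. {'/usr/bin/supermin': 'FAIL'}
    return {r["path"]: r["reason"].rstrip(".") for r in parse(report) if r["status"] == "Overall"}
```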
- is triggering
  - RHEL-43598 Add CFI protection to OCaml binaries (New)
  - RHEL-43754 The AArch64 version of supermin should be built with BTI protection enabled (New)
  - RHEL-43753 Enable LTO optimization when building libvirt (Closed)