Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-43586

Define scope of work: annocheck failures with OCaml binaries

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Minor Minor
    • rhel-10.1
    • None
    • annobin
    • None
    • rhel-sst-pt-gcc
    • ssg_platform_tools
    • 13
    • False
    • Hide

      None

      Show
      None

      Below are a collection of annocheck failures found in OCaml binaries in RHEL 10. We should probably attempt to fix these, or maybe ignore them in annocheck if they are not essential.

      From looking it seems as if there are three different sets of errors:

      • OCaml doesn't support CFI. I think it does support landing pads (the easy bit) but not stack hardening (because that's harder). We should implement this.
      • There are warnings about missing LTO. I don't understand if those are important or not. My understanding is that LTO is just an optimization, and therefore not an actual problem. OCaml has been doing LTO for its own code for many decades, but I guess that's not what annocheck is worried about.
      • A mysterious error "BTI_PLT flag is missing from the dynamic tags", whatever that means.

      Actually there was one other build that showed a different set of failures, but I can't find it right now. If it turns up I'll add it to this bug.

      If there are things we should fix, let's create subtasks of this ticket.

      From https://artifacts.osci.redhat.com/testing-farm/8a1bdd4b-4a0b-4cbb-8350-09449030ff22/work-rpminspectmmtavykm/rpminspect/execute/data/guest/default-0/rpminspect-1/data/viewer.html#

      annocheck: Version 12.52.
Hardened: /usr/bin/virt-v2v: PASS: pie test because the ELF file header has the correct type 
Hardened: /usr/bin/virt-v2v: info: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/bin/virt-v2v: info: ALSO written in C (source: DW_AT_language string).
Hardened: /usr/bin/virt-v2v: PASS: pic test because option found in DW_AT_producer string 
Hardened: /usr/bin/virt-v2v: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/bin/virt-v2v: PASS: optimization test because option found in DW_AT_producer string 
Hardened: /usr/bin/virt-v2v: PASS: lto test because detected in DW_AT_producer string 
Hardened: /usr/bin/virt-v2v: PASS: writable-got test 
Hardened: /usr/bin/virt-v2v: PASS: dynamic-segment test 
Hardened: /usr/bin/virt-v2v: PASS: bind-now test 
Hardened: /usr/bin/virt-v2v: PASS: entry test 
Hardened: /usr/bin/virt-v2v: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/bin/virt-v2v: PASS: gnu-relro test 
Hardened: /usr/bin/virt-v2v: PASS: notes test because annobin notes found in the .annobin.notes section 
Hardened: /usr/bin/virt-v2v: skip: lto test because function ../sysdeps/x86/abi-note.c is part of the C library which is deliberately built without LTO 
Hardened: /usr/bin/virt-v2v: info: It is possible that the address range covers special case code for which the test should be skipped.
Hardened: /usr/bin/virt-v2v: info: But this can only be checked if an address can be connected to a symbol.
Hardened: /usr/bin/virt-v2v: info: Although the file does contain some symbol information, it does not appear to be enough.
Hardened: /usr/bin/virt-v2v: PASS: implicit-values test because -Wimplicit-int and -Wimplicit-function-decalration enabled 
Hardened: /usr/bin/virt-v2v: PASS: stack-clash test because compiled with -fstack-clash-protection 
Hardened: /usr/bin/virt-v2v: skip: fortify test because function ../sysdeps/x86/abi-note.c is part of the C library, and as such it does not need fortification 
Hardened: /usr/bin/virt-v2v: PASS: glibcxx-assertions test 
Hardened: /usr/bin/virt-v2v: skip: fast test because function init.c is part of the C library's startup code, which executes before a security framework is established 
Hardened: /usr/bin/virt-v2v: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/virt-v2v: PASS: warnings test 
Hardened: /usr/bin/virt-v2v: PASS: fortify test because fortify note found 
Hardened: /usr/bin/virt-v2v: MAYB: test: lto, reason: a region of code compiled without LTO was detected (gettextStubCompat_stubs.c)
Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-lto.html
Hardened: /usr/bin/virt-v2v: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/virt-v2v: skip: warnings test because LTO compilation discards preprocessor options 
Hardened: /usr/bin/virt-v2v: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO 
Hardened: /usr/bin/virt-v2v: skip: gaps test because string notes imply full coverage 
Hardened: /usr/bin/virt-v2v: skip: branch-protection test because not an AArch64 binary 
Hardened: /usr/bin/virt-v2v: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/bin/virt-v2v: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/bin/virt-v2v: skip: fips test because not a GO binary 
Hardened: /usr/bin/virt-v2v: skip: go-revision test because no GO compiled code found 
Hardened: /usr/bin/virt-v2v: PASS: instrumentation test 
Hardened: /usr/bin/virt-v2v: PASS: openssl-engine test 
Hardened: /usr/bin/virt-v2v: PASS: production test 
Hardened: /usr/bin/virt-v2v: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled 
Hardened: /usr/bin/virt-v2v: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
Hardened: /usr/bin/virt-v2v: PASS: run-path test 
Hardened: /usr/bin/virt-v2v: PASS: rwx-seg test 
Hardened: /usr/bin/virt-v2v: PASS: short-enums test 
Hardened: /usr/bin/virt-v2v: skip: stack-realign test because not an i686 executable 
Hardened: /usr/bin/virt-v2v: PASS: textrel test 
Hardened: /usr/bin/virt-v2v: PASS: threads test 
Hardened: /usr/bin/virt-v2v: PASS: unicode test 
Hardened: /usr/bin/virt-v2v: Overall: FAIL.

      From https://artifacts.osci.redhat.com/testing-farm/48d8eba7-8721-441d-b13b-f4c0a9fae8d7/

      annocheck: Version 12.52.
Hardened: /usr/bin/supermin: PASS: pie test because the ELF file header has the correct type 
Hardened: /usr/bin/supermin: info: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/bin/supermin: info: ALSO written in C (source: DW_AT_language string).
Hardened: /usr/bin/supermin: PASS: pic test because option found in DW_AT_producer string 
Hardened: /usr/bin/supermin: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/bin/supermin: PASS: optimization test because option found in DW_AT_producer string 
Hardened: /usr/bin/supermin: PASS: branch-protection test because correct option found in DW_AT_producer string 
Hardened: /usr/bin/supermin: PASS: lto test because detected in DW_AT_producer string 
Hardened: /usr/bin/supermin: PASS: writable-got test 
Hardened: /usr/bin/supermin: PASS: dynamic-segment test 
Hardened: /usr/bin/supermin: PASS: bind-now test 
Hardened: /usr/bin/supermin: FAIL: dynamic-tags test because the BTI_PLT flag is missing from the dynamic tags 
Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html
Hardened: /usr/bin/supermin: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/bin/supermin: PASS: gnu-relro test 
Hardened: /usr/bin/supermin: PASS: notes test because annobin notes found in the .annobin.notes section 
Hardened: /usr/bin/supermin: skip: lto test because function abi-note.c is part of the C library which is deliberately built without LTO 
Hardened: /usr/bin/supermin: info: It is possible that the address range covers special case code for which the test should be skipped.
Hardened: /usr/bin/supermin: info: But this can only be checked if an address can be connected to a symbol.
Hardened: /usr/bin/supermin: info: Although the file does contain some symbol information, it does not appear to be enough.
Hardened: /usr/bin/supermin: PASS: implicit-values test because -Wimplicit-int and -Wimplicit-function-decalration enabled 
Hardened: /usr/bin/supermin: PASS: stack-clash test because compiled with -fstack-clash-protection 
Hardened: /usr/bin/supermin: skip: fortify test because function abi-note.c is part of the C library, and as such it does not need fortification 
Hardened: /usr/bin/supermin: PASS: glibcxx-assertions test 
Hardened: /usr/bin/supermin: skip: fast test because function init.c is part of the C library's startup code, which executes before a security framework is established 
Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/supermin: PASS: warnings test 
Hardened: /usr/bin/supermin: MAYB: test: lto, reason: a region of code compiled without LTO was detected (strstubs.c)
Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-lto.html
Hardened: /usr/bin/supermin: info: See previous info messages about symbols and address ranges.
Hardened: /usr/bin/supermin: PASS: fortify test because fortify note found 
Hardened: /usr/bin/supermin: skip: warnings test because LTO compilation discards preprocessor options 
Hardened: /usr/bin/supermin: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO 
Hardened: /usr/bin/supermin: skip: gaps test because string notes imply full coverage 
Hardened: /usr/bin/supermin: skip: cf-protection test because not an x86_64 binary 
Hardened: /usr/bin/supermin: PASS: entry test 
Hardened: /usr/bin/supermin: skip: fips test because not a GO binary 
Hardened: /usr/bin/supermin: skip: go-revision test because no GO compiled code found 
Hardened: /usr/bin/supermin: PASS: instrumentation test 
Hardened: /usr/bin/supermin: PASS: openssl-engine test 
Hardened: /usr/bin/supermin: PASS: production test 
Hardened: /usr/bin/supermin: FAIL: property-note test because properly formatted .note.gnu.property not found (it is needed for branch protection support) 
Hardened: /usr/bin/supermin: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
Hardened: /usr/bin/supermin: PASS: run-path test 
Hardened: /usr/bin/supermin: PASS: rwx-seg test 
Hardened: /usr/bin/supermin: PASS: short-enums test 
Hardened: /usr/bin/supermin: skip: stack-realign test because not an i686 executable 
Hardened: /usr/bin/supermin: PASS: textrel test 
Hardened: /usr/bin/supermin: PASS: threads test 
Hardened: /usr/bin/supermin: PASS: unicode test 
Hardened: /usr/bin/supermin: Overall: FAIL.

              nickc@redhat.com Nick Clifton
              rhn-eng-rjones Richard Jones
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: