Re: Issues with cgo and stack protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

So, I found out the stack-prot test was passing before simply because the static analysis was skipping it: 

```
Hardened: /usr/sbin/captree: skip: stack-prot test because GO is stack safe
```
However, it appears the new changes attempting to bring hardening to go builds has made the static analysis test check the binary and find issues. 

```
-%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 GO_BUILD_FLAGS="-buildmode=pie -ldflags='-B gobuildid'" all +%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'" all 
```

Regards,
Carlos R.F.

On 6/13/24 09:30, Carlos Rodriguez-Fernandez wrote:

Hi All,
The build of libcap in Rawhide is failing the static analysis because of the stack protection not enabled [1]. 

```
Hardened: /usr/sbin/captree: FAIL: stack-prot test because stack protection not enabled (lto:threadentry) Hardened: /usr/sbin/captree: FAIL: stack-prot test because stack protection not enabled (lto:fatalf) 
```

captree is a go application included in the libcap package. It uses cgo.
When you compile with cgo with the -x flag to show the commands being used, you see a lot of -fno-stack-protector, which is coming from the #cgo directive in the cgo files [2]. That's intentional, and has been there for some time. At least since 1.21.9, which is in Fedora 39, and where libcap didn't have those static analysis errors.
Has there been recent hardening efforts in Rawhide that can explain why this is happening now? 

Thank you!

1. https://bodhi.fedoraproject.org/updates/FEDORA-2024-7da5d4e363
2. https://cs.opensource.google/go/go/+/master:src/runtime/cgo/cgo.go;l=26

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux