Another change I found is in annocheck between Fedora 40 and 41. It goes from version 12.51 to 12.59. A diff upstream shows several changes related with Go.

I'm also unable to reproduce it locally. I build it for rawhide, and run the annocheck from rawhide on captree and I still get PASS.

For reading the annocheck hardened.c code, and looking at the logs, it looks like "go" was properly detected, but it should have skipped the stack protection for the "threadentry" and "fatalf" component names, and print the reason. It is like if skip_test which is called right before the stack protection check is missing a check for "STATE_SKIPPED", but I may be wrong.

Anyway, I'll be submitting a BUG for annobin-annocheck.

Regards,
Carlos R.F.


On 6/14/24 07:41, Carlos Rodriguez-Fernandez wrote:
So, I found out the stack-prot test was passing before simply because the static analysis was skipping it:

```
Hardened: /usr/sbin/captree: skip: stack-prot test because GO is stack safe
```

However, it appears the new changes attempting to bring hardening to go builds has made the static analysis test check the binary and find issues.

```
-%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 GO_BUILD_FLAGS="-buildmode=pie -ldflags='-B gobuildid'" all +%make_build prefix=%{_prefix} lib=%{_lib} SBINDIR=%{_sbindir} CGO_REQUIRED=1 CGO_CFLAGS="${CFLAGS}" CGO_LDFLAGS="${LDFLAGS}" GO_BUILD_FLAGS="-buildmode=pie -a -v -x -ldflags='-compressdwarf=false -B gobuildid'" all
```

Regards,
Carlos R.F.

On 6/13/24 09:30, Carlos Rodriguez-Fernandez wrote:
Hi All,

The build of libcap in Rawhide is failing the static analysis because of the stack protection not enabled [1].

```
Hardened: /usr/sbin/captree: FAIL: stack-prot test because stack protection not enabled (lto:threadentry) Hardened: /usr/sbin/captree: FAIL: stack-prot test because stack protection not enabled (lto:fatalf)
```

captree is a go application included in the libcap package. It uses cgo.


When you compile with cgo with the -x flag to show the commands being used, you see a lot of -fno-stack-protector, which is coming from the #cgo directive in the cgo files [2]. That's intentional, and has been there for some time. At least since 1.21.9, which is in Fedora 39, and where libcap didn't have those static analysis errors.

Has there been recent hardening efforts in Rawhide that can explain why this is happening now?

Thank you!

1. https://bodhi.fedoraproject.org/updates/FEDORA-2024-7da5d4e363
2. https://cs.opensource.google/go/go/+/master:src/runtime/cgo/cgo.go;l=26

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to