security-check: test for _FORTIFY_SOURCE usage in release binaries
#27038
base: master
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Code Coverage: For detailed information about the code coverage, see the test coverage report.
Reviews: See the guideline for information on the review process. If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
Conflicts: Reviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
f4de92e to 0ed3654
Rebased on #27118
ff4a73a depends: use FORTIFY_SOURCE=3 with libevent (fanquake) Pull request description: Use `FORTIFY_SOURCE=3` when building libevent in depends. I've upstreamed a change to switch libevent from using =2 to =3 as well: libevent/libevent#1418. Solves half of #27038, by giving us some fortified funcs in `bitcoin-cli`. ACKs for top commit: TheCharlatan: ACK ff4a73a Tree-SHA512: eaf692ec92b288f0cb524c011fc81529f58efa4c43d418a7b3ae7108eba2bccba708a81a28ac6d063267be80ca615637c6e3fccc02497d7367af2eaae0e8d812
0ed3654 to 4fea80e
Rebased post #27118.
4fea80e to 0ff65e0
0ff65e0 to 4f4ba44
4f4ba44 to 2d0324f
2d0324f to 80e1df5
Concept ACK.
Does it make sense to provide a list of expected symbols for every binary being tested? It would be an empty one for
I don't think so, and that would likely require constant maintenance (plus guix builds to be run on every code change).
80e1df5 to 829f19e
829f19e to 0295a78
Concept ACK
chk_funcs = set() | ||
|
||
for sym in binary.symbols: | ||
match = re.search(r'__[a-z]*_chk', sym.name) |
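Review bot: the unanchored `re.search(r'__[a-z]*_chk', sym.name)` also matches the stack-protector import `__stack_chk_fail` (as `__stack_chk`), so a binary with a stack protector but no fortified calls could still populate `chk_funcs`. Unless a later line discards that case, match the whole name (for example with `re.fullmatch`) or remove `__stack_chk` from the set before testing it. Note also that `[a-z]*` cannot span a second underscore, so a name such as `__explicit_bzero_chk` is never matched.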
Might want to check .imported to make sure it's an imported symbol, just to be sure.
I'd be okay with skipping the check for
Test for the existence of fortified functions in the ELF release binaries. Related to #27027.
Can't be done yet because we don't end up with any fortified funcs in bitcoin-util.
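As an added illustration (not code from this pull request), the check described above can be sketched over `nm -D` style text rather than a parsed ELF object. The symbol listings are constructed samples, and `fortified_imports` and `naive_matches` are hypothetical helper names.

```python
import re

# Fortified glibc entry points are named like __memcpy_chk or __vsnprintf_chk.
# Matching the whole name keeps __stack_chk_fail (stack protector) out.
CHK_RE = re.compile(r'__([a-z0-9_]+)_chk')

def fortified_imports(nm_output: str) -> set:
    """Return imported (undefined) fortified functions from `nm -D` style text."""
    found = set()
    for line in nm_output.splitlines():
        fields = line.split()
        # Undefined symbols have no address column: "<type> <name[@VERSION]>".
        if len(fields) != 2 or fields[0] not in ('U', 'w'):
            continue
        name = fields[1].split('@', 1)[0]  # drop the symbol version suffix
        if CHK_RE.fullmatch(name):
            found.add(name)
    return found

def naive_matches(nm_output: str) -> set:
    """Unanchored search with the pattern from the reviewed snippet, for comparison."""
    return {m.group(0) for m in re.finditer(r'__[a-z]*_chk', nm_output)}

# Constructed sample: a binary built with fortification and a stack protector.
SAMPLE_FORTIFIED = """\
                 U __memcpy_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U __vsnprintf_chk@GLIBC_2.3.4
                 U memcpy@GLIBC_2.14
                 w __gmon_start__
0000000000004010 T __local_chk
"""

# Constructed sample: stack protector only, no fortified calls.
SAMPLE_PLAIN = """\
                 U __stack_chk_fail@GLIBC_2.4
                 U memcpy@GLIBC_2.14
"""

if __name__ == '__main__':
    for label, text in (('fortified', SAMPLE_FORTIFIED), ('plain', SAMPLE_PLAIN)):
        syms = fortified_imports(text)
        print(label, 'PASS' if syms else 'FAIL', sorted(syms))
```
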