annocheck fail for libmozavcodec.so and libmozavutil.so with cf-protection
Categories
(Core :: Audio/Video: Playback, defect, P4)
People
(Reporter: jhorak, Unassigned)
Hardened: /usr/lib64/firefox/libmozavcodec.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: /usr/lib64/firefox/libmozavcodec.so: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/firefox/libmozavcodec.so: FAIL: property-note test because no .note.gnu.property section found
Hardened: /usr/lib64/firefox/libmozavcodec.so: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
Hardened: /usr/lib64/firefox/libmozavutil.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: /usr/lib64/firefox/libmozavutil.so: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/firefox/libmozavutil.so: FAIL: property-note test because no .note.gnu.property section found
Hardened: /usr/lib64/firefox/libmozavutil.so: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-property-note.html
It seems that some asm sources miss Intel's CET section.
Triaging, could use some help with if the numbers are appropriate. Daniel, could you help me assess this?
Reporter, was Firefox built with specific flags? My understanding is that Mozilla builds don't set these flags normally, so annocheck would be unhappy more broadly. If you are setting flags, could you please let me know which?
Comment 3 (Reporter) • 4 years ago
Hi, we build Firefox with the following compiler flags:
CFLAGS=-O2 -fexceptions -g -grecord-gcc-switches -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wformat-security -Wformat -Werror=format-security -fPIC -Wl,-z,relro -Wl,-z,now -DNSS_PKCS11_3_0_STRICT
CXXFLAGS=-O2 -fexceptions -g -grecord-gcc-switches -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wformat-security -Wformat -Werror=format-security -fPIC -Wl,-z,relro -Wl,-z,now -DNSS_PKCS11_3_0_STRICT
LDFLAGS=-Wl,--no-keep-memory -Wl,--reduce-memory-overheads
Linking command for libmozavcodec.so:
/usr/bin/gcc -std=gnu99 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -O2 -fexceptions -g -grecord-gcc-switches -pipe -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wformat-security -Wformat -Werror=format-security -fPIC -Wl,-z,relro -Wl,-z,now -DNSS_PKCS11_3_0_STRICT -fno-strict-aliasing -fPIC -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe -g -O2 -fomit-frame-pointer -funwind-tables -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wduplicated-cond -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=coverage-mismatch -Wno-error=free-nonheap-object -Wno-multistatement-macros -Wno-error=class-memaccess -Wno-error=deprecated-copy -Wno-error=unused-but-set-variable -Wformat -Wformat-overflow=2 -Werror=implicit-function-declaration -Wno-psabi -shared -Wl,-z,defs -Wl,--gc-sections -Wl,-h,libmozavcodec.so -o libmozavcodec.so /builddir/build/BUILD/firefox-91.4.0/objdir/media/ffvpx/libavcodec/libmozavcodec_so.list -lpthread -Wl,--no-keep-memory -Wl,--reduce-memory-overheads -Wl,-z,noexecstack -Wl,-z,text -Wl,-z,relro -Wl,-z,nocopyreloc -Wl,-Bsymbolic-functions -Wl,--build-id=sha1 -fstack-protector-strong -Wl,-rpath-link,/builddir/build/BUILD/firefox-91.4.0/objdir/dist/bin -Wl,-rpath-link,/usr/lib ../libavutil/libmozavutil.so -Wl,--version-script,libmozavcodec.so.symbols -lm
For example, the h264_intrapred.asm file is compiled in the following way:
/usr/bin/nasm -o h264_intrapred.o -f elf64 -D__x86_64__ -DPIC -DELF -Pconfig_unix64.asm -Pdefaults_disabled.asm -I/builddir/build/BUILD/firefox-91.4.0/media/ffvpx/ -I/builddir/build/BUILD/firefox-91.4.0/media/ffvpx/libavcodec/x86/ -I/builddir/build/BUILD/firefox-91.4.0/media/ffvpx/libavutil/x86/ /builddir/build/BUILD/firefox-91.4.0/media/ffvpx/libavcodec/x86/h264_intrapred.asm
If you need something more, please let me know.
Comment 4 • 4 years ago
non-standard build flags. More build config than anything else.
The particular example here (h264_intrapred.o) probably should get built by default. Might be worth looking at at some point.
Updated•2 years ago
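Why a few assembler objects can fail the whole library, as an added example (not code from this bug or from Mozilla): the linker combines GNU_PROPERTY_X86_FEATURE_1_AND by ANDing it across every input object, so a single object without a .note.gnu.property section clears IBT and SHSTK for the output. The object name c_code.o and the sample note bytes are constructed; h264_intrapred.o is the file named in comment 3.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
IBT, SHSTK = 0x1, 0x2  # the two CET bits behind annocheck's cf-protection test
CET = IBT | SHSTK

def align8(n):
    return (n + 7) & ~7  # ELF64 property notes and their entries are 8-byte aligned

def feature_1_and(note):
    """Return the X86_FEATURE_1_AND bits from raw .note.gnu.property bytes.
    None/empty means the object has no such section, which counts as no bits."""
    off = 0
    while note and off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz]
        desc_off = off + align8(12 + namesz)
        desc = note[desc_off:desc_off + descsz]
        if ntype == NT_GNU_PROPERTY_TYPE_0 and name == b"GNU\0":
            p = 0
            while p + 8 <= len(desc):
                pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and p + 12 <= len(desc):
                    return struct.unpack_from("<I", desc, p + 8)[0]
                p += 8 + align8(pr_datasz)
        off = desc_off + align8(descsz)
    return 0

def link_result(objects):
    """Model the linker's merge of an *_AND property: AND over every input object.
    Returns (CET features left in the output, inputs that cleared a bit)."""
    merged, blockers = CET, []
    for name, note in objects.items():
        bits = feature_1_and(note)
        if bits & CET != CET:
            blockers.append(name)
        merged &= bits
    names = [n for bit, n in ((IBT, "IBT"), (SHSTK, "SHSTK")) if merged & bit]
    return names, blockers

# Constructed sample: the 32-byte note a compiler emits with -fcf-protection,
# and a NASM-style object that carries no .note.gnu.property at all.
CET_NOTE = struct.pack("<III4sIIII", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                       GNU_PROPERTY_X86_FEATURE_1_AND, 4, CET, 0)
SAMPLE = {"c_code.o": CET_NOTE, "h264_intrapred.o": None}

if __name__ == "__main__":
    print(link_result(SAMPLE))
```

For a real object or shared library, `readelf -n` prints the same properties that `feature_1_and` decodes.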