Updating my AUR package ddnet using clean chroot, namcap is now reporting:
```
$ namcap ddnet-18.0.1-1-x86_64.pkg.tar.zst
ddnet W: ELF file ('usr/bin/DDNet') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
ddnet W: ELF file ('usr/bin/DDNet-Server') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
...
```
Searching the web for "GNU_PROPERTY_X86_FEATURE_1_SHSTK", I found this mailing list thread that provides some nice info on this "Shadow Stack" flag.
However, I'm still confused about what action I should take. Passing -z,itb,-z,shstk to LDFLAGS adds these flags to the resulting ELF file, but I don't know whether I (as package maintainer) should add it, whether the upstream should add it, or if I should leave it as is.
Can anyone help on this issue?
I would suggest the following to try and determine what is lacking the symbols.
```
LDFLAGS+=' -Wl,-z,cet-report=error'
```
It can be caused by, for example, -fcf-protection not being passed to the compiler, use of assembler without annotations, or statically linking to a library which has not been built with support. It is not an issue at the moment, as support for shadow stack in userspace has not yet been added to glibc. That will come in glibc 2.39, and then you will still need a CPU that supports it, the executable and all its libraries to support it, and to opt into support with export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK.
Last edited by loqs (2024-01-24 14:33:31)
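To see what the linker actually recorded in a finished binary, the property that the namcap warning refers to can be read directly from the file. The script below is an added example, not code from namcap or from anyone in this thread; its function names and the constructed sample image are assumptions, and it expects a little-endian ELF64 file that has a PT_GNU_PROPERTY program header.

```python
import struct
import sys

PT_GNU_PROPERTY = 0x6474E553                 # constants per the x86-64 psABI
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002  # ld ANDs this over every input object
IBT, SHSTK = 0x1, 0x2

def parse_gnu_property_note(note):
    """Decode a raw .note.gnu.property blob (ELF64: 8-byte aligned entries)."""
    flags, off = 0, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        desc_off = off + ((12 + namesz + 7) & ~7)
        desc = note[desc_off:desc_off + descsz]
        if ntype == NT_GNU_PROPERTY_TYPE_0 and note[off + 12:off + 12 + namesz] == b"GNU\0":
            p = 0
            while p + 8 <= len(desc):  # walk the (pr_type, pr_datasz, data) array
                pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    flags |= struct.unpack_from("<I", desc, p + 8)[0]
                p += 8 + ((pr_datasz + 7) & ~7)
        off = desc_off + ((descsz + 7) & ~7)
    return {"IBT": bool(flags & IBT), "SHSTK": bool(flags & SHSTK)}

def cet_flags(elf):
    """Locate PT_GNU_PROPERTY in a little-endian ELF64 image and decode it."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return parse_gnu_property_note(elf[p_offset:p_offset + p_filesz])
    return {"IBT": False, "SHSTK": False}  # no property note at all

def make_sample_elf(feature_bits):
    """Constructed sample: ELF64 header + one PT_GNU_PROPERTY phdr + its note."""
    prop = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits)
    note = struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop
    ehdr = b"\x7fELF\x02\x01\x01".ljust(16, b"\0") + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, 120, 0, 0, len(note), len(note), 8)
    return ehdr + phdr + note

if __name__ == "__main__":  # pass a path, or run without one for the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_elf(IBT)
    print(cet_flags(data))
```

Because the feature word is an AND over all linked objects, a single input without the note (hand-written assembler, a static library built without -fcf-protection) clears the bit for the whole binary.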
Thanks for the valuable information.
I set this LDFLAGS and linking failed with some occurrences of 'error: missing IBT and SHSTK properties'. See the error output: http://0x0.st/HDoS.txt. Please notice '-fcf-protection' is listed.
Should I report upstream, or can this wait for glibc 2.39 etc.?
Same problem with AUR/oauth2-proxy. Curiously haven't been able to find anything that mentions IBT+Shadowstacks together with Golang.
oauth2_proxy W: ELF file ('usr/bin/oauth2-proxy') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
```
#/usr/lib/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
#/usr/bin/ld: /tmp/go-link-1117948769/go.o: error: missing IBT and SHSTK properties
#/usr/bin/ld: /tmp/go-link-1117948769/000019.o: error: missing IBT and SHSTK properties
```
> Same problem with AUR/oauth2-proxy. Curiously haven't been able to find anything that mentions IBT+Shadowstacks together with Golang.

Is there an upstream issue tracking go's lack of run time shadow stack support? https://gitlab.archlinux.org/pacman/nam … ote_159383
> whether I (as package maintainer) should add it, whether the upstream should add it, or if I should leave as is.

Thank you for starting this thread. I've created the vpcs-git package and had the very same problem. In my case, the problem was in the makefile: upstream does not respect the CFLAGS and LDFLAGS environment variables. I decided to do two things:
1. Add a patch to my package.
2. Report upstream.
I'm not a TU or an active Arch community member, so that's just my two cents.
Last edited by Andrei Korshikov (2024-09-24 15:41:55)