namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

josephg · 2024-01-23 23:58:56

Updating my AUR package ddnet using clean chroot, namcap is now reporting:

$ namcap ddnet-18.0.1-1-x86_64.pkg.tar.zst
ddnet W: ELF file ('usr/bin/DDNet') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
ddnet W: ELF file ('usr/bin/DDNet-Server') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
...

Searching the webs about "GNU_PROPERTY_X86_FEATURE_1_SHSTK" I found this mailing list thread that provides some nice info this "Shadow Stack" flag.

However I'm still confuse on what action I should take. Passing -z,itb,-z,shstk to LDFLAGS adds these flags to the resulting ELF file, but I don't know whether I (as package maintainer) should add it, whether the upstream should add it, or if I should leave as is.

Anyone help on this issue?

loqs · 2024-01-24 14:14:27

I would suggest the following to try and determine what is lacking the symbols.

LDFLAGS+=' -Wl,-z,cet-report=error'

It can be caused by for example-fcf-protection not being passed to the compiler or use of assembler without annotations or statically linking to a library which has not been built with support. It is not an issue at the moment as shadow stack in userspace support has not yet been added to glibc. That will come in glibc 2.39 and then you will still need a CPU that supports it and the executable and all its libraries to support it and to opt into support export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK.

Last edited by loqs (2024-01-24 14:33:31)

josephg · 2024-01-28 22:21:04

Thanks for the valuable information.

I set this LDFLAGS and linking failed with some occurrences of 'error: missing IBT and SHSTK properties'. See the error output: http://0x0.st/HDoS.txt. Please notice '-fcf-protection' is listed.

Should I report upstream or this can wait glibc 2.39 etc.?

C0rn3j · 2024-02-20 10:06:01

Same problem with AUR/oauth2-proxy. Curiously haven't been able to find anything that mentions IBT+Shadowstacks together with Golang.

oauth2_proxy W: ELF file ('usr/bin/oauth2-proxy') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
```
#/usr/lib/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
#/usr/bin/ld: /tmp/go-link-1117948769/go.o: error: missing IBT and SHSTK properties
#/usr/bin/ld: /tmp/go-link-1117948769/000019.o: error: missing IBT and SHSTK properties
```

loqs · 2024-02-20 15:29:51

C0rn3j wrote:

Same problem with AUR/oauth2-proxy. Curiously haven't been able to find anything that mentions IBT+Shadowstacks together with Golang.

Is there an upstream issue tracking go's lack of run time shadow stack support? https://gitlab.archlinux.org/pacman/nam … ote_159383

Arch Linux

#1 2024-01-23 23:58:56

namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

#2 2024-01-24 14:14:27

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

#3 2024-01-28 22:21:04

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

#4 2024-02-20 10:06:01

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

#5 2024-02-20 15:29:51

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

Board footer