#1 2024-01-23 23:58:56

josephg
Member
From: Brazil
Registered: 2009-09-28
Posts: 118

namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

Updating my AUR package ddnet using clean chroot, namcap is now reporting:

```
$ namcap ddnet-18.0.1-1-x86_64.pkg.tar.zst
ddnet W: ELF file ('usr/bin/DDNet') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
ddnet W: ELF file ('usr/bin/DDNet-Server') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
...
```

Searching the web about "GNU_PROPERTY_X86_FEATURE_1_SHSTK", I found this mailing list thread that provides some nice info on this "Shadow Stack" flag.

However, I'm still confused about what action I should take. Passing -z,ibt,-z,shstk to LDFLAGS adds these flags to the resulting ELF file, but I don't know whether I (as package maintainer) should add it, whether the upstream should add it, or if I should leave it as is.

Can anyone help with this issue?


#2 2024-01-24 14:14:27

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

I would suggest the following to try and determine what is lacking the symbols.

```
LDFLAGS+=' -Wl,-z,cet-report=error'
```

It can be caused by, for example, -fcf-protection not being passed to the compiler, or use of assembler without annotations, or statically linking to a library which has not been built with support. It is not an issue at the moment, as shadow stack in userspace support has not yet been added to glibc. That will come in glibc 2.39, and then you will still need a CPU that supports it and the executable and all its libraries to support it, and to opt into support, export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK.

Last edited by loqs (2024-01-24 14:33:31)


#3 2024-01-28 22:21:04

josephg
Member
From: Brazil
Registered: 2009-09-28
Posts: 118

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

Thanks for the valuable information.

I set this LDFLAGS and linking failed with some occurrences of 'error: missing IBT and SHSTK properties'. See the error output: http://0x0.st/HDoS.txt. Please note that '-fcf-protection' is listed.

Should I report this upstream, or can this wait for glibc 2.39 etc.?


#4 2024-02-20 10:06:01

C0rn3j
Package Maintainer (PM)
Registered: 2016-02-14
Posts: 25

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

Same problem with AUR/oauth2-proxy. Curiously haven't been able to find anything that mentions IBT+Shadowstacks together with Golang.

oauth2_proxy W: ELF file ('usr/bin/oauth2-proxy') lacks GNU_PROPERTY_X86_FEATURE_1_SHSTK.
```
#/usr/lib/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
#/usr/bin/ld: /tmp/go-link-1117948769/go.o: error: missing IBT and SHSTK properties
#/usr/bin/ld: /tmp/go-link-1117948769/000019.o: error: missing IBT and SHSTK properties
```


#5 2024-02-20 15:29:51

loqs
Member
Registered: 2014-03-06
Posts: 18,633

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

C0rn3j wrote:

Same problem with AUR/oauth2-proxy. Curiously haven't been able to find anything that mentions IBT+Shadowstacks together with Golang.

Is there an upstream issue tracking go's lack of run time shadow stack support? https://gitlab.archlinux.org/pacman/nam … ote_159383


#6 2024-09-24 15:39:41

Andrei Korshikov
Member
Registered: 2024-02-10
Posts: 7

Re: namcap reports GNU_PROPERTY_X86_FEATURE_1_SHSTK, what action to take?

josephg wrote:

whether I (as package maintainer) should add it, whether the upstream should add it, or if I should leave as is.

Thank you for starting this thread. I've created the vpcs-git package and had the very same problem. In my case, the problem was in the makefile: upstream does not respect the CFLAGS and LDFLAGS environment variables. I decided to do two things:

1. Add a patch to my package.

2. Report upstream.

I'm not a TU or an active Arch community member, so that's just my two cents.

Last edited by Andrei Korshikov (2024-09-24 15:41:55)
