Bug 2148125

Summary: annocheck reports /usr/sbin/grub2-set-bootflag not compiled C/C++ code
Product: Red Hat Enterprise Linux 9
Reporter: Jan Pazdziora <jpazdziora>
Component: grub2
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: POST
QA Contact: Release Test Team <release-test-team>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: bootloader-eng-team, jpazdziora, mhaicman, mlewando, nickc, raravind
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug
Clones: 2221173, 2221174
Bug Blocks: 2221173, 2221174

Description Jan Pazdziora 2022-11-24 13:01:01 UTC
Description of problem:

Attempting to test if grub2 binaries were properly built with stack protection via -fstack-protector-strong yields skip: stack-prot test because not compiled C/C++ code.

Version-Release number of selected component (if applicable):

grub2-tools-minimal-2.06-27.el9_0.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck grub2-tools-minimal
2. dnf debuginfo-install -y grub2-tools-minimal
3. rpm -ql grub2-tools-minimal | grep -E '/usr/s?bin/' | while read -r f ; do test -L "$f" || echo "$f" ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:

annocheck: Version 10.54.
Hardened: /usr/bin/grub2-editenv: PASS: stack-prot test 
Hardened: /usr/bin/grub2-editenv: Overall: PASS.
Hardened: /usr/bin/grub2-mkpasswd-pbkdf2: PASS: stack-prot test 
Hardened: /usr/bin/grub2-mkpasswd-pbkdf2: Overall: PASS.
Hardened: /usr/bin/grub2-mount: PASS: stack-prot test 
Hardened: /usr/bin/grub2-mount: Overall: PASS.
annocheck: Warning: /usr/sbin/grub2-get-kernel-settings: is not an ELF format file.
Hardened: /usr/sbin/grub2-probe: PASS: stack-prot test 
Hardened: /usr/sbin/grub2-probe: Overall: PASS.
Hardened: /usr/sbin/grub2-set-bootflag: skip: stack-prot test because not compiled C/C++ code 
Hardened: /usr/sbin/grub2-set-bootflag: Overall: PASS.
annocheck: Warning: /usr/sbin/grub2-set-default: is not an ELF format file.
annocheck: Warning: /usr/sbin/grub2-set-password: is not an ELF format file.

Expected results:

No "skip: stack-prot test because not compiled C/C++ code" on the /usr/sbin/grub2-set-bootflag binary.

Additional info:

Adding Nick to Cc in case this turns out to be an issue in annocheck itself.

Comment 1 Jan Pazdziora 2022-11-24 13:02:04 UTC
Checking with

readelf -Ws /usr/sbin/grub2-set-bootflag | grep '__stack_chk_fail'

does not find anything, meaning the function to be called when the stack protection detects a corrupted stack is not referenced. So it seems to suggest -fstack-protector-strong was indeed not used.

Comment 3 Jan Pazdziora 2022-11-24 13:20:15 UTC
Given grub2-set-bootflag is setuid (bug 2007431), the potential lack of standard compiler hardening is even more worrying.

Comment 4 Nick Clifton 2022-11-28 11:09:32 UTC
(In reply to Jan Pazdziora from comment #0)
> Description of problem:
 
> Hardened: /usr/sbin/grub2-set-bootflag: skip: stack-prot test because not
> compiled C/C++ code 

Just to explain further here.  This message means that annocheck was unable to prove that the file being checked was created by compiling C or C++ source code.  Since code written in other high level languages does not need stack protection (at least as an optionally enabled security feature) failing the test would be inappropriate.

On the other hand, being unable to prove that the source code was written in C/C++ when in fact this is the case indicates a problem with how the program is being compiled.  In particular it means that annobin annotation has not been enabled, and probably that the security hardening options and debug info generation options have not been enabled either.
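As an added example (not code from this bug, annocheck or grub2), the following Python checks the two indicators raised in comment 1 and comment 4 directly against an ELF64 file, without readelf: whether any symbol table references __stack_chk_fail, and whether an annobin note section is present. It assumes little-endian ELF64 input and that annobin notes live in a section named .gnu.build.attributes; build_sample_elf constructs a tiny throwaway image so the check runs offline.

```python
import struct

SHT_STRTAB, SHT_DYNSYM, SHT_NOTE = 3, 11, 7
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name,type,flags,addr,offset,size,link,info,align,entsize
SYM_SIZE = 24         # sizeof(Elf64_Sym); st_name is its first 4-byte field

def _cstr(data, off):
    return data[off:data.index(b"\0", off)]

def _sections(data):
    """[(name, Elf64_Shdr tuple)] for a little-endian ELF64 image (assumption: no ELF32/BE)."""
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 handled")
    shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack_from("<QIHHHHHH", data, 0x28)
    hdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    names_off = hdrs[shstrndx][4]
    return [(_cstr(data, names_off + h[0]).decode(), h) for h in hdrs]

def audit(data):
    """Is it ELF? Does .symtab/.dynsym reference __stack_chk_fail? Are annobin notes present?"""
    if data[:4] != b"\x7fELF":  # shell wrappers such as grub2-set-default land here
        return {"is_elf": False, "stack_chk": False, "annobin": False}
    secs, stack_chk = _sections(data), False
    for _, h in secs:
        if h[1] in (2, SHT_DYNSYM):  # SHT_SYMTAB or SHT_DYNSYM
            strtab_off = secs[h[6]][1][4]  # sh_link -> associated string table
            for pos in range(h[4], h[4] + h[5], SYM_SIZE):
                st_name, = struct.unpack_from("<I", data, pos)
                stack_chk |= _cstr(data, strtab_off + st_name) == b"__stack_chk_fail"
    annobin = any(n.startswith(".gnu.build.attributes") for n, _ in secs)  # assumed note name
    return {"is_elf": True, "stack_chk": stack_chk, "annobin": annobin}

def build_sample_elf(stack_chk, annobin):
    """Constructed minimal ELF64 image (not a runnable program) for offline testing."""
    names = [b".dynstr", b".dynsym", b".shstrtab"] + ([b".gnu.build.attributes"] if annobin else [])
    dynstr = b"\0" + (b"__stack_chk_fail\0" if stack_chk else b"puts\0")
    dynsym = bytes(SYM_SIZE) + struct.pack("<IBBHQQ", 1, 0x12, 0, 0, 0, 0)  # null sym + one import
    shstrtab = b"\0" + b"\0".join(names) + b"\0"
    blobs = [dynstr, dynsym, shstrtab] + ([bytes(8)] if annobin else [])
    types = [SHT_STRTAB, SHT_DYNSYM, SHT_STRTAB] + ([SHT_NOTE] if annobin else [])
    body, hdrs, off, name_off = b"", [bytes(64)], 64, 1
    for blob, typ, nm in zip(blobs, types, names):
        link, ent = (1, SYM_SIZE) if typ == SHT_DYNSYM else (0, 0)
        hdrs.append(struct.pack(SHDR, name_off, typ, 0, 0, off, len(blob), link, 0, 1, ent))
        body, off, name_off = body + blob, off + len(blob), name_off + len(nm) + 1
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, off, 0, 64, 0, 0, 64, len(hdrs), 3)
    return ehdr + body + b"".join(hdrs)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the /usr/sbin/grub2-* files from the report
        print(path, audit(open(path, "rb").read()))
```

A binary with stack_chk False and annobin False is the pattern this bug describes: annocheck cannot tell it came from C, and readelf finds no __stack_chk_fail reference either.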