Bug 2224049

Summary: libaom: does not properly support CET
Product: [Fedora] Fedora
Reporter: Siddhesh Poyarekar <sipoyare>
Component: aom
Assignee: Multimedia SIG <multimedia-sig>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 39
CC: decathorpe, multimedia-sig, ngompa13, zebob.m
Type: Bug

Description Siddhesh Poyarekar 2023-07-19 16:41:12 UTC
The assembly files in libaom (*.asm) get built with nasm and are not built with CET support. As a result the final library libaom.so does not get built with shadow stack and IBT markup. To enable shadow stack support one must:

1. Emit the ENDBR instruction at the top of every function that is the target of an indirect branch.

2. Add a .gnu.property note that indicates support for SHSTK and IBT, either by adding assembler directives (see /usr/lib/gcc/x86_64-redhat-linux/13/include/cet.h for example) or by forcing the annotation in the linker using -Wl,-z,shstk -Wl,-z,ibt

AFAICT, none of the assembler code switches stacks, but if it does, it would need a more involved fix to update the shadow stack pointer.

Without this, when Fedora is booted with a shadow stack enabled kernel (patches are currently in review upstream[1]), a number of php and python packages fail to build because of lacking SHSTK support in libaom.

[1] https://lore.kernel.org/lkml/20230613001108.3040476-1-rick.p.edgecombe@intel.com/

Reproducible: Always
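
Added example (not part of the original report, and not libaom or Fedora code): a small parser for the `.note.gnu.property` payload mentioned in step 2, plus a model of how the linker ANDs the feature bits across input objects, which is why one unannotated nasm object removes the markup from the final library. The sample notes are constructed, ELF64 little-endian layout is assumed, and `make_note`, `linked_features` and `force` are hypothetical names.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_IBT, FEATURE_SHSTK = 0x1, 0x2


def x86_feature_1(note):
    """Return the X86_FEATURE_1_AND bits found in raw .note.gnu.property bytes."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3          # name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += (descsz + 7) & ~7          # descriptor is padded to 8 bytes (ELF64)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):         # walk the (pr_type, pr_datasz, data) entries
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND
                    and pr_datasz == 4 and p + 4 <= len(desc)):
                return struct.unpack_from("<I", desc, p)[0]
            p += (pr_datasz + 7) & ~7
    return 0                              # no note or no property: nothing is claimed


def linked_features(object_notes, force=0):
    """Model the link: a bit survives only if every input sets it.

    `force` models -Wl,-z,ibt / -Wl,-z,shstk, which set the bit in the output
    regardless of the inputs; it does not add ENDBR to any code.
    """
    merged = FEATURE_IBT | FEATURE_SHSTK
    for note in object_notes:
        merged &= x86_feature_1(note)
    return merged | force


def make_note(bits):
    """Build a constructed GNU property note carrying the given feature bits."""
    desc = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    return struct.pack("<III4s", 4, len(desc), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + desc


C_OBJECT = make_note(FEATURE_IBT | FEATURE_SHSTK)  # constructed: object built with -fcf-protection
ASM_OBJECT = b""                                   # constructed: nasm object without the note

if __name__ == "__main__":
    print("C only:     ", linked_features([C_OBJECT, C_OBJECT]))
    print("C + nasm:   ", linked_features([C_OBJECT, ASM_OBJECT]))
    print("forced note:", linked_features([C_OBJECT, ASM_OBJECT], FEATURE_IBT | FEATURE_SHSTK))
```

On a real build, `readelf -n libaom.so` reports the same bits as an `x86 feature: IBT, SHSTK` property line when the markup is present.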

Comment 1 Fabio Valentini 2023-07-19 18:23:48 UTC
I don't think any of the package maintainers are qualified to *correctly* do what's asked here (without introducing bugs), at least not without significant help from upstream. And since that upstream is Google ... well, I wouldn't be holding my breath.

Comment 2 Robert-André Mauchin 🐧 2023-07-20 03:45:30 UTC
Sent upstream: https://bugs.chromium.org/p/aomedia/issues/detail?id=3466

Comment 3 Fedora Release Engineering 2023-08-16 07:19:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.