Bug 2284605

Summary:	Ruby is not recognized as hardened
Product:	[Fedora] Fedora	Reporter:	Vít Ondruch <vondruch>
Component:	annobin	Assignee:	Nick Clifton <nickc>
Status:	CLOSED NOTABUG	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	fweimer, jakub, josmyers, nickc, sipoyare, yahmad
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2024-07-11 07:56:30 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Vít Ondruch 2024-06-03 14:52:29 UTC

Just checking fedora-ci.koji-build.rpminspect.static-analysis results [1] for latest Ruby build, I have noticed that Ruby is not reported as hardened anymore. Specifically, this is the error:

~~~
Command: annocheck --ignore-unknown --verbose --profile=rawhide /usr/lib64/libruby.so.3.3.0
Exit Code: 0
    compared with the output of:
Command: annocheck --ignore-unknown --verbose --profile=rawhide --debug-dir=/usr/lib/debug/ /usr/lib64/libruby.so.3.3.1
Exit Code: 1

annocheck: Version 12.48.
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: pie test because the ELF file header has the correct type 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: pic test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: stack-prot test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: optimization test because option found in DW_AT_producer string 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: lto test because detected in DW_AT_producer string 
Hardened: /usr/lib64/libruby.so.3.3.1: info: ALSO written in Rust (source: DW_AT_language string).
Hardened: /usr/lib64/libruby.so.3.3.1: info: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: writable-got test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: dynamic-segment test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: bind-now test 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: gnu-relro test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: notes test because annobin notes found in the .annobin.notes section 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: warnings test because LTO compilation discards preprocessor options 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: implicit-values test because -Wimplicit-int setting is hidden by LTO 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: stack-clash test because compiled with -fstack-clash-protection 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: fortify test because LTO compilation discards preprocessor options 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: gaps test because string notes imply full coverage 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libruby.so.3.3.1: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: /usr/lib64/libruby.so.3.3.1: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/libruby.so.3.3.1: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: fast test 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: instrumentation test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: production test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: run-path test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: rwx-seg test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: short-enums test 
Hardened: /usr/lib64/libruby.so.3.3.1: skip: stack-realign test because not an i686 executable 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: textrel test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: threads test 
Hardened: /usr/lib64/libruby.so.3.3.1: PASS: unicode test 
Hardened: /usr/lib64/libruby.so.3.3.1: Overall: FAIL.
~~~

Comparing to older results [2], it seems that `annocheck` changed its output. Previously, the test was skipped:

~~~
Hardened: /usr/lib/libruby.so.3.3.0: skip: cf-protection test because not an x86_64 binary
~~~

So it is likely issue in Ruby after all. Checking the `.note.gnu.property` it is not there:

~~~
$ eu-readelf -x .note.gnu.property redhat-linux-build/libruby.so.3.3.1 
eu-readelf: 
section '.note.gnu.property' does not exist
~~~

But why not? Trying to check the object files, here is where there are failures:

~~~
$ annocheck redhat-linux-build/* 2>/dev/null | grep FAIL 
Hardened: Context.o: Overall: FAIL (due to MAYB results).
Hardened: libruby-static.a:libyjit.o: Overall: FAIL (due to MAYB results).
Hardened: libruby-static.a:Context.o: Overall: FAIL (due to MAYB results).
Hardened: libruby.so.3.3.1: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: libruby.so.3.3.1: Overall: FAIL.
Hardened: miniruby: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: miniruby: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled 
Hardened: miniruby: Overall: FAIL.
Hardened: libyjit.a:yjit.2smi49kzl3fjj2r4.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.addr2line-a1c87ceddc705939.addr2line.978f7dd3ddfb82c5-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.adler-4339330d23b0d930.adler.4f95cad2d7b6b981-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.alloc-d8b879af94a8daeb.alloc.e17a89d9c209b1fe-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.cfg_if-16e84af0af64bc34.cfg_if.6dd57c4589ae57c8-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.core-ff1deb4b0f770ad7.core.39b23fe119f59755-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.gimli-9f8760bfa7985c75.gimli.8af1f50c51fa78e7-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.hashbrown-f679b176c22d6396.hashbrown.7c40867f2f1d3785-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.libc-8ec1b02c9624f05a.libc.abd0a7dbfb705955-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.memchr-37f020a73c4fe5cb.memchr.a2ea385c6bec0a05-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.miniz_oxide-1d9071f8d16e2a89.miniz_oxide.4e62bc319a193138-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.object-17a521537c77cb78.object.63fbad1a844040a4-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.panic_unwind-6c607df797888ab7.panic_unwind.c02d57d52e5a6551-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.rustc_demangle-b6592afd7704fa2b.rustc_demangle.25aa8af23689ea4e-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.rustc_std_workspace_alloc-b48e7bcc4b27a5ce.rustc_std_workspace_alloc.e3a77faa5f0486af-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.rustc_std_workspace_core-912c2376bed51640.rustc_std_workspace_core.4adb4bd62d53d2a5-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.std-e30dfe819ff437fd.std.40559cf62f9a813e-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.std_detect-1499929962da2b22.std_detect.84e2461c5d23a45e-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.unwind-acd66b53245f08a7.unwind.95caddcbd07a88e7-cgu.0.rcgu.o.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.00.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.01.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.02.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.03.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.04.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.05.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.06.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.07.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.08.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.09.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.10.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.11.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.12.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.13.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.14.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:yjit.yjit.d7adab581cf53ec3-cgu.15.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.000.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.001.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.002.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.003.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.004.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.005.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.006.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.007.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.008.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.009.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.010.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.011.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.012.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.013.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.014.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.015.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.016.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.017.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.018.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.019.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.020.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.021.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.022.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.023.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.024.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.025.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.026.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.027.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.028.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.029.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.030.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.031.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.032.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.033.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.034.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.035.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.036.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.037.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.038.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.039.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.040.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.041.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.042.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.043.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.044.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.045.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.046.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.047.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.048.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.049.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.050.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.051.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.052.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.053.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.054.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.055.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.056.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.057.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.058.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.059.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.060.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.061.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.062.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.063.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.064.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.065.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.066.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.067.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.068.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.069.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.070.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.071.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.072.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.073.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.074.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.075.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.076.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.077.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.078.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.079.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.080.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.081.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.082.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.083.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.084.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.085.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.086.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.087.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.088.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.089.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.090.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.091.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.092.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.093.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.094.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.095.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.096.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.097.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.098.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.099.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.100.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.101.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.102.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.103.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.104.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.105.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.106.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.107.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.108.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.109.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.110.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.111.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.112.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.113.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.114.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.115.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.116.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.117.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.118.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.119.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.120.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.121.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.122.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.123.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.124.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.125.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.a:compiler_builtins-8e9ed72542afa80e.compiler_builtins.1ec8e32bf4a0f577-cgu.126.rcgu.o: Overall: FAIL (due to MAYB results).
Hardened: libyjit.o: Overall: FAIL (due to MAYB results).
~~~

This is detailed output for the `Context.o`:

~~~
$ annocheck redhat-linux-build/coroutine/amd64/Context.o --verbose
annocheck: Version 12.54.
Hardened: redhat-linux-build/coroutine/amd64/Context.o: info: No matching profile found.
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: pie test because the ELF file header has the correct type 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: gnu-stack test because non-executable .note.GNU-stack section found 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: gaps test because no notes found - therefore there are no gaps! 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: MAYB: test: notes, reason: notes not found and no DWARF info found (could there be a separate debuginfo file ?)
Hardened: redhat-linux-build/coroutine/amd64/Context.o: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-notes.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: bind-now test because only needed for executables 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: branch-protection test because not an AArch64 binary 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: cf-protection test because not an x86_64 executable 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: dynamic-segment test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: dynamic-tags test because AArch64 specific 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: entry test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: fast test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: fips test because not a GO binary 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: fortify test because no compiled C/C++ code found 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: glibcxx-assertions test because no compiled C/C++ code found 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: gnu-relro test because not needed in object files 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: go-revision test because no GO compiled code found 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: implicit-values test because  These tests are only relevent to C source code 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: instrumentation test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: lto test because not compiled from C/C++ code 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: openssl-engine test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: MAYB: test: optimization, reason: could not determine how the code was created
Hardened: redhat-linux-build/coroutine/amd64/Context.o: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-optimization.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN: This can happen if the program is compiled from a language unknown to annocheck
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN:  or because there are no annobin build notes (could they be in a separate file ?)
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: MAYB: test: pic, reason: no valid notes found regarding this test
Hardened: redhat-linux-build/coroutine/amd64/Context.o: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-pic.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: production test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: property-note test because property notes not needed in object files 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: run-path test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: rwx-seg test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: short-enums test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: MAYB: test: stack-clash, reason: could not determine how the code was created
Hardened: redhat-linux-build/coroutine/amd64/Context.o: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-stack-clash.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN: This can happen if the program is compiled from a language unknown to annocheck
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN:  or because there are no annobin build notes (could they be in a separate file ?)
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: MAYB: test: stack-prot, reason: could not determine how the code was created
Hardened: redhat-linux-build/coroutine/amd64/Context.o: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-stack-prot.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN: This can happen if the program is compiled from a language unknown to annocheck
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN:  or because there are no annobin build notes (could they be in a separate file ?)
Hardened: redhat-linux-build/coroutine/amd64/Context.o: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: stack-realign test because not an i686 executable 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: textrel test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: threads test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: unicode test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: skip: warnings test because no compiled C/C++ code found 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: PASS: writable-got test 
Hardened: redhat-linux-build/coroutine/amd64/Context.o: Overall: FAIL (due to MAYB results).
~~~

But this file is written in assembly:

https://github.com/ruby/ruby/blob/17b89849c6076777ccfd014f191f8c97f81f8cae/coroutine/amd64/Context.S

The libyjit.o is written in Rust AFAIK:

https://github.com/ruby/ruby/tree/17b89849c6076777ccfd014f191f8c97f81f8cae/yjit

I need help, because I am complete noob. Thank you in advance

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-14db7b21a2
[2] https://bodhi.fedoraproject.org/updates/FEDORA-2024-139fe99e3f

Reproducible: Always

Comment 1 Nick Clifton 2024-06-04 11:30:53 UTC

(In reply to Vít Ondruch from comment #0)
Hi Vit,

> Just checking fedora-ci.koji-build.rpminspect.static-analysis results [1]
> for latest Ruby build, I have noticed that Ruby is not reported as hardened
> anymore. Specifically, this is the error:

> Hardened: /usr/lib64/libruby.so.3.3.1: FAIL: cf-protection test because
> .note.gnu.property section did not contain the necessary flags 

Yeah - this is sort of an annocheck bug and sort of a Rust problem.

The lack of a .note.gnu.property section does indeed mean that that control
flow protection is disabled.  For Rust code this should not matter as rust
is safe enough that it does not need control flow protection.  (Well in theory
at least).  The problem is that libruby.so.3.3.1 contains both code written
in Rust and code written in C.  The C parts are vulnerable and so control 
flow protection is a good idea for them.

But ... control flow protection is an all or nothing feature.  All of the 
code must be compiled with control flow enabled - and then the protection can
be enabled.  But if even a single piece of code is compiled without the
feature then the protection cannot be enabled.  (This is because the feature
inserts new instructions at the destination of all branches and procedure
calls.  If the CPU detects a branch/call to a location that is missing this
new instruction it aborts the process.  Hence all code must be compiled 
correctly for the feature to work).

So essentially, until the Rust compiler supports the x86_64 control flow
feature any part-C/part-Rust executables are going to be vulnerable.
Annocheck is supposed to know about this and SKIP the cf-protection test
when it finds mixed Rust/C code, but currently it doesn't.  (It does skip
the test for entirely for executables that are entirely written in Rust). 

For now I recommend that you waive this result. (I am working on an
update to annocheck which will fix the cf-protection test so that it
is skipped for mixed C/Rust binaries).

 
> This is detailed output for the `Context.o`: 
> But this file is written in assembly: 
> https://github.com/ruby/ruby/blob/17b89849c6076777ccfd014f191f8c97f81f8cae/
> coroutine/amd64/Context.S
 
This is going to be a future problem.  Once Rust does support generating
the control flow instructions, the Context.S file will still stop the
feature from being enabled, since it too needs to be updated.  Fortunately
there are instructions on how to do this here:

https://sourceware.org/annobin/annobin.html/Test-cf-protection.html

I hope that this helps.

Cheers
  Nick

Comment 2 Vít Ondruch 2024-06-04 12:08:09 UTC

(In reply to Nick Clifton from comment #1)
> (In reply to Vít Ondruch from comment #0)
> Hi Vit,
> 
> > Just checking fedora-ci.koji-build.rpminspect.static-analysis results [1]
> > for latest Ruby build, I have noticed that Ruby is not reported as hardened
> > anymore. Specifically, this is the error:
> 
> > Hardened: /usr/lib64/libruby.so.3.3.1: FAIL: cf-protection test because
> > .note.gnu.property section did not contain the necessary flags 
> 
> Yeah - this is sort of an annocheck bug and sort of a Rust problem.

But this is then also sort of Ruby problem, because use of Rust in the code base is new thing. IOW I can report to Ruby upstream that since the moment Rust was added to the mix, CF is disabled an that is undesirable.

> For now I recommend that you waive this result. (I am working on an
> update to annocheck which will fix the cf-protection test so that it
> is skipped for mixed C/Rust binaries).

Do you by a chance have any timeframe for this?

> > This is detailed output for the `Context.o`: 
> > But this file is written in assembly: 
> > https://github.com/ruby/ruby/blob/17b89849c6076777ccfd014f191f8c97f81f8cae/
> > coroutine/amd64/Context.S
>  
> This is going to be a future problem.  Once Rust does support generating
> the control flow instructions

I think that the Rust bits can be disabled via configuration option. I'll probably try that and report this upstream separately (and attach the link bellow).

> the Context.S file will still stop the
> feature from being enabled, since it too needs to be updated.  Fortunately
> there are instructions on how to do this here:
> 
> https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
> 
> I hope that this helps.

Definitely. Thx a lot!

Comment 3 Nick Clifton 2024-06-04 12:17:56 UTC

(In reply to Vít Ondruch from comment #2)
 
> But this is then also sort of Ruby problem, because use of Rust in the code
> base is new thing. IOW I can report to Ruby upstream that since the moment
> Rust was added to the mix, CF is disabled an that is undesirable.

If you think that it will help, then please do.  I am not sure how much pressure 
the Ruby community can exert on the Rust compiler development process, but any
 

> Do you by a chance have any timeframe for this?

Today-ish :-)

The rawhide build is complete: annobin-12.57-1.fc41

I assume that it will hit the buildroot soon and then pulled into the rpminspect
framework (for rawhide).

The F40 and F39 builds are in progress, but once they are complete there will
still be the Bodhi process to complete, so they will probably become available
next week.

Cheers
  Nick

Comment 4 Vít Ondruch 2024-06-04 12:29:20 UTC

(In reply to Nick Clifton from comment #3)
> (In reply to Vít Ondruch from comment #2)
>  
> > But this is then also sort of Ruby problem, because use of Rust in the code
> > base is new thing. IOW I can report to Ruby upstream that since the moment
> > Rust was added to the mix, CF is disabled an that is undesirable.
> 
> If you think that it will help, then please do.  I am not sure how much
> pressure 
> the Ruby community can exert on the Rust compiler development process, but
> any

The thing is Ruby is supposed to support hardening, but apparently nobody checks in the upstream. That is the main problem. And if Rust is problematic, it should have been one of consideration and I doubt it was.

And of course, just wider knowledge of the problem might put some pressure on Rust.
 
> > Do you by a chance have any timeframe for this?
> 
> Today-ish :-)
> 
> The rawhide build is complete: annobin-12.57-1.fc41
> 
> I assume that it will hit the buildroot soon and then pulled into the
> rpminspect
> framework (for rawhide).
> 
> The F40 and F39 builds are in progress, but once they are complete there will
> still be the Bodhi process to complete, so they will probably become
> available
> next week.

Oh wow, you rocks!

Comment 5 Siddhesh Poyarekar 2024-06-04 17:38:02 UTC

(In reply to Vít Ondruch from comment #2)
> > This is going to be a future problem.  Once Rust does support generating
> > the control flow instructions
> 
> I think that the Rust bits can be disabled via configuration option. I'll
> probably try that and report this upstream separately (and attach the link
> bellow).

The rust flag to enable cf-protection is unstable at the moment, which is why it is not yet in use by default in Fedora.

Comment 6 Vít Ondruch 2024-06-05 15:50:07 UTC

(In reply to Vít Ondruch from comment #2)
> (In reply to Nick Clifton from comment #1)
> > (In reply to Vít Ondruch from comment #0)
> > > This is detailed output for the `Context.o`: 
> > > But this file is written in assembly: 
> > > https://github.com/ruby/ruby/blob/17b89849c6076777ccfd014f191f8c97f81f8cae/
> > > coroutine/amd64/Context.S
> >  
> > This is going to be a future problem.  Once Rust does support generating
> > the control flow instructions
> 
> I think that the Rust bits can be disabled via configuration option. I'll
> probably try that and report this upstream separately (and attach the link
> bellow).

I have build Ruby RPM with `--without=yjit`, that excludes the Rust bits and yes, it seems the `Context.o` is the only problem then:

~~~
$ annocheck redhat-linux-build/* 2>/dev/null | grep FAIL | less
Hardened: Context.o: Overall: FAIL (due to MAYB results).
Hardened: libruby-static.a:Context.o: Overall: FAIL (due to MAYB results).
Hardened: libruby.so.3.3.1: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: libruby.so.3.3.1: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled 
Hardened: libruby.so.3.3.1: Overall: FAIL.
Hardened: miniruby: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
Hardened: miniruby: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled 
Hardened: miniruby: Overall: FAIL.
~~~

Reported upstream: https://bugs.ruby-lang.org/issues/20527

Comment 7 Vít Ondruch 2024-06-05 16:39:03 UTC

(In reply to Vít Ondruch from comment #6)
> Reported upstream: https://bugs.ruby-lang.org/issues/20527

There is actually older report:

https://bugs.ruby-lang.org/issues/18061

Comment 8 Vít Ondruch 2024-07-10 07:52:01 UTC

(In reply to Siddhesh Poyarekar from comment #5)
> The rust flag to enable cf-protection is unstable at the moment, which is
> why it is not yet in use by default in Fedora.

Is this tracked somewhere?

Comment 9 Vít Ondruch 2024-07-11 07:56:30 UTC

(In reply to Vít Ondruch from comment #8)
> (In reply to Siddhesh Poyarekar from comment #5)
> > The rust flag to enable cf-protection is unstable at the moment, which is
> > why it is not yet in use by default in Fedora.
> 
> Is this tracked somewhere?

Setting need info just to get answer for this.

Because otherwise, this is resolved:

https://bodhi.fedoraproject.org/updates/FEDORA-2024-0cfdd7d439
https://artifacts.dev.testing-farm.io/23ebe952-c1cd-4597-a0d6-73d9a0aa1297/

Comment 10 Siddhesh Poyarekar 2024-07-16 12:13:57 UTC

Here's the upstream issue that tracks stabilization of the cf-protection flag: https://github.com/rust-lang/rust/issues/93754

Comment 11 Vít Ondruch 2024-07-17 16:48:20 UTC

(In reply to Siddhesh Poyarekar from comment #10)
> Here's the upstream issue that tracks stabilization of the cf-protection
> flag: https://github.com/rust-lang/rust/issues/93754

Thx a lot 👍