1970161 – Not built with CFI

Bug 1970161 - Not built with CFI

Summary: Not built with CFI

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	chromium
Sub Component:
Version:	34
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tom "spot" Callaway
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-09 23:16 UTC by ThisIsXenu
Modified:	2021-06-23 21:23 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-06-23 21:23:50 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description ThisIsXenu 2021-06-09 23:16:51 UTC

Description of problem:
Chromium should be built with control flow integrity (CFI) support, which helps prevent attackers from modifying the program's control flow. According to the build log for the latest chromium build:
https://kojipkgs.fedoraproject.org//packages/chromium/91.0.4472.77/1.fc34/data/logs/x86_64/build.log

the option "cfi=false" is used, but it should be "cfi=true". Note that this does mean that clang will need to be used to compile chromium.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Tom "spot" Callaway 2021-06-23 21:23:50 UTC

I do not plan to use clang to build Chromium at this time. If that changes (or if CFI support is added to GCC), I will revisit this.

Note You need to log in before you can comment on or make changes to this bug.