Bug 2039353 - [35 Regression] CET isn't enabled in zstd-1.5.1-4.fc35.x86_64
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: zstd
Version: 35
Assignee: Pádraig Brady
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-01-11 15:04 UTC by H.J. Lu
Modified: 2022-01-20 13:32 UTC (History)

Last Closed: 2022-01-20 13:32:40 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | facebook zstd pull 2992 | 0 | None | open | x86-64: Enable Intel CET | 2022-01-11 16:24:18 UTC
Github | facebook zstd pull 2993 | 0 | None | open | x86-64: Hide internal assembly functions | 2022-01-11 16:24:18 UTC

Description H.J. Lu 2022-01-11 15:04:58 UTC
[hjl@gnu-tgl-3 binutils]$ readelf -n  /lib64/libzstd.so.1.5.1 | head -10
readelf: Warning: Gap in build notes detected from 0x93be1 to 0x93bff
readelf: Warning: Gap in build notes detected from 0xa44a8 to 0xa44bf

Displaying notes found in: .note.gnu.property
  Owner                Data size 	Description
  GNU                  0x00000020	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature used: x86, XMM
	x86 ISA used: x86-64-baseline, x86-64-v3

Displaying notes found in: .note.gnu.build-id
  Owner                Data size 	Description
  GNU                  0x00000014	NT_GNU_BUILD_ID (unique build ID bitstring)
[hjl@gnu-tgl-3 binutils]$ rpm -qfi /lib64/libzstd.so.1.5.1
Name        : libzstd
Version     : 1.5.1
Release     : 4.fc35
Architecture: x86_64
Install Date: Tue 04 Jan 2022 07:28:01 PM PST
Group       : Unspecified
Size        : 898211
License     : BSD and GPLv2
Signature   : RSA/SHA256, Mon 03 Jan 2022 11:39:10 AM PST, Key ID db4639719867c58f
Source RPM  : zstd-1.5.1-4.fc35.src.rpm
Build Date  : Mon 03 Jan 2022 09:38:19 AM PST
Build Host  : buildvm-x86-18.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/facebook/zstd
Bug URL     : https://bugz.fedoraproject.org/zstd
Summary     : Zstd shared library
Description :
Zstandard compression shared library.
[hjl@gnu-tgl-3 binutils]$

Comment 1 H.J. Lu 2022-01-11 15:14:59 UTC
lib/decompress/huf_decompress_amd64.S isn't CET enabled.

Comment 2 H.J. Lu 2022-01-11 16:31:37 UTC
*** Bug 2036740 has been marked as a duplicate of this bug. ***

Comment 3 Carlos O'Donell 2022-01-11 17:43:24 UTC
Build is here: https://koji.fedoraproject.org/koji/buildinfo?buildID=1872345

annocheck says it has passed:

annocheck -v libzstd-1.5.1-4.fc35.x86_64.rpm 
annocheck: Version 9.79.
...
Hardened: ./usr/lib64/libzstd.so.1.5.1: PASS: property-note test 
...
Hardened: ./usr/lib64/libzstd.so.1.5.1: PASS: cf-protection test 
...

This check is what we use to detect regressions in the releases.

However, the note is missing SHSTK and IBT:

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000020       NT_GNU_PROPERTY_TYPE_0        Properties: x86 feature used: x86, XMM, x86 ISA used: x86-64-baseline, x86-64-v3

In libzstd-1.5.0-1.fc34.x86_64:

Displaying notes found in: .note.gnu.property
  Owner                Data size        Description
  GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0        Properties: x86 feature: IBT, SHSTK

This looks like an annocheck failure.

Asking Nick Clifton for feedback.

Nick, what do you think?

Comment 4 Nick Clifton 2022-01-11 18:05:52 UTC
Hmm, using a newer annocheck produces a slightly better result:

  % annocheck libzstd-1.5.1-4.fc35.x86_64.rpm --debug-rpm libzstd-debuginfo-1.5.1-4.fc35.x86_64.rpm
  annocheck: Version 10.45.
  Hardened: libzstd.so.1.5.1: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags 
  Hardened: Rerun annocheck with --verbose to see more information on the tests.
  Hardened: libzstd.so.1.5.1: Overall: FAIL.


But, the property note test is still PASSing.  This is obviously a bug in annocheck.  I will fix it tomorrow...

Comment 5 Nick Clifton 2022-01-11 18:14:45 UTC
Addendum.  I have found out why the property note test is passing.  You can have binaries that are built from combined GO and C sources.  GO does not support CET, so annocheck does not complain if it finds a property note, but the note does not indicate that CET is enabled.  (The detection of GO compiled binaries relies upon finding a .note.go.build note section which may occur after the .gnu_build_attributes section).  A bit flaky I feel.  I will work on improving it.
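
The distinction drawn in comments 3 to 5, between a property note that exists and one that actually carries IBT and SHSTK, as an added example (not code from annocheck, zstd or any commenter). It assumes the raw bytes of an ELF64 little-endian `.note.gnu.property` section as input; the function names are hypothetical and the two sample notes are constructed to mirror the readelf outputs quoted in this bug.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
IBT, SHSTK = 0x1, 0x2  # GNU_PROPERTY_X86_FEATURE_1_IBT / _SHSTK bits

def align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_feature_1(section, word=8):
    """Return the FEATURE_1_AND bitmask from raw .note.gnu.property bytes,
    or None if no GNU property note exists. word=8 is the ELF64 padding."""
    off, found, mask = 0, False, 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name = section[off + 12:off + 12 + namesz]
        desc_off = align(off + 12 + namesz, word)
        desc = section[desc_off:desc_off + descsz]
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            found = True  # a note exists; that alone says nothing about CET
            p = 0
            while p + 8 <= len(desc):
                pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4 and p + 12 <= len(desc):
                    mask |= struct.unpack_from("<I", desc, p + 8)[0]
                p = align(p + 8 + pr_datasz, word)
        off = align(desc_off + descsz, word)
    return mask if found else None

def cet_verdict(section):
    mask = x86_feature_1(section)
    if mask is None:
        return "FAIL: no GNU property note"
    missing = [n for n, bit in (("IBT", IBT), ("SHSTK", SHSTK)) if not mask & bit]
    return "FAIL: missing " + ", ".join(missing) if missing else "PASS"

def note(props):
    """Build a constructed ELF64 little-endian GNU property note (sample data)."""
    desc = b"".join(struct.pack("<III4x", t, 4, v) for t, v in props)
    return struct.pack("<III4s", 4, len(desc), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + desc

# Constructed samples mirroring the two readelf outputs in this bug.
FC34 = note([(GNU_PROPERTY_X86_FEATURE_1_AND, IBT | SHSTK)])  # data size 0x10
# FEATURE_2_USED = x86|XMM, ISA_1_USED = baseline|v3; data size 0x20, no FEATURE_1_AND
FC35 = note([(0xC0010001, 0x9), (0xC0010002, 0x5)])

if __name__ == "__main__":
    for label, sec in (("libzstd-1.5.0-1.fc34", FC34), ("libzstd-1.5.1-4.fc35", FC35)):
        print(label, cet_verdict(sec))
```

The fc35-style note is found and parses cleanly, so a check that only asks whether a property note is present passes it; only the bitmask test reports the missing IBT and SHSTK.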

Comment 6 Pádraig Brady 2022-01-11 18:32:14 UTC
Rebuilding for f34, f35, f36

