Bug 2224049 - libaom: does not properly support CET
Summary: libaom: does not properly support CET
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: aom
Version: 39
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Multimedia SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-07-19 16:41 UTC by Siddhesh Poyarekar
Modified: 2023-08-16 07:19 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
chromium.org aomedia 3466 0 None None None 2023-07-20 03:45:29 UTC

Description Siddhesh Poyarekar 2023-07-19 16:41:12 UTC
The assembly files in libaom (*.asm) get built with nasm and are not built with CET support. As a result the final library libaom.so does not get built with shadow stack and IBT markup. To enable shadow stack support one must:

1. Emit the ENDBR instruction at the top of every function that is the target of an indirect branch.

2. Add a .gnu.property note that indicates support for SHSTK and IBT, either by adding assembler directives (see /usr/lib/gcc/x86_64-redhat-linux/13/include/cet.h for example) or by forcing the annotation in the linker using -Wl,-z,shstk -Wl,-z,ibt

AFAICT, none of the assembler code switches stacks, but if it does, it would need a more involved fix to update the shadow stack pointer.

Without this, when Fedora is booted with a shadow stack enabled kernel (patches are currently in review upstream[1]), a number of php and python packages fail to build because of lacking SHSTK support in libaor.

[1] https://lore.kernel.org/lkml/20230613001108.3040476-1-rick.p.edgecombe@intel.com/

Reproducible: Always

Comment 1 Fabio Valentini 2023-07-19 18:23:48 UTC
I don't think any of the package maintainers are qualified to *correctly* do what's asked here (without introducing bugs), at least not without significant help from upstream. And since that upstream is Google ... well, I'm wouldn't be holding my breath.

Comment 2 Robert-André Mauchin 🐧 2023-07-20 03:45:30 UTC
Sent upstream: https://bugs.chromium.org/p/aomedia/issues/detail?id=3466

Comment 3 Fedora Release Engineering 2023-08-16 07:19:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.


Note You need to log in before you can comment on or make changes to this bug.