The assembly files in libaom (*.asm) get built with nasm and are not built with CET support. As a result the final library libaom.so does not get built with shadow stack and IBT markup.

To enable shadow stack support one must:

1. Emit the ENDBR instruction at the top of every function that is the target of an indirect branch.
2. Add a .gnu.property note that indicates support for SHSTK and IBT, either by adding assembler directives (see /usr/lib/gcc/x86_64-redhat-linux/13/include/cet.h for example) or by forcing the annotation in the linker using -Wl,-z,shstk -Wl,-z,ibt

AFAICT, none of the assembler code switches stacks, but if it does, it would need a more involved fix to update the shadow stack pointer.

Without this, when Fedora is booted with a shadow stack enabled kernel (patches are currently in review upstream[1]), a number of php and python packages fail to build because of lacking SHSTK support in libaom.

[1] https://lore.kernel.org/lkml/20230613001108.3040476-1-rick.p.edgecombe@intel.com/

Reproducible: Always
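Added example, not part of the original report or of libaom: a small parser for the raw contents of a .note.gnu.property section that reports the IBT/SHSTK marking, plus a model of why one unmarked nasm object clears the marking on the linked library (the linker ANDs the feature bits of all inputs). The helper names and the sample notes are constructed for illustration; the constants are the standard x86 GNU property values.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_BITS = {0x1: "IBT", 0x2: "SHSTK"}

def _pad(n, align):
    return (n + align - 1) & ~(align - 1)

def cet_features(note, align=8):
    """Return CET feature names found in raw .note.gnu.property bytes.
    align is 8 for ELF64 and 4 for ELF32; little-endian is assumed."""
    bits, off = 0, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name_off = off + 12
        desc_off = _pad(name_off + namesz, align)
        name = note[name_off:name_off + namesz]
        desc = note[desc_off:desc_off + descsz]
        off = _pad(desc_off + descsz, align)
        if len(desc) != descsz:
            raise ValueError("truncated note")
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):  # walk the property array inside the note
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            data = desc[p + 8:p + 8 + pr_datasz]
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and len(data) == 4:
                bits |= struct.unpack("<I", data)[0]
            p = _pad(p + 8 + pr_datasz, align)
    return {name for bit, name in FEATURE_BITS.items() if bits & bit}

def linked_features(object_notes):
    """Model the linker: a feature survives only if every input object sets it.
    An object with no note (empty bytes) contributes no features."""
    sets = [cet_features(n) for n in object_notes]
    return set.intersection(*sets) if sets else set()

def make_note(feature_bits):
    """Build a constructed ELF64 note of the kind a cet.h-style directive emits."""
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits)
    prop += b"\0" * 4  # pad the property to 8 bytes
    header = struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0)
    return header + b"GNU\0" + prop

if __name__ == "__main__":
    c_obj = make_note(0x3)  # constructed: object marked IBT | SHSTK
    asm_obj = b""           # constructed: nasm object without a property note
    print(sorted(cet_features(c_obj)))
    print(sorted(linked_features([c_obj, asm_obj])))
```

On a real build, `readelf -n libaom.so` displays the same property, so it can be used to confirm the marking after a fix.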
I don't think any of the package maintainers are qualified to *correctly* do what's asked here (without introducing bugs), at least not without significant help from upstream. And since that upstream is Google ... well, I wouldn't be holding my breath.
Sent upstream: https://bugs.chromium.org/p/aomedia/issues/detail?id=3466
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.