Now that clang is the default (https://src.fedoraproject.org/rpms/chromium/blob/rawhide/f/chromium.spec#_153), CFI should be enabled when possible. Chromium should be built with control flow integrity (CFI) support, which helps prevent attackers from modifying the program's control flow. The previous reason for not doing this is no longer the case: https://bugzilla.redhat.com/show_bug.cgi?id=1970161#c1

Reproducible: Always

Steps to Reproduce:
1. Go to https://src.fedoraproject.org/rpms/chromium/blob/rawhide/f/chromium.spec#_1173
2. is_cfi is false

Actual Results:
is_cfi is false

Expected Results:
is_cfi is true
I built chromium-120.0.6099.62 with control flow integrity support is_cfi=true and noticed that the binary size (chromium-browser) has increased by about 49MB. It is really bad on the system with little memory. So I am not sure if we should enable it
(In reply to Than Ngo from comment #1)
> I built chromium-120.0.6099.62 with control flow integrity support
> is_cfi=true and noticed that the binary size (chromium-browser) has increased
> by about 49MB.
> It is really bad on the system with little memory. So I am not sure if we
> should enable it

A couple of things to keep in mind:

- CFI is already default and has been used in official Chrome for Linux builds for many years now: https://www.chromium.org/developers/testing/control-flow-integrity/
- Also according to the same link above, even though the binary will be larger, the memory impact will be a small constant: "(read-only tables inside the binary shared between all chrome processes)"
- Keeping this feature disabled is a significant security degradation compared to upstream. The current settings are taking a security feature that exists and is default upstream and disabling it. This seems unjustified, especially since this ask is not to add new security functionality that upstream doesn't already have.

Given the above, the memory impact should be less than expected and the security gains are significant.
FEDORA-2023-5d1b8507b8 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5d1b8507b8
FEDORA-2023-5d1b8507b8 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-5d1b8507b8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5d1b8507b8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a32ad3e643 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a32ad3e643
FEDORA-2023-5d1b8507b8 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-a32ad3e643 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a32ad3e643` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a32ad3e643 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a32ad3e643 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
It looks like cfi is no longer ever enabled, it is only disabled if cfi is 0, but cfi being 1 does nothing: https://src.fedoraproject.org/rpms/chromium/blob/rawhide/f/chromium.spec#_1498

At first I thought that maybe the defaults for is_cfi and use_thin_lto had changed, but I ran gn args locally and saw that they were still false:

```
is_cfi
    Current value (from the default) = false
      From //build/config/sanitizers/sanitizers.gni:59

    Compile with Control Flow Integrity to protect virtual calls and casts.
    See http://clang.llvm.org/docs/ControlFlowIntegrity.html

    TODO(pcc): Remove this flag if/when CFI is enabled in all official builds.
```

```
use_thin_lto
    Current value (from the default) = false
      From //build/config/compiler/compiler.gni:88
```

Am I missing something here? If not, can CFI please be re-enabled? Thanks.
I checked it on my local machine (latest chromium-126.0.6478.182), both are enabled.

```
gn args -C out/Release/ --list --short | grep -e "use_thin_lto" -e "is_cfi"
is_cfi = true
use_thin_lto = true
```

I am not sure why it's disabled in your local build.
I also did a scratch build to check whether both flags are enabled. https://kojipkgs.fedoraproject.org//work/tasks/7901/120687901/build.log

```
+ echo '*** check is_cfi and use_thin_lto flags ***'
+ echo '**********************************************'
*** check is_cfi and use_thin_lto flags ***
**********************************************
+ gn args -C out/Release/ --list --short grep -e use_thin_lto -e is_cfi
is_cfi = true
use_thin_lto = true
**********************************************
```

I confirmed that both flags are enabled!
I have checked the is_cfi flag in the ppc64le and aarch64 builds, and the is_cfi flag is indeed set to false there. @secureblueadmin: Did you check this in your report above for aarch64/ppc64le?
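The scratch-build log above only prints the two gn flags; it does not fail the build when one of them is false, which is how the aarch64/ppc64le builds ended up with is_cfi = false unnoticed. The following is an added example (not code from chromium.spec or from anyone in this thread) of a POSIX sh gate that parses the same `gn args --list --short` output and returns non-zero unless every required flag is exactly `true`; the two sample listings are constructed to stand in for the x86_64 and aarch64 results discussed here.

```shell
#!/bin/sh
# Added example: fail a packaging check when hardening gn flags are not true.
# Flags required to be "true" in the gn args listing (names taken from the thread).
REQUIRED_FLAGS="is_cfi use_thin_lto"

# check_gn_flags LISTING
# LISTING is the text of `gn args -C <dir> --list --short` (possibly grepped).
# Returns 0 if every flag in REQUIRED_FLAGS is present and equal to "true";
# otherwise prints each offending flag on stderr and returns 1.
check_gn_flags() {
    listing=$1
    status=0
    for flag in $REQUIRED_FLAGS; do
        # Extract the value after "<flag> = "; empty if the flag is absent.
        value=$(printf '%s\n' "$listing" | sed -n "s/^${flag} = //p")
        if [ "$value" != "true" ]; then
            echo "ERROR: ${flag} is '${value:-unset}' (expected true)" >&2
            status=1
        fi
    done
    return $status
}

# check_build_dir OUT_DIR: run the gate against a real gn build directory,
# using the same pipeline the scratch build above uses to print the flags.
check_build_dir() {
    check_gn_flags "$(gn args -C "$1" --list --short | grep -e use_thin_lto -e is_cfi)"
}

# Constructed sample listings (not real build output) for stand-alone use.
X86_64_LISTING='is_cfi = true
use_thin_lto = true'
AARCH64_LISTING='is_cfi = false
use_thin_lto = true'

if check_gn_flags "$X86_64_LISTING"; then
    echo "x86_64 sample: all required flags enabled"
fi
if ! check_gn_flags "$AARCH64_LISTING"; then
    echo "aarch64 sample: hardening flags missing, build should be failed"
fi
```

In a spec file the `%build` section would call `check_build_dir out/Release/` right after gn has generated the build directory, so a false flag on any architecture stops the build instead of producing a package without CFI.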
I was checking for x86_64, but perhaps I configured something wrong when generating args?