Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix swss-common binskim errors #817

Merged
merged 2 commits into from
Sep 14, 2023

Conversation

liuh-80
Copy link
Contributor

@liuh-80 liuh-80 commented Sep 7, 2023

Fix swss-common binskim errors.

Work item tracking

Microsoft ADO (number only): 25090081

Why I did it

binskim scan report error BA3003, BA3004 and BA3011:

BA3003: The stack protector was not found. This may be because '--stack-protector-strong' was not used, or because it was explicitly disabled by '-fno-stack-protectors'.

BA3004: using debugging dwarf version '{1}'. The dwarf version 5 contains more information and should be used. To enable the debugging version 5 use '-gdwarf-5'.

BA3011: The BIND_NOW flag is missing from this binary, so relocation sections will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,-z,now' to address this.

How I did it

Add compiler flag and ld flag according to following document:

https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md

For BA3003, add '-fstack-protector-strong' to configure.ac, which will enable GCC strong stack protect feature.
For BA3011, add LD flag '-Wl,-z,now' to every make file, this is because azure pipeline will overwrite global LD flag defined in config.ac for code coverage.
For BA3004, add '-gdwarf-5' to makefile.am for debug build generate better debug information.

How to verify it

Pass all UT.

Manually verify issue fixed with following steps:

  1. clone latest code from https://github.com/microsoft/binskim/tree/main
  2. build by run 'BuildAndTest.cmd' command
  3. Open this PR build aritfact, download all x86 debs and extract file to local device.
  4. Run scan with following command and confirm issue fixed:
    .\bld\bin\x64_Release\net6.0\BinSkim.exe analyze .\sonic-swss-common\usr\bin*
    .\bld\bin\x64_Release\net6.0\BinSkim.exe analyze .\sonic-swss-common\usr\lib*

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111

Description for the changelog

Fix swss-common binskim errors.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@liuh-80 liuh-80 force-pushed the dev/liuh/fix-security-warning branch from 970a34c to bcd2d4b Compare September 7, 2023 09:12
@liuh-80 liuh-80 marked this pull request as ready for review September 7, 2023 09:13
@liuh-80 liuh-80 requested a review from qiluo-msft September 7, 2023 09:13
@qiluo-msft
Copy link
Contributor

Did you verify that binskim scan will be clean after this PR?

@liuh-80
Copy link
Contributor Author

liuh-80 commented Sep 14, 2023

Did you verify that binskim scan will be clean after this PR?

Yes, I verified manually, and update verify steps to PR description. also add binskim document link to PR description and explain how I fix the warning.

@qiluo-msft qiluo-msft merged commit 91677eb into sonic-net:master Sep 14, 2023
13 checks passed
SviatoslavBoichuk pushed a commit to SviatoslavBoichuk/sonic-swss-common that referenced this pull request Sep 14, 2023
Fix swss-common binskim errors.

#### Work item tracking
Microsoft ADO (number only): 25090081

#### Why I did it
binskim scan report error BA3003, BA3004 and BA3011:

BA3003: The stack protector was not found. This may be because '--stack-protector-strong' was not used, or because it was explicitly disabled by '-fno-stack-protectors'.

BA3004: using debugging dwarf version '{1}'. The dwarf version 5 contains more information and should be used. To enable the debugging version 5 use '-gdwarf-5'.

BA3011: The BIND_NOW flag is missing from this binary, so relocation sections will not be marked as read only after the binary is loaded.  An attacker can overwrite these to redirect control flow.  Ensure you are compiling with the compiler flags '-Wl,-z,now' to address this.

#### How I did it
Add compiler flag and ld flag according to following document:

https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md

For BA3003, add '-fstack-protector-strong' to configure.ac, which will enable GCC strong stack protect feature.
For BA3011, add LD flag '-Wl,-z,now' to every make file, this is because azure pipeline will overwrite global LD flag defined in config.ac for code coverage.
For BA3004, add '-gdwarf-5' to makefile.am for debug build generate better debug information.

#### How to verify it
Pass all UT.

Manually verify issue fixed with following steps:
1. clone latest code from https://github.com/microsoft/binskim/tree/main
2. build by run 'BuildAndTest.cmd' command
3. Open this PR build aritfact, download all x86 debs and extract file to local device.
4. Run scan with following command and confirm issue fixed:
.\bld\bin\x64_Release\net6.0\BinSkim.exe analyze .\sonic-swss-common\usr\bin\*
.\bld\bin\x64_Release\net6.0\BinSkim.exe analyze .\sonic-swss-common\usr\lib\*

### Description for the changelog
Fix swss-common binskim errors.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants