security-check: test for `_FORTIFY_SOURCE` usage in release binaries

fanquake commented at 5:05 pm on February 3, 2023: member

Test for the existence of fortified functions in the ELF release binaries. Currently skips bitcoin-util and checks for RISC-V.

DrahtBot commented at 5:05 pm on February 3, 2023: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	TheCharlatan
Concept ACK	hebasto
Stale ACK	laanwj

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

No conflicts as of last run.

fanquake commented at 3:46 pm on February 13, 2023: member

we don’t end up with any foritfied funcs in bitcoin-util or bitcoin-cli.

bitcoin-cli is fixed once we fortify libevent.

fanquake force-pushed on Feb 17, 2023

fanquake commented at 2:36 pm on February 17, 2023: member

bitcoin-cli is fixed once we fortify libevent.

Rebased on #27118

fanquake referenced this in commit e60a58f191 on Feb 28, 2023

fanquake force-pushed on Feb 28, 2023

fanquake commented at 10:30 am on February 28, 2023: member

Rebased post #27118.

sidhujag referenced this in commit 5f087db8ed on Feb 28, 2023

fanquake force-pushed on Mar 31, 2023

fanquake force-pushed on Jul 27, 2023

fanquake force-pushed on Sep 6, 2023

fanquake force-pushed on Oct 2, 2023

hebasto commented at 12:27 pm on October 25, 2023: member

Concept ACK.

hebasto commented at 12:53 pm on October 25, 2023: member

Can’t be done yet because we don’t end up with any fortified funcs in bitcoin-util.

Does it make sense to provide a list of expected symbols for every binary been tested? It would be an empty one for bitcoin-util.

fanquake commented at 1:05 pm on October 25, 2023: member

Does it make sense to provide a list of expected symbols for every binary been tested?

I don’t think so, and that would likely require constant maintenance (plus guix builds to be run on every code change).

DrahtBot added the label CI failed on Oct 29, 2023

DrahtBot removed the label CI failed on Nov 3, 2023

fanquake force-pushed on Dec 8, 2023

DrahtBot added the label CI failed on Jan 13, 2024

fanquake force-pushed on Mar 19, 2024

DrahtBot removed the label CI failed on Mar 19, 2024

laanwj commented at 7:13 am on April 24, 2024: member

Concept ACK

in contrib/devtools/security-check.py:129 in 0295a7857f outdated

116@@ -116,6 +117,21 @@ def check_ELF_control_flow(binary) -> bool:
117         return True
118     return False
119 
120+def check_ELF_FORTIFY(binary) -> bool:
121+
122+    chk_funcs = set()
123+
124+    for sym in binary.symbols:
125+        match = re.search(r'__[a-z]*_chk', sym.name)

laanwj commented at 7:17 am on April 24, 2024:

Might want to check .imported to make sure it’s an imported symbol, just to be sure.

fanquake commented at 1:54 pm on July 24, 2024:

Added.

laanwj commented at 7:20 am on April 24, 2024: member

i’d be okay with skipping the check for bitcoin-util: it’s the least relevant binary for fortification (no network access, not even file format access). Could reconsider it later if it actually gains some useful functionality 😄

fanquake force-pushed on Jun 26, 2024

fanquake force-pushed on Jul 16, 2024

DrahtBot added the label CI failed on Jul 16, 2024

DrahtBot added the label Needs rebase on Jul 24, 2024

fanquake force-pushed on Jul 24, 2024

DrahtBot removed the label Needs rebase on Jul 24, 2024

DrahtBot removed the label CI failed on Jul 24, 2024

fanquake force-pushed on Jul 24, 2024

fanquake commented at 1:54 pm on July 24, 2024: member

i’d be okay with skipping the check for bitcoin-util: it’s the least relevant binary for fortification (no network access, not even file format access). Could reconsider it later if it actually gains some useful functionality 😄

I think I agree, and I’ve added that skipping now.

fanquake marked this as ready for review on Jul 24, 2024

fanquake added the label DrahtBot Guix build requested on Jul 24, 2024

DrahtBot commented at 9:22 pm on July 24, 2024: contributor

Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

File	commit fa0b5d68823b69f4861b002bbfac2fd36ed46356(master)	commit 3733b4b088ff94c6b8c67ff7d88e8eb135abbfb3(master and this pull)
SHA256SUMS.part	`7a352dc327a3ba7d...`	`7a15c6f53f1ac3e5...`
*-aarch64-linux-gnu-debug.tar.gz	`45c633ad2ea1589c...`	`799c717db1619d70...`
*-aarch64-linux-gnu.tar.gz	`826f71f0a6e60d38...`	`3bc81cd9cb716a46...`
*-arm-linux-gnueabihf-debug.tar.gz	`d6b802771da7503e...`	`b230f6176739fdca...`
*-arm-linux-gnueabihf.tar.gz	`ff69976db6a377a5...`	`025f23ab5d1bf74b...`
*-arm64-apple-darwin-unsigned.tar.gz	`b9735db910e72417...`
*-arm64-apple-darwin-unsigned.zip	`ca4404ce38f70756...`
*-arm64-apple-darwin.tar.gz	`59f547bf068c2e07...`
*-powerpc64-linux-gnu-debug.tar.gz	`bbf043c260328961...`
*-powerpc64-linux-gnu.tar.gz	`bf6246fe6a3794b5...`
*-riscv64-linux-gnu-debug.tar.gz	`29b4261dcb3fd20f...`
*-riscv64-linux-gnu.tar.gz	`5a82e9c2a8796bda...`
*-x86_64-apple-darwin-unsigned.tar.gz	`bd31c1ca258f4304...`
*-x86_64-apple-darwin-unsigned.zip	`7615cf7d77471767...`
*-x86_64-apple-darwin.tar.gz	`e29caf84ac0e04f8...`
*-x86_64-linux-gnu-debug.tar.gz	`99376a2c4834d9de...`	`9edd4bea8e20eba1...`
*-x86_64-linux-gnu.tar.gz	`02d68530d0ffcd1b...`	`2b4f45db7f666b92...`
*.tar.gz	`512617514e0e78d0...`	`df1cceb27e1d64e3...`
guix_build.log	`11c162bef2a2d548...`	`c6a80a85f93e8ba4...`
guix_build.log.diff		`f96ccf23661471f7...`

DrahtBot removed the label DrahtBot Guix build requested on Jul 24, 2024

fanquake commented at 9:21 am on July 25, 2024: member

RISCV build failed here:

 0Traceback (most recent call last):
 1  File "/distsrc-base/distsrc-3733b4b088ff-riscv64-linux-gnu/./contrib/devtools/test-security-check.py", line 73, in test_ELF
 2    self.assertEqual(call_security_check(cxx, source, executable, pass_flags + ['-no-pie','-fno-PIE']), (1, executable + ': failed PIE'))
 3AssertionError: Tuples differ: (1, 'test1: failed PIE FORTIFY') != (1, 'test1: failed PIE')
 4
 5First differing element 1:
 6'test1: failed PIE FORTIFY'
 7'test1: failed PIE'
 8
 9- (1, 'test1: failed PIE FORTIFY')
10?                       --------
11
12+ (1, 'test1: failed PIE')

DrahtBot added the label CI failed on Jul 29, 2024

fanquake force-pushed on Jul 30, 2024

fanquake commented at 12:10 pm on July 30, 2024: member

RISCV build failed here:

This might be a bug in LIEF. Opened https://github.com/lief-project/LIEF/issues/1082 upstream. Pushed up a verison with a workaround for RISC-V. Guix Build (aarch64):

 071aadd4cdca388e39742911d0a9a8f858cc796d1037ff4ff05f383bf74b6dfc6  guix-build-573db37893d8/output/aarch64-linux-gnu/SHA256SUMS.part
 1723ab391cadeda9afd12d832db26c65f2d69e9e41c92b20a2453821e5fe13dc2  guix-build-573db37893d8/output/aarch64-linux-gnu/bitcoin-573db37893d8-aarch64-linux-gnu-debug.tar.gz
 2d04eed5f8d5fadca37c57d18dcd908b71fa66425ee2388227b018f8df7d7cf5e  guix-build-573db37893d8/output/aarch64-linux-gnu/bitcoin-573db37893d8-aarch64-linux-gnu.tar.gz
 3e7757d05fce2b0a36e6f5785f3f7dbc52985fd4baeb111fc6745ad302ebf1afd  guix-build-573db37893d8/output/arm-linux-gnueabihf/SHA256SUMS.part
 49f614712ae2dfd1dd5a6f15d4dc96349bbf81372245ef7b835cc0366a4f87e16  guix-build-573db37893d8/output/arm-linux-gnueabihf/bitcoin-573db37893d8-arm-linux-gnueabihf-debug.tar.gz
 546d7992241831d4a2a233ec1e984f93f95623672956e80b9bcf4a163ae6a9c9a  guix-build-573db37893d8/output/arm-linux-gnueabihf/bitcoin-573db37893d8-arm-linux-gnueabihf.tar.gz
 64da3fc982733ac3b5b7214408483ae7626e696ce533862d990e4124c59511fcd  guix-build-573db37893d8/output/arm64-apple-darwin/SHA256SUMS.part
 7e394ea1b46ee992b7e91d397f4b307f4d9e51bf1019b9c184eae8edbd07ddd9f  guix-build-573db37893d8/output/arm64-apple-darwin/bitcoin-573db37893d8-arm64-apple-darwin-unsigned.tar.gz
 8602e8a4e3f2b9b55a55f9266e496230d0c049f8fbea1cbda074d2fb2cc0a7549  guix-build-573db37893d8/output/arm64-apple-darwin/bitcoin-573db37893d8-arm64-apple-darwin-unsigned.zip
 92172545ab072c79b248e887652a0ea8f375f6907f92d0a593c2cdb57ad03462c  guix-build-573db37893d8/output/arm64-apple-darwin/bitcoin-573db37893d8-arm64-apple-darwin.tar.gz
10a9639798be0797c05e05fb2a337ef69dcb64572456a6c9d754f309c4f4870745  guix-build-573db37893d8/output/dist-archive/bitcoin-573db37893d8.tar.gz
1160b2c1abfda3981d973ffdc189892110d54d2d161e9dfc690bbbc32dd7d12397  guix-build-573db37893d8/output/powerpc64-linux-gnu/SHA256SUMS.part
12dea8e5ae3401e8901775aa5a1b8bcbbd64967fe3dc2dc62174f8ad3bfc7f5c39  guix-build-573db37893d8/output/powerpc64-linux-gnu/bitcoin-573db37893d8-powerpc64-linux-gnu-debug.tar.gz
138c4e3561759f92e9e03fdf4305da1a42b58f71711a999f33064c39bfeca725a7  guix-build-573db37893d8/output/powerpc64-linux-gnu/bitcoin-573db37893d8-powerpc64-linux-gnu.tar.gz
149c35b41b09a70d843c6753f1e4d5e8d40c80bd17f9348b8e852a2142a07973ee  guix-build-573db37893d8/output/riscv64-linux-gnu/SHA256SUMS.part
1577f84e572d8f931572f5d60e2d61c083232b09cf2232a73d05931664ced815c0  guix-build-573db37893d8/output/riscv64-linux-gnu/bitcoin-573db37893d8-riscv64-linux-gnu-debug.tar.gz
16ef965579cbc9647d0c92b8200520e746b602769a0728c61c36621cae6af7a687  guix-build-573db37893d8/output/riscv64-linux-gnu/bitcoin-573db37893d8-riscv64-linux-gnu.tar.gz
17161a95df9654dfee9a94500c5cc03696502a0d7455538cc498c08cbdb99c56b1  guix-build-573db37893d8/output/x86_64-apple-darwin/SHA256SUMS.part
181626b5d6691a6710d171090c4d8036c44c8585a0b3c2899a6ea30c6333d1e923  guix-build-573db37893d8/output/x86_64-apple-darwin/bitcoin-573db37893d8-x86_64-apple-darwin-unsigned.tar.gz
1923bdd9f1da7be43f86ab47b889efe73dc7e32dd1bfd8a44a610a86b2e872d320  guix-build-573db37893d8/output/x86_64-apple-darwin/bitcoin-573db37893d8-x86_64-apple-darwin-unsigned.zip
20f18231be4b667917a8a75ce539dbec3fcf2f3279abe3cbf69104ba90da0154ca  guix-build-573db37893d8/output/x86_64-apple-darwin/bitcoin-573db37893d8-x86_64-apple-darwin.tar.gz
21660054c7cc08d9d10fbd15ec4e818ee0193a15ad5a274c464154e8ea4f122348  guix-build-573db37893d8/output/x86_64-linux-gnu/SHA256SUMS.part
22da66029304a66a0534930b7afaa561354d6b147aed3eafe2e5c2a44959b04cf5  guix-build-573db37893d8/output/x86_64-linux-gnu/bitcoin-573db37893d8-x86_64-linux-gnu-debug.tar.gz
230ab1514591fd1b74e2089e67ff0ef9f81fe72dcfe5932eaf3e9b4b9f96d3d96f  guix-build-573db37893d8/output/x86_64-linux-gnu/bitcoin-573db37893d8-x86_64-linux-gnu.tar.gz
2430cad6948053c905234e51996f6512b59faaedbe7e7eb186559611a22c186df4  guix-build-573db37893d8/output/x86_64-w64-mingw32/SHA256SUMS.part
254753f415470f2c816b8ae1be04e09705e51ab57129dc22c680525cf5bb26f40e  guix-build-573db37893d8/output/x86_64-w64-mingw32/bitcoin-573db37893d8-win64-debug.zip
2680bf9135f34faec17b962d94b61cf62d5a118908d5544194a416823c57afe015  guix-build-573db37893d8/output/x86_64-w64-mingw32/bitcoin-573db37893d8-win64-setup-unsigned.exe
27516d5499655c57cc07cb7df67bbbd4d4d10260bdfa838229e33ba627cf2c3442  guix-build-573db37893d8/output/x86_64-w64-mingw32/bitcoin-573db37893d8-win64-unsigned.tar.gz
28d5f4ced701f65bddd6ac46621d295d8c98a6ff6d73584452fa9d7ddfa14481cb  guix-build-573db37893d8/output/x86_64-w64-mingw32/bitcoin-573db37893d8-win64.zip

fanquake added the label DrahtBot Guix build requested on Jul 30, 2024

DrahtBot removed the label CI failed on Jul 30, 2024

DrahtBot commented at 11:11 pm on July 30, 2024: contributor

Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

File	commit 4c62f4b53561bce5b2eb8639cdc24d284be537eb(master)	commit e22f88e355e184fb5022009763da367131ae400e(master and this pull)
SHA256SUMS.part	`be374ddea874f25e...`	`d2dd5b871085b6ff...`
*-aarch64-linux-gnu-debug.tar.gz	`ec4b3da8d21cb8c3...`	`41202dadfa1b1c65...`
*-aarch64-linux-gnu.tar.gz	`c42423fd5b13c510...`	`2a848e366036b801...`
*-arm-linux-gnueabihf-debug.tar.gz	`6b8b241d0de0de14...`	`076eb5c650e30a00...`
*-arm-linux-gnueabihf.tar.gz	`e49a6bbad8c8e313...`	`7bd93f3b362357fe...`
*-arm64-apple-darwin-unsigned.tar.gz	`24069ed0e16f36f8...`	`1e4e1bafc4d6c90b...`
*-arm64-apple-darwin-unsigned.zip	`86b0315714fe2c68...`	`ef8d4814747968a8...`
*-arm64-apple-darwin.tar.gz	`2869984c6618c82e...`	`0504e582092dd7d1...`
*-powerpc64-linux-gnu-debug.tar.gz	`98dabbae6010423d...`	`47baed9e101dc126...`
*-powerpc64-linux-gnu.tar.gz	`865a46f30deefa08...`	`69167b80e76e22a2...`
*-riscv64-linux-gnu-debug.tar.gz	`016276c375f24ac1...`	`e4f709aeef940bc2...`
*-riscv64-linux-gnu.tar.gz	`7a1c86d6f503717c...`	`3af68b76cfa4d449...`
*-x86_64-apple-darwin-unsigned.tar.gz	`e6a48ceaf8e5ff90...`	`b163c782111ab7ea...`
*-x86_64-apple-darwin-unsigned.zip	`d2427ae6c1b59107...`	`2a7984cab4a3b377...`
*-x86_64-apple-darwin.tar.gz	`489d1a77dd834252...`	`c74c1506d9890348...`
*-x86_64-linux-gnu-debug.tar.gz	`1fcb9589f30285e4...`	`4e872536bb41d26c...`
*-x86_64-linux-gnu.tar.gz	`7c4195bdb6205706...`	`26305ff03017c307...`
*.tar.gz	`911a2f1429a02583...`	`198bf1eeecc5a949...`
guix_build.log	`a9cad45f6d634755...`	`008004d11a450031...`
guix_build.log.diff		`e728da62e440d4b5...`

DrahtBot removed the label DrahtBot Guix build requested on Jul 30, 2024

fanquake commented at 8:04 pm on August 21, 2024: member

This might be a bug in LIEF. Opened https://github.com/lief-project/LIEF/issues/1082 upstream.

I haven’t yet tested, but the bug should now be fixed, as of https://github.com/lief-project/LIEF/commit/ab85865f279cf02648018417ec8afa12bd0bef24.

fanquake force-pushed on Aug 28, 2024

fanquake force-pushed on Aug 30, 2024

fanquake force-pushed on Sep 6, 2024

fanquake commented at 10:12 am on September 6, 2024: member

Guix Build (aarch64):

 0f21ba8dde52ecf7fd1e76b5f6efe7d620a7a0baf8099eb6d25d09161a73f2030  guix-build-6c9000cfbfab/output/aarch64-linux-gnu/SHA256SUMS.part
 15e89a83e025bfbc37118a1ca0d386b0ffbde22bd3357b06d7e4c3587e10b0ed6  guix-build-6c9000cfbfab/output/aarch64-linux-gnu/bitcoin-6c9000cfbfab-aarch64-linux-gnu-debug.tar.gz
 2d0b7acb03204f077bc88d0d9008041c1aa854a6e0fd244210099ae2f2b8b4ca3  guix-build-6c9000cfbfab/output/aarch64-linux-gnu/bitcoin-6c9000cfbfab-aarch64-linux-gnu.tar.gz
 3e4619881f66bbefd26cc4e28723c3ebb9b6720f4a3f83ee4733e41246a72eff6  guix-build-6c9000cfbfab/output/arm-linux-gnueabihf/SHA256SUMS.part
 40d3fcb044b41e7b9146329f9a9a2113fd55acab2f2129d58c2b56fca2cf08b0d  guix-build-6c9000cfbfab/output/arm-linux-gnueabihf/bitcoin-6c9000cfbfab-arm-linux-gnueabihf-debug.tar.gz
 50dde42354c7322480a43281655c6a337429522b6cf845f8dcf154eb87cb4077d  guix-build-6c9000cfbfab/output/arm-linux-gnueabihf/bitcoin-6c9000cfbfab-arm-linux-gnueabihf.tar.gz
 642b54602d398545561dc2fdc9d8ba255333a24a1c3d61e7455e79c1ac89d0388  guix-build-6c9000cfbfab/output/arm64-apple-darwin/SHA256SUMS.part
 7862b895a04b29266e8677d12ec3ed86c90d697e565bfe09b60e7fd987579ddb0  guix-build-6c9000cfbfab/output/arm64-apple-darwin/bitcoin-6c9000cfbfab-arm64-apple-darwin-unsigned.tar.gz
 8f30b60f67b6415c6598a64aeb64f5653349e9dfdeacb901c4173a73fb725904f  guix-build-6c9000cfbfab/output/arm64-apple-darwin/bitcoin-6c9000cfbfab-arm64-apple-darwin-unsigned.zip
 98024ed97ffb3d639882b399dca0c8e305627663d25bc7afc0a3b408a2054590f  guix-build-6c9000cfbfab/output/arm64-apple-darwin/bitcoin-6c9000cfbfab-arm64-apple-darwin.tar.gz
10f69554b8a178d80980a0235bb1380dfc7bfff51bffc8d5861540623c26f2088d  guix-build-6c9000cfbfab/output/dist-archive/bitcoin-6c9000cfbfab.tar.gz
11e3fe7b51ae096171b0c1f5cadc3f81809b704dc443f4cdcbfdf4da314b308367  guix-build-6c9000cfbfab/output/powerpc64-linux-gnu/SHA256SUMS.part
124ed6abfc07cee15820ef0b82cf627d743eda7c1bf949f91a7259adbfcc908972  guix-build-6c9000cfbfab/output/powerpc64-linux-gnu/bitcoin-6c9000cfbfab-powerpc64-linux-gnu-debug.tar.gz
1372c28fe0d63ca94df4629b05530576f432fa170d5dff9117c7e1fe177df1e33e  guix-build-6c9000cfbfab/output/powerpc64-linux-gnu/bitcoin-6c9000cfbfab-powerpc64-linux-gnu.tar.gz
1436efec196510892ae01bfbae75d6fd624be97fba9cdfe98a84f4b743c58e7914  guix-build-6c9000cfbfab/output/riscv64-linux-gnu/SHA256SUMS.part
15713afe90c3fbb54d42d16636b4cc66f94956498e043580510cb0cbcbf1cb0b72  guix-build-6c9000cfbfab/output/riscv64-linux-gnu/bitcoin-6c9000cfbfab-riscv64-linux-gnu-debug.tar.gz
169dc73a4f7fabf55853cb55bcdb7dc64b4670345d2c00d40aea827c62e8dcb8f6  guix-build-6c9000cfbfab/output/riscv64-linux-gnu/bitcoin-6c9000cfbfab-riscv64-linux-gnu.tar.gz
175d059bb7188b104b530c6a21108f94942d6f7acaabf469f1205e3a815721449e  guix-build-6c9000cfbfab/output/x86_64-apple-darwin/SHA256SUMS.part
18e7a2b21f3f0737cc5a04a0e4cb7b64afc254347758be97f6312700e85932de2a  guix-build-6c9000cfbfab/output/x86_64-apple-darwin/bitcoin-6c9000cfbfab-x86_64-apple-darwin-unsigned.tar.gz
19a45a52a60dd218cae67faaca037d4004da8b1ba299b04e80780d5a416ed6596a  guix-build-6c9000cfbfab/output/x86_64-apple-darwin/bitcoin-6c9000cfbfab-x86_64-apple-darwin-unsigned.zip
20460ea30d33f604ed044b9ee66dfbecbc0fb7049a18a899d365420d8c3bc31d35  guix-build-6c9000cfbfab/output/x86_64-apple-darwin/bitcoin-6c9000cfbfab-x86_64-apple-darwin.tar.gz
216dca6e13803d9ea07c20e9e865b48aae4e5e5e7ac0e0dd6f5699990769e165f3  guix-build-6c9000cfbfab/output/x86_64-linux-gnu/SHA256SUMS.part
22e4be9ef51c5fecfbf6bdf31508dc8f6aaaf31d46d49101da2b3a2e86c30513d8  guix-build-6c9000cfbfab/output/x86_64-linux-gnu/bitcoin-6c9000cfbfab-x86_64-linux-gnu-debug.tar.gz
23686499d3990e762945279536aa9c84e6c79fc8e85d1e4ecedbb0ce9c70c3154c  guix-build-6c9000cfbfab/output/x86_64-linux-gnu/bitcoin-6c9000cfbfab-x86_64-linux-gnu.tar.gz
24efe2376411ac6979dfe6e542b4bd1d5e950f069ba057755cf3a1cfac9aa3b619  guix-build-6c9000cfbfab/output/x86_64-w64-mingw32/SHA256SUMS.part
25b3fcd800835eea1430e19f7cab82006c96f15b86985d9582d81e62de3fe6c195  guix-build-6c9000cfbfab/output/x86_64-w64-mingw32/bitcoin-6c9000cfbfab-win64-debug.zip
262b8e9e6cc2a0f2215d21599db5b03d2c9f7a158f3182908682b23df4b643976f  guix-build-6c9000cfbfab/output/x86_64-w64-mingw32/bitcoin-6c9000cfbfab-win64-setup-unsigned.exe
273e476530d1321acb2561027ce8ea05fc9a98430c6afc6a50ccd60ace72445f5b  guix-build-6c9000cfbfab/output/x86_64-w64-mingw32/bitcoin-6c9000cfbfab-win64-unsigned.tar.gz
28bb55ef5ebc3e768899c71033dae45fbb45e26c415209047f460d5d6f3e98529c  guix-build-6c9000cfbfab/output/x86_64-w64-mingw32/bitcoin-6c9000cfbfab-win64.zip

laanwj commented at 9:34 am on September 8, 2024: member

ACK 6c9000cfbfab1cd3b48efebd8e0e90ae597cf561

Building on x86_64 gets different guix output for MacOS. But this is unrelated to this PR.

0-129b365bba906f50926218d5b8bb76921f5f637549fe44941e01eb8ba5d5d5f0  guix-build-6c9000cfbfab/output/arm64-apple-darwin/bitcoin-6c9000cfbfab-arm64-apple-darwin-unsigned.zip
1+f30b60f67b6415c6598a64aeb64f5653349e9dfdeacb901c4173a73fb725904f  guix-build-6c9000cfbfab/output/arm64-apple-darwin/bitcoin-6c9000cfbfab-arm64-apple-darwin-unsigned.zip
2-f836231d54d171cd98589519166200ed6a65741ff249e6e2144e94cf0e964ce5  guix-build-6c9000cfbfab/output/x86_64-apple-darwin/bitcoin-6c9000cfbfab-x86_64-apple-darwin-unsigned.zip
3+a45a52a60dd218cae67faaca037d4004da8b1ba299b04e80780d5a416ed6596a  guix-build-6c9000cfbfab/output/x86_64-apple-darwin/bitcoin-6c9000cfbfab-x86_64-apple-darwin-unsigned.zip

DrahtBot requested review from hebasto on Sep 8, 2024

contrib: test for FORTIFY_SOURCE in security-check.py be4f78275f

fanquake force-pushed on Sep 9, 2024

fanquake added the label DrahtBot Guix build requested on Sep 9, 2024

fanquake commented at 2:01 pm on September 9, 2024: member

Guix build (x86_64) note that macOS builds (probably) wont match:

 0b3bcd9f7508b35b3f4a187e9f1e4c87648bf3897575c0c4db8664f1fe08c2cf4  guix-build-be4f78275fa6/output/aarch64-linux-gnu/SHA256SUMS.part
 1356c7b9493887fc839e6b7951a3396085bfea33efce91070f972a69f60aac1f4  guix-build-be4f78275fa6/output/aarch64-linux-gnu/bitcoin-be4f78275fa6-aarch64-linux-gnu-debug.tar.gz
 2e2887613ca5d1f929294487f86bd36ab6af0739d12625c6c661a35781c4f1523  guix-build-be4f78275fa6/output/aarch64-linux-gnu/bitcoin-be4f78275fa6-aarch64-linux-gnu.tar.gz
 392514b0968dbc869cc40fa618576d92aeedebcc7b93b08355ce7e0ced96e8992  guix-build-be4f78275fa6/output/arm-linux-gnueabihf/SHA256SUMS.part
 41e692efe2151693cd353ad584678718431aed1f3b26550b7708774c32f8f11b8  guix-build-be4f78275fa6/output/arm-linux-gnueabihf/bitcoin-be4f78275fa6-arm-linux-gnueabihf-debug.tar.gz
 53182761dacaac998d2f4bf3c40d8f459ab6c61ea3912895e4fb4f5ef78814b0c  guix-build-be4f78275fa6/output/arm-linux-gnueabihf/bitcoin-be4f78275fa6-arm-linux-gnueabihf.tar.gz
 6fb15e70c205133aaaf71211260a94914bb2721adc249a14cc39d2be211265dae  guix-build-be4f78275fa6/output/arm64-apple-darwin/SHA256SUMS.part
 722999d45e4c5e22b1279a4362abda833d51bed2f5c1d478ad8f9f73b8878def5  guix-build-be4f78275fa6/output/arm64-apple-darwin/bitcoin-be4f78275fa6-arm64-apple-darwin-unsigned.tar.gz
 88e295048be58a10b7a5c239baa84a7b04b84d523f5149884127b1a403636fba8  guix-build-be4f78275fa6/output/arm64-apple-darwin/bitcoin-be4f78275fa6-arm64-apple-darwin-unsigned.zip
 91dd8fb0de68f9598f245d2565d634fbae232ce2507019de83724f72c3835f8b8  guix-build-be4f78275fa6/output/arm64-apple-darwin/bitcoin-be4f78275fa6-arm64-apple-darwin.tar.gz
107e48a49b04818bab314d872cffd11aa41650b01717bc01edc461e50d5afcb428  guix-build-be4f78275fa6/output/dist-archive/bitcoin-be4f78275fa6.tar.gz
1165fae266d1a0bee5654bde79d02d9df9d0e0a35b517da1d8f227edb889171b8b  guix-build-be4f78275fa6/output/powerpc64-linux-gnu/SHA256SUMS.part
1296ab98442b875cec7aa7ef927ae1ffb3ea047c1827f82e97ce3e2b5d942c8998  guix-build-be4f78275fa6/output/powerpc64-linux-gnu/bitcoin-be4f78275fa6-powerpc64-linux-gnu-debug.tar.gz
13fdb0639b6efe2baee6266c516f482ed36ed71965ba21a3706d0a61444792a700  guix-build-be4f78275fa6/output/powerpc64-linux-gnu/bitcoin-be4f78275fa6-powerpc64-linux-gnu.tar.gz
142ea0fa8ee3e33350a43cb153223ab9d11cb6520f300c08010784df2cdfd9e9b2  guix-build-be4f78275fa6/output/riscv64-linux-gnu/SHA256SUMS.part
1562c8961a668bee937eb9afa3ddf532a43f81402d55db4c9b16aeb3025e1f1a6a  guix-build-be4f78275fa6/output/riscv64-linux-gnu/bitcoin-be4f78275fa6-riscv64-linux-gnu-debug.tar.gz
160fa073206c1b5723242317ff4564d1c78e2f2184464552c896fcd90a6fcc98fa  guix-build-be4f78275fa6/output/riscv64-linux-gnu/bitcoin-be4f78275fa6-riscv64-linux-gnu.tar.gz
17e9ed6817139513fae596446e003c5c6e1b96cb9497cb9b68e2423d62580b5137  guix-build-be4f78275fa6/output/x86_64-apple-darwin/SHA256SUMS.part
18ae08548740f12a8c0053570aa9048c8de3db0c195f2360e39048556efe1f1027  guix-build-be4f78275fa6/output/x86_64-apple-darwin/bitcoin-be4f78275fa6-x86_64-apple-darwin-unsigned.tar.gz
1996228a3d7ef976f8dccbe58c462065c260191ec093fa56919a8a96bae4631fdf  guix-build-be4f78275fa6/output/x86_64-apple-darwin/bitcoin-be4f78275fa6-x86_64-apple-darwin-unsigned.zip
203cd89ca037f9ffc8a42c9e83ddccc5fc49f7c365fcbed4c5ae50b6a243f8fffd  guix-build-be4f78275fa6/output/x86_64-apple-darwin/bitcoin-be4f78275fa6-x86_64-apple-darwin.tar.gz
213ddcd9d6d618b2a1769baccaf5a4d6f44cf7ac4f6554c27be2aaa50dfc5efeca  guix-build-be4f78275fa6/output/x86_64-linux-gnu/SHA256SUMS.part
2249f09f86a8b485ce0b55bb56a7f214021ea56a23e942e98a4994a01559761615  guix-build-be4f78275fa6/output/x86_64-linux-gnu/bitcoin-be4f78275fa6-x86_64-linux-gnu-debug.tar.gz
23fe0e969bdfeb3743074b51d2eee31da938110ec00f10b3e1d3fa8548d4400645  guix-build-be4f78275fa6/output/x86_64-linux-gnu/bitcoin-be4f78275fa6-x86_64-linux-gnu.tar.gz
24b6e26a5527d84fc65077c34b61b3d813e5aa3b76383eb13aab84b2282b1b27dc  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/SHA256SUMS.part
25fd2352c71357a7e239da30154ca056df1f2d31594e353f44d74841d786879840  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64-debug.zip
26521e156965a8bee4399ba861edf6aba75579d00b077d1b4db34b7c01d565b6d4  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64-setup-unsigned.exe
274b6ebd88fd17aac230099ceee6f40c49e5bf841e964a53f52024d04b6e447dfe  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64-unsigned.tar.gz
289830bcba326f52fb0cc529826243b2f878a975e9ae70db09bf2358c6602b39dc  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64.zip

TheCharlatan commented at 2:07 pm on September 9, 2024: contributor

Guix builds (aarch64):

 0b3bcd9f7508b35b3f4a187e9f1e4c87648bf3897575c0c4db8664f1fe08c2cf4  guix-build-be4f78275fa6/output/aarch64-linux-gnu/SHA256SUMS.part
 1356c7b9493887fc839e6b7951a3396085bfea33efce91070f972a69f60aac1f4  guix-build-be4f78275fa6/output/aarch64-linux-gnu/bitcoin-be4f78275fa6-aarch64-linux-gnu-debug.tar.gz
 2e2887613ca5d1f929294487f86bd36ab6af0739d12625c6c661a35781c4f1523  guix-build-be4f78275fa6/output/aarch64-linux-gnu/bitcoin-be4f78275fa6-aarch64-linux-gnu.tar.gz
 392514b0968dbc869cc40fa618576d92aeedebcc7b93b08355ce7e0ced96e8992  guix-build-be4f78275fa6/output/arm-linux-gnueabihf/SHA256SUMS.part
 41e692efe2151693cd353ad584678718431aed1f3b26550b7708774c32f8f11b8  guix-build-be4f78275fa6/output/arm-linux-gnueabihf/bitcoin-be4f78275fa6-arm-linux-gnueabihf-debug.tar.gz
 53182761dacaac998d2f4bf3c40d8f459ab6c61ea3912895e4fb4f5ef78814b0c  guix-build-be4f78275fa6/output/arm-linux-gnueabihf/bitcoin-be4f78275fa6-arm-linux-gnueabihf.tar.gz
 6498954cd93a28fa8cf710f0aaa096d91b4e920612188b7f3b2e61af28a9d7d6e  guix-build-be4f78275fa6/output/arm64-apple-darwin/SHA256SUMS.part
 722999d45e4c5e22b1279a4362abda833d51bed2f5c1d478ad8f9f73b8878def5  guix-build-be4f78275fa6/output/arm64-apple-darwin/bitcoin-be4f78275fa6-arm64-apple-darwin-unsigned.tar.gz
 8286febd16cd27c9f5f71ea9b8f0e7dd1ee2bfb2dfa6f59cb43a229d02a460e25  guix-build-be4f78275fa6/output/arm64-apple-darwin/bitcoin-be4f78275fa6-arm64-apple-darwin-unsigned.zip
 91dd8fb0de68f9598f245d2565d634fbae232ce2507019de83724f72c3835f8b8  guix-build-be4f78275fa6/output/arm64-apple-darwin/bitcoin-be4f78275fa6-arm64-apple-darwin.tar.gz
107e48a49b04818bab314d872cffd11aa41650b01717bc01edc461e50d5afcb428  guix-build-be4f78275fa6/output/dist-archive/bitcoin-be4f78275fa6.tar.gz
1165fae266d1a0bee5654bde79d02d9df9d0e0a35b517da1d8f227edb889171b8b  guix-build-be4f78275fa6/output/powerpc64-linux-gnu/SHA256SUMS.part
1296ab98442b875cec7aa7ef927ae1ffb3ea047c1827f82e97ce3e2b5d942c8998  guix-build-be4f78275fa6/output/powerpc64-linux-gnu/bitcoin-be4f78275fa6-powerpc64-linux-gnu-debug.tar.gz
13fdb0639b6efe2baee6266c516f482ed36ed71965ba21a3706d0a61444792a700  guix-build-be4f78275fa6/output/powerpc64-linux-gnu/bitcoin-be4f78275fa6-powerpc64-linux-gnu.tar.gz
142ea0fa8ee3e33350a43cb153223ab9d11cb6520f300c08010784df2cdfd9e9b2  guix-build-be4f78275fa6/output/riscv64-linux-gnu/SHA256SUMS.part
1562c8961a668bee937eb9afa3ddf532a43f81402d55db4c9b16aeb3025e1f1a6a  guix-build-be4f78275fa6/output/riscv64-linux-gnu/bitcoin-be4f78275fa6-riscv64-linux-gnu-debug.tar.gz
160fa073206c1b5723242317ff4564d1c78e2f2184464552c896fcd90a6fcc98fa  guix-build-be4f78275fa6/output/riscv64-linux-gnu/bitcoin-be4f78275fa6-riscv64-linux-gnu.tar.gz
17674b1df15a79d891c17936fd2de46209e25ab1cf70136416dfc0936b560012c5  guix-build-be4f78275fa6/output/x86_64-apple-darwin/SHA256SUMS.part
18ae08548740f12a8c0053570aa9048c8de3db0c195f2360e39048556efe1f1027  guix-build-be4f78275fa6/output/x86_64-apple-darwin/bitcoin-be4f78275fa6-x86_64-apple-darwin-unsigned.tar.gz
1924e42f85fae635448de1a538fb6be5cd7372260c049362d7b4f89e5876f94da3  guix-build-be4f78275fa6/output/x86_64-apple-darwin/bitcoin-be4f78275fa6-x86_64-apple-darwin-unsigned.zip
203cd89ca037f9ffc8a42c9e83ddccc5fc49f7c365fcbed4c5ae50b6a243f8fffd  guix-build-be4f78275fa6/output/x86_64-apple-darwin/bitcoin-be4f78275fa6-x86_64-apple-darwin.tar.gz
213ddcd9d6d618b2a1769baccaf5a4d6f44cf7ac4f6554c27be2aaa50dfc5efeca  guix-build-be4f78275fa6/output/x86_64-linux-gnu/SHA256SUMS.part
2249f09f86a8b485ce0b55bb56a7f214021ea56a23e942e98a4994a01559761615  guix-build-be4f78275fa6/output/x86_64-linux-gnu/bitcoin-be4f78275fa6-x86_64-linux-gnu-debug.tar.gz
23fe0e969bdfeb3743074b51d2eee31da938110ec00f10b3e1d3fa8548d4400645  guix-build-be4f78275fa6/output/x86_64-linux-gnu/bitcoin-be4f78275fa6-x86_64-linux-gnu.tar.gz
24b6e26a5527d84fc65077c34b61b3d813e5aa3b76383eb13aab84b2282b1b27dc  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/SHA256SUMS.part
25fd2352c71357a7e239da30154ca056df1f2d31594e353f44d74841d786879840  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64-debug.zip
26521e156965a8bee4399ba861edf6aba75579d00b077d1b4db34b7c01d565b6d4  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64-setup-unsigned.exe
274b6ebd88fd17aac230099ceee6f40c49e5bf841e964a53f52024d04b6e447dfe  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64-unsigned.tar.gz
289830bcba326f52fb0cc529826243b2f878a975e9ae70db09bf2358c6602b39dc  guix-build-be4f78275fa6/output/x86_64-w64-mingw32/bitcoin-be4f78275fa6-win64.zip

in contrib/devtools/security-check.py:135 in be4f78275f

130+        if match:
131+            chk_funcs.add(match.group(0))
132+
133+    # ignore stack-protector and bdb
134+    chk_funcs.discard('__stack_chk')
135+    chk_funcs.discard('__db_chk')

TheCharlatan commented at 2:22 pm on September 9, 2024:

Bit unfortunate that this list has to be maintained, but I can’t think of a better way either.

fanquake commented at 8:55 am on September 10, 2024:

Yea, it’s a bit annoying. At least post-BDB, it’ll just be “ignore the stack protector”.

TheCharlatan approved

TheCharlatan commented at 2:23 pm on September 9, 2024: contributor

ACK be4f78275fa6608b11377dd5a29a809597d3fe8d

DrahtBot requested review from laanwj on Sep 9, 2024

DrahtBot added the label CI failed on Sep 9, 2024

DrahtBot commented at 11:32 pm on September 9, 2024: contributor

Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

File	commit 712a2b5453cdf2568fece94b969d6e0923b6ba16(master)	commit 8300a35c8d16056654d33a5c3c69b469102c958d(master and this pull)
SHA256SUMS.part	`9ad30f314fadec5b...`	`1a335b762e041b11...`
*-aarch64-linux-gnu-debug.tar.gz	`823e68da6a312e26...`	`f90829104f3c3534...`
*-aarch64-linux-gnu.tar.gz	`0d35a4c03cc25bf4...`	`408bfb43c5e4dcc6...`
*-arm-linux-gnueabihf-debug.tar.gz	`4f47c5c051f82dde...`	`76203c885c2d581f...`
*-arm-linux-gnueabihf.tar.gz	`c9237ef8593d539e...`	`6b88beb0c434ab2a...`
*-arm64-apple-darwin-unsigned.tar.gz	`1d6e67f279353867...`	`c3cc72600f2d5aac...`
*-arm64-apple-darwin-unsigned.zip	`7d97c73dd52df78d...`	`601f08682e47dae7...`
*-arm64-apple-darwin.tar.gz	`f7b9f476f26b7cee...`	`ddb4a33188172f32...`
*-powerpc64-linux-gnu-debug.tar.gz	`c1731bd23e3872e0...`	`620abd9ff752789c...`
*-powerpc64-linux-gnu.tar.gz	`eab17c7cab25293a...`	`0c37ff38214f86b2...`
*-riscv64-linux-gnu-debug.tar.gz	`0d5d330ab4c19eb9...`	`64819b3d04c3c049...`
*-riscv64-linux-gnu.tar.gz	`8140418fddd4ffe0...`	`b20d689b5e1f9110...`
*-x86_64-apple-darwin-unsigned.tar.gz	`6e73d97ff6f35412...`	`7b4337926f67ce9b...`
*-x86_64-apple-darwin-unsigned.zip	`592d4715b1893cd8...`	`1a4eb81dff4c92f2...`
*-x86_64-apple-darwin.tar.gz	`af38614dd7d3378d...`	`da43346c39b1a97b...`
*-x86_64-linux-gnu-debug.tar.gz	`ac8477768621775e...`	`e43c2937656bae46...`
*-x86_64-linux-gnu.tar.gz	`25e7e1ef671cfd5d...`	`6e48fc8761934398...`
*.tar.gz	`5fe864ecd9fad95b...`	`bcd3cfbad388d76e...`
guix_build.log	`9439849b41f164ca...`	`b5b2f18b9376d806...`
guix_build.log.diff		`48716f7fd8852415...`

DrahtBot removed the label DrahtBot Guix build requested on Sep 9, 2024

hebasto commented at 8:50 am on September 10, 2024: member

Shouldn’t we check for the absence of unfortified versions of functions, rather than checking for the presence of fortified ones?

fanquake commented at 8:54 am on September 10, 2024: member

Shouldn’t we check for the absence of unfortified versions of functions, rather than checking for the presence of fortified ones?

Can you explain how that test would work? Not all functions are guaranteed to be fortified.

hebasto commented at 9:00 am on September 10, 2024: member

Shouldn’t we check for the absence of unfortified versions of functions, rather than checking for the presence of fortified ones?

Can you explain how that test would work? Not all functions are guaranteed to be fortified.

Get the list of fortified functions from all binaries.
Create a list of the corresponding unfortified functions based on the list from step 1.
Check for the absence of symbols from the list in step 2.

fanquake commented at 9:05 am on September 10, 2024: member

Get the list of fortified functions from all binaries.

This assumes that fortification is already working correctly, otherwise you’ll miss any (relevant) function that hasn’t been fortified at least one time.

Again, it’s not a bug to have unfortified functions. So I’m not sure what you are trying to acheive by turning that into a check failure. Can you explain further.

hebasto commented at 9:14 am on September 10, 2024: member

Again, it’s not a bug to have unfortified functions.

Then how it can be classified?

So I’m not sure what you are trying to acheive by turning that into a check failure.

Fortified functions can be statically linked into executables from a toolchain that was built with fortification enabled, while the rest of the code remains unfortified. In that case, the current PR branch will report a false positive result, won’t it?

fanquake commented at 9:18 am on September 10, 2024: member

Then how it can be classified?

As expected behaviour, given that whether fortification occurs is dependant on various (compiler & libc) heuristics.

Fortified functions can be statically linked into executables from a toolchain that was built with fortification enabled, while the rest of the code remains unfortified. In that case, the current PR branch will report a false positive result, won’t it?

I don’t really understand what you mean. Can you give a specific example of a false positive/issue, in the context of our Guix environment/build.

hebasto commented at 9:43 am on September 10, 2024: member

Can you give a specific example of a false positive/issue, in the context of our Guix environment/build.

Sure. This branch clearly demonstrates false positive results for bitcoind and bitcoin-qt:

0b07d7f1b7e5f5eaf8649685e7f8e031e4ac078f87dbd27e0d732c2a578ef3c4c  guix-build-423fc912bca9/output/dist-archive/bitcoin-423fc912bca9.tar.gz
1e7cce3c0bdf87e4583067fdf39aea50fb4c12fb0d52cbb78e3c7c0c967a9b215  guix-build-423fc912bca9/output/x86_64-linux-gnu/SHA256SUMS.part
2b14a23e900a0ed33a4cc6ca274070e793bb0c649155f2ecac236f3c58438c06c  guix-build-423fc912bca9/output/x86_64-linux-gnu/bitcoin-423fc912bca9-x86_64-linux-gnu-debug.tar.gz
3a4e71897a197c0c27fa303cd701278ae2c2354e13db78bb7f74fa9ee191ab01a  guix-build-423fc912bca9/output/x86_64-linux-gnu/bitcoin-423fc912bca9-x86_64-linux-gnu.tar.gz

fanquake commented at 9:58 am on September 10, 2024: member

Sure. This branch clearly demonstrates false positive results for bitcoind and bitcoin-qt:

Thanks. I built this branch and inspected bitcoind, and it contains calls to fortified functions. i.e:

 0objdump -D /root/bitcoin/guix-build-423fc912bca9/output/x86_64-linux-gnu/bitcoin-423fc912bca9/bin/bitcoind
 1<snip>
 2  6f9afe:	e8 cd dd 95 ff       	call   578d0 <__vsnprintf_chk@plt>
 3  6fd0a1:	e8 ba b1 95 ff       	call   58260 <__fprintf_chk@plt>
 4  6fe135:	e8 66 a0 95 ff       	call   581a0 <__fdelt_chk@plt>
 5  6fe161:	e8 3a a0 95 ff       	call   581a0 <__fdelt_chk@plt>
 6  6fe1ec:	e8 af 9f 95 ff       	call   581a0 <__fdelt_chk@plt>
 7  6fe228:	e8 73 9f 95 ff       	call   581a0 <__fdelt_chk@plt>
 8  6fe410:	e8 8b 9d 95 ff       	call   581a0 <__fdelt_chk@plt>
 9  6fe461:	e8 3a 9d 95 ff       	call   581a0 <__fdelt_chk@plt>
10  6fe47f:	e8 1c 9d 95 ff       	call   581a0 <__fdelt_chk@plt>
11  6ff600:	e8 1b 86 95 ff       	call   57c20 <__stack_chk_fail@plt>
12  6ff85c:	e8 6f 8a 95 ff       	call   582d0 <__memcpy_chk@plt>
13  6ff951:	e8 ca 82 95 ff       	call   57c20 <__stack_chk_fail@plt>
14<much more output>

So how is this a false positive?

hebasto commented at 10:02 am on September 10, 2024: member

So how is this a false positive?

This commit deletes the source fortification logic from the build system altogether. Nevertheless, the check passes.

fanquake commented at 10:04 am on September 10, 2024: member

This commit deletes the source fortification logic from the build system altogether. Nevertheless, the check passes.

Yes, the check as implemented, which checks for (any) usage of fortified function calls in the binary, passes, because the binary contains calls to fortified functions.

fanquake merged this on Sep 12, 2024

fanquake closed this on Sep 12, 2024

fanquake deleted the branch on Sep 12, 2024

security-check: test for _FORTIFY_SOURCE usage in release binaries #27038

Code Coverage

Reviews

Conflicts

Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

Guix builds (on x86_64) [untrusted test-only build, possibly unsafe, not for production use]

security-check: test for `_FORTIFY_SOURCE` usage in release binaries #27038