`security-check.py` produces false positive result for stack smashing protection #29084

issue hebasto opened this issue on December 14, 2023
  1. hebasto commented at 8:20 PM on December 14, 2023: member

    I'm aware that test-security-check.py tests both cases -fno-stack-protector and -fstack-protector-all.

    However, the security-check.py passes in the master branch @ 986047170892c9482ccbc21f05bf4f1499b3089d with the diff as follows:

    --- a/configure.ac
+++ b/configure.ac
@@ -935,7 +935,7 @@ fi
 if test "$use_hardening" != "no"; then
   use_hardening=yes
   AX_CHECK_COMPILE_FLAG([-Wstack-protector], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
-  AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
+  AX_CHECK_COMPILE_FLAG([-fno-stack-protector], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fno-stack-protector"])
 
   AX_CHECK_COMPILE_FLAG([-fcf-protection=full], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"])

    To reproduce, please run env HOSTS=x86_64-linux-gnu ./contrib/guix/guix-build.

  2. fanquake commented at 8:24 PM on December 14, 2023: member

    Probably because our GCC in guix is passing stack protection flags by default?

  3. hebasto commented at 8:25 PM on December 14, 2023: member

    Probably because our GCC in guix is passing stack protection flags by default?

    Shouldn't -fno-stack-protector override compiler's defaults?

  4. hebasto commented at 8:26 PM on December 14, 2023: member

    Probably because our GCC in guix is passing stack protection flags by default?

    Why does the test-security-check.py pass then?

  5. fanquake commented at 8:30 PM on December 14, 2023: member

    Probably because the toolchain is built hardened, so any test bin still has the stack protection symbol coming from glibc or similar.

  6. bitcoin deleted a comment on Dec 28, 2023
  7. fanquake commented at 11:51 AM on January 12, 2024: member

    The claim here is that if you change -fstack-protector-all to -fno-stack-protector in our compile flags, then check_ELF_Canary in security-check.py should fail during a Guix build.

    However that wont happen, because the check looks for the presence of __stack_chk_fail, and that will still be in the binary, because libs in depends are compiled with the on-by-default stack-protector flags. This can easily be checked after Guix building with the diff above:

      CXXFLAGS        =    -Wstack-protector -fno-stack-protector -fcf-protection=full -fstack-clash-protection      -fno-extended-identifiers -fstack-reuse=none -fvisibility=hidden -pipe -std=c++20 -O2 -O2 -g -ffile-prefix-map=/gnu/store/dyzpk3myxgx3asavbcd9aspa9gvbyxcr-profile=/usr
....
/bitcoin/guix-build-c5f12669c591/distsrc-c5f12669c591-x86_64-linux-gnu/src# nm -C bitcoind | grep __stack
                 U __stack_chk_fail@GLIBC_2.4

    Going to close this, as there is no false-positive as far as I can see.

  8. fanquake closed this on Jan 12, 2024
  9. bitcoin locked this on Jan 11, 2025
Contributors
hebastofanquake
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-24 21:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me