mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 12:02:48 +01:00
merge bitcoin#21889: check for control flow instrumentation
This commit is contained in:
parent
853583019b
commit
cdedbea0b4
@ -188,6 +188,19 @@ def check_NX(executable) -> bool:
|
||||
binary = lief.parse(executable)
|
||||
return binary.has_nx
|
||||
|
||||
def check_control_flow(executable) -> bool:
|
||||
'''
|
||||
Check for control flow instrumentation
|
||||
'''
|
||||
binary = lief.parse(executable)
|
||||
|
||||
content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
|
||||
|
||||
if content == [243, 15, 30, 250]: # endbr64
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
CHECKS = {
|
||||
'ELF': [
|
||||
('PIE', check_ELF_PIE),
|
||||
@ -208,7 +221,8 @@ CHECKS = {
|
||||
('NOUNDEFS', check_MACHO_NOUNDEFS),
|
||||
('NX', check_NX),
|
||||
('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
|
||||
('Canary', check_MACHO_Canary)
|
||||
('Canary', check_MACHO_Canary),
|
||||
('CONTROL_FLOW', check_control_flow),
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -81,16 +81,18 @@ class TestSecurityChecks(unittest.TestCase):
|
||||
write_testcode(source)
|
||||
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
|
||||
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary'))
|
||||
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary CONTROL_FLOW'))
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
|
||||
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS'))
|
||||
(1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS CONTROL_FLOW'))
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
|
||||
(1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS'))
|
||||
(1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS CONTROL_FLOW'))
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
|
||||
(1, executable+': failed PIE LAZY_BINDINGS'))
|
||||
(1, executable+': failed PIE LAZY_BINDINGS CONTROL_FLOW'))
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
|
||||
(1, executable+': failed PIE CONTROL_FLOW'))
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
|
||||
(1, executable+': failed PIE'))
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all']),
|
||||
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
|
||||
(0, ''))
|
||||
|
||||
clean_files(source, executable)
|
||||
|
@ -30,6 +30,7 @@ $(package)_config_libraries=filesystem,thread,test
|
||||
$(package)_cxxflags=-std=c++17 -fvisibility=hidden
|
||||
$(package)_cxxflags_linux=-fPIC
|
||||
$(package)_cxxflags_android=-fPIC
|
||||
$(package)_cxxflags_darwin=-fcf-protection=full
|
||||
endef
|
||||
|
||||
# Fix unused variable in boost_process, can be removed after upgrading to 1.72
|
||||
|
Loading…
Reference in New Issue
Block a user