
build: add -fcf-protection=full to hardening options and test for control flow instrumentation
Closed, Public

Authored by PiRK on Jun 7 2023, 15:36.

Details

Summary

build: add -fcf-protection=full to hardening options

Enables code instrumentation of control-flow transfers. Available in
GCC 8 and Clang 7.

This option is now on by default in Ubuntu GCC as of 19.10.

This is a backport of core#18921, core#21889, core#23535 and core#23839
https://github.com/bitcoin/bitcoin/pull/18921/commits/076183b36b76a11438463883ff916f17aef9e001

Test Plan

guix build and gitian builds
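A checker for what this option leaves behind in the linked binary, added here as an example (it is not the project's own security-check script): with -fcf-protection=full on x86-64, GCC and Clang record the IBT and SHSTK bits in a GNU_PROPERTY_X86_FEATURE_1_AND property, which the linker places in a PT_GNU_PROPERTY segment. The constant values are the published GNU ABI ones; the sample note at the bottom is constructed.

```python
import struct
# Values from the GNU ELF ABI (gABI extension for .note.gnu.property).
NT_GNU_PROPERTY_TYPE_0 = 5
PT_GNU_PROPERTY = 0x6474E553
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 0x1    # indirect branch tracking: endbr64 at indirect targets
FEATURE_1_SHSTK = 0x2  # shadow stack for return addresses

def parse_gnu_property_note(note: bytes, align: int = 8) -> dict:
    # Returns {pr_type: pr_data} for an NT_GNU_PROPERTY_TYPE_0 note owned by "GNU".
    if len(note) < 12:
        return {}
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        return {}
    desc_off = 12 + ((namesz + 3) & ~3)  # owner name is padded to 4 bytes
    desc = note[desc_off:desc_off + descsz]
    props, pos = {}, 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        props[pr_type] = desc[pos + 8:pos + 8 + pr_datasz]
        pos += 8 + ((pr_datasz + align - 1) & ~(align - 1))  # 8-byte pad on ELF64
    return props

def cf_protection(props: dict) -> dict:
    # Maps the x86 feature-1 bits onto the two halves of -fcf-protection=full.
    data = props.get(GNU_PROPERTY_X86_FEATURE_1_AND, b"")
    bits = struct.unpack("<I", data)[0] if len(data) == 4 else 0
    return {"ibt": bool(bits & FEATURE_1_IBT), "shstk": bool(bits & FEATURE_1_SHSTK)}

def check_elf(path: str) -> dict:
    # Locates PT_GNU_PROPERTY in a little-endian ELF64 file and reports its bits.
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_PROPERTY:
            return cf_protection(parse_gnu_property_note(elf[p_offset:p_offset + p_filesz]))
    return cf_protection({})  # no property note at all: not instrumented

# Constructed sample: the note GCC emits for -fcf-protection=full (IBT | SHSTK = 0x3).
SAMPLE_NOTE = (struct.pack("<III", 4, 16, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
               + struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, 0x3, 0))
```

Because the linker ANDs this property across all input objects, a single un-instrumented static library or assembly file clears the bits in the final binary, which is why the check belongs on the linked output rather than on compiler flags alone.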

Event Timeline

@bot gitian-osx gitian-linux gitian-win

Tail of the build log:

--- Building for bullseye amd64 ---
Stopping target if it is up
Error response from daemon: No such container: gitian-target
Error: No such container: gitian-target
Making a new image copy
Starting target
Checking if target is up.
Preparing build environment
Updating apt-get repository (log in var/install.log)
Installing additional packages (log in var/install.log)
Upgrading system, may take a while (log in var/install.log)
Creating package manifest
Creating build script (var/build-script)
Running build script (log in var/build.log)
./bin/gbuild:23:in `system!': failed to run on-target setarch x86_64 bash -x < var/build-script > var/build.log 2>&1 (RuntimeError)
	from ./bin/gbuild:185:in `build_one_configuration'
	from ./bin/gbuild:339:in `block (2 levels) in <main>'
	from ./bin/gbuild:334:in `each'
	from ./bin/gbuild:334:in `block in <main>'
	from ./bin/gbuild:332:in `each'
	from ./bin/gbuild:332:in `<main>'
Build gitian-win failed with exit code 1

Tail of the build log:

--- Building for bullseye amd64 ---
Stopping target if it is up
Error response from daemon: No such container: gitian-target
Error: No such container: gitian-target
Making a new image copy
Starting target
Checking if target is up.
Preparing build environment
Updating apt-get repository (log in var/install.log)
Installing additional packages (log in var/install.log)
Upgrading system, may take a while (log in var/install.log)
Creating package manifest
Creating build script (var/build-script)
Running build script (log in var/build.log)
./bin/gbuild:23:in `system!': failed to run on-target setarch x86_64 bash -x < var/build-script > var/build.log 2>&1 (RuntimeError)
	from ./bin/gbuild:185:in `build_one_configuration'
	from ./bin/gbuild:339:in `block (2 levels) in <main>'
	from ./bin/gbuild:334:in `each'
	from ./bin/gbuild:334:in `block in <main>'
	from ./bin/gbuild:332:in `each'
	from ./bin/gbuild:332:in `<main>'
Build gitian-osx failed with exit code 1

Tail of the build log:

--- Building for bullseye amd64 ---
Stopping target if it is up
Error response from daemon: No such container: gitian-target
Error: No such container: gitian-target
Making a new image copy
Starting target
Checking if target is up.
Preparing build environment
Updating apt-get repository (log in var/install.log)
Installing additional packages (log in var/install.log)
Upgrading system, may take a while (log in var/install.log)
Creating package manifest
Creating build script (var/build-script)
Running build script (log in var/build.log)
./bin/gbuild:23:in `system!': failed to run on-target setarch x86_64 bash -x < var/build-script > var/build.log 2>&1 (RuntimeError)
	from ./bin/gbuild:185:in `build_one_configuration'
	from ./bin/gbuild:339:in `block (2 levels) in <main>'
	from ./bin/gbuild:334:in `each'
	from ./bin/gbuild:334:in `block in <main>'
	from ./bin/gbuild:332:in `each'
	from ./bin/gbuild:332:in `<main>'
Build gitian-linux failed with exit code 1
PiRK retitled this revision from scripts: test for control flow instrumentation to build: add -fcf-protection=full to hardening options and test for control flow instrumentation.
PiRK edited the summary of this revision.

@bot gitian-osx gitian-linux gitian-win

Tail of the build log:


ALL                                       | ✓ Passed  | 1887 s (accumulated) 
Runtime: 378 s

[176/487] Test Bitcoin RPC authentication...
...
----------------------------------------------------------------------
Ran 3 tests in 0.021s

OK
[177/487] cd /work/contrib/devtools/chainparams && /usr/bin/python3.9 ./test_make_chainparams.py
.....
----------------------------------------------------------------------
Ran 5 tests in 0.001s

OK
[342/487] bitcoin: testing validationinterface_tests
FAILED: src/test/CMakeFiles/check-bitcoin-validationinterface_tests 
cd /work/abc-ci-builds/build-debug/src/test && /usr/bin/cmake -E make_directory /work/abc-ci-builds/build-debug/test/junit && /usr/bin/cmake -E make_directory /work/abc-ci-builds/build-debug/test/log && /usr/bin/cmake -E env /work/cmake/utils/log-and-print-on-failure.sh /work/abc-ci-builds/build-debug/test/log/bitcoin-validationinterface_tests.log /work/abc-ci-builds/build-debug/src/test/test_bitcoin --run_test=validationinterface_tests --logger=HRF,message:JUNIT,message,bitcoin-validationinterface_tests.xml --catch_system_errors=no
Running 3 test cases...
../../src/test/validationinterface_tests.cpp(108): error: in "validationinterface_tests/unregister_all_during_call": check destroyed has failed

*** 1 failure is detected in the test module "Bitcoin ABC unit tests"
[406/487] Running secp256k1 test suite
PASSED: secp256k1 test suite
[443/487] Running pow test suite
PASSED: pow test suite
[456/487] Running seeder test suite
PASSED: seeder test suite
[472/487] Running avalanche test suite
PASSED: avalanche test suite
[480/487] Running bitcoin-qt test suite
PASSED: bitcoin-qt test suite
[484/487] Running utility command for check-bitcoin-coins_tests
ninja: build stopped: cannot make progress due to previous errors.
Build build-debug failed with exit code 1

rebase for unrelated build-debug failure

PiRK published this revision for review. Jun 8 2023, 06:35
Fabien added inline comments.
src/CMakeLists.txt:191

I thought it was not working on Windows?

It is.

src/CMakeLists.txt:191

It is only -fstack-clash-protection that does not work on Windows (D14013).

This revision is now accepted and ready to land. Jun 8 2023, 15:19