diff options
| author | fanquake <fanquake@gmail.com> | 2024-01-16 15:32:52 +0000 |
|---|---|---|
| committer | fanquake <fanquake@gmail.com> | 2024-01-16 15:33:41 +0000 |
| commit | f1fcc9638cde7664b9642018fe6872148bbb0172 (patch) | |
| tree | 4f13c0d36e9c6a63bd088974d621d3602e211322 /contrib | |
| parent | 9fa8eda8af83b194f281385ad57ea79cad16cbe0 (diff) | |
| parent | 5335e454c0889c8a1bb05aa09435883322133974 (diff) | |
| download | bitcoin-f1fcc9638cde7664b9642018fe6872148bbb0172.tar.xz | |
Merge bitcoin/bitcoin#29170: contrib: add macho branch protection check
5335e454c0889c8a1bb05aa09435883322133974 contrib: add macho branch protection check (fanquake)
Pull request description:
Followup to https://github.com/bitcoin/bitcoin/pull/28459. Add a sanity check that `bti` instructions are present in the arm macho binary, similar to our x86_64 check for control flow.
Could do something similar for aarch64 linux in future, and maybe could use https://github.com/lief-project/LIEF/issues/975.
ACKs for top commit:
TheCharlatan:
ACK 5335e454c0889c8a1bb05aa09435883322133974
Tree-SHA512: 6cc8721209fe07fe07f0524ef6f114004e2b98844f73d31ff16547f7055c7cb4a5609480058c45ede21b457b2dea5357f1475eaa5063ea1f9772aa260f49039b
Diffstat (limited to 'contrib')
| -rwxr-xr-x | contrib/devtools/security-check.py | 12 | ||||
| -rwxr-xr-x | contrib/devtools/test-security-check.py | 8 |
2 files changed, 15 insertions, 5 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py index 590c2ed87d..f57e9abfec 100755 --- a/contrib/devtools/security-check.py +++ b/contrib/devtools/security-check.py @@ -192,6 +192,16 @@ def check_MACHO_control_flow(binary) -> bool: return True return False +def check_MACHO_branch_protection(binary) -> bool: + ''' + Check for branch protection instrumentation + ''' + content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO) + + if content.tolist() == [95, 36, 3, 213]: # bti + return True + return False + BASE_ELF = [ ('PIE', check_PIE), ('NX', check_NX), @@ -231,7 +241,7 @@ CHECKS = { lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE), ('NX', check_NX), ('CONTROL_FLOW', check_MACHO_control_flow)], - lief.ARCHITECTURES.ARM64: BASE_MACHO, + lief.ARCHITECTURES.ARM64: BASE_MACHO + [('BRANCH_PROTECTION', check_MACHO_branch_protection)], } } diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index 64daabad4e..48823c7e45 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py @@ -137,12 +137,12 @@ class TestSecurityChecks(unittest.TestCase): else: # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']), - (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']), + (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS BRANCH_PROTECTION')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains', '-mbranch-protection=bti']), (1, executable+': failed NOUNDEFS Canary')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']), (1, executable+': failed NOUNDEFS')) - self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains', '-mbranch-protection=bti']), (0, '')) |