Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BA2025 EnableShadowStack incorrectly reports on arm64EC binaries #1022

Open
wesleywiser opened this issue Dec 10, 2024 · 0 comments
Open

BA2025 EnableShadowStack incorrectly reports on arm64EC binaries #1022

wesleywiser opened this issue Dec 10, 2024 · 0 comments
Assignees
@AllDwarf
Labels
rust Rust

Comments

@wesleywiser
Copy link

arm64EC does not support /CETCOMPAT but BinSkim still reports BA2025 indicating it should be enabled.

From a Dev Tools shell configured to target arm64 (I'm using Powershell):

> cat hello_world.cpp
#include <stdio.h>

int main() {
  printf("Hello, World!\n");
  return 0;
}

> cl /arm64EC /Zi hello_world.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.41.34119 for ARM64
Copyright (C) Microsoft Corporation.  All rights reserved.

hello_world.cpp
Microsoft (R) Incremental Linker Version 14.41.34119.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:hello_world.exe
/machine:arm64ec
/debug
hello_world.obj

> ~/Downloads/microsoft.codeanalysis.binskim.2.0.0-rc2\tools\netcoreapp3.1\win-x64\BinSkim.exe analyze hello_world.exe
...
hello_world.exe: warning BA2025: 'hello_world.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.
...

However, /CETCOMPAT is only supported on x86 and x64:

> cl /arm64EC /Zi hello_world.cpp /link /CETCOMPAT
Microsoft (R) C/C++ Optimizing Compiler Version 19.41.34119 for ARM64
Copyright (C) Microsoft Corporation.  All rights reserved.

hello_world.cpp
Microsoft (R) Incremental Linker Version 14.41.34119.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:hello_world.exe
/machine:arm64ec
/debug
/CETCOMPAT
hello_world.obj
LINK : fatal error LNK1246: '/CETCOMPAT' not compatible with 'ARM64X' target machine; link without '/CETCOMPAT'

It looks this code is missing handling for arm64EC:

binskim/src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs

Lines 67 to 77 in 66597e4

if (portableExecutable.Machine == Machine.Arm64)
{
reasonForNotAnalyzing = MetadataConditions.ImageIsArm64BitBinary;
return notApplicable;
}
if (portableExecutable.Machine == Machine.Arm || portableExecutable.Machine == Machine.ArmThumb2)
{
reasonForNotAnalyzing = MetadataConditions.ImageIsArmBinary;
return notApplicable;
}

@AllDwarf AllDwarf added the rust Rust label Jan 9, 2025
@AllDwarf AllDwarf self-assigned this Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AllDwarf AllDwarf

Labels
rust Rust
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wesleywiser @AllDwarf