Skip to content

GitLab

  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
  • Sign in / Register
  • HardenedBSD HardenedBSD
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 29
    • Issues 29
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 4
    • Merge requests 4
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
    • Test Cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Packages & Registries
    • Packages & Registries
    • Package Registry
    • Infrastructure Registry
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • HardenedBSD
  • HardenedBSDHardenedBSD
  • Issues
  • #48

Closed
Open
Created May 22, 2021 by Shawn Webb@shawn.webbOwner

Resolve cfi-icall violations

Many applications violate the cfi-icall scheme. A cursory list, found by grep, is listed below. This bug report should be the master issue, tracking sub-issues to fix each individual application. So this ticket should be broken out for each application (for example: one for md5, another for mount_nfs, another for bhyveload, etc.)

Some of these cannot be fixed until we gain Cross-DSO CFI support. For example, if a function pointer crosses a DSO boundary (dlopen/dlsym).

hbsd-current-01[shawn]:/usr/src $ grep -rnF CFI_OVERRIDE .
./sbin/md5/Makefile:7:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./sbin/mount_nfs/Makefile:14:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./usr.sbin/rpc.yppasswdd/Makefile:18:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./usr.sbin/bhyveload/Makefile:8:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/mountd/Makefile:7:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./usr.sbin/pwd_mkdb/Makefile:11:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/blacklistd/Makefile:23:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/rpc.ypupdated/Makefile:11:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./usr.sbin/rpc.umntall/Makefile:10:CFI_OVERRIDE=        -fno-sanitize=cfi-icall
./usr.sbin/rpc.ypxfrd/Makefile:10:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./usr.sbin/ppp/Makefile:19:CFI_OVERRIDE=        -fno-sanitize=cfi-icall
./usr.sbin/unbound/checkconf/Makefile:16:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/rpcbind/Makefile:10:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./usr.sbin/services_mkdb/Makefile:10:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/sendmail/Makefile:31:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.sbin/rpc.lockd/Makefile:12:CFI_OVERRIDE=  -fno-sanitize=cfi-icall
./usr.sbin/rpc.statd/Makefile:10:CFI_OVERRIDE=  -fno-sanitize=cfi-icall
./usr.bin/rpcgen/Makefile:7:CFI_OVERRIDE=       -fno-sanitize=cfi-icall
./usr.bin/showmount/Makefile:7:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./usr.bin/mail/Makefile:15:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/rpcinfo/Makefile:12:CFI_OVERRIDE=     -fno-sanitize=cfi-icall
./usr.bin/nc/Makefile:13:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/svn/svn/Makefile:70:CFI_OVERRIDE=     -fno-sanitize=cfi-icall
./usr.bin/vi/Makefile:19:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./usr.bin/tsort/Makefile:6:CFI_OVERRIDE=-fno-sanitize=cfi-icall
./kerberos5/usr.sbin/kstash/Makefile:12:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/usr.sbin/iprop-log/Makefile:14:CFI_OVERRIDE=        -fno-sanitize=cfi-icall
./kerberos5/usr.sbin/ktutil/Makefile:19:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/libexec/hprop/Makefile:19:CFI_OVERRIDE=     -fno-sanitize=cfi-icall
./kerberos5/libexec/hpropd/Makefile:12:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./kerberos5/libexec/kcm/Makefile:20:CFI_OVERRIDE=       -fno-sanitize=cfi-icall
./kerberos5/libexec/ipropd-slave/Makefile:13:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./kerberos5/libexec/kadmind/Makefile:10:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/libexec/kdigest/Makefile:13:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/libexec/kdc/Makefile:11:CFI_OVERRIDE=       -fno-sanitize=cfi-icall
./kerberos5/libexec/kpasswdd/Makefile:11:CFI_OVERRIDE=  -fno-sanitize=cfi-icall
./kerberos5/libexec/digest-service/Makefile:15:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./kerberos5/libexec/ipropd-master/Makefile:13:CFI_OVERRIDE=     -fno-sanitize=cfi-icall
./kerberos5/libexec/kimpersonate/Makefile:11:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./kerberos5/libexec/kfd/Makefile:9:CFI_OVERRIDE=        -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kdestroy/Makefile:8:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kcc/Makefile:19:CFI_OVERRIDE=       -fno-sanitize=cfi-icall
./kerberos5/usr.bin/string2key/Makefile:13:CFI_OVERRIDE=        -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kadmin/Makefile:27:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kf/Makefile:9:CFI_OVERRIDE= -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kpasswd/Makefile:8:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kinit/Makefile:7:CFI_OVERRIDE=      -fno-sanitize=cfi-icall
./kerberos5/usr.bin/kgetcred/Makefile:8:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/usr.bin/hxtool/Makefile:14:CFI_OVERRIDE=    -fno-sanitize=cfi-icall
./kerberos5/usr.bin/verify_krb5_conf/Makefile:9:CFI_OVERRIDE=   -fno-sanitize=cfi-icall
./kerberos5/usr.bin/ksu/Makefile:13:CFI_OVERRIDE=       -fno-sanitize=cfi-icall
Assignee
Assign to
Time tracking