-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Load dependencies by name #1594
base: master
Are you sure you want to change the base?
Conversation
CMakeLists.txt
Outdated
message(WARNING | ||
"Dependency signature verification during dynamic run-time linking is disabled. This may " | ||
"lead to security vulnerabilities. It is recommended to leave it enabled in production " | ||
"environment. Unset TBB_VERIFY_DEPENDENCY_SIGNATURE or set it ON to enable it again.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will unsetting TBB_VERIFY_DEPENDENCY_SIGNATURE not disable it instead? Did you mean "Set TBB_VERIFY_DEPENDENCY_SIGNATURE ..."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I clarified the messaging.
src/tbb/dynamic_link.cpp
Outdated
error = va_arg(args, dlerr_t); | ||
// TODO: Use fprintf_s once dynamic link functionality is extracted into a separate | ||
// module (e.g., a static library) | ||
std::fprintf(stdout, "%s The module \"%s\" was not loaded because it was not found. " |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please look up and use the more secured version fprintf_s
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
src/tbb/dynamic_link.cpp
Outdated
case dl_sys_fail: | ||
str = va_arg(args, const char*); | ||
error = va_arg(args, dlerr_t); | ||
std::fprintf(stdout, "oneTBB: A call to \"%s\" failed with error " DLERROR_SPECIFIER |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and all other locations of fprintf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
} | ||
|
||
va_end(args); | ||
} // library_warning |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a case that covers a certificate that has expired?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see comments in this conversation
DYNAMIC_LINK_WARNING( dl_sig_other_error, filepath, retval); | ||
break; | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar here: Is the case for an expired certificate covered somewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is covered by untrusted root case as the whole chain of certificates is checked.
} | ||
|
||
bool has_valid_signature(const char* filepath, const std::size_t length) { | ||
__TBB_ASSERT_EX(length <= PATH_MAX, "Too small buffer for path conversion"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is minor:
Is length too small when it is equal to PATH_MAX? (Maybe length < PATH_MAX)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is just enough as it includes the null-terminating character.
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
Signed-off-by: Fedotov, Aleksei <[email protected]>
3872b7b
to
4605226
Compare
src/tbb/CMakeLists.txt
Outdated
else() | ||
set(TBB_COMPILER_MACRO_SWITCH -D) | ||
endif() | ||
set(TBB_LIB_COMPILE_FLAGS ${TBB_LIB_COMPILE_FLAGS} ${TBB_COMPILER_MACRO_SWITCH}__TBB_VERIFY_DEPENDENCY_SIGNATURE) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can target_compile_definitions
be used instead?
pWVTData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL | WTD_REVOCATION_CHECK_CHAIN; | ||
pWVTData.dwUIContext = WTD_UICONTEXT_EXECUTE; // UI Context to run the file | ||
|
||
const auto rc = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &pgActionID, &pWVTData); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to use LONG instead of auto to prevent ambiguity and unintended typecasting when doing comparisons later with the return code from WinVerifyTrust
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the security standpoint, this is good for now.
A few notes:
- This is still up for discussion but anything beside ERROR_SUCCESS from WinVerifyTrust should result in an error instead of a warning sometimes. The user always has to option to turn off signature verification if they want, so once it's on, it's either success or failure.
- Might also need review from the TBB team.
- If there are some testing results that we can share, that will be great.
Description
This PR applies RFC:
Fixes # - issue number(s) if exists
Type of change
Choose one or multiple, leave empty if none of the other choices apply
Add a respective label(s) to PR if you have permissions
Tests
Documentation
Breaks backward compatibility
Notify the following users
List users with
@
to send notificationsOther information