BA2024 - Defect : EnableSpectreMitigations #288

Closed
yitam opened this issue May 25, 2020 · 16 comments
@yitam

yitam commented May 25, 2020

I ran binskim on our binaries but received the following issue as defect. Already updated to the latest Visual Studio 2017 v15.9.23 with these installed:

[image]

What else can I do to resolve this defect?

The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: 
msvcprtd.lib,cxx,19.15.26706.0 : locale0_implib.obj 
MSVCRTD.lib,cxx,19.15.26706.0 : argv_mode.obj,default_local_stdio_options.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,ehvecdtr.obj,error.obj,fltused.obj,gshandler.obj,gshandlereh.obj,init.obj,initializers.obj,initsect.obj,new_scalar.obj,pdblkup.obj,stack.obj,std_type_info_static.obj,throw_bad_alloc.obj,tncleanup.obj,ucrt_stubs.obj,userapi.obj,utility.obj,utility_desktop.obj 
MSVCRTD.lib,c,19.15.26706.0 : cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,ucrt_detection.obj
@yitam
Author

yitam commented Jun 3, 2020

Any feedback or pointer is appreciated.

@TobiasFunk

Hey, I have the same issue. The interesting point is that this only happens when the /Qspectre switch is enabled in a debug build or a managed C++ application (/clr). With the release version everything is fine, so I assume that the debug msvcrtd.lib is really not built with Spectre.

@Maximus5

Seems like libcmtd.lib and msvcrtd.lib were not compiled with spectre mitigation.
Only release versions are.

@eddynaka
Contributor

@yitam @TobiasFunk , sorry for the delay. Are you still facing this issue?

@TobiasFunk

I changed my projects to not run binskim on debug builds, but I briefly checked manually and at least I can't see the error any more (we changed to a new compiler version in the meantime).

@eddynaka
Contributor

@TobiasFunk , we observed that if you run in debug, it won't work. I will try to change the text in the rule itself or add some kind of hint so people will know to run this validation only on release mode.

@yitam
Author

yitam commented Mar 11, 2021

@eddynaka yes I ran on debug build as well. I will give it a try using the release build then.

@eddynaka
Contributor

@yitam , thank you! Let me know the result. Ping me on Teams if you face any issue.

@yitam
Author

yitam commented Mar 11, 2021

@eddynaka with the release build I still got the following. Is there anything else I should do? It's been months since I last updated Visual Studio, but is that the cause?

2021-03-11T16:47:30.0922486Z The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
2021-03-11T16:47:30.0923365Z msvcprt.lib,cxx,19.15.26706.0 : locale0_implib.obj
2021-03-11T16:47:30.0924539Z MSVCRT.lib,cxx,19.15.26706.0 : argv_mode.obj,default_local_stdio_options.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,ehvecdtr.obj,fltused.obj,gshandler.obj,gshandlereh.obj,initializers.obj,initsect.obj,new_scalar.obj,std_type_info_static.obj,throw_bad_alloc.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj
2021-03-11T16:47:30.0925864Z MSVCRT.lib,c,19.15.26706.0 : cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,ucrt_detection.obj
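A way to triage a BA2024 message like the one above, as an added example that is not part of the original thread and is not BinSkim's own code: it parses the `library,language,compiler version : objects` lines and separates objects that come from the toolset's runtime libraries from everything else. The `RUNTIME_LIBS` set, the function names and `mylib.lib` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the BA2024 log lines quoted in this thread
# (object lists shortened); mylib.lib is a hypothetical first-party library.
SAMPLE = """\
2021-03-11T16:47:30.0922486Z The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
2021-03-11T16:47:30.0923365Z msvcprt.lib,cxx,19.15.26706.0 : locale0_implib.obj
2021-03-11T16:47:30.0924539Z MSVCRT.lib,cxx,19.15.26706.0 : argv_mode.obj,delete_scalar.obj
2021-03-11T16:47:30.0925864Z MSVCRT.lib,c,19.15.26706.0 : cpu_disp.obj,gs_cookie.obj
mylib.lib,cxx,19.15.26706.0 : parser.obj
"""

# Assumption: library names treated as toolset-supplied C/C++ runtime.
RUNTIME_LIBS = {"msvcrt.lib", "msvcrtd.lib", "msvcprt.lib", "msvcprtd.lib",
                "libcmt.lib", "libcmtd.lib"}

# Optional pipeline timestamp, then "<lib>,<language>,<compiler version> : <objs>".
LINE = re.compile(
    r"^(?:\d{4}-\d\d-\d\dT[\d:.]+Z\s+)?"
    r"(?P<lib>[^,\s]+),(?P<lang>[^,\s]+),(?P<ver>\d+(?:\.\d+)+)\s*:\s*(?P<objs>.+)$"
)

def parse_ba2024(text):
    """Return {(library, compiler_version): [object files]} from BA2024 module lines."""
    modules = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header sentence or unrelated log line
        objs = [o.strip() for o in m["objs"].split(",") if o.strip()]
        modules[(m["lib"], m["ver"])].extend(objs)
    return dict(modules)

def triage(text):
    """Split flagged objects into (runtime-library hits, all other hits)."""
    runtime, other = {}, {}
    for (lib, ver), objs in parse_ba2024(text).items():
        bucket = runtime if lib.lower() in RUNTIME_LIBS else other
        bucket[(lib, ver)] = objs
    return runtime, other

if __name__ == "__main__":
    runtime, other = triage(SAMPLE)
    for label, hits in (("runtime libraries", runtime), ("other libraries", other)):
        for (lib, ver), objs in hits.items():
            print(f"{label}: {lib} (compiler {ver}): {len(objs)} object(s)")
```

Hits in the second bucket point at code built by your own project without the switch; hits only in the first bucket point at the installed runtime libraries, which is the situation discussed in this thread.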

@eddynaka
Contributor

@yitam , looking at my current installation I have:

  • C++ v14.27 ATL for v142 build tools with Spectre mitigations (x86 & x64)
  • C++ v14.27 MFC for v142 build tools with Spectre mitigations (x86 & x64)
  • MSVC v142 - VS2019 C++ x64/x86 spectre-mitigated libs
  • MSVC v142 - VS2019 C++ x64/x86 build tools.

Also, check if you are using control flow guard.

@yitam
Author

yitam commented Mar 11, 2021

Yes @eddynaka control flow guard is on, but I'm using Visual Studio 2017. I will upgrade later if the version is the reason.

2021-03-11T16:47:29.8788235Z c:\vsts-agent\_work\1\s\7.4\x64\php_pdo_sqlsrv.dll: pass BA2008: 'php_pdo_sqlsrv.dll' enables the control flow guard mitigation. As a result, the operating system will force an application to close if an attacker is able to redirect execution in the component to an unexpected location.

@yitam
Author

yitam commented Mar 11, 2021

Thanks @eddynaka it seems this issue has disappeared when compiling the binaries with Visual Studio 2019. Please go ahead to close this issue if you like.

@eddynaka
Contributor

Good to know! So, VS2019 and release mode is the way to go. Will remember that.
Closing for now.

@jeofyoung
Member

For anybody who stumbles upon this post, apparently you also need to specify '/Zi' together with '/Qspectre' in order for binskim to detect this flag even for release builds.

@Odenburg83

We are facing the same issue with a C++ library compiled using CMake. CMake properly identifies the required settings if we ask it to enable Spectre mitigations (we validated the generated vcproj file). However, binskim cannot validate this statement without setting /Zi (as it was suggested by @jeofyoung), but this leads to crashes with our code base during runtime.
Do you have any other suggestion to solve the problem?

@jonthysell

We're still seeing this warning in VS 2022, and we specify both <DebugInformationFormat>ProgramDatabase</DebugInformationFormat> and <SpectreMitigation>Spectre</SpectreMitigation>.
