Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

'WinGetUtil.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities #748

Closed
palenshus opened this issue Feb 9, 2021 · 5 comments · Fixed by #856
Closed

'WinGetUtil.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities #748

palenshus opened this issue Feb 9, 2021 · 5 comments · Fixed by #856
Labels
Issue-Bug It either shouldn't be doing this or needs an investigation.
Milestone
v1.3-Client

Comments

@palenshus
Copy link
Contributor

palenshus commented Feb 9, 2021
edited
Loading

Brief description of your issue

I ran binskim against wingetutil.dll, and it reported this error:

warning BA2024: 'WinGetUtil.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. The following modules are out of policy:
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
Delayimp.lib,cxx,19.28.29118.96 : delayhk1.obj,delayhk2.obj,delayhlp.obj
YamlCppLib.lib,c,19.28.29336.0 : api.obj,dumper.obj,emitter.obj,loader.obj,parser.obj,reader.obj,scanner.obj,writer.obj
msvcprt.lib,cxx,19.28.29118.96 : filesystem.obj,locale0_implib.obj,nothrow.obj,syserror_import_lib.obj
MSVCRT.lib,c,19.28.29118.96 : chandler4gs.obj,cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,secchk.obj,ucrt_detection.obj
MSVCRT.lib,cxx,19.28.29118.96 : argv_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,dll_dllmain_stub.obj,ehvccctr.obj,ehvecctr.obj,ehvecdtr.obj,fltused.obj,initializers.obj,initsect.obj,new_array.obj,new_scalar.obj,new_scalar_nothrow.obj,std_type_info_static.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj
JsonCppLib.lib,cxx,19.28.29336.0 : jsoncpp.obj
Exports.obj,cxx,19.28.29336.0 : Exports.obj
pch.obj,cxx,19.28.29336.0 : pch.obj
AppInstallerCommonCore.lib,cxx,19.28.29336.0 : AppInstallerLogging.obj,AppInstallerStrings.obj,AppInstallerTelemetry.obj,Architecture.obj,DateTime.obj,Deployment.obj,Downloader.obj,ExperimentalFeature.obj,ExtensionCatalog.obj,FileLogger.obj,HttpClientWrapper.obj,HttpLocalCache.obj,HttpRandomAccessStream.obj,JsonUtil.obj,Manifest.obj,ManifestInstaller.obj,ManifestValidation.obj,MsixInfo.obj,pch.obj,Registry.obj,Runtime.obj,Settings.obj,SHA256.obj,Synchronization.obj,TraceLogging.obj,UserSettings.obj,Versions.obj,Yaml.obj,YamlParser.obj,YamlWrapper.obj
AppInstallerRepositoryCore.lib,cxx,19.28.29336.0 : ARPHelper.obj,CompositeSource.obj,Interface_1_0.obj,Interface_1_1.obj,ManifestMetadataTable.obj,ManifestTable.obj,MetadataTable.obj,OneToManyTable.obj,OneToOneTable.obj,PathPartTable.obj,pch.obj,PredefinedInstalledSourceFactory.obj,PreIndexedPackageSourceFactory.obj,RepositorySource.obj,SearchResultsTable_1_0.obj,SearchResultsTable_1_1.obj,SQLiteIndex.obj,SQLiteIndexSource.obj,SQLiteStatementBuilder.obj,SQLiteTempTable.obj,SQLiteWrapper.obj,Version.obj
AppInstallerRepositoryCore.lib,c,19.28.29336.0 : SQLiteICU.obj

Steps to reproduce

binskim\tools\netcoreapp3.1\win-x64\BinSkim.exe analyze D:\Git\winget-cli\src\x64\Release\WinGetUtil\WinGetUtil.dll

Expected behavior

Binskim should run clean against this binary

Actual behavior

See above
@ghost ghost added the Needs-Triage Issue need to be triaged label Feb 9, 2021
@denelon denelon added Issue-Bug It either shouldn't be doing this or needs an investigation. Impact-Compliance and removed Needs-Triage Issue need to be triaged labels Feb 10, 2021
@justus4234
Copy link

#754 #321 @danewalton

@justus4234
Copy link

Brief description of your issue

I ran binskim against wingetutil.dll, and it reported this error:

warning BA2024: 'WinGetUtil.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. The following modules are out of policy:
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
Delayimp.lib,cxx,19.28.29118.96 : delayhk1.obj,delayhk2.obj,delayhlp.obj
YamlCppLib.lib,c,19.28.29336.0 : api.obj,dumper.obj,emitter.obj,loader.obj,parser.obj,reader.obj,scanner.obj,writer.obj
msvcprt.lib,cxx,19.28.29118.96 : filesystem.obj,locale0_implib.obj,nothrow.obj,syserror_import_lib.obj
MSVCRT.lib,c,19.28.29118.96 : chandler4gs.obj,cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,secchk.obj,ucrt_detection.obj
MSVCRT.lib,cxx,19.28.29118.96 : argv_mode.obj,default_local_stdio_options.obj,delete_array.obj,delete_scalar.obj,delete_scalar_size.obj,dll_dllmain.obj,dll_dllmain_stub.obj,ehvccctr.obj,ehvecctr.obj,ehvecdtr.obj,fltused.obj,initializers.obj,initsect.obj,new_array.obj,new_scalar.obj,new_scalar_nothrow.obj,std_type_info_static.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj
JsonCppLib.lib,cxx,19.28.29336.0 : jsoncpp.obj
Exports.obj,cxx,19.28.29336.0 : Exports.obj
pch.obj,cxx,19.28.29336.0 : pch.obj
AppInstallerCommonCore.lib,cxx,19.28.29336.0 : AppInstallerLogging.obj,AppInstallerStrings.obj,AppInstallerTelemetry.obj,Architecture.obj,DateTime.obj,Deployment.obj,Downloader.obj,ExperimentalFeature.obj,ExtensionCatalog.obj,FileLogger.obj,HttpClientWrapper.obj,HttpLocalCache.obj,HttpRandomAccessStream.obj,JsonUtil.obj,Manifest.obj,ManifestInstaller.obj,ManifestValidation.obj,MsixInfo.obj,pch.obj,Registry.obj,Runtime.obj,Settings.obj,SHA256.obj,Synchronization.obj,TraceLogging.obj,UserSettings.obj,Versions.obj,Yaml.obj,YamlParser.obj,YamlWrapper.obj
AppInstallerRepositoryCore.lib,cxx,19.28.29336.0 : ARPHelper.obj,CompositeSource.obj,Interface_1_0.obj,Interface_1_1.obj,ManifestMetadataTable.obj,ManifestTable.obj,MetadataTable.obj,OneToManyTable.obj,OneToOneTable.obj,PathPartTable.obj,pch.obj,PredefinedInstalledSourceFactory.obj,PreIndexedPackageSourceFactory.obj,RepositorySource.obj,SearchResultsTable_1_0.obj,SearchResultsTable_1_1.obj,SQLiteIndex.obj,SQLiteIndexSource.obj,SQLiteStatementBuilder.obj,SQLiteTempTable.obj,SQLiteWrapper.obj,Version.obj
AppInstallerRepositoryCore.lib,c,19.28.29336.0 : SQLiteICU.obj

Steps to reproduce

binskim\tools\netcoreapp3.1\win-x64\BinSkim.exe analyze D:\Git\winget-cli\src\x64\Release\WinGetUtil\WinGetUtil.dll

Expected behavior

Binskim should run clean against this binary

Actual behavior

See above

@justus4234
Copy link

he sould help on over head for finish code ...or what to do with the blue pinted code when the other problem or problem s or done ....

@danewalton-msft
Copy link

was I mistakenly tagged here?

@megamorf
Copy link

megamorf commented Feb 16, 2021
edited
Loading

was I mistakenly tagged here?

Looks like the justus user is a spam bot and you were tagged for some random reason.

@yao-msft yao-msft linked a pull request Apr 9, 2021 that will close this issue
Enable code analysis, sdl checks, binskim and fix related errors #856
Merged
@denelon denelon added this to the v1.3-Client milestone Jun 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue-Bug It either shouldn't be doing this or needs an investigation.
Projects
None yet
Milestone
v1.3-Client
Development

Successfully merging a pull request may close this issue.

Enable code analysis, sdl checks, binskim and fix related errors yao-msft/winget-cli
5 participants
@megamorf @palenshus @danewalton-msft @denelon @justus4234