Explain why Get-HardenFlags currently fails.

Change-Id: I4a956b2479a482a9262e6e67f6c7611fad9dde84 Reviewed-on: https://code.wireshark.org/review/11448 Reviewed-by: Gerald Combs <gerald@wireshark.org>
2015-10-30 11:18:45 -07:00 · 2015-10-30 11:18:45 -07:00 · ad1f7f4677
parent b6497d44b5
commit ad1f7f4677
1 changed files with 15 additions and 0 deletions
--- a/tools/Get-HardenFlags.ps1
+++ b/tools/Get-HardenFlags.ps1
@ -28,6 +28,21 @@
 #   on all the binaries in the distribution, and then filters
 #   for the NXCOMPAT and DYNAMICBASE flags.

+# This script will probably fail for the forseeable future.
+#
+# Many of our third-party libraries are compiled using MinGW-w64. Its version
+# of `ld` doesn't enable the dynamicbase, nxcompat, or high-entropy-va flags
+# by default. When you *do* pass --dynamicbase it strips the relocation
+# section of the executable:
+#
+#   https://sourceware.org/bugzilla/show_bug.cgi?id=19011
+#
+# As a result, none of the distributions that produce Windows applications
+# and libraries have any sort of hardening flags enabled:
+#
+#   http://mingw-w64.org/doku.php/download
+#
+
 <#
 .SYNOPSIS
 Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.