Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

win,build: add option to enable cfg #56605

Merged
merged 4 commits into from
Mar 7, 2025
Merged

win,build: add option to enable cfg #56605

merged 4 commits into from
Mar 7, 2025

Conversation

huseyinacacak-janea
Copy link
Contributor

@huseyinacacak-janea huseyinacacak-janea commented Jan 15, 2025
edited
Loading

This adds an option to vcbuild.bat to compile with CFG (Control Flow Guard).

CFG is a programming or security concept used to ensure that the execution of a program follows its intended flow and prevents unauthorized or unintended behavior. It is often used to detect and mitigate attacks that exploit vulnerabilities, such as control flow hijacking, which occurs when an attacker manipulates the program’s control flow to execute malicious code.

  • CFG validates that indirect calls (e.g., calls via function pointers) and jumps go to legitimate, pre-determined destinations within the program.
  • When the application is compiled with CFG enabled, the compiler generates metadata about the valid control flow targets.
  • At runtime, Windows uses this metadata to verify the destination of indirect calls or jumps before allowing them.

More information about the CFG can be found at https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard

Fixes: #42100

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/gyp

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. needs-ci PRs that need a full CI run. windows Issues and PRs related to the Windows platform. labels Jan 15, 2025
jasnell
jasnell approved these changes Jan 15, 2025
View reviewed changes
Copy link
Member

@jasnell jasnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but would be worthwhile to expand on the motivation a bit in the PR or the commit message for folks unfamiliar with cfg

richardlau
richardlau reviewed Jan 15, 2025
View reviewed changes
Copy link
Member

@richardlau richardlau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather a more descriptive name than "cfg" was used in common.gypi and configure (I'm less concerned with vcbuild.bat).

Are there any plans to enable this by default in the future?

@huseyinacacak-janea
Copy link
Contributor Author

Are there any plans to enable this by default in the future?

No plan yet. CFG adds extra checks to the code to increase security. Therefore, these checks have a runtime cost in certain situations. Instead of enabling it by default, it might be enabled and released as a separate executable.

@huseyinacacak-janea
Copy link
Contributor Author

LGTM but would be worthwhile to expand on the motivation a bit in the PR or the commit message for folks unfamiliar with cfg

I've updated the PR description to give more information about CFG.

@StefanStojanovic StefanStojanovic added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/64765/

@huseyinacacak-janea
Copy link
Contributor Author

Is there anything else I can do to help this PR move forward?

@StefanStojanovic
Copy link
Contributor

Hey all, as I see there are no unresolved comments. In addition, this just enables Control Flow Guard, it doesn't enforce it in release builds (might open a follow-up PR for that). With all that in mind, I'd like to land this, so unless there is opposition, I'll land it on Monday (March 3).

@StefanStojanovic StefanStojanovic added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 3, 2025
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 3, 2025
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/56605
✔  Done loading data for nodejs/node/pull/56605
----------------------------------- PR info ------------------------------------
Title      win,build: add option to enable cfg (#56605)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     huseyinacacak-janea:huseyin-10270-enable-cfg -> nodejs:main
Labels     windows, build, needs-ci
Commits    5
 - win,build: add option to enable Control Flow Guard
 - Update common.gypi
 - Update configure.py
 - fix inconsistency in variables
 - Merge branch 'main' into huseyin-10270-enable-cfg
Committers 2
 - Hüseyin Açacak <huseyin@janeasystems.com>
 - GitHub <noreply@github.com>
PR-URL: https://github.com/nodejs/node/pull/56605
Fixes: https://github.com/nodejs/node/issues/42100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/56605
Fixes: https://github.com/nodejs/node/issues/42100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Wed, 15 Jan 2025 09:50:33 GMT
   ✔  Approvals: 2
   ✔  - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/56605#pullrequestreview-2552730898
   ✔  - Richard Lau (@richardlau) (TSC): https://github.com/nodejs/node/pull/56605#pullrequestreview-2650622770
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2025-01-27T12:22:57Z: https://ci.nodejs.org/job/node-test-pull-request/64765/
   ⚠  Commits were pushed after the last Full PR CI run:
   ⚠  - Merge branch 'main' into huseyin-10270-enable-cfg
- Querying data for job/node-test-pull-request/64765/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/13628619689

@StefanStojanovic StefanStojanovic added commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Mar 3, 2025
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 3, 2025
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/56605
✔  Done loading data for nodejs/node/pull/56605
----------------------------------- PR info ------------------------------------
Title      win,build: add option to enable cfg (#56605)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     huseyinacacak-janea:huseyin-10270-enable-cfg -> nodejs:main
Labels     windows, build, needs-ci, commit-queue-squash
Commits    5
 - win,build: add option to enable Control Flow Guard
 - Update common.gypi
 - Update configure.py
 - fix inconsistency in variables
 - Merge branch 'main' into huseyin-10270-enable-cfg
Committers 2
 - Hüseyin Açacak <huseyin@janeasystems.com>
 - GitHub <noreply@github.com>
PR-URL: https://github.com/nodejs/node/pull/56605
Fixes: https://github.com/nodejs/node/issues/42100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/56605
Fixes: https://github.com/nodejs/node/issues/42100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Wed, 15 Jan 2025 09:50:33 GMT
   ✔  Approvals: 2
   ✔  - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/56605#pullrequestreview-2552730898
   ✔  - Richard Lau (@richardlau) (TSC): https://github.com/nodejs/node/pull/56605#pullrequestreview-2650622770
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2025-03-03T10:26:06Z: https://ci.nodejs.org/job/node-test-pull-request/64765/
- Querying data for job/node-test-pull-request/64765/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  No git cherry-pick in progress
   ✔  No git am in progress
   ✔  No git rebase in progress
--------------------------------------------------------------------------------
- Bringing origin/main up to date...
From https://github.com/nodejs/node
 * branch                  main       -> FETCH_HEAD
✔  origin/main is now up-to-date
- Downloading patch for 56605
From https://github.com/nodejs/node
 * branch                  refs/pull/56605/merge -> FETCH_HEAD
✔  Fetched commits as 47a59bde2aad..05b3a8aad7ef
--------------------------------------------------------------------------------
Auto-merging common.gypi
CONFLICT (content): Merge conflict in common.gypi
Auto-merging configure.py
Auto-merging vcbuild.bat
error: could not apply 07f6da193f... win,build: add option to enable Control Flow Guard
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
   ✘  Failed to apply patches
https://github.com/nodejs/node/actions/runs/13633314973

@richardlau
Copy link
Member

@StefanStojanovic This is failing to merge via commit queue because of the merge commit in this PR.

@StefanStojanovic StefanStojanovic force-pushed the huseyin-10270-enable-cfg branch from 05b3a8a to fd6368b Compare March 4, 2025 07:46
@StefanStojanovic StefanStojanovic removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Mar 4, 2025
@StefanStojanovic
Copy link
Contributor

@StefanStojanovic This is failing to merge via commit queue because of the merge commit in this PR.

Thanks for letting me know. I've resolved that and pushed the branch. Will run the CI later. When you get time, please take a look at it and reapprove if all seems good to you, as I'll need approval after the last push to land it.

@StefanStojanovic StefanStojanovic added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 4, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 4, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65565/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65583/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65629/

@StefanStojanovic StefanStojanovic added commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 7, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 7, 2025
@nodejs-github-bot nodejs-github-bot merged commit f161033 into nodejs:main Mar 7, 2025
60 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in f161033

@StefanStojanovic StefanStojanovic mentioned this pull request Mar 7, 2025
Closed
aduh95 pushed a commit that referenced this pull request Mar 9, 2025
@huseyinacacak-janea @aduh95
win,build: add option to enable Control Flow Guard
b98b278 
PR-URL: #56605
Fixes: #42100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
aduh95 pushed a commit that referenced this pull request Mar 9, 2025
@huseyinacacak-janea @aduh95
win,build: add option to enable Control Flow Guard
17d4074 
PR-URL: #56605
Fixes: #42100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
@github-actions github-actions bot mentioned this pull request Mar 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasnell jasnell jasnell approved these changes

@richardlau richardlau richardlau approved these changes

Assignees
No one assigned
Labels
build Issues and PRs related to build files or the CI. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. needs-ci PRs that need a full CI run. windows Issues and PRs related to the Windows platform.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable CFG in node.exe
5 participants
@huseyinacacak-janea @nodejs-github-bot @StefanStojanovic @richardlau @jasnell