Open shaopeng-gh opened 11 months ago
User report that BinSkim BA2021 could have compatibility issue with R2R Linux binaries
This issue is created to investigate if below check should be removed/revised
// TODO: do we really require this check? What is the proposed fix to this issue?
if (peHeader.SectionAlignment < PAGE_SIZE)
{
// '{0}' has a section alignment ({1}) that is less than its page size ({2}).
context.Logger.Log(this,
RuleUtilities.BuildResult(FailureLevel.Error, context, null,
nameof(RuleResources.BA2021_Error_UnexpectedSectionAligment),
context.CurrentTarget.Uri.GetFileName(),
"0x" + peHeader.SectionAlignment.ToString("x"),
"0x" + PAGE_SIZE.ToString("x")));
return;
}
To repro, download official C# extension Linux x64 version from https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csharp
We also encountered this issue, in binaries compiled for Linux only. Binaries compiled for Windows do not raise error BA2021.
Thanks for adding the feedback.
This just is to note that Binskim combability with .NET ReadyToRun and self-contained could be looked into. with
p:PublishReadyToRun=true
and--self-contained
With PublishReadyToRun the section alignment changed to 200 from 2000. Binskim will fail with PublishReadyToRun while pass without. Not sure if it is a security issue or by design.
full command
"C:\Program Files\dotnet\dotnet.exe" publish C:\Sources\Repos\aaa\aaa.csproj --configuration Debug --output C:\Sources\Repos\aaa\linux-x64\aaa -r linux-x64 p:PublishReadyToRun=true --self-contained --framework net6.0
[error]7. BinSkim Error BA2021 - File: build/linux-x64/aaa/aaa.dll.
Tool: BinSkim: Rule: BA2021 (DoNotMarkWritableSectionsAsExecutable). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2021DoNotMarkWritableSectionsAsExecutable 'aaa.dll' has a section alignment (0x200) that is smaller than its page size (0x1000).