set arm_control_flow_integrity = "pac" for fedora aarch64 build as

workaround for crash on BTI capable system
i9ce
Than Ngo 1 year ago
parent c85b98f7c6
commit 49554e50f0

@ -0,0 +1,12 @@
diff -up chromium-117.0.5938.132/build/config/arm.gni.me chromium-117.0.5938.132/build/config/arm.gni
--- chromium-117.0.5938.132/build/config/arm.gni.me 2023-09-29 15:37:18.281122162 +0200
+++ chromium-117.0.5938.132/build/config/arm.gni 2023-09-29 15:38:24.855369796 +0200
@@ -140,7 +140,7 @@ if (current_cpu == "arm" || v8_current_c
# target_cpu == "arm64" filters out some cases (e.g. the ChromeOS x64
# MSAN build) where the target platform is x64, but V8 is configured to
# use the arm64 simulator.
- arm_control_flow_integrity = "standard"
+ arm_control_flow_integrity = "pac"
}
}
assert(arm_control_flow_integrity == "none" ||
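Review bot: The new `arm_control_flow_integrity = "pac"` line has no comment in arm.gni marking it as a distribution workaround; the comment above it still only explains the `target_cpu == "arm64"` filter. With "pac" the build keeps return-address signing but no longer emits BTI landing pads, so forward-edge protection on indirect branches is absent for as long as this patch is carried. I would add a comment directly above the assignment, for example `# Fedora workaround for rhbz#2239523: BTI off, PAC kept; restore "standard" once fixed upstream.`, so the downgrade stays visible when the patch is rebased. The enclosing `if` block starts outside the hunk.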

@ -82,6 +82,16 @@
%endif
%endif
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2239523
# Disable BTI until this is fixed upstream.
%global disable_bti 0
%ifarch aarch64
%if 0%{?fedora}
%global optflags %(echo %{optflags} | sed 's/-mbranch-protection=standard /-mbranch-protection=pac-ret /')
%global disable_bti 1
%endif
%endif
# Seems like we might need this sometimes
# Practically, no. But it's here in case we do.
%global use_gold 0
@ -239,7 +249,7 @@
Name: chromium%{chromium_channel}
Version: 117.0.5938.132
Release: 1%{?dist}
Release: 2%{?dist}
Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use
Url: http://www.chromium.org/Home
License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only)
@ -377,6 +387,11 @@ Patch350: chromium-116-tweak_about_gpu.patch
# build error
Patch351: chromium-117-mnemonic-error.patch
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2239523
# https://bugs.chromium.org/p/chromium/issues/detail?id=1145581#c60
# Disable BTI until this is fixed upstream.
Patch352: chromium-117-workaround_for_crash_on_BTI_capable_system.patch
# upstream patches
Patch400: chromium-117-memory_leak_in_xserver.patch
@ -992,6 +1007,10 @@ udev.
%patch -P350 -p1 -b .tweak_about_gpu
%patch -P351 -p1 -b .mnemonic-error
%if %{disable_bti}
%patch -P352 -p1 -b .workaround_for_crash_on_BTI_capable_system
%endif
%patch -P400 -p1 -b .memory_leak_in_xserver
# Change shebang in all relevant files in this directory and all subdirectories
@ -1071,14 +1090,6 @@ FLAGS+=' -Wno-unused-but-set-variable -Wno-unused-result -Wno-unused-function -W
FLAGS+=' -Wno-unused-const-variable -Wno-unneeded-internal-declaration -Wno-unknown-attributes'
%endif
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2239523
# Disable BTI until this is fixed upstream.
%ifarch aarch64
%if 0%{?fedora}
FLAGS="${FLAGS/-mbranch-protection=standard/-mbranch-protection=none}"
%endif
%endif
%if %{system_build_flags}
CFLAGS=${CFLAGS/-g }
CFLAGS=${CFLAGS/-fexceptions}
@ -1695,6 +1706,9 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
%{chromium_path}/chromedriver
%changelog
* Fri Sep 29 2023 Than Ngo <than@redhat.com> - 117.0.5938.132-2
- add workaround for the crash on BTI capable system
* Thu Sep 28 2023 Than Ngo <than@redhat.com> - 117.0.5938.132-1
- update to 117.0.5938.132
- CVE-2023-5217, heap buffer overflow in vp8 encoding in libvpx.
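Review bot: The `sed` expression on the `%global optflags` line only matches `-mbranch-protection=standard` when a space follows it, while `disable_bti` is set to 1 regardless of whether the substitution took effect. If the flag is ever the last token in `%{optflags}`, the distribution flags keep `standard` while Patch352 switches the GN side to "pac", and nothing reports the mismatch. Dropping the trailing space on both sides, `sed 's/-mbranch-protection=standard/-mbranch-protection=pac-ret/'`, matches the pattern of the removed `${FLAGS/...}` substitution. Because the workaround turns off a hardening feature, the comment above `%global disable_bti 0` should also name the condition for removing it, such as the Chromium issue linked at Patch352.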
