jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/native/CMakeLists.txt
Jeremie Fraeys 7efe8bbfbf
native: security hardening, research trustworthiness, and CVE mitigations 
Security Fixes:
- CVE-2024-45339: Add O_EXCL flag to temp file creation in storage_write_entries()
  Prevents symlink attacks on predictable .tmp file paths
- CVE-2025-47290: Use openat_nofollow() in storage_open()
  Closes TOCTOU race condition via path_sanitizer infrastructure
- CVE-2025-0838: Add MAX_BATCH_SIZE=10000 to add_tasks()
  Prevents integer overflow in batch operations

Research Trustworthiness (dataset_hash):
- Deterministic file ordering: std::sort after collect_files()
- Recursive directory traversal: depth-limited with cycle detection
- Documented exclusions: hidden files and special files noted in API

Bug Fixes:
- R1: storage_init path validation for non-existent directories
- R2: safe_strncpy return value check before strcat
- R3: parallel_hash 256-file cap replaced with std::vector
- R4: wire qi_compact_index/qi_rebuild_index stubs
- R5: CompletionLatch race condition fix (hold mutex during decrement)
- R6: ARMv8 SHA256 transform fix (save abcd_pre before vsha256hq_u32)
- R7: fuzz_index_storage header format fix
- R8: enforce null termination in add_tasks/update_tasks
- R9: use 64 bytes (not 65) in combined hash to exclude null terminator
- R10: status field persistence in save()

New Tests:
- test_recursive_dataset.cpp: Verify deterministic recursive hashing
- test_storage_symlink_resistance.cpp: Verify CVE-2024-45339 fix
- test_queue_index_batch_limit.cpp: Verify CVE-2025-0838 fix
- test_sha256_arm_kat.cpp: ARMv8 known-answer tests
- test_storage_init_new_dir.cpp: F1 verification
- test_parallel_hash_large_dir.cpp: F3 verification
- test_queue_index_compact.cpp: F4 verification

All 8 native tests passing. Library ready for research lab deployment.
2026-02-21 13:33:45 -05:00

122 lines
4.6 KiB
CMake
Raw Blame History

cmake_minimum_required(VERSION 3.20)
project(fetchml_native VERSION 0.1.0 LANGUAGES CXX C)
set(CMAKE_CXX_STANDARD 20)
set(CMAKE_CXX_STANDARD_REQUIRED ON)
set(CMAKE_C_STANDARD 11)
set(CMAKE_C_STANDARD_REQUIRED ON)
# Build options
option(BUILD_SHARED_LIBS "Build shared libraries" ON)
option(ENABLE_ASAN "Enable AddressSanitizer" OFF)
option(ENABLE_TSAN "Enable ThreadSanitizer" OFF)
# Position independent code for shared libraries
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
# Compiler flags
if(CMAKE_CXX_COMPILER_ID MATCHES "GNU|Clang")
set(CMAKE_CXX_FLAGS_RELEASE "-O3 -march=native -DNDEBUG -fomit-frame-pointer")
set(CMAKE_CXX_FLAGS_DEBUG "-O0 -g -fno-omit-frame-pointer")
set(CMAKE_C_FLAGS_RELEASE "-O3 -march=native -DNDEBUG -fomit-frame-pointer")
set(CMAKE_C_FLAGS_DEBUG "-O0 -g -fno-omit-frame-pointer")
# Security hardening flags (always enabled)
set(SECURITY_FLAGS
-D_FORTIFY_SOURCE=2 # Buffer overflow protection
-fstack-protector-strong # Stack canaries
-Wformat-security # Format string warnings
-Werror=format-security # Format string errors
-fPIE # Position-independent code
)
# Add security flags to all build types
add_compile_options(${SECURITY_FLAGS})
# Linker security flags (Linux only)
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now -pie")
set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now")
endif()
# Warnings
add_compile_options(-Wall -Wextra -Wpedantic)
if(ENABLE_ASAN)
add_compile_options(-fsanitize=address,undefined -fno-omit-frame-pointer)
add_link_options(-fsanitize=address,undefined)
endif()
if(ENABLE_TSAN)
add_compile_options(-fsanitize=thread)
add_link_options(-fsanitize=thread)
endif()
endif()
if(APPLE)
# macOS universal binary support (optional - comment out if targeting single arch)
# set(CMAKE_OSX_ARCHITECTURES "x86_64;arm64")
endif()
# Find threading library
find_package(Threads REQUIRED)
# Include directories
include_directories(${CMAKE_CURRENT_SOURCE_DIR})
# Enable testing
enable_testing()
# Libraries will be added as subdirectories
add_subdirectory(common)
add_subdirectory(queue_index)
add_subdirectory(dataset_hash)
# Tests from root tests/ directory
if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/tests)
add_executable(test_storage tests/test_storage.cpp)
target_link_libraries(test_storage queue_index)
add_test(NAME storage_smoke COMMAND test_storage)
add_executable(test_dataset_hash tests/test_dataset_hash.cpp)
target_link_libraries(test_dataset_hash dataset_hash)
add_test(NAME dataset_hash_smoke COMMAND test_dataset_hash)
# Test storage_init on new directories
add_executable(test_storage_init_new_dir tests/test_storage_init_new_dir.cpp)
target_link_libraries(test_storage_init_new_dir queue_index)
add_test(NAME storage_init_new_dir COMMAND test_storage_init_new_dir)
# Test parallel_hash with >256 files
add_executable(test_parallel_hash_large_dir tests/test_parallel_hash_large_dir.cpp)
target_link_libraries(test_parallel_hash_large_dir dataset_hash)
add_test(NAME parallel_hash_large_dir COMMAND test_parallel_hash_large_dir)
# Test queue_index compact
add_executable(test_queue_index_compact tests/test_queue_index_compact.cpp)
target_link_libraries(test_queue_index_compact queue_index)
add_test(NAME queue_index_compact COMMAND test_queue_index_compact)
# Test ARMv8 SHA256 (only on ARM64)
if(CMAKE_SYSTEM_PROCESSOR MATCHES "arm64|aarch64")
add_executable(test_sha256_arm_kat tests/test_sha256_arm_kat.cpp)
target_link_libraries(test_sha256_arm_kat dataset_hash)
add_test(NAME sha256_arm_kat COMMAND test_sha256_arm_kat)
endif()
# CVE-2024-45339: Test storage symlink resistance
add_executable(test_storage_symlink_resistance tests/test_storage_symlink_resistance.cpp)
target_link_libraries(test_storage_symlink_resistance queue_index)
add_test(NAME storage_symlink_resistance COMMAND test_storage_symlink_resistance)
# CVE-2025-0838: Test queue index batch limit
add_executable(test_queue_index_batch_limit tests/test_queue_index_batch_limit.cpp)
target_link_libraries(test_queue_index_batch_limit queue_index)
add_test(NAME queue_index_batch_limit COMMAND test_queue_index_batch_limit)
endif()
# Combined target for building all libraries
add_custom_target(all_native_libs DEPENDS
queue_index
dataset_hash
)
Reference in a new issue View git blame Copy permalink