wtgodbe
Member

@wtgodbe wtgodbe commented Aug 26, 2025

Fixes BinSkim alerts

@wtgodbe wtgodbe requested review from Copilot and joperezr August 26, 2025 18:44
@wtgodbe wtgodbe requested a review from a team as a code owner August 26, 2025 18:44
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR enables Control Flow Guard (CFG) for AspNetCore Module native DLLs to fix BinSkim security alerts. CFG is a Windows security feature that helps prevent exploitation of memory corruption vulnerabilities.

  • Adds the /guard:cf compiler option to enable Control Flow Guard
  • Applied to both common build settings and CustomAction project

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/Installers/Windows/AspNetCoreModule-Setup/build/settings/common.props | Adds CFG compiler option to common build settings |
| src/Installers/Windows/AspNetCoreModule-Setup/CustomAction/aspnetcoreCA.vcxproj | Adds CFG compiler option to CustomAction project settings |

@BrennanConroy
Member

Idk what these dlls are called, but the ANCM native dlls are in https://github.com/dotnet/aspnetcore/tree/main/src/Servers/IIS/AspNetCoreModuleV2
Should those be updated?

@wtgodbe
Member Author

wtgodbe commented Aug 26, 2025

> Should those be updated?

Good catch, added it for a few more shipping assemblies (there are alerts filed for OutOfProcess & aspnetcore.dll)

Member

@joperezr joperezr left a comment

Thanks for fixing!

cc @ericstj @SamMonoRT

@wtgodbe wtgodbe added the tell-mode Indicates a PR which is being merged during tell-mode label Aug 26, 2025
@wtgodbe wtgodbe merged commit 03e9582 into release/10.0 Aug 26, 2025
28 checks passed
@wtgodbe wtgodbe deleted the wtgodbe/ControlFlowGuard branch August 26, 2025 22:16
@dotnet-policy-service dotnet-policy-service bot added this to the 10.0-rc2 milestone Aug 26, 2025
@wtgodbe
Member Author

wtgodbe commented Aug 26, 2025

Confirmed that /guard:cf is getting passed to the compiler

wtgodbe added a commit that referenced this pull request Aug 27, 2025
[release/10.0] Enable ControlFlowGuard for ANCM native .dll's

Co-authored-by: William Godbe <[email protected]>