
[release/10.0] Enable ControlFlowGuard for ANCM native .dll's #63437

Merged
wtgodbe merged 2 commits into release/10.0 from wtgodbe/ControlFlowGuard
Aug 26, 2025


Member

@wtgodbe wtgodbe commented Aug 26, 2025

Fixes Binskim alerts

@wtgodbe wtgodbe requested review from Copilot and joperezr August 26, 2025 18:44
@wtgodbe wtgodbe requested a review from a team as a code owner August 26, 2025 18:44
Contributor

Copilot AI left a comment

Pull Request Overview

This PR enables Control Flow Guard (CFG) for AspNetCore Module native DLLs to fix Binskim security alerts. CFG is a Windows security feature that helps prevent exploitation of memory corruption vulnerabilities.

  • Adds the /guard:cf compiler option to enable Control Flow Guard
  • Applied to both common build settings and CustomAction project

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/Installers/Windows/AspNetCoreModule-Setup/build/settings/common.props | Adds CFG compiler option to common build settings |
| src/Installers/Windows/AspNetCoreModule-Setup/CustomAction/aspnetcoreCA.vcxproj | Adds CFG compiler option to CustomAction project settings |

@BrennanConroy
Member

Idk what these dlls are called, but the ANCM native dlls are in https://github.com/dotnet/aspnetcore/tree/main/src/Servers/IIS/AspNetCoreModuleV2
Should those be updated?

@wtgodbe
Member Author

wtgodbe commented Aug 26, 2025

> Should those be updated?

Good catch, added it for a few more shipping assemblies (there are alerts filed for OutOfProcess & aspnetcore.dll)

Member

@joperezr joperezr left a comment

Thanks for fixing!

cc @ericstj @SamMonoRT

@wtgodbe wtgodbe added the tell-mode label (Indicates a PR which is being merged during tell-mode) Aug 26, 2025
@wtgodbe wtgodbe merged commit 03e9582 into release/10.0 Aug 26, 2025
28 checks passed
@wtgodbe wtgodbe deleted the wtgodbe/ControlFlowGuard branch August 26, 2025 22:16
@dotnet-policy-service dotnet-policy-service bot added this to the 10.0-rc2 milestone Aug 26, 2025
@wtgodbe
Member Author

wtgodbe commented Aug 26, 2025

Confirmed that /guard:cf is getting passed to the compiler

wtgodbe added a commit that referenced this pull request Aug 27, 2025
[release/10.0] Enable ControlFlowGuard for ANCM native .dll's

Co-authored-by: William Godbe <wigodbe@microsoft.com>