Skip to content

loader: replace version check with SHA-256 hash verification#534

Merged
nsavoire merged 3 commits into
mainfrom
nsavoire/add_hash_check
Apr 2, 2026
Merged

loader: replace version check with SHA-256 hash verification#534
nsavoire merged 3 commits into
mainfrom
nsavoire/add_hash_check

Conversation

@nsavoire

@nsavoire nsavoire commented Apr 2, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

Verify the installed libdd_profiling-embedded.so by computing its SHA-256 on disk and comparing against the build-time hash, before calling dlopen. This avoids loading a library that cannot be safely unloaded on mismatch.

The build system now hashes the .so directly (instead of the .o wrapper), so the same hash serves as both the temp-file cache key and the installed-lib verification digest.

The ddprof_profiling_version symbol and the version-check infrastructure are removed — the hash check is strictly stronger and does not require dlopen.

SHA-256 implementation lives in src/lib/sha256.c.

@nsavoire
nsavoire requested a review from r1viollet as a code owner April 2, 2026 14:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a9b670ac18

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread test/hash_mismatch-ut.sh Outdated
@nsavoire
nsavoire force-pushed the nsavoire/add_hash_check branch 2 times, most recently from c5c351a to b5f0e07 Compare April 2, 2026 15:11
r1viollet
r1viollet previously approved these changes Apr 2, 2026

@r1viollet r1viollet left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
The sha256 is a better strategy, thanks

@nsavoire
nsavoire force-pushed the nsavoire/add_hash_check branch 2 times, most recently from b078ada to b799fc9 Compare April 2, 2026 19:17
nsavoire and others added 3 commits April 2, 2026 19:36
Verify the installed libdd_profiling-embedded.so by computing its
SHA-256 on disk and comparing against the build-time hash, before
calling dlopen.  This avoids loading a library that cannot be safely
unloaded on mismatch.

The build system now hashes the .so directly (instead of the .o
wrapper), so the same hash serves as both the temp-file cache key
and the installed-lib verification digest.

The ddprof_profiling_version symbol and the version-check
infrastructure are removed — the hash check is strictly stronger
and does not require dlopen.

SHA-256 implementation lives in src/lib/sha256.c.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The loader tries dlopen("libdd_profiling-embedded.so") before falling
back to extracting the embedded copy to /tmp. But the embedded library
was never included in the install targets, so the dlopen always fails.

The /tmp copy of ddprof lacks file capabilities (CAP_PERFMON), which
causes perf_event_open to fail with EPERM.

Add dd_profiling-embedded to the install targets when USE_LOADER is ON
so the loader finds it via standard dlopen and never falls back to /tmp.

Upstream: #535

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@nsavoire
nsavoire force-pushed the nsavoire/add_hash_check branch from b799fc9 to 50a8886 Compare April 2, 2026 19:36
@nsavoire
nsavoire merged commit b81b250 into main Apr 2, 2026
3 checks passed
@nsavoire
nsavoire deleted the nsavoire/add_hash_check branch April 2, 2026 20:31
@xroche

xroche commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

The sha256 is a better strategy, thanks

There is an issue though: the extracted embed library is stripped after computing the hash!

Edit: The issue was on our side (you can not strip the libs), sorry for the false positive!

@xroche

xroche commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

@r1viollet @nsavoire The latest RC appears to work well, we're looking forward for the release!

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants