[BUG] libSkiaSharp.dll does not enable the control flow guard (CFG)

[bcarthic]

Description

As per the rule BA2008, control flow guard needs to be enabled.

Rule Id: BA2008 Rule Name: EnableControlFlowGuard Rule Description: Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program.

Suggestion by Binskim

To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG. For VC projects use ItemDefinitionGroup - ClCompile - ControlFlowGuard property with 'Guard' value, link CFG property will be set automatically.

Code

The best way to share code for larger projects is a link to a GitHub repository: https://github.com/user/repo/tree/bug-123

But, you can also share a short block of code here:

// some C# code here

You can also share some XAML:

<!-- xaml code here -->

Expected Behavior

CFG needs to be enabled

Actual Behavior

No response

Version of SkiaSharp

3.116.0 (Current)

Last Known Good Version of SkiaSharp

2.88.9 (Previous)

IDE / Editor

Visual Studio (Windows)

Platform / Operating System

Windows

Platform / Operating System Version

No response

Devices

No response

Relevant Screenshots

No response

Relevant Log Output

Code of Conduct

• [x] I agree to follow this project's Code of Conduct

[azchohfi]

It seems like this was fixed by PR #3281, but there is still no published stable version of SkiaSharp with this. Is there an eta for the next preview?