X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=5181e78db0c7fa6afbb181a76fce7fcf32df636b;hb=ec57d62bf603e1f91e286bccbe7024661075da09;hp=26826f07a0abe87740087d16b1a3b63e8233b59f;hpb=766e4499437c6e872cc5870a821c4d10d2d8a63b;p=blhc%2Fblhc.git
diff --git a/bin/blhc b/bin/blhc
index 26826f0..5181e78 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -24,7 +24,7 @@ use warnings;
 use Getopt::Long ();
 use Text::ParseWords ();
-our $VERSION = '0.13';
+our $VERSION = '0.14';
 # CONSTANTS/VARIABLES
@@ -237,9 +237,18 @@ my @def_cflags_stack_bad = (
 '-fno-stack-protector-all',
 '-fno-stack-protector-strong',
 );
+my @def_cflags_stack_clash = (
+ '-fstack-clash-protection',
+);
 my @def_cflags_pie = (
 '-fPIE',
 );
+my @def_cflags_branch_amd64 = (
+ '-fcf-protection',
+);
+my @def_cflags_branch_arm64 = (
+ '-mbranch-protection=standard',
+);
 my @def_cxxflags = (
 @def_cflags,
 );
@@ -280,7 +289,10 @@ my @flag_refs = (
 \@def_cflags_stack,
 \@def_cflags_stack_strong,
 \@def_cflags_stack_bad,
+ \@def_cflags_stack_clash,
 \@def_cflags_pie,
+ \@def_cflags_branch_amd64,
+ \@def_cflags_branch_arm64,
 \@def_cxxflags,
 \@def_cppflags,
 \@def_cppflags_fortify,
@@ -802,6 +814,8 @@ foreach my $file (@ARGV) {
 my $harden_fortify = 1;
 my $harden_stack = 1;
 my $harden_stack_strong = 1;
+ my $harden_stack_clash = 1;
+ my $harden_branch = 1;
 my $harden_relro = 1;
 my $harden_bindnow = $option_bindnow; # defaults to 0
 my $harden_pie = $option_pie; # defaults to 0
@@ -856,6 +870,8 @@ foreach my $file (@ARGV) {
 my $disable = 1;
 my $disable_strong = 1;
+ my $disable_clash = 1;
+ my $disable_branch = 1;
 if ($line =~ /\bdpkg-dev_(\S+)/) {
 if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
@@ -867,6 +883,10 @@ foreach my $file (@ARGV) {
 if (Dpkg::Version::version_compare($1, '1.18.15') >= 0) {
 $disable_harden_pie = 1;
 }
+ if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
+ $disable_clash = 0;
+ $disable_branch = 0;
+ }
 }
 if ($disable) {
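Review bot: The new lists in the `@@ -237,9 +237,18 @@` hunk name only the enabling flags, while `@def_cflags_stack_bad` directly above them exists because GCC honours the last matching option on the command line; the same holds for `-fno-stack-clash-protection`, `-fcf-protection=none` and `-mbranch-protection=none`, so if that bad-list is what lets blhc notice an enabling flag being overridden later on the line, the stack-clash and branch features would need matching lists (e.g. `@def_cflags_stack_clash_bad`, `@def_cflags_branch_bad`) or a build could switch the protection off while the log is still reported as hardened. Whether the flag matching uses the bad-list that way is not visible in this hunk, so this needs checking against the code that consumes `@def_cflags_stack_bad`. A comment above `@def_cflags_branch_amd64` such as `# Branch protection (dpkg-dev 1.22.0 'branch' feature); the flag is CPU-specific, so one list per CPU, selected below.` would also explain why one feature has two lists.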
@@ -880,6 +900,12 @@ foreach my $file (@ARGV) {
 if ($disable_strong) {
 $harden_stack_strong = 0;
 }
+ if ($disable_clash) {
+ $harden_stack_clash = 0;
+ }
+ if ($disable_branch) {
+ $harden_branch = 0;
+ }
 }
 # The following two versions of CMake in Debian obeyed CPPFLAGS, but
@@ -1167,6 +1193,7 @@ foreach my $file (@ARGV) {
 }
 # Option or auto detected.
+ my @harden_branch_flags;
 if ($arch) {
 # The following was partially copied from dpkg-dev 1.22.0
 # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
@@ -1195,6 +1222,7 @@ foreach my $file (@ARGV) {
 i386
 kfreebsd-amd64
 kfreebsd-i386
+ loong64
 mips
 mips64
 mips64el
@@ -1217,20 +1245,28 @@ foreach my $file (@ARGV) {
 );
 # Disable unsupported hardening options.
- if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/ or $cpu eq 'hppa') {
+ if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
+ $harden_pie = 0;
+ }
+ if ($os !~ /^(?:linux|kfreebsd|hurd)$/
+ or $cpu =~ /^(?:alpha|hppa|ia64)$/) {
 $harden_pie = 0;
 }
 if ($cpu =~ /^(?:ia64|alpha|hppa|nios2)$/ or $arch eq 'arm') {
 $harden_stack = 0;
 $harden_stack_strong = 0;
 }
+ if ($arch !~ /^(?:amd64|arm64|armhf|armel)$/) {
+ $harden_stack_clash = 0;
+ }
 if ($cpu =~ /^(?:ia64|hppa)$/) {
 $harden_relro = 0;
 $harden_bindnow = 0;
 }
-
- if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
- $harden_pie = 0;
+ if ($cpu eq 'amd64') {
+ @harden_branch_flags = @def_cflags_branch_amd64;
+ } elsif ($cpu eq 'arm64') {
+ @harden_branch_flags = @def_cflags_branch_arm64;
 }
 }
@@ -1252,6 +1288,10 @@ foreach my $file (@ARGV) {
 @cflags = (@cflags, @def_cflags_stack);
 @cxxflags = (@cxxflags, @def_cflags_stack);
 }
+ if ($harden_stack_clash) {
+ @cflags = (@cflags, @def_cflags_stack_clash);
+ @cxxflags = (@cxxflags, @def_cflags_stack_clash);
+ }
 if ($harden_fortify) {
 @cflags = (@cflags, @def_cflags_fortify);
 @cxxflags = (@cxxflags, @def_cflags_fortify);
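Review bot: `my @harden_branch_flags;` in the `@@ -1167,6 +1193,7 @@` hunk is the only piece of hardening state declared here without a comment, and the fact that it stays empty unless the `$cpu` chain further down fills it is not visible at the declaration. A comment such as `# CPU-specific branch-protection flags; empty unless $cpu is amd64 or arm64 (filled in below).` would document the contract that the later `$harden_branch and @harden_branch_flags` test depends on. The enclosing `foreach my $file (@ARGV)` loop starts outside the hunk.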
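Review bot: In the `@@ -1217,20 +1245,28 @@` hunk the `$arch !~ /^(?:amd64|arm64|armhf|armel)$/` mask sits inside `if ($arch)`, so on a log where no architecture is detected `$harden_stack_clash` keeps its default of 1 and `-fstack-clash-protection` is reported missing although dpkg-dev 1.22.0 adds it on those four architectures only; the stack-protector mask follows the same "assume supported" pattern, but there the unsupported set is the exception rather than the rule. If that is intended, a comment such as `# Unknown architecture: assume stack clash protection is expected, as for the other features.` would make the choice visible; otherwise `$harden_stack_clash = 0 unless $arch;` after the block follows dpkg-dev's default. Separately, branch protection is the only feature in this block not masked through its `$harden_*` variable: an `} else { $harden_branch = 0; }` on the `$cpu` chain would keep the feature flags the single source of truth, although the `@harden_branch_flags` guard at +1304 in the last hunk is still needed for the unknown-architecture case. The enclosing `foreach my $file (@ARGV)` loop starts outside the hunk.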
@@ -1261,6 +1301,10 @@ foreach my $file (@ARGV) {
 @cflags = (@cflags, @def_cflags_format);
 @cxxflags = (@cxxflags, @def_cflags_format);
 }
+ if ($harden_branch and @harden_branch_flags) {
+ @cflags = (@cflags, @harden_branch_flags);
+ @cxxflags = (@cxxflags, @harden_branch_flags);
+ }
 if ($harden_relro) {
 @ldflags = (@ldflags, @def_ldflags_relro);
 }