NEWS
====
+Version 0.XX
+------------
+
+- Detect restore of -D_FORTIFY_SOURCE=2 after it was overwritten by
+ -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE; reported by Mike Hommey
+ (Debian bug #898332).
+
+
Version 0.08
------------
sub cppflags_fortify_broken {
my ($line, $missing_flags) = @_;
- # This doesn't take the position into account, but is a simple solution.
- # And if the build system tries to force -D_FORTIFY_SOURCE=0/1, something
- # is wrong anyway.
-
- if (any_flags_used($line, @def_cppflags_fortify_bad)) {
- # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
- push @{$missing_flags}, $def_cppflags_fortify[0];
- return 1;
+ if (not any_flags_used($line, @def_cppflags_fortify_bad)) {
+ return 0;
}
- return 0;
+ # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
+ my $fortify_source = $def_cppflags_fortify[0];
+
+ # Some build systems enable/disable fortify source multiple times, check
+ # the final result.
+ my $disable_pos = 0;
+ foreach my $flag (@def_cppflags_fortify_bad) {
+ while ($line =~ /$flag/g) {
+ if ($disable_pos < $+[0]) {
+ $disable_pos = $+[0];
+ }
+ }
+ }
+ my $enable_pos = 0;
+ while ($line =~ /$fortify_source/g) {
+ $enable_pos = $+[0];
+ }
+ if ($enable_pos > $disable_pos) {
+ return 0;
+ }
+
+ push @{$missing_flags}, $fortify_source;
+ return 1;
}
# Modifies $missing_flags_ref array.
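Review bot: The two position scans, `while ($line =~ /$flag/g)` and `while ($line =~ /$fortify_source/g)`, interpolate the flag entries straight into a pattern, so what counts as a "restore" depends on how `@def_cppflags_fortify` and `@def_cppflags_fortify_bad` are defined, which is outside this hunk. If those entries are plain strings rather than precompiled patterns with token boundaries, `-D_FORTIFY_SOURCE=2` also matches inside a longer argument (for example a quoted value passed through another `-D`), and such a match after the last real disable makes the function return 0, so the checker reports an unhardened line as fine. Worth confirming, and if they are plain strings, anchoring the match, e.g. `while ($line =~ /(?:^|\s)\Q$fortify_source\E(?=\s|\z)/g)`. A one-line comment above the comparison would also record why position decides: `# -D/-U are processed in command-line order, so the last occurrence wins.`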
gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c test-b.c
gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=1 -c test-c.c
gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=0 -c test-d.c
-gcc -D_FORTIFY_SOURCE=0 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-e.c
-gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-f.c
gcc -U_FORTIFY_SOURCE -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c test-g.c
-gcc -U_FORTIFY_SOURCE -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-h.c
gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -c test-i.c
+gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -c test-i.c
+gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -D_FORTIFY_SOURCE=1 -c test-i.c
gcc -MM test.c > test.d
gcc -MM -MT test.d test.c
+
+gcc -U_FORTIFY_SOURCE -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-h.c
+gcc -D_FORTIFY_SOURCE=0 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-e.c
+gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-f.c
+gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -c test-i.c
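Review bot: The three new cases (the two lines added after the existing `test-i.c` entry and the last line of this hunk) all compile `test-i.c`, whereas every earlier case in this log has its own file name. Giving each new command line a distinct source name would let a mismatch in the expected output be traced to a single log line without comparing the full flag lists. The moved `test-e.c`, `test-f.c` and `test-h.c` lines already follow that convention.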
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c test-b.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=1 -c test-c.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=0 -c test-d.c
-CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=0 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-e.c
-CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-f.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -U_FORTIFY_SOURCE -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c test-g.c
-CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -U_FORTIFY_SOURCE -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-h.c
CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -c test-i.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -c test-i.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -D_FORTIFY_SOURCE=1 -c test-i.c
';
is_blhc 'bad-cppflags', '--ignore-flag -D_FORTIFY_SOURCE=2', 0,