Disable checks for -O2 for those lines.
Fixes Debian bug #714628, reported by Matthias Klose. Thanks.
t/logs/debian-hardening-wrapper
t/logs/debian-hardening-wrapper-old-build-depends
t/logs/debian-hardening-wrapper-pbuilder
+t/logs/debug-build
t/logs/dpkg-buildpackage-architecture-old
t/logs/empty
t/logs/false-positives
Fritsch.
- Sync architecture specific hardening support with dpkg 1.17.1.
+- Consider lines with -O0 or -Og debug builds and disable checks for -O2
+ (Debian bug #714628), reported by Matthias Klose.
Version 0.04
dpkp-buildpackage but still want to check a build log, adding it as first line
should work fine.
+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+
The following non-verbose builds can't be detected:
gcc -o test
# real regexps below for better execution speed).
my @def_cflags = (
'-g',
- '-O(?:2|3)',
+ '-O(?:2|3)', # keep at index 1, search for @def_cflags_debug to change it
+);
+my @def_cflags_debug = (
+ # These flags indicate a debug build which disables checks for -O2.
+ '-O0',
+ '-Og',
);
my @def_cflags_format = (
'-Wformat(?:=2)?', # -Wformat=2 implies -Wformat, accept it too
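Review bot: The new comment on `'-O(?:2|3)'` pins the pattern to index 1 of @def_cflags because the debug-build hunk further down calls `remove_flags([\@cflags], \%flag_renames, $def_cflags[1])`; a positional dependency between two places in the file breaks silently the moment someone reorders or extends @def_cflags. Naming the pattern once avoids both the comment and the index: `my $def_cflags_optimize = '-O(?:2|3)';`, then `my @def_cflags = ('-g', $def_cflags_optimize);` here and `remove_flags([\@cflags], \%flag_renames, $def_cflags_optimize);` in the debug-build hunk. Note also that the README hunk in this commit spells the first debug flag `'-OO'` (two capital letters) while @def_cflags_debug matches `'-O0'`; the README should say `'-O0'` so readers grep for the flag that is actually matched.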
# References to all used flags.
my @flag_refs_all = (
@flag_refs,
+ \@def_cflags_debug,
\@def_cppflags_fortify_bad,
\@def_ldflags_pic,
);
return 1;
}
-# Remove @flags from $flag_refs_ref, and $flag_renames_ref.
+# Remove @flags from $flag_refs_ref, uses $flag_renames_ref as reference.
sub remove_flags {
my ($flag_refs_ref, $flag_renames_ref, @flags) = @_;
$statistics{link}++ if $link;
}
+ # Check if there are flags indicating a debug build. If that's true,
+ # skip the check for -O2. This prevents fortification, but that's fine
+ # for a debug build.
+ if (any_flags_used($line, @def_cflags_debug)) {
+ remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);
+ }
+
# Check hardening flags.
my @missing;
if ($compile and not all_flags_used($line, \@missing, @cflags)
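Review bot: The new debug-build branch removes the -O2 pattern from @cflags in place, and @cflags is declared outside this hunk; if it is a per-log array rather than a copy taken for each compiler line, the removal persists and every later non-debug line in the same log is silently no longer checked for -O2, turning a single -O0 line into a blanket exemption. Please confirm that @cflags is re-initialised from @def_cflags for each line, or otherwise operate on a local copy: `my @line_cflags = @cflags; remove_flags([\@line_cflags], \%flag_renames, $def_cflags[1]);` and pass `@line_cflags` to all_flags_used below. The check also tests only presence: gcc honours the last -O level given on a command line, so a line such as `-O0 ... -O2` is an optimised build yet is exempted here; a comment recording that the order of optimisation flags is deliberately ignored would at least make that a documented choice rather than an accident. The enclosing per-line loop begins before and ends after this hunk.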
--- /dev/null
+dpkg-buildpackage: source package test
+
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
use strict;
use warnings;
-use Test::More tests => 212;
+use Test::More tests => 214;
sub is_blhc {
';
+# handle debug builds
+
+is_blhc 'debug-build', '', 0, '';
+
+
# configure/make
is_blhc 'configure', '', 1,
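Review bot: `is_blhc 'debug-build', '', 0, ''` only asserts that fully hardened -O0/-Og lines produce no warning; nothing in the new fixture t/logs/debug-build exercises a debug line that is missing another hardening flag, so a regression that skipped all checks for debug builds instead of only the -O2 check would still pass this test. Adding one compiler line without -fstack-protector to the fixture and expecting the corresponding warning in the output would pin that the exemption is limited to -O2; the exact expected output string should follow the format used by the existing tests in this file. The tests => 214 count in the first hunk of this file would then need a matching bump.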