From ae5da64f4f6f53ca3eb055d2124988847b2e8d50 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 25 Jun 2012 03:23:49 +0200 Subject: [PATCH] Handle compiled headers (.h.gch). This change also reduces the number of false positives drastically, but may introduce false negatives if unusual file extensions are used when linking. However checking for missing LDFLAGS (e.g. -Wl,-z,relro etc.) is already handled by lintian with good accuracy, so this shouldn't be a problem. --- bin/blhc | 30 ++++++++++++++++++++++++++++-- t/logs/bad-ldflags | 3 +++ t/logs/libtool | 3 +++ t/tests.t | 12 ++++++++++++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/bin/blhc b/bin/blhc index c84c9d2..704d323 100755 --- a/bin/blhc +++ b/bin/blhc @@ -102,6 +102,17 @@ my @header_preprocess = ( # C++ qw( hh H hp hxx hpp HPP h++ tcc ), ); +# Object files. +my @object = ( + # Normal object files. + qw ( o ), + # Libtool object files. + qw ( lo la ), + # Dynamic libraries. bzip2 uses .sho. + qw ( so sho ), + # Static libraries. + qw ( a ), +); # Hashes for fast extensions lookup to check if a file falls in one of these # categories. @@ -128,10 +139,14 @@ my %extensions_compile_cpp = map { $_ => 1 } ( @source_preprocess_compile_cpp, @source_no_preprocess_compile_cpp, ); +my %extensions_object = map { $_ => 1 } ( + @object, +); my %extension = map { $_ => 1 } ( @source_no_preprocess, @header_preprocess, @source_preprocess, + @object, ); # Regexp to match file extensions. @@ -963,11 +978,11 @@ LINE: $preprocess = 1; } + if (not $flag_preprocess) { # If there are source files then it's compiling/linking in one step # and we must check both. We only check for source files here, because # header files cause too many false positives. - if (not $flag_preprocess - and extension_found(\%extensions_compile_link, @extensions)) { + if (extension_found(\%extensions_compile_link, @extensions)) { # Assembly files don't need CFLAGS. if (not extension_found(\%extensions_compile, @extensions) and extension_found(\%extensions_no_compile, @extensions)) { @@ -976,6 +991,17 @@ LINE: } else { $compile = 1; } + # No compilable extensions found, either linking or compiling + # header flags. + # + # If there are also no object files we are just compiling headers + # (.h -> .h.gch). Don't check for linker flags in this case. Due + # to our liberal checks for compiler lines, this also reduces the + # number of false positives considerably. + } elsif ($link + and not extension_found(\%extensions_object, @extensions)) { + $link = 0; + } } # Assume CXXFLAGS are required when a C++ file is specified in the diff --git a/t/logs/bad-ldflags b/t/logs/bad-ldflags index 969ccfa..de5ebb7 100644 --- a/t/logs/bad-ldflags +++ b/t/logs/bad-ldflags @@ -4,3 +4,6 @@ gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-securit gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c gcc -o test test-a.o test-b.o test-c.o -ltest + +gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o +gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o test.h diff --git a/t/logs/libtool b/t/logs/libtool index 3849e6f..fb0c30c 100644 --- a/t/logs/libtool +++ b/t/logs/libtool @@ -31,3 +31,6 @@ libtool: install: /usr/bin/install -c ... /bin/bash ../../libtool --mode=install /usr/bin/install -c ... /bin/bash ../../libtool --mode=install /usr/bin/install -c ... /bin/bash ../../../libtool --mode=install /usr/bin/install -c ... + +/bin/sh ../libtool --mode=link gcc -Wl,-z,relro -o libtest.la test.h test-a.lo test-b.lo test-c.lo test-d.la +/bin/sh ../libtool --mode=link gcc -o libtest.la test.h test-a.lo test-b.lo test-c.lo test-d.la diff --git a/t/tests.t b/t/tests.t index a24b7db..0811ef7 100644 --- a/t/tests.t +++ b/t/tests.t @@ -527,6 +527,8 @@ is_blhc 'bad-cppflags', '--ignore-flag -D_FORTIFY_SOURCE=2', 0, my $bad_ldflags = 'LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest +LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o +LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o test.h '; is_blhc 'bad-ldflags', '', 8, $bad_ldflags; @@ -535,15 +537,21 @@ is_blhc 'bad-ldflags', '--pie', 8, CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest +LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o +LDFLAGS missing (-fPIE -pie -Wl,-z,relro): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o test.h '; is_blhc 'bad-ldflags', '--bindnow', 8, 'LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest +LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o +LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o test.h '; is_blhc 'bad-ldflags', '--pie --bindnow', 8, 'CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o test test-a.o test-b.o test-c.o test.h '; is_blhc 'bad-multiline', '', 8, @@ -764,6 +772,10 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,now): gcc -g -O2 -fstack-protector --param=ss CFLAGS missing (-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/sh ../libtool --mode=link gcc -Wl,-z,relro -o libtest.la test.h test-a.lo test-b.lo test-c.lo test-d.la +LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/sh ../libtool --mode=link gcc -Wl,-z,relro -o libtest.la test.h test-a.lo test-b.lo test-c.lo test-d.la +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/sh ../libtool --mode=link gcc -o libtest.la test.h test-a.lo test-b.lo test-c.lo test-d.la +LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): /bin/sh ../libtool --mode=link gcc -o libtest.la test.h test-a.lo test-b.lo test-c.lo test-d.la '; -- 2.45.2