From 019d2b1c80b43bc7fa2a1df68ca3fa4f81569961 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Wed, 28 Feb 2024 12:42:54 +0100
Subject: [PATCH] Support branch protection

---
 NEWS | 3 +++
 bin/blhc | 24 ++++++++++++++++++++++++
 t/logs/arch-amd64 | 2 +-
 t/logs/debian-gcc-pie | 4 ++--
 t/tests.t | 6 +++---
 5 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index 5906b26..1e0944e 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ Version 0.XX
 (Debian Bugs #1043522 and #1054882).
 - Check for stack clash protection (-fstack-clash-protection); requested by
 Emanuele Rocca (Debian Bug #1050909).
+- Check for branch protection (amd64: -fcf-protection, arm64:
+ -mbranch-protection=standard); requested by Emanuele Rocca (Debian Bug
+ #1050912).
 Version 0.13
diff --git a/bin/blhc b/bin/blhc
index c444383..9b785b1 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -243,6 +243,12 @@ my @def_cflags_stack_clash = (
 my @def_cflags_pie = (
 '-fPIE',
 );
+my @def_cflags_branch_amd64 = (
+ '-fcf-protection',
+);
+my @def_cflags_branch_arm64 = (
+ '-mbranch-protection=standard',
+);
 my @def_cxxflags = (
 @def_cflags,
 );
@@ -285,6 +291,8 @@ my @flag_refs = (
 \@def_cflags_stack_bad,
 \@def_cflags_stack_clash,
 \@def_cflags_pie,
+ \@def_cflags_branch_amd64,
+ \@def_cflags_branch_arm64,
 \@def_cxxflags,
 \@def_cppflags,
 \@def_cppflags_fortify,
@@ -807,6 +815,7 @@ foreach my $file (@ARGV) {
 my $harden_stack = 1;
 my $harden_stack_strong = 1;
 my $harden_stack_clash = 1;
+ my $harden_branch = 1;
 my $harden_relro = 1;
 my $harden_bindnow = $option_bindnow; # defaults to 0
 my $harden_pie = $option_pie; # defaults to 0
@@ -862,6 +871,7 @@ foreach my $file (@ARGV) {
 my $disable = 1;
 my $disable_strong = 1;
 my $disable_clash = 1;
+ my $disable_branch = 1;
 if ($line =~ /\bdpkg-dev_(\S+)/) {
 if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
@@ -875,6 +885,7 @@ foreach my $file (@ARGV) {
 }
 if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
 $disable_clash = 0;
+ $disable_branch = 0;
 }
 }
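Review bot: `@def_cflags_branch_amd64` in the -243 hunk lists only the bare `-fcf-protection`, but GCC also accepts `-fcf-protection=full` (documented as equivalent to the bare flag) as well as the weaker `=branch`, `=return` and `=none` spellings, and the hunk does not show how the log-line matcher treats them. If matching is exact, a build that passes the explicit `=full` form is reported as missing the flag; if it is prefix-based, `-fcf-protection=none` would be accepted as hardened even though it disables the protection, so either way a test that pins the intended behaviour is worth adding. A comment on the array would also help readers, e.g. `# 'branch' hardening feature (dpkg-dev >= 1.22.0); GCC treats the bare flag as -fcf-protection=full`. The same consideration applies to `-mbranch-protection=standard` on arm64, where `=none` and `=pac-ret` are also valid spellings.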
@@ -892,6 +903,9 @@ foreach my $file (@ARGV) {
 if ($disable_clash) {
 $harden_stack_clash = 0;
 }
+ if ($disable_branch) {
+ $harden_branch = 0;
+ }
 }
 # The following two versions of CMake in Debian obeyed CPPFLAGS, but
@@ -1179,6 +1193,7 @@ foreach my $file (@ARGV) {
 }
 # Option or auto detected.
+ my @harden_branch_flags;
 if ($arch) {
 # The following was partially copied from dpkg-dev 1.22.0
 # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
@@ -1248,6 +1263,11 @@ foreach my $file (@ARGV) {
 $harden_relro = 0;
 $harden_bindnow = 0;
 }
+ if ($cpu eq 'amd64') {
+ @harden_branch_flags = @def_cflags_branch_amd64;
+ } elsif ($cpu eq 'arm64') {
+ @harden_branch_flags = @def_cflags_branch_arm64;
+ }
 }
 # Default values.
@@ -1281,6 +1301,10 @@ foreach my $file (@ARGV) {
 @cflags = (@cflags, @def_cflags_format);
 @cxxflags = (@cxxflags, @def_cflags_format);
 }
+ if ($harden_branch and @harden_branch_flags) {
+ @cflags = (@cflags, @harden_branch_flags);
+ @cxxflags = (@cxxflags, @harden_branch_flags);
+ }
 if ($harden_relro) {
 @ldflags = (@ldflags, @def_ldflags_relro);
 }
diff --git a/t/logs/arch-amd64 b/t/logs/arch-amd64
index f985d87..7719629 100644
--- a/t/logs/arch-amd64
+++ b/t/logs/arch-amd64
@@ -3,7 +3,7 @@ dpkg-buildpackage: host architecture amd64
 # all hardening options
-gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector-strong -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fcf-protection -fstack-protector-strong -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test test.o
 # missing flags
diff --git a/t/logs/debian-gcc-pie b/t/logs/debian-gcc-pie
index 132f9d3..0d46d28 100644
--- a/t/logs/debian-gcc-pie
+++ b/t/logs/debian-gcc-pie
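Review bot: `my @harden_branch_flags;` in the -1179 hunk is only ever assigned in the amd64/arm64 branches added in the -1248 hunk, so on a log with no detected architecture, or any other `$cpu`, the branch check is silently skipped even though `$harden_branch` starts at 1; that is presumably intended because the flags are arch-specific, but it differs from every other `$harden_*` toggle and deserves a comment at the declaration, e.g. `# Arch-specific; stays empty (check skipped) when no supported architecture is detected.` The `if ($arch)` block these lines belong to opens in the -1179 hunk and closes in the -1248 hunk, so the per-arch overrides between them are not visible here. In the -1281 hunk the flags are appended only to `@cflags` and `@cxxflags`, mirroring the `@def_cflags_format` handling just above; if the other language flag lists are not derived from `@cflags` elsewhere, confirm that is the intended coverage.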
@@ -1,5 +1,5 @@
 dpkg-buildpackage: source package foo package
 dpkg-buildpackage: host architecture amd64
-gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
-gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fcf-protection -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
+gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fcf-protection -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
diff --git a/t/tests.t b/t/tests.t
index 9ae22b0..5d9eb9b 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -104,7 +104,7 @@ is_blhc 'empty', '', 1,
 # ANSI colored output.
 is_blhc 'arch-amd64', '--color', 8,
-"\033[31mCFLAGS missing\033[0m (-fstack-protector-strong)\033[33m:\033[0m gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+"\033[31mCFLAGS missing\033[0m (-fstack-protector-strong -fcf-protection)\033[33m:\033[0m gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 \033[31mLDFLAGS missing\033[0m (-pie)\033[33m:\033[0m gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
 ";
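Review bot: The updated expectations in the -104 hunk (and the -1101 and -1115 hunks of the same file) only cover the amd64 `-fcf-protection` path; nothing in this patch exercises `-mbranch-protection=standard` on arm64 or a `dpkg-dev_` version below 1.22.0, where `$disable_branch` is meant to keep the new check off, so a regression in either would pass the suite unnoticed. If there is no arm64 log fixture yet, one modelled on `t/logs/arch-amd64` with and without the flag, plus a pre-1.22.0 log that must not report the flag as missing, would pin both behaviours.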
@@ -1101,7 +1101,7 @@ is_blhc ['arch-i386', 'arch-amd64', 'arch-hppa', 'ignore-flag'],
 "checking './t/logs/arch-i386'...
 LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
 checking './t/logs/arch-amd64'...
-CFLAGS missing (-fstack-protector-strong): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+CFLAGS missing (-fstack-protector-strong -fcf-protection): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
 checking './t/logs/arch-hppa'...
 checking './t/logs/ignore-flag'...
@@ -1115,7 +1115,7 @@ is_blhc ['arch-i386', 'arch-amd64', 'arch-hppa', 'ignore-line'],
 "checking './t/logs/arch-i386'...
 LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
 checking './t/logs/arch-amd64'...
-CFLAGS missing (-fstack-protector-strong): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+CFLAGS missing (-fstack-protector-strong -fcf-protection): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
 checking './t/logs/arch-hppa'...
 checking './t/logs/ignore-line'...
--
2.45.2