From 5668edb1e7b4210adc381c847487861765486cf9 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Wed, 28 Feb 2024 10:50:32 +0100
Subject: [PATCH] Sync architecture specific hardening support with dpkg 1.22.5
---
 bin/blhc | 11 ++++++-----
 t/logs/arch-ia64 | 4 +---
 t/logs/buildd-gcc-pie-builtin-wrong-arch | 2 +-
 t/tests.t | 7 ++-----
 4 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/bin/blhc b/bin/blhc
index 26826f0..9040a08 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -1195,6 +1195,7 @@ foreach my $file (@ARGV) {
 i386
 kfreebsd-amd64
 kfreebsd-i386
+ loong64
 mips
 mips64
 mips64el
@@ -1217,7 +1218,11 @@ foreach my $file (@ARGV) {
 );
 # Disable unsupported hardening options.
- if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/ or $cpu eq 'hppa') {
+ if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
+ $harden_pie = 0;
+ }
+ if ($os !~ /^(?:linux|kfreebsd|hurd)$/
+ or $cpu =~ /^(?:alpha|hppa|ia64)$/) {
 $harden_pie = 0;
 }
 if ($cpu =~ /^(?:ia64|alpha|hppa|nios2)$/ or $arch eq 'arm') {
@@ -1228,10 +1233,6 @@ foreach my $file (@ARGV) {
 $harden_relro = 0;
 $harden_bindnow = 0;
 }
-
- if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
- $harden_pie = 0;
- }
 }
 # Default values.
diff --git a/t/logs/arch-ia64 b/t/logs/arch-ia64
index 173fe4d..07d0c7e 100644
--- a/t/logs/arch-ia64
+++ b/t/logs/arch-ia64
@@ -1,11 +1,9 @@
 dpkg-buildpackage: source package test
 dpkg-buildpackage: host architecture ia64
-# no stack protector and no relro,bindnow
+# no stack protector and no relro,bindnow and no pie
 gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 gcc -fPIE -pie -o test test.o
-
-# missing flags
 gcc -D_FORTIFY_SOURCE=2 -g -O2 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
 gcc -fPIE -o test test.o
diff --git a/t/logs/buildd-gcc-pie-builtin-wrong-arch b/t/logs/buildd-gcc-pie-builtin-wrong-arch
index af5d4fc..7d97cbb 100644
--- a/t/logs/buildd-gcc-pie-builtin-wrong-arch
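Review bot: In the second bin/blhc hunk the `# Disable unsupported hardening options.` comment now sits directly above the moved `$disable_harden_pie` check, which judging by the names handles compiler-builtin PIE rather than an unsupported option, and nothing in the code records which dpkg release the hard-coded OS/CPU lists mirror. These lists decide when blhc stays silent about missing `-fPIE`/`-pie` (after this change also on alpha and ia64, and on knetbsd since it was dropped from the OS pattern), so a stale list shows up as a false negative in an audit rather than as an error. I would give the first block its own comment, e.g. `# PIE is enabled by the compiler itself on these architectures, so no flags show up in the log.` (to be confirmed against where `%builtin_pie_arch` is defined), and put `# Architecture lists synced with dpkg 1.22.5; re-check when dpkg changes its hardening defaults.` above the conditions that follow. The enclosing `foreach my $file (@ARGV)` block starts and ends outside the hunk.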
+++ b/t/logs/buildd-gcc-pie-builtin-wrong-arch
@@ -1,5 +1,5 @@
 Toolchain package versions: ... dpkg-dev_1.18.15 ...
 dpkg-buildpackage: source package foo package
-dpkg-buildpackage: host architecture ia64
+dpkg-buildpackage: host architecture m68k
 gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
diff --git a/t/tests.t b/t/tests.t
index 4216c35..2314abf 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -905,11 +905,8 @@ LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
 is_blhc 'arch-i386', '', 8,
 $arch_i386;
-my $arch_ia64 =
- 'CFLAGS missing (-fPIE): gcc -D_FORTIFY_SOURCE=2 -g -O2 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
-LDFLAGS missing (-pie): gcc -fPIE -o test test.o
-';
-is_blhc 'arch-ia64', '', 8,
+my $arch_ia64 = '';
+is_blhc 'arch-ia64', '', 0,
 $arch_ia64;
 is_blhc 'arch-ia64', '--arch i386', 8,
--
2.45.2
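Review bot: Only the ia64 expectation is updated in the t/tests.t hunk, so the commit's other behavioural changes have no regression test in this patch: alpha added to the no-PIE CPU pattern, knetbsd dropped from the OS pattern, and loong64 added to `%builtin_pie_arch`. Whether existing fixtures already cover them is not visible from here. Since a wrong list makes the checker pass silently, I would add at least an `arch-alpha` log checked the same way as the ia64 pair, i.e. `is_blhc 'arch-alpha', '', 0, '';` plus an `--arch i386` run on the same log that expects the missing-flag report. As a smaller style point, `my $arch_ia64 = '';` is now only a placeholder and could be passed as a literal `''` if the variable is not reused below the hunk.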