From 5bba87ced3180480ea9d147b300517b79ac15136 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 7 Jul 2012 02:22:26 +0200 Subject: [PATCH 01/16] Use index() in a few more places. --- bin/blhc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/bin/blhc b/bin/blhc index 22ebd6f..57ea000 100755 --- a/bin/blhc +++ b/bin/blhc @@ -641,8 +641,8 @@ foreach my $file (@ARGV) { # only, doesn't use the dpkg-buildpackage header. Necessary to ignore # build logs which aren't built (wrong architecture, build error, # etc.). - if (not $arch and $line =~ /^Architecture: (.+)$/) { - $arch = $1; + if (not $arch and index($line, 'Architecture: ') == 0) { + $arch = substr $line, 14, -1; # -1 to ignore '\n' at the end } # dpkg-buildflags only provides hardening flags since 1.16.1, don't @@ -713,12 +713,13 @@ foreach my $file (@ARGV) { # And stop at the end of the build log. Package details (reported by # the buildd logs) are not important for us. This also prevents false # positives. - last if $line =~ /^Build finished at \d{8}-\d{4}$/; + last if index($line, 'Build finished at ') == 0 + and $line =~ /^Build finished at \d{8}-\d{4}$/; # Detect architecture automatically unless overridden. if (not $arch - and $line =~ /^dpkg-buildpackage: host architecture (.+)$/) { - $arch = $1; + and index($line, 'dpkg-buildpackage: host architecture ') == 0) { + $arch = substr $line, 37, -1; # -1 to ignore '\n' at the end } # Ignore compiler warnings for now. -- 2.45.2 From ebc38a8a974ddb3a3613be9cd3b61e5fc3d932f2 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 7 Jul 2012 18:21:02 +0200 Subject: [PATCH 02/16] Minor source documentation update. --- bin/blhc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/blhc b/bin/blhc index 57ea000..2f253bb 100755 --- a/bin/blhc +++ b/bin/blhc 
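Review bot: `substr $line, 14, -1` and `substr $line, 37, -1` hard-code the prefix lengths and assume every line ends in `\n`; a log whose last line has no trailing newline loses the final character of the architecture, and CRLF logs keep the `\r` (the old `(.+)$` match kept it too, so only the first is a regression). Deriving the offset from the prefix and trimming trailing whitespace removes both the magic number and the assumption: `my $prefix = 'Architecture: ';` … `($arch = substr $line, length $prefix) =~ s/\s+\z//;`. The same pattern is in this patch's second hunk (`dpkg-buildpackage: host architecture `) and again in patch 12's @@ -771 hunk, which builds on it. The enclosing per-line loop continues outside both hunks.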
@@ -430,8 +430,8 @@ sub is_non_verbose_build { $file = $1; if (index($next_line, $file) != -1 and $next_line =~ /$cc_regex/o) { - # We still have to skip the current line as it doesn't contain any - # compiler commands. + # Not a non-verbose line, but we still have to skip the current line + # as it doesn't contain any compiler commands. ${$skip_ref} = 1; return 0; } -- 2.45.2 From 388bdf91c4879a0212ac77840d2c3f016ff4b75b Mon Sep 17 00:00:00 2001 From: Nicolas Boulenguez Date: Sat, 7 Jul 2012 18:23:23 +0200 Subject: [PATCH 03/16] Ignore CPPFLAGS for Ada files. See http://bugs.debian.org/680117. --- bin/blhc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/blhc b/bin/blhc index 2f253bb..d276bc0 100755 --- a/bin/blhc +++ b/bin/blhc @@ -90,10 +90,14 @@ my @source_no_preprocess_compile = ( qw( mi ), # Fortran qw( f for ftn f90 f95 f03 f08 ), + # Ada body + qw( adb ), ); my @source_no_preprocess_no_compile = ( # Assembly qw( s ), + # Ada specification + qw( ads ), ); my @source_no_preprocess = ( @source_no_preprocess_compile, -- 2.45.2 From e703305cc4c2d1717d6b63987d13951910b682ce Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 7 Jul 2012 19:11:03 +0200 Subject: [PATCH 04/16] Prepare for multiple 'Build-Depends' checks. No behavioral changes. --- bin/blhc | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/bin/blhc b/bin/blhc index d276bc0..75888b8 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -686,17 +686,19 @@ foreach my $file (@ARGV) { } } - # If hardening wrapper is used (wraps calls to gcc and adds hardening - # flags automatically) we can't perform any checks, abort. - if (index($line, 'Build-Depends: ') == 0 - and $line =~ /\bhardening-wrapper\b/) { - if (not $option_buildd) { - error_hardening_wrapper(); - $exit |= $exit_code{hardening_wrapper}; - } else { - print "$buildd_tag{hardening_wrapper}||\n"; + if (index($line, 'Build-Depends: ') == 0) { + # If hardening wrapper is used (wraps calls to gcc and adds + # hardening flags automatically) we can't perform any checks, + # abort. + if ($line =~ /\bhardening-wrapper\b/) { + if (not $option_buildd) { + error_hardening_wrapper(); + $exit |= $exit_code{hardening_wrapper}; + } else { + print "$buildd_tag{hardening_wrapper}||\n"; + } + next FILE; } - next FILE; } # We skip over unimportant lines at the beginning of the log to -- 2.45.2 From 23020a59781f2a07a8d56053972d14c6d3cae2b3 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 7 Jul 2012 19:27:04 +0200 Subject: [PATCH 05/16] Ignore missing -Wformat -Werror=format-security for Ada files. Thanks to Nicolas Boulenguez for reporting this. See http://bugs.debian.org/680117 for details. --- MANIFEST | 1 + bin/blhc | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++--- t/logs/ada | 16 +++++++++++++ t/tests.t | 15 ++++++++++++- 4 files changed, 94 insertions(+), 4 deletions(-) create mode 100644 t/logs/ada diff --git a/MANIFEST b/MANIFEST index 1ef6dac..adebaab 100644 --- a/MANIFEST +++ b/MANIFEST @@ -6,6 +6,7 @@ META.json META.yml NEWS README +t/logs/ada t/logs/arch-amd64 t/logs/arch-avr32 t/logs/arch-i386 diff --git a/bin/blhc b/bin/blhc index 75888b8..e03ac28 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -81,6 +81,12 @@ my @source_no_preprocess_compile_cpp = ( # Objective-C++ qw( mii ), ); +my @source_no_preprocess_compile_ada = ( + # Ada body + qw( adb ), + # If you add another file, fix use of @source_no_preprocess_compile_ada + # below (search for $compile_ada). +); my @source_no_preprocess_compile = ( # C qw( i ), @@ -90,8 +96,8 @@ my @source_no_preprocess_compile = ( qw( mi ), # Fortran qw( f for ftn f90 f95 f03 f08 ), - # Ada body - qw( adb ), + # Ada + @source_no_preprocess_compile_ada, ); my @source_no_preprocess_no_compile = ( # Assembly @@ -287,6 +293,20 @@ my $option_color; # FUNCTIONS +# Only works for single-level arrays with no undef values. Thanks to perlfaq4. +sub array_equal { + my ($first_ref, $second_ref) = @_; + + return 0 if scalar @{$first_ref} != scalar @{$second_ref}; + + my $length = scalar @{$first_ref}; + for (my $i = 0; $i < $length; $i++) { + return 0 if $first_ref->[$i] ne $second_ref->[$i]; + } + + return 1; +} + sub error_flags { my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_; @@ -640,6 +660,11 @@ foreach my $file (@ARGV) { my $harden_bindnow = $option_bindnow; # defaults to 0 my $harden_pie = $option_pie; # defaults to 0 + # Does this build log use ada? Ada also uses gcc as compiler but uses + # different CFLAGS. But only perform ada checks if an ada compiler used + # for performance reasons. + my $ada = 0; + while (my $line = <$fh>) { # Detect architecture automatically unless overridden. For buildd logs # only, doesn't use the dpkg-buildpackage header. Necessary to ignore @@ -699,6 +724,11 @@ foreach my $file (@ARGV) { } next FILE; } + + # Ada compiler. + if ($line =~ /\bgnat\b/) { + $ada = 1; + } } # We skip over unimportant lines at the beginning of the log to 
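Review bot: `array_equal` uses a C-style `for` plus a separate `$length` where a range loop reads more directly: `for my $i (0 .. $#{$first_ref}) { return 0 if $first_ref->[$i] ne $second_ref->[$i]; }`, dropping the temporary. The header comment says undef elements are unsupported but nothing enforces it; `ne` on undef only warns, so such a caller gets a silent true/false rather than an error, which is worth stating as `# elements must be defined strings; undef only produces a warning` or guarding with `defined`. The helper has a single caller (this patch's @@ -1075 hunk) that uses it as an order-sensitive exact comparison against a one-element list, which is why the @@ -81 hunk needs its "fix use of ... below" warning.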
@@ -905,6 +935,22 @@ foreach my $file (@ARGV) { @ldflags = (@ldflags, @def_ldflags_bindnow); } + # Stores normal CFLAGS when @cflags_ada are temporarily used. + my @cflags_backup; + # Ada CFLAGS. + my @cflags_ada = @cflags; + # Ada doesn't support format hardening flags, see #680117 for more + # information. Filter them out if ada is used. + if ($ada and $harden_format) { + @cflags_ada = grep { + my $ok = 1; + foreach my $flag (@def_cflags_format) { + $ok = 0 if $_ eq $flag; + } + $ok; + } @cflags; + } + # Hack to fix cppflags_fortify_broken() if --ignore-flag # -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works # as long as @def_cppflags_fortify contains only one variable. @@ -1029,13 +1075,22 @@ LINE: } } + my $compile_cpp = 0; + my $compile_ada = 0; # Assume CXXFLAGS are required when a C++ file is specified in the # compiler line. - my $compile_cpp = 0; if ($compile and extension_found(\%extensions_compile_cpp, @extensions)) { $compile = 0; $compile_cpp = 1; + # Ada needs special CFLAGS, use them if only ada files are compiled. + } elsif ($ada + and $compile + and array_equal(\@extensions, + \@source_no_preprocess_compile_ada)) { + $compile_ada = 1; + @cflags_backup = @cflags; + @cflags = @cflags_ada; } if ($option_buildd) { @@ -1100,6 +1155,11 @@ LINE: $statistics{link_missing}++; } } + + # Restore normal CFLAGS. + if ($compile_ada) { + @cflags = @cflags_backup; + } } } diff --git a/t/logs/ada b/t/logs/ada new file mode 100644 index 0000000..bc801c2 --- /dev/null +++ b/t/logs/ada 
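Review bot: The Ada branch at @@ -1075 overwrites the shared `@cflags` with `@cflags_ada` and relies on the restore block at the end of the loop body (@@ -1155); if any `next LINE` or `last` sits between the two — the rest of the body is outside these hunks, so I cannot tell — every following line would be checked against the Ada set. Choosing the list at the point of use, `my @cflags_used = $compile_ada ? @cflags_ada : @cflags;`, needs no restore and drops `@cflags_backup` entirely. `array_equal(\@extensions, \@source_no_preprocess_compile_ada)` also succeeds only when `@extensions` is exactly `('adb')`; if `@extensions` can hold duplicates, or a second Ada extension is ever added, the line silently falls back to the normal CFLAGS and reports a missing `-Wformat`, which is exactly what the warning comment in the @@ -81 hunk has to guard against. A membership test states the intent directly: `my %is_ada_ext = map { $_ => 1 } @source_no_preprocess_compile_ada;` and `and @extensions and not grep { not $is_ada_ext{$_} } @extensions`. The format-flag filter at @@ -935 can likewise become a hash lookup, `my %is_format = map { $_ => 1 } @def_cflags_format; @cflags_ada = grep { not $is_format{$_} } @cflags;`.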
@@ -0,0 +1,16 @@ +Build-Depends: ..., gnat, gnat-4.6, ... + +dpkg-buildpackage: source package ada package + + +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-a.adb +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-b.adb +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-c.adb +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-d.ads + +/usr/bin/gcc-4.6 -shared -lgnat-4.6 -o libtest.so.2 test-a.o test-b.o test-c.o -Wl,-z,relro -Wl,--as-needed +/usr/bin/gcc-4.6 -shared -lgnat-4.6 -o libtest.so.2 test-a.o test-b.o test-c.o -Wl,--as-needed + +gcc -c -g -O2 test.c +gcc -g -O2 test.c diff --git a/t/tests.t b/t/tests.t index 0811ef7..0e1833e 100644 --- a/t/tests.t +++ b/t/tests.t @@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 194; +use Test::More tests => 196; sub is_blhc { @@ -748,6 +748,19 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++-4.6 -Wl,-z,defs -o tes '; +# ada + +is_blhc 'ada', '', 8, + 'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c +LDFLAGS missing (-Wl,-z,relro): /usr/bin/gcc-4.6 -shared -lgnat-4.6 -o libtest.so.2 test-a.o test-b.o test-c.o -Wl,--as-needed +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c -g -O2 test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -g -O2 test.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -g -O2 test.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 test.c +LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 test.c +'; + + # libtool is_blhc 'libtool', '--bindnow', 8, -- 2.45.2 
From fbfa7bab6a0c7f1705ca56a37b1ccc1d5d3c5288 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 8 Jul 2012 14:53:02 +0200 Subject: [PATCH 06/16] Always end functions with return. Found by perlcritic. --- bin/blhc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/bin/blhc b/bin/blhc index e03ac28..9525baa 100755 --- a/bin/blhc +++ b/bin/blhc @@ -319,6 +319,8 @@ sub error_flags { printf '%s (%s)%s %s', error_color($message, 'red'), $flags, error_color(':', 'yellow'), $line; + + return; } sub error_non_verbose_build { my ($line) = @_; @@ -327,6 +329,8 @@ sub error_non_verbose_build { error_color('NONVERBOSE BUILD', 'red'), error_color(':', 'yellow'), $line; + + return; } sub error_invalid_cmake { my ($version) = @_; @@ -335,12 +339,16 @@ sub error_invalid_cmake { error_color('INVALID CMAKE', 'red'), error_color(':', 'yellow'), $version; + + return; } sub error_hardening_wrapper { printf "%s%s %s\n", error_color('HARDENING WRAPPER', 'red'), error_color(':', 'yellow'), 'no checks possible, aborting'; + + return; } sub error_color { my ($message, $color) = @_; @@ -477,6 +485,8 @@ sub remove_flags { or not exists $removes{$flag_renames_ref->{$_}}) } @{$flags}; } + + return; } sub compile_flag_regexp { -- 2.45.2 From ab7bee2bcb8c8ad131cec611e67c0b93fba2d32b Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sun, 16 Sep 2012 18:58:06 +0200 Subject: [PATCH 07/16] Accept -Wformat=2 because it implies -Wformat. --- bin/blhc | 3 ++- t/logs/good | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/blhc b/bin/blhc index 9525baa..b77420d 100755 --- a/bin/blhc +++ b/bin/blhc @@ -182,7 +182,7 @@ my @def_cflags = ( '-O(?:2|3)', ); my @def_cflags_format = ( - '-Wformat', + '-Wformat(?:=2)?', # -Wformat=2 implies -Wformat, accept it too '-Werror=format-security', # implies -Wformat-security ); my @def_cflags_fortify = ( 
@@ -251,6 +251,7 @@ my @flag_refs_all = ( # stores string values of flag regexps above, see compile_flag_regexp(). my %flag_renames = ( '-O(?:2|3)' => '-O2', + '-Wformat(?:=2)?' => '-Wformat', '-Wl,(?:-z,)?relro' => '-Wl,-z,relro', '-Wl,(?:-z,)?now' => '-Wl,-z,now', ); diff --git a/t/logs/good b/t/logs/good index 0be962c..9837879 100644 --- a/t/logs/good +++ b/t/logs/good @@ -20,6 +20,9 @@ gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-s gcc -g -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest +# -Wformat=2 implies -Wformat. +gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat=2 -Werror=format-security -D_FORTIFY_SOURCE=2 -c test.c + # Compiling and linking in one step must also check CFLAGS/CPPFLAGS. gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o test test.c -ltest gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest -- 2.45.2 From 959cbe56d9b89868c42c2ae0082771eea8f31d1a Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 24 Sep 2012 13:24:01 +0200 Subject: [PATCH 08/16] Also accept --param ssp-buffer-size=4. Space instead of equals sign after --param. --- bin/blhc | 3 ++- t/logs/good | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/blhc b/bin/blhc index b77420d..c13f3b6 100755 --- a/bin/blhc +++ b/bin/blhc @@ -190,7 +190,7 @@ my @def_cflags_fortify = ( ); my @def_cflags_stack = ( '-fstack-protector', - '--param=ssp-buffer-size=4', + '--param[= ]ssp-buffer-size=4', ); my @def_cflags_pie = ( '-fPIE', 
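Review bot: `'--param[= ]ssp-buffer-size=4'` puts a literal space inside a character class, so the pattern now spans two command-line tokens; that only works as long as the flag regexes are applied to the whole line rather than to whitespace-split arguments, and nothing at the definition says so. A short comment on the line would protect it, e.g. `# '[= ]': --param may also be separated from its value by a space`. The fixture comment added to t/logs/good in this patch spells the option `--parm`.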
@@ -252,6 +252,7 @@ my @flag_refs_all = ( my %flag_renames = ( '-O(?:2|3)' => '-O2', '-Wformat(?:=2)?' => '-Wformat', + '--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4', '-Wl,(?:-z,)?relro' => '-Wl,-z,relro', '-Wl,(?:-z,)?now' => '-Wl,-z,now', ); diff --git a/t/logs/good b/t/logs/good index 9837879..a345c7b 100644 --- a/t/logs/good +++ b/t/logs/good @@ -27,6 +27,9 @@ gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat=2 -Werror=format gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o test test.c -ltest gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +# --parm=ssp-buffer-size=4 can also be written with a space. +gcc -g -O2 -fstack-protector --param ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test.c + g++ -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -o ./testProgram -Wl,-z,relro ../src/test/testProgram.cpp g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -pthread -Wl,-z,relro -o ../src/test/bin/test ../src/test/objs/test.o -- 2.45.2 From 6f81829798c6e302eb5ceea91ac4a41452754f98 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 24 Sep 2012 13:25:42 +0200 Subject: [PATCH 09/16] Fix indentation. No other changes. --- bin/blhc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/blhc b/bin/blhc index c13f3b6..4037750 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -250,11 +250,11 @@ my @flag_refs_all = ( # Renaming rules for the output so the regex parts are not visible. Also # stores string values of flag regexps above, see compile_flag_regexp(). my %flag_renames = ( - '-O(?:2|3)' => '-O2', - '-Wformat(?:=2)?' => '-Wformat', + '-O(?:2|3)' => '-O2', + '-Wformat(?:=2)?' => '-Wformat', '--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4', - '-Wl,(?:-z,)?relro' => '-Wl,-z,relro', - '-Wl,(?:-z,)?now' => '-Wl,-z,now', + '-Wl,(?:-z,)?relro' => '-Wl,-z,relro', + '-Wl,(?:-z,)?now' => '-Wl,-z,now', ); my %exit_code = ( -- 2.45.2 From 7c2d7bf70b579bfb7143b604f8246395c1cbc4d7 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 24 Sep 2012 15:38:06 +0200 Subject: [PATCH 10/16] Fix build dependency related checks for pbuilder build logs. This affects Ada and hardening-wrapper checks. --- MANIFEST | 2 ++ bin/blhc | 5 ++++- t/logs/ada-pbuilder | 17 +++++++++++++++++ t/logs/debian-hardening-wrapper-pbuilder | 9 +++++++++ t/tests.t | 14 +++++++++++--- 5 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 t/logs/ada-pbuilder create mode 100644 t/logs/debian-hardening-wrapper-pbuilder diff --git a/MANIFEST b/MANIFEST index adebaab..1b2b03d 100644 --- a/MANIFEST +++ b/MANIFEST @@ -7,6 +7,7 @@ META.yml NEWS README t/logs/ada +t/logs/ada-pbuilder t/logs/arch-amd64 t/logs/arch-avr32 t/logs/arch-i386 @@ -31,6 +32,7 @@ t/logs/debian-cmake t/logs/debian-cmake-2 t/logs/debian-cmake-ok t/logs/debian-hardening-wrapper +t/logs/debian-hardening-wrapper-pbuilder t/logs/empty t/logs/false-positives t/logs/g++ diff --git a/bin/blhc b/bin/blhc index 4037750..bfdcfc5 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -723,7 +723,10 @@ foreach my $file (@ARGV) { } } - if (index($line, 'Build-Depends: ') == 0) { + # Debian's build daemons use Build-Depends: for the build + # dependencies, but pbuilder just uses Depends:; support both. + if (index($line, 'Build-Depends: ') == 0 + or index($line, 'Depends: ') == 0) { # If hardening wrapper is used (wraps calls to gcc and adds # hardening flags automatically) we can't perform any checks, # abort. diff --git a/t/logs/ada-pbuilder b/t/logs/ada-pbuilder new file mode 100644 index 0000000..5b1e47a --- /dev/null +++ b/t/logs/ada-pbuilder @@ -0,0 +1,17 @@ +# pbuilder uses Depends: for the build dependencies. +Depends: ..., gnat, gnat-4.6, ... + +dpkg-buildpackage: source package ada package + + +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-a.adb +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-b.adb +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-c.adb +gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -gnatn -gnatw.eH test-d.ads + +/usr/bin/gcc-4.6 -shared -lgnat-4.6 -o libtest.so.2 test-a.o test-b.o test-c.o -Wl,-z,relro -Wl,--as-needed +/usr/bin/gcc-4.6 -shared -lgnat-4.6 -o libtest.so.2 test-a.o test-b.o test-c.o -Wl,--as-needed + +gcc -c -g -O2 test.c +gcc -g -O2 test.c diff --git a/t/logs/debian-hardening-wrapper-pbuilder b/t/logs/debian-hardening-wrapper-pbuilder new file mode 100644 index 0000000..97dae92 --- /dev/null +++ b/t/logs/debian-hardening-wrapper-pbuilder @@ -0,0 +1,9 @@ +# pbuilder uses Depends: for the build dependencies. +Depends: .., hardening-wrapper, ... + +dpkg-buildpackage: source package test + +gcc -g -O2 -c test-a.c +gcc -g -O2 -c test-b.c +gcc -g -O2 -c test-c.c +gcc -o test test-a.o test-b.o test-c.o -ltest 
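Review bot: `index($line, 'Depends: ') == 0` is a much broader prefix than `Build-Depends: `; any later column-0 `Depends:` line in a log now also feeds the hardening-wrapper check, which aborts the whole file via `next FILE`, and the `$ada` detection. Whether such lines can occur before this block stops running is not visible here; if the check is not already confined to the log header, gating the `Depends: ` form on "no compiler line seen yet" would keep the pbuilder fix from widening the match. The enclosing per-line loop continues outside the hunk.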
diff --git a/t/tests.t b/t/tests.t index 0e1833e..6b47757 100644 --- a/t/tests.t +++ b/t/tests.t @@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 196; +use Test::More tests => 202; sub is_blhc { @@ -750,8 +750,7 @@ LDFLAGS missing (-fPIE -pie -Wl,-z,relro -Wl,-z,now): g++-4.6 -Wl,-z,defs -o tes # ada -is_blhc 'ada', '', 8, - 'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c +my $ada = 'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc-4.6 -c -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c LDFLAGS missing (-Wl,-z,relro): /usr/bin/gcc-4.6 -shared -lgnat-4.6 -o libtest.so.2 test-a.o test-b.o test-c.o -Wl,--as-needed CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): gcc -c -g -O2 test.c CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -c -g -O2 test.c @@ -759,6 +758,10 @@ CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=for CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 test.c LDFLAGS missing (-Wl,-z,relro): gcc -g -O2 test.c '; +is_blhc 'ada', '', 8, + $ada; +is_blhc 'ada-pbuilder', '', 8, + $ada; # libtool @@ -871,6 +874,8 @@ my $debian_hardening_wrapper = '; is_blhc 'debian-hardening-wrapper', '', 16, $debian_hardening_wrapper; +is_blhc 'debian-hardening-wrapper-pbuilder', '', 16, + $debian_hardening_wrapper; # false positives @@ -903,6 +908,9 @@ is_blhc 'buildd-dpkg-dev-missing', '--buildd', 0, is_blhc 'debian-hardening-wrapper', '--buildd', 0, 'I-hardening-wrapper-used|| '; +is_blhc 'debian-hardening-wrapper-pbuilder', '--buildd', 0, + 'I-hardening-wrapper-used|| +'; is_blhc 'buildd-verbose-build', '--buildd', 0, 'W-compiler-flags-hidden|1 (of 5) hidden| -- 2.45.2 From 76236e46263e6d2cc6ed9451ae5ef1ff63711ba7 Mon Sep 17 00:00:00 2001 
From: Simon Ruderich Date: Tue, 25 Sep 2012 12:44:24 +0200 Subject: [PATCH 11/16] README: Document how build dependencies are extracted. --- README | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README b/README index 7b575b5..8944b54 100644 --- a/README +++ b/README @@ -100,6 +100,14 @@ following line (output of dpkg-buildpackage): The available hardening flags are adapted to the architecture because some architectures don't support certain hardening options. +Some checks (Ada and hardening-wrapper at the moment) check the build +dependencies for certain packages. The following lines are used to get the +build dependencies. The first is used in buildd build logs, the second by +pbuilder logs, both are detected: + + Build-Depends: ... + Depends: ... + LIMITATIONS ----------- -- 2.45.2 From 287e6f3e56eeed74465bada187f9f4b18c07eb91 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 29 Sep 2012 14:39:43 +0200 Subject: [PATCH 12/16] Detect architecture in old buildd logs which add an "is". E.g. dpkg-buildpackage: host architecture is ia64 --- MANIFEST | 1 + bin/blhc | 7 +++++++ t/logs/buildd-architecture-old | 8 ++++++++ t/tests.t | 8 +++++++- 4 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 t/logs/buildd-architecture-old diff --git a/MANIFEST b/MANIFEST index 1b2b03d..ff09898 100644 --- a/MANIFEST +++ b/MANIFEST @@ -19,6 +19,7 @@ t/logs/bad-cppflags t/logs/bad-ldflags t/logs/bad-library t/logs/bad-multiline +t/logs/buildd-architecture-old t/logs/buildd-dpkg-dev t/logs/buildd-dpkg-dev-missing t/logs/buildd-dpkg-dev-old diff --git a/bin/blhc b/bin/blhc index bfdcfc5..f2f0d6f 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -771,6 +771,13 @@ foreach my $file (@ARGV) { if (not $arch and index($line, 'dpkg-buildpackage: host architecture ') == 0) { $arch = substr $line, 37, -1; # -1 to ignore '\n' at the end + + # Old buildd logs use e.g. "host architecture is alpha", remove + # the "is", otherwise debarch_to_debtriplet() will not detect the + # architecture. + if (index($arch, 'is ') == 0) { + $arch = substr $arch, 3; + } } # Ignore compiler warnings for now. diff --git a/t/logs/buildd-architecture-old b/t/logs/buildd-architecture-old new file mode 100644 index 0000000..da7565c --- /dev/null +++ b/t/logs/buildd-architecture-old @@ -0,0 +1,8 @@ +dpkg-buildpackage: source package test +dpkg-buildpackage: host architecture is ia64 + +# Old buildd logs use "host architecture is ia64" (note the "is"). Detect the +# architecture correctly for those logs. + +gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -Wformat -Wformat-security -Werror=format-security -Wall -c test.c +gcc -fPIE -pie -o test test.o diff --git a/t/tests.t b/t/tests.t index 6b47757..f35e5ea 100644 --- a/t/tests.t +++ b/t/tests.t @@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 202; +use Test::More tests => 204; sub is_blhc { @@ -830,6 +830,12 @@ LDFLAGS missing (-pie -Wl,-z,relro): gcc -fPIE -o test test.o '; +# architecture in older buildd logs + +is_blhc 'buildd-architecture-old', '', 0, + ''; + + # ignore architecture is_blhc ['arch-avr32', 'arch-i386', 'empty', 'arch-mipsel'], -- 2.45.2 From e3d197b9a4f8aa60eaf053c7e3255fea2833e01c Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 4 Oct 2012 21:29:39 +0200 Subject: [PATCH 13/16] Handle more cases of `moc-qt4` and support `moc-qt5`. Fixes false positives. Thanks to Felix Geyer for informing me of this issue. For more information see Debian bug #689616. --- bin/blhc | 13 ++++++++----- t/logs/qt4 | 10 +++++++++- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/bin/blhc b/bin/blhc index f2f0d6f..01c0e02 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -852,12 +852,15 @@ foreach my $file (@ARGV) { [Cc]ompiler[\s.]*:?\s+ /x; next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o; - # `moc-qt4`, contains '-I/usr/share/qt4/mkspecs/linux-g++' (or - # similar for other architectures) which gets recognized as a - # compiler line. Ignore it. - next if $line =~ m{^/usr/bin/moc-qt4 + # `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command + # line (or similar for other architectures) which gets recognized + # as a compiler line, but `moc-qt*` is only a preprocessor for Qt + # C++ files. No hardening flags are relevant during this step, + # thus ignore `moc-qt*` lines. The resulting files will be + # compiled in a separate step (and therefore checked). + next if $line =~ m{^\S+/bin/moc-qt[45] \s.+\s - -I/usr/share/qt4/mkspecs/[a-z]+-g\++(?:-64)? + -I\S+/mkspecs/[a-z]+-g\++(?:-64)? \s}x; # Ignore false positives when the line contains only CC=gcc but no # other gcc command. diff --git a/t/logs/qt4 b/t/logs/qt4 index c707639..c5823bb 100644 --- a/t/logs/qt4 +++ b/t/logs/qt4 
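Review bot: `^\S+/bin/moc-qt[45]` still requires a directory prefix ending in `/bin/`, so a `moc-qt4` invoked through `$PATH` with no path is not skipped and — because its `-I.../mkspecs/linux-g++` argument is what trips the compiler detection — would still be reported; `^(?:\S+/)?moc-qt[45]` covers both forms. Separately, the comment added to t/logs/qt4 in this patch cites Debian bug #678616 while the commit message cites #689616; one of the two looks transposed. The enclosing per-line loop continues outside the hunk.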
@@ -1,8 +1,16 @@ dpkg-buildpackage: source package test -# Output by qt4 which should be ignored. +# `moc-qt4`/`moc-qt5` are preprocessors and don't require any hardening flags. /usr/bin/moc-qt4 -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4 -I/usr/include/qt4/QtDBus -I/include -I.. -I. -I. test.h -o moc_test.cpp /usr/bin/moc-qt4 -DQT_NO_DEBUG_OUTPUT -DAPP_VERSION=1.1 -DQT_USE_FAST_CONCATENATION -DQT_USE_FAST_OPERATOR_PLUS -DQT_NO_DEBUG -DQT_PHONON_LIB -DQT_DBUS_LIB -DQT_SQL_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/glibc-g++ -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtSql -I/usr/include/qt4/QtDBus -I/usr/include/qt4 -Ilocale -Ibuild/moc -o build/moc/moc_test.cpp /usr/bin/moc-qt4 -DQT_NO_DEBUG_OUTPUT -DAPP_VERSION=1.1 -DQT_USE_FAST_CONCATENATION -DQT_USE_FAST_OPERATOR_PLUS -DQT_NO_DEBUG -DQT_PHONON_LIB -DQT_DBUS_LIB -DQT_SQL_LIB -DQT_XML_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++-64 -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtNetwork -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtXml -I/usr/include/qt4/QtSql -I/usr/include/qt4/QtDBus -I/usr/include/qt4 -Ilocale -Ibuild/moc -o build/moc/moc_test.cpp + +# Tests for Debian bug #678616. + +/tmp/buildd/qt4-x11-4.8.3+dfsg/bin/moc-qt4 -DQT_OPENGL_SUPPORT -D_LARGEFILE64_SOURCE -D_LARGEFILE_SOURCE -DQT_NO_DEBUG -DQT_DECLARATIVE_LIB -DQT_SQL_LIB -DQT_XML_LIB -DQT_OPENGL_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_HAVE_SSE3 -DQT_HAVE_SSSE3 -DQT_HAVE_SSE4_1 -DQT_HAVE_SSE4_2 -DQT_HAVE_AVX -DQT_SHARED -I../../mkspecs/linux-g++-64 -I. 
-I../../include/QtCore -I../../include/QtNetwork -I../../include/QtGui -I../../include/QtOpenGL -I../../include/QtXml -I../../include/QtSql -I../../include/QtDeclarative -I../../include -I../../include/QtHelp -I/usr/X11R6/include -I/usr/X11R6/include -I.moc/release-shared demoitemanimation.h -o .moc/release-shared/moc_demoitemanimation.cpp + +/tmp/buildd/qtbase-opensource-src-5.0.0~beta1/bin/moc-qt5 -D_LARGEFILE64_SOURCE -D_LARGEFILE_SOURCE -DQT_NO_DEBUG -DQT_WIDGETS_LIB -DQT_GUI_LIB -DQT_CORE_LIB -I../../../../mkspecs/linux-g++-64 -I. -I../../../../include -I../../../../include/QtWidgets -I../../../../include/QtGui -I../../../../include/QtCore -I.moc/release-shared norwegianwoodstyle.h -o .moc/release-shared/moc_norwegianwoodstyle.cpp +/tmp/buildd/qtbase-opensource-src-5.0.0~beta1/bin/moc-qt5 -D_LARGEFILE64_SOURCE -D_LARGEFILE_SOURCE -DQT_NO_DEBUG -DQT_WIDGETS_LIB -DQT_GUI_LIB -DQT_CORE_LIB -I../../../../mkspecs/linux-g++-64 -I. -I../../../../include -I../../../../include/QtWidgets -I../../../../include/QtGui -I../../../../include/QtCore -I.moc/release-shared norwegianwoodstyle.h -o .moc/release-shared/moc_norwegianwoodstyle.cpp +/tmp/buildd/qtbase-opensource-src-5.0.0~beta1/bin/moc-qt5 -D_LARGEFILE64_SOURCE -D_LARGEFILE_SOURCE -DQT_NO_DEBUG -DQT_WIDGETS_LIB -DQT_GUI_LIB -DQT_CORE_LIB -I../../../../mkspecs/linux-g++-64 -I. -I../../../../include -I../../../../include/QtWidgets -I../../../../include/QtGui -I../../../../include/QtCore -I.moc/release-shared norwegianwoodstyle.h -o .moc/release-shared/moc_norwegianwoodstyle.cpp -- 2.45.2 From 3b0cee1e332ae137ad1efd3309e6be0cd1c37364 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 6 Oct 2012 12:46:37 +0200 Subject: [PATCH 14/16] NEWS: Add recent changes. --- NEWS | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/NEWS b/NEWS index 74e74f1..c45a233 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,24 @@ NEWS ==== +Version 0.XX +------------ + +- Fix many false positives, this includes compiled header files, lines with + only CC=gcc but no other compiler commands and `moc-qt4`/`moc-qt5` commands. +- Accept -Wformat=2 because it implies -Wformat. +- Accept --param ssp-buffer-size=4 (space instead of equals sign). +- Fix build dependency related checks (Ada, hardening-wrapper) for pbuilder + build logs. +- Fix architecture detection in old buildd build logs which use an additional + "is" in the "dpkg-buildpackage: host architecture" field. + +- Updated output in buildd mode. +- Only return non-zero exit codes for errors in buildd mode, not for warnings. +- Minor performance improvements. +- Support for Ada files. + + Version 0.03 ------------ -- 2.45.2 From 4c7a085e5317ed6bbc88d354c9c691c18714df06 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 28 Feb 2013 15:30:36 +0100 Subject: [PATCH 15/16] Fix false positive in kismet's build log. --- bin/blhc | 1 + t/logs/configure | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/bin/blhc b/bin/blhc index 01c0e02..1bdea29 100755 --- a/bin/blhc +++ b/bin/blhc @@ -440,6 +440,7 @@ sub is_non_verbose_build { # # C++ compiler setting. return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/; + return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/; # "Compiling" with no file name. if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) { # $file_extension_regex may need spaces around the filename. diff --git a/t/logs/configure b/t/logs/configure index 91cb354..5f45d19 100644 --- a/t/logs/configure +++ b/t/logs/configure 
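Review bot: `/^\s*C\+\+ Library: stdc\+\+$/` whitelists one exact configure line, so the same kismet summary with a different library value or one extra space is reported again. The line directly above already generalises the `C++ ...: yes|no` form; allowing any single-token value keeps this fix from being one-off, e.g. `return 0 if $line =~ /^\s*C\+\+ Library:\s+\S+\s*$/;`, and a comment naming the origin (`# kismet's configure summary`) explains why it is here. `is_non_verbose_build` continues outside the hunk.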
@@ -102,3 +102,22 @@ CC = cc CC=gcc CC_I386=$(CC) -m32 HOST_CC=gcc + +# From kismet. +Configuration complete: + Compiling for: linux-gnu (i486) + C++ Library: stdc++ + Installing as group: root + Man pages owned by: man + Installing into: /usr + Setuid group: kismet + Terminal Control: ncurses + Linux WEXT capture : yes + OSX/Darwin capture : n/a (only OSX/Darwin) + PCRE Regex Filters : yes + pcap capture: yes + airpcap control: n/a (only Cygwin/Win32) + PPI log format: yes +LibCapability (enhanced + privilege dropping): yes + Linux Netlink: yes (mac80211 VAP creation) - libnl-3.0 libnl-genl-3.0 -- 2.45.2 From 49540cde704094918ad460f476ef65edb1a3d4f0 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 28 Feb 2013 15:32:15 +0100 Subject: [PATCH 16/16] Update copyright year. --- Build.PL | 2 +- README | 2 +- bin/blhc | 6 +++--- t/tests.t | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Build.PL b/Build.PL index 9c733a6..83040f1 100644 --- a/Build.PL +++ b/Build.PL @@ -1,6 +1,6 @@ #!/usr/bin/perl -# Copyright (C) 2012 Simon Ruderich +# Copyright (C) 2012-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/README b/README index 8944b54..605ab68 100644 --- a/README +++ b/README @@ -168,7 +168,7 @@ LICENSE blhc is licensed under GPL version 3 or later. -Copyright (C) 2012 Simon Ruderich +Copyright (C) 2012-2013 Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/bin/blhc b/bin/blhc index 1bdea29..2506398 100755 --- a/bin/blhc +++ b/bin/blhc 
@@ -2,7 +2,7 @@ # Build log hardening check, checks build logs for missing hardening flags. -# Copyright (C) 2012 Simon Ruderich +# Copyright (C) 2012-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -566,7 +566,7 @@ if ($option_help) { Pod::Usage::pod2usage(1); } if ($option_version) { - print "blhc $VERSION Copyright (C) 2012 Simon Ruderich + print "blhc $VERSION Copyright (C) 2012-2013 Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1481,7 +1481,7 @@ Ejari.aalto@cante.netE for their valuable input and suggestions. =head1 LICENSE AND COPYRIGHT -Copyright (C) 2012 by Simon Ruderich +Copyright (C) 2012-2013 by Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/t/tests.t b/t/tests.t index f35e5ea..3fbdb3e 100644 --- a/t/tests.t +++ b/t/tests.t @@ -1,6 +1,6 @@ # Tests for blhc. # -# Copyright (C) 2012 Simon Ruderich +# Copyright (C) 2012-2013 Simon Ruderich # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -61,7 +61,7 @@ is_blhc '', '', 2, $usage; is_blhc '', '--version', 0, - 'blhc 0.03 Copyright (C) 2012 Simon Ruderich + 'blhc 0.03 Copyright (C) 2012-2013 Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- 2.45.2