Release 0.03.

[blhc/blhc.git] / bin / blhc

diff --git a/bin/blhc b/bin/blhc
index 0d66b78b88dbbe89ae4ddbea31491d1c239b747c..712d16cb7d37c7cb24f5ab5d0274304b06b46d7e 100755 (executable)
--- a/bin/blhc
+++ b/bin/blhc
@@ -24,7 +24,7 @@ use warnings;
 use Getopt::Long ();
 use Text::ParseWords ();
 
-our $VERSION = '0.02';
+our $VERSION = '0.03';
 
 
 # CONSTANTS/VARIABLES
@@ -171,7 +171,14 @@ my @def_cxxflags = (
 # @def_cxxflags_* is the same as @def_cflags_*.
 my @def_cppflags = ();
 my @def_cppflags_fortify = (
-    '-D_FORTIFY_SOURCE=2',
+    '-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
+    # If you add another flag fix hack below (search for "Hack to fix").
+);
+my @def_cppflags_fortify_bad = (
+    # These flags may overwrite -D_FORTIFY_SOURCE=2.
+    '-U_FORTIFY_SOURCE',
+    '-D_FORTIFY_SOURCE=0',
+    '-D_FORTIFY_SOURCE=1',
 );
 my @def_ldflags = ();
 my @def_ldflags_relro = (
@@ -189,7 +196,7 @@ my @def_ldflags_pic = (
     '-fpic',
     '-shared',
 );
-# References to all flags checked by the parser.
+# References to all flags checked by the flag checker.
 my @flag_refs = (
     \@def_cflags,
     \@def_cflags_format,
@@ -207,6 +214,7 @@ my @flag_refs = (
 # References to all used flags.
 my @flag_refs_all = (
     @flag_refs,
+    \@def_cppflags_fortify_bad,
     \@def_ldflags_pic,
 );
 # Renaming rules for the output so the regex parts are not visible. Also
@@ -325,6 +333,22 @@ sub all_flags_used {
     return 0;
 }
 
+sub cppflags_fortify_broken {
+    my ($line, $missing_flags) = @_;
+
+    # This doesn't take the position into account, but is a simple solution.
+    # And if the build system tries to force -D_FORTIFY_SOURCE=0/1, something
+    # is wrong anyway.
+
+    if (any_flags_used($line, @def_cppflags_fortify_bad)) {
+        # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
+        push @{$missing_flags}, $def_cppflags_fortify[0];
+        return 1;
+    }
+
+    return 0;
+}
+
 # Modifies $missing_flags_ref array.
 sub pic_pie_conflict {
     my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
@@ -840,6 +864,13 @@ foreach my $file (@ARGV) {
         @ldflags = (@ldflags, @def_ldflags_bindnow);
     }
 
+    # Hack to fix cppflags_fortify_broken() if --ignore-flag
+    # -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
+    # as long as @def_cppflags_fortify contains only one variable.
+    if (scalar @def_cppflags_fortify == 0) {
+        $harden_fortify = 0;
+    }
+
     # Ignore flags for this arch if requested.
     if ($arch and exists $option_ignore_arch_flag{$arch}) {
         my @flag_refs = (\@cflags, \@cxxflags, \@cppflags, \@ldflags);
@@ -990,7 +1021,11 @@ LINE:
             }
             $exit |= $exit_code{flags_missing};
         }
-        if ($preprocess and not all_flags_used($line, \@missing, @cppflags)
+        if ($preprocess
+                and (not all_flags_used($line, \@missing, @cppflags)
+                    # The fortify flag might be overwritten, detect that.
+                     or ($harden_fortify
+                         and cppflags_fortify_broken($line, \@missing)))
                 # Assume dpkg-buildflags returns the correct flags.
                 and index($line, '`dpkg-buildflags --get CPPFLAGS`') == -1) {
             if (not $option_buildd) {
@@ -1074,6 +1109,8 @@ It's designed to check build logs generated by Debian's dpkg-buildpackage (or
 tools using dpkg-buildpackage like pbuilder or the official buildd build logs)
 to help maintainers detect missing hardening flags in their packages.
 
+If there's no output, no flags are missing and the build log is fine.
+
 =head1 OPTIONS
 
 =over 8
@@ -1175,6 +1212,8 @@ Normal usage, parse a single log file.
 
     blhc path/to/log/file
 
+If there's no output, no flags are missing and the build log is fine.
+
 Parse multiple log files. The exit code is ORed over all files.
 
     blhc path/to/directory/with/log/files/*