# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2018 Simon Ruderich
+# Copyright (C) 2012-2019 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.08';
+our $VERSION = '0.09';
# CONSTANTS/VARIABLES
my $warning_regex = qr/^(.+?):(\d+):\d+: warning: (.+?) \[(.+?)\]$/;
# Regex to catch libtool commands and not lines which show commands executed
# by libtool (e.g. libtool: link: ...).
-my $libtool_regex = qr/\blibtool\s.*--mode=/;
+my $libtool_regex = qr/\blibtool["']?\s.*--mode=/;
my $libtool_link_regex = qr/\blibtool: link: /;
# List of source file extensions which require preprocessing.
# fortify needs at least -O1, but -O2 is recommended anyway
);
my @def_cflags_stack = (
- '-fstack-protector',
+ '-fstack-protector', # keep first, used by cflags_stack_broken()
'--param[= ]ssp-buffer-size=4',
);
my @def_cflags_stack_strong = (
- '-fstack-protector-strong',
+ '-fstack-protector-strong', # keep first, used by cflags_stack_broken()
+);
+my @def_cflags_stack_bad = (
+ # Blacklist all stack protector options for simplicity.
+ '-fno-stack-protector',
+ '-fno-stack-protector-all',
+ '-fno-stack-protector-strong',
);
my @def_cflags_pie = (
'-fPIE',
\@def_cflags_fortify,
\@def_cflags_stack,
\@def_cflags_stack_strong,
+ \@def_cflags_stack_bad,
\@def_cflags_pie,
\@def_cxxflags,
\@def_cppflags,
@{$missing_flags_ref} = @missing_flags;
return 0;
}
+# Check if any of \@bad_flags occurs after $good_flag. Doesn't check if
+# $good_flag is present.
+sub flag_overwritten {
+ my ($line, $good_flag, $bad_flags) = @_;
-sub cppflags_fortify_broken {
- my ($line, $missing_flags) = @_;
-
- if (not any_flags_used($line, @def_cppflags_fortify_bad)) {
+ if (not any_flags_used($line, @{$bad_flags})) {
return 0;
}
- # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
- my $fortify_source = $def_cppflags_fortify[0];
-
- # Some build systems enable/disable fortify source multiple times, check
- # the final result.
- my $disable_pos = 0;
- foreach my $flag (@def_cppflags_fortify_bad) {
+ my $bad_pos = 0;
+ foreach my $flag (@{$bad_flags}) {
while ($line =~ /$flag/g) {
- if ($disable_pos < $+[0]) {
- $disable_pos = $+[0];
+ if ($bad_pos < $+[0]) {
+ $bad_pos = $+[0];
}
}
}
- my $enable_pos = 0;
- while ($line =~ /$fortify_source/g) {
- $enable_pos = $+[0];
+ my $good_pos = 0;
+ while ($line =~ /$good_flag/g) {
+ $good_pos = $+[0];
}
- if ($enable_pos > $disable_pos) {
+ if ($good_pos > $bad_pos) {
return 0;
}
+ return 1;
+}
+
+sub cppflags_fortify_broken {
+ my ($line, $missing_flags) = @_;
+ # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
+ my $fortify_source = $def_cppflags_fortify[0];
+
+ # Some build systems enable/disable fortify source multiple times, check
+ # the final result.
+ if (not flag_overwritten($line,
+ $fortify_source,
+ \@def_cppflags_fortify_bad)) {
+ return 0;
+ }
push @{$missing_flags}, $fortify_source;
return 1;
}
+sub cflags_stack_broken {
+ my ($line, $missing_flags, $strong) = @_;
+
+ my $flag = $strong ? $def_cflags_stack_strong[0]
+ : $def_cflags_stack[0];
+
+ if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) {
+ return 0;
+ }
+ push @{$missing_flags}, $flag;
+ return 1;
+}
+
# Modifies $missing_flags_ref array.
sub pic_pie_conflict {
my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
# "Compiling" non binary files.
- return 0 if $line =~ /^\s*Compiling \S+\.(?:py|el)['"]?\s*(?:\.\.\.)?$/;
+ return 0 if $line =~ /^\s*Compiling \S+\.(?:py|pyx|el)['"]?\s*(?:\.\.\.|because it changed\.)?$/;
+ return 0 if $line =~ /^\s*[Cc]ompiling catalog \S+\.po\b/;
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
# $file_extension_regex may need spaces around the filename.
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2018 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2019 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
- # Does this build log use ada? Ada also uses gcc as compiler but uses
- # different CFLAGS. But only perform ada checks if an ada compiler is used
- # for performance reasons.
- my $ada = 0;
- # Fortran also requires different CFLAGS.
- my $fortran = 0;
-
# Number of parallel jobs to prevent false positives when detecting
# non-verbose builds. As not all jobs declare the number of parallel jobs
# use a large enough default.
}
next FILE;
}
-
- # Ada compiler.
- if ($line =~ /\bgnat\b/) {
- $ada = 1;
- }
- # Fortran compiler.
- if ($line =~ /\bgfortran\b/) {
- $fortran = 1;
- }
}
# This flags is not always available, but if it is use it.
# Detect architecture automatically unless overridden.
if (not $arch
+ and index($line, 'dpkg-buildpackage: info: host architecture ') == 0) {
+ $arch = substr $line, 43, -1; # -1 to ignore '\n' at the end
+ # Older versions of dpkg-buildpackage
+ } elsif (not $arch
and index($line, 'dpkg-buildpackage: host architecture ') == 0) {
$arch = substr $line, 37, -1; # -1 to ignore '\n' at the end
# treated as a normal compiler line.
next if $line =~ m{^\s*rm\s+};
# Some build systems emit "gcc > file".
- next if $line =~ m{$cc_regex_normal\s*>\s*\S+};
+ next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
+ # Hex output may contain "cc".
+ next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.19.0.5
+ # The following was partially copied from dpkg-dev 1.19.7
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
}
my %builtin_pie_arch = map { $_ => 1 } qw(
- amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386
- mips mipsel mips64el powerpc ppc64 ppc64el s390x sparc sparc64
+ amd64
+ arm64
+ armel
+ armhf
+ hurd-i386
+ i386
+ kfreebsd-amd64
+ kfreebsd-i386
+ mips
+ mipsel
+ mips64el
+ powerpc
+ ppc64
+ ppc64el
+ riscv64
+ s390x
+ sparc
+ sparc64
);
# Disable unsupported hardening options.
}
# Ada doesn't support format hardening flags, see #680117 for more
- # information. Same for fortran. Filter them out if either language is
- # used.
+ # information. Same for fortran.
my @cflags_backup;
- my @cflags_noformat;
- if (($ada or $fortran) and $harden_format) {
- @cflags_noformat = grep {
- my $ok = 1;
- foreach my $flag (@def_cflags_format) {
- $ok = 0 if $_ eq $flag;
- }
- $ok;
- } @cflags;
- }
+ my @cflags_noformat = grep {
+ my $ok = 1;
+ foreach my $flag (@def_cflags_format) {
+ $ok = 0 if $_ eq $flag;
+ }
+ $ok;
+ } @cflags;
# Hack to fix cppflags_fortify_broken() if --ignore-flag
# -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
and extension_found(\%extensions_compile_cpp, @extensions)) {
$compile = 0;
$compile_cpp = 1;
- # Ada needs special CFLAGS, use them if only ada files are compiled.
- } elsif ($ada
- and extension_found(\%extensions_ada, @extensions)) {
+ # Ada needs special CFLAGS
+ } elsif (extension_found(\%extensions_ada, @extensions)) {
$restore_cflags = 1;
$preprocess = 0; # Ada uses no CPPFLAGS
@cflags_backup = @cflags;
@cflags = @cflags_noformat;
- # Same for fortran.
- } elsif ($fortran
- and extension_found(\%extensions_fortran, @extensions)) {
+ # Same for fortran
+ } elsif (extension_found(\%extensions_fortran, @extensions)) {
$restore_cflags = 1;
@cflags_backup = @cflags;
@cflags = @cflags_noformat;
# Check hardening flags.
my @missing;
- if ($compile and not all_flags_used($line, \@missing, @cflags)
+ if ($compile and (not all_flags_used($line, \@missing, @cflags)
+ or (($harden_stack or $harden_stack_strong)
+ and cflags_stack_broken($line, \@missing,
+ $harden_stack_strong)))
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
# are missing.
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2018 by Simon Ruderich
+Copyright (C) 2012-2019 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
ruderich.org/simon / blhc / blhc.git / blobdiff