use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.08';
+our $VERSION = '0.09';
# CONSTANTS/VARIABLES
# fortify needs at least -O1, but -O2 is recommended anyway
);
my @def_cflags_stack = (
- '-fstack-protector',
+ '-fstack-protector', # keep first, used by cflags_stack_broken()
'--param[= ]ssp-buffer-size=4',
);
my @def_cflags_stack_strong = (
- '-fstack-protector-strong',
+ '-fstack-protector-strong', # keep first, used by cflags_stack_broken()
+);
+my @def_cflags_stack_bad = (
+ # Blacklist all stack protector options for simplicity.
+ '-fno-stack-protector',
+ '-fno-stack-protector-all',
+ '-fno-stack-protector-strong',
);
my @def_cflags_pie = (
'-fPIE',
\@def_cflags_fortify,
\@def_cflags_stack,
\@def_cflags_stack_strong,
+ \@def_cflags_stack_bad,
\@def_cflags_pie,
\@def_cxxflags,
\@def_cppflags,
return 1;
}
+sub cflags_stack_broken {
+ my ($line, $missing_flags, $strong) = @_;
+
+ my $flag = $strong ? $def_cflags_stack_strong[0]
+ : $def_cflags_stack[0];
+
+ if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) {
+ return 0;
+ }
+ push @{$missing_flags}, $flag;
+ return 1;
+}
+
# Modifies $missing_flags_ref array.
sub pic_pie_conflict {
my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
# treated as a normal compiler line.
next if $line =~ m{^\s*rm\s+};
# Some build systems emit "gcc > file".
- next if $line =~ m{$cc_regex_normal\s*>\s*\S+};
+ next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
+ # Hex output may contain "cc".
+ next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.19.0.5
+ # The following was partially copied from dpkg-dev 1.19.5
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
}
my %builtin_pie_arch = map { $_ => 1 } qw(
- amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386
- mips mipsel mips64el powerpc ppc64 ppc64el s390x sparc sparc64
+ amd64
+ arm64
+ armel
+ armhf
+ hurd-i386
+ i386
+ kfreebsd-amd64
+ kfreebsd-i386
+ mips
+ mipsel
+ mips64el
+ powerpc
+ ppc64
+ ppc64el
+ riscv64
+ s390x
+ sparc
+ sparc64
);
# Disable unsupported hardening options.
# Check hardening flags.
my @missing;
- if ($compile and not all_flags_used($line, \@missing, @cflags)
+ if ($compile and (not all_flags_used($line, \@missing, @cflags)
+ or (($harden_stack or $harden_stack_strong)
+ and cflags_stack_broken($line, \@missing,
+ $harden_stack_strong)))
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
# are missing.