(Debian Bugs #1043522 and #1054882).
- Check for stack clash protection (-fstack-clash-protection); requested by
Emanuele Rocca (Debian Bug #1050909).
+- Check for branch protection (amd64: -fcf-protection, arm64:
+ -mbranch-protection=standard); requested by Emanuele Rocca (Debian Bug
+ #1050912).
Version 0.13
my @def_cflags_pie = (
'-fPIE',
);
+my @def_cflags_branch_amd64 = (
+ '-fcf-protection',
+);
+my @def_cflags_branch_arm64 = (
+ '-mbranch-protection=standard',
+);
my @def_cxxflags = (
@def_cflags,
);
\@def_cflags_stack_bad,
\@def_cflags_stack_clash,
\@def_cflags_pie,
+ \@def_cflags_branch_amd64,
+ \@def_cflags_branch_arm64,
\@def_cxxflags,
\@def_cppflags,
\@def_cppflags_fortify,
my $harden_stack = 1;
my $harden_stack_strong = 1;
my $harden_stack_clash = 1;
+ my $harden_branch = 1;
my $harden_relro = 1;
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
my $disable = 1;
my $disable_strong = 1;
my $disable_clash = 1;
+ my $disable_branch = 1;
if ($line =~ /\bdpkg-dev_(\S+)/) {
if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
}
if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
$disable_clash = 0;
+ $disable_branch = 0;
}
}
if ($disable_clash) {
$harden_stack_clash = 0;
}
+ if ($disable_branch) {
+ $harden_branch = 0;
+ }
}
# The following two versions of CMake in Debian obeyed CPPFLAGS, but
}
# Option or auto detected.
+ my @harden_branch_flags;
if ($arch) {
# The following was partially copied from dpkg-dev 1.22.0
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, set_build_features and
$harden_relro = 0;
$harden_bindnow = 0;
}
+ if ($cpu eq 'amd64') {
+ @harden_branch_flags = @def_cflags_branch_amd64;
+ } elsif ($cpu eq 'arm64') {
+ @harden_branch_flags = @def_cflags_branch_arm64;
+ }
}
# Default values.
@cflags = (@cflags, @def_cflags_format);
@cxxflags = (@cxxflags, @def_cflags_format);
}
+ if ($harden_branch and @harden_branch_flags) {
+ @cflags = (@cflags, @harden_branch_flags);
+ @cxxflags = (@cxxflags, @harden_branch_flags);
+ }
if ($harden_relro) {
@ldflags = (@ldflags, @def_ldflags_relro);
}
# all hardening options
-gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector-strong -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fcf-protection -fstack-protector-strong -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test test.o
# missing flags
dpkg-buildpackage: source package foo package
dpkg-buildpackage: host architecture amd64
-gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
-gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fcf-protection -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
+gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fcf-protection -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -o test test.c
# ANSI colored output.
is_blhc 'arch-amd64', '--color', 8,
- "\033[31mCFLAGS missing\033[0m (-fstack-protector-strong)\033[33m:\033[0m gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+ "\033[31mCFLAGS missing\033[0m (-fstack-protector-strong -fcf-protection)\033[33m:\033[0m gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
\033[31mLDFLAGS missing\033[0m (-pie)\033[33m:\033[0m gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
";
"checking './t/logs/arch-i386'...
LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
checking './t/logs/arch-amd64'...
-CFLAGS missing (-fstack-protector-strong): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+CFLAGS missing (-fstack-protector-strong -fcf-protection): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
checking './t/logs/arch-hppa'...
checking './t/logs/ignore-flag'...
"checking './t/logs/arch-i386'...
LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
checking './t/logs/arch-amd64'...
-CFLAGS missing (-fstack-protector-strong): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
+CFLAGS missing (-fstack-protector-strong -fcf-protection): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-clash-protection -Wformat -Wformat-security -Werror=format-security -Wall -c test.c
LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o
checking './t/logs/arch-hppa'...
checking './t/logs/ignore-line'...
ruderich.org/simon / blhc / blhc.git / commitdiff