Detect overwrite of -fstack-protector

diff --git a/MANIFEST b/MANIFEST
index 590b4161ffe379ede23212a8a0ddaf49acf443a1..d6a5c417b9330c7afbe66574b98ce2d3a7a054cf 100644 (file)
--- a/MANIFEST
+++ b/MANIFEST
@@ -15,6 +15,7 @@ t/logs/arch-ia64
 t/logs/arch-mipsel
 t/logs/bad
 t/logs/bad-cflags
 t/logs/arch-mipsel
 t/logs/bad
 t/logs/bad-cflags

+t/logs/bad-cflags-stackprotector

 t/logs/bad-cppflags
 t/logs/bad-ldflags
 t/logs/bad-library
 t/logs/bad-cppflags
 t/logs/bad-ldflags
 t/logs/bad-library

diff --git a/NEWS b/NEWS
index 1c8247f11a5eb97bac4409c72896cf237155cc53..47d3327503e2e18ab1a80314c39ed6e9ef6031ed 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ Version 0.XX
 - Detect restore of -D_FORTIFY_SOURCE=2 after it was overwritten by
   -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE; reported by Mike Hommey
   (Debian bug #898332).
 - Detect restore of -D_FORTIFY_SOURCE=2 after it was overwritten by
   -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE; reported by Mike Hommey
   (Debian bug #898332).

+- Detect overwrite of -fstack-protector options with -fno-stack-protector
+  (same for -fstack-protector-all and -fstack-protector-strong).

 
 
 Version 0.08
 
 
 Version 0.08

diff --git a/bin/blhc b/bin/blhc
index d56a6c079eb9cd641961f87f13efc609dee4b29f..c2a9d98f9b802494c49b9760f27f3afb6c476b29 100755 (executable)
--- a/bin/blhc
+++ b/bin/blhc
@@ -222,11 +222,17 @@ my @def_cflags_fortify = (
     # fortify needs at least -O1, but -O2 is recommended anyway
 );
 my @def_cflags_stack = (
     # fortify needs at least -O1, but -O2 is recommended anyway
 );
 my @def_cflags_stack = (

-    '-fstack-protector',
+    '-fstack-protector', # keep first, used by cflags_stack_broken()

     '--param[= ]ssp-buffer-size=4',
 );
 my @def_cflags_stack_strong = (
     '--param[= ]ssp-buffer-size=4',
 );
 my @def_cflags_stack_strong = (

-    '-fstack-protector-strong',
+    '-fstack-protector-strong', # keep first, used by cflags_stack_broken()
+);
+my @def_cflags_stack_bad = (
+    # Blacklist all stack protector options for simplicity.
+    '-fno-stack-protector',
+    '-fno-stack-protector-all',
+    '-fno-stack-protector-strong',

 );
 my @def_cflags_pie = (
     '-fPIE',
 );
 my @def_cflags_pie = (
     '-fPIE',


@@ -270,6 +276,7 @@ my @flag_refs = (
     \@def_cflags_fortify,
     \@def_cflags_stack,
     \@def_cflags_stack_strong,
     \@def_cflags_fortify,
     \@def_cflags_stack,
     \@def_cflags_stack_strong,

+    \@def_cflags_stack_bad,

     \@def_cflags_pie,
     \@def_cxxflags,
     \@def_cppflags,
     \@def_cflags_pie,
     \@def_cxxflags,
     \@def_cppflags,


@@ -471,6 +478,19 @@ sub cppflags_fortify_broken {
     return 1;
 }
 
     return 1;
 }
 

+sub cflags_stack_broken {
+    my ($line, $missing_flags, $strong) = @_;
+
+    my $flag = $strong ? $def_cflags_stack_strong[0]
+                       : $def_cflags_stack[0];
+
+    if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) {
+        return 0;
+    }
+    push @{$missing_flags}, $flag;
+    return 1;
+}
+

 # Modifies $missing_flags_ref array.
 sub pic_pie_conflict {
     my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
 # Modifies $missing_flags_ref array.
 sub pic_pie_conflict {
     my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;


@@ -1356,7 +1376,10 @@ LINE:
 
         # Check hardening flags.
         my @missing;
 
         # Check hardening flags.
         my @missing;

-        if ($compile and not all_flags_used($line, \@missing, @cflags)
+        if ($compile and (not all_flags_used($line, \@missing, @cflags)
+                    or (($harden_stack or $harden_stack_strong)
+                        and cflags_stack_broken($line, \@missing,
+                                                $harden_stack_strong)))

                 # Libraries linked with -fPIC don't have to (and can't) be
                 # linked with -fPIE as well. It's no error if only PIE flags
                 # are missing.
                 # Libraries linked with -fPIC don't have to (and can't) be
                 # linked with -fPIE as well. It's no error if only PIE flags
                 # are missing.

diff --git a/t/logs/bad-cflags-stackprotector b/t/logs/bad-cflags-stackprotector
new file mode 100644 (file)
index 0000000..ab460f2
--- /dev/null
+++ b/t/logs/bad-cflags-stackprotector
@@ -0,0 +1,5 @@
+dpkg-buildpackage: source package test
+
+gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector test-a.c
+gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-all test-a.c
+gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-strong test-a.c

diff --git a/t/logs/good b/t/logs/good
index f8f3f81d5494beb24a26d739a7856877c4381c5d..d4d3e7d4cab867a8c899c49cbc39079d08f8b7b5 100644 (file)
--- a/t/logs/good
+++ b/t/logs/good
@@ -54,3 +54,7 @@ gcc -U_FORTIFY_SOURCE   -g -O2 -fstack-protector-strong -Wformat -Werror=format-
 gcc -D_FORTIFY_SOURCE=0 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-e.c
 gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-f.c
 gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -c test-i.c
 gcc -D_FORTIFY_SOURCE=0 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-e.c
 gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-f.c
 gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -c test-i.c

+
+gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector -fstack-protector-strong test-a.c
+gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-all -fstack-protector-strong test-a.c
+gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-strong -fstack-protector-strong test-a.c

diff --git a/t/tests.t b/t/tests.t
index 5e7b7018a1364bcf26ebde31af20e9efaf39ecf5..f0b5f9982921dd3a4a304432dda3136bf3efaa71 100644 (file)
--- a/t/tests.t
+++ b/t/tests.t
@@ -19,7 +19,7 @@
 use strict;
 use warnings;
 
 use strict;
 use warnings;
 

-use Test::More tests => 234;
+use Test::More tests => 236;

 
 
 sub is_blhc {
 
 
 sub is_blhc {


@@ -492,6 +492,11 @@ CFLAGS missing (-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-se
 CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c)
 LDFLAGS missing (-fPIE -pie -Wl,-z,now): (gcc -Wl,-z,relro -o test.output test.c)
 ';
 CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c)
 LDFLAGS missing (-fPIE -pie -Wl,-z,now): (gcc -Wl,-z,relro -o test.output test.c)
 ';

+is_blhc 'bad-cflags-stackprotector', '', 8,
+        'CFLAGS missing (-fstack-protector-strong): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector test-a.c
+CFLAGS missing (-fstack-protector-strong): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-all test-a.c
+CFLAGS missing (-fstack-protector-strong): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-strong test-a.c
+';

 
 is_blhc 'bad-cppflags', '', 8,
         'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-a.c
 
 is_blhc 'bad-cppflags', '', 8,
         'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-a.c