From: Simon Ruderich
Date: Mon, 14 Sep 2015 22:22:00 +0000 (+0200)
Subject: fix false positive with `gcc -v`
X-Git-Tag: 0.06~9
X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=commitdiff_plain;h=78f7218d807b87ede58fca00ca672ce597e2145e;hp=5dd19bb96effb0b40c26bb669dd0f8ef176ebf40

fix false positive with `gcc -v`

Fixes Debian Bug #765756, reported by Andreas Beckmann.
---
diff --git a/NEWS b/NEWS
index a3dffc8..818a4fc 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ Version 0.XX
 - Sync architecture specific hardening support with dpkg 1.18.2.
 - Fix false positive in "libtool: link: g++ -include test.h .." (Debian Bug #784959), reported by Raphaël Hertzog.
+- Fix false positive with `gcc -v` (Debian Bug #765756), reported by Andreas
+  Beckmann.
 Version 0.05
diff --git a/bin/blhc b/bin/blhc
index 0c2ba90..cc4f44b 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -38,8 +38,11 @@ my $cc_regex = qr/
     /x;
 # Full regex which matches the complete compiler name. Used in a few places to
 # prevent false negatives.
+my $cc_regex_full_prefix = qr/
+    [a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?
+    /x;
 my $cc_regex_full = qr/
-    (?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
+    (?:$cc_regex_full_prefix-)?
     $cc_regex
     /x;
 # Regex to check if a line contains a compiler command.
@@ -943,6 +946,12 @@ foreach my $file (@ARGV) {
             next if not $before =~ /$cc_regex_normal/o
                     and not $after =~ /$cc_regex_normal/o;
         }
+        # Ignore false positives caused by gcc -v. It outputs a line
+        # looking like a normal compiler line but which is sometimes
+        # missing hardening flags, although the normal compiler line
+        # contains them.
+        next if $line =~ m{^\s+/usr/lib/gcc/$cc_regex_full_prefix/
+                           [0-9.]+/cc1(?:plus)?}xo;
         # Check if additional hardening options were used. Used to ensure
         # they are used for the complete build.
diff --git a/t/logs/false-positives b/t/logs/false-positives
index 35e71e9..b0ac298 100644
--- a/t/logs/false-positives
+++ b/t/logs/false-positives
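Review bot: The comment `# Full regex which matches the complete compiler name. Used in a few places to prevent false negatives.` now sits directly above the new `$cc_regex_full_prefix` declaration although it describes `$cc_regex_full`, so the prefix regex is left without a comment of its own. I would add above the new `qr//` a line such as `# Target triplet prefix of a cross compiler, e.g. x86_64-linux-gnu or arm-linux-gnueabihf; only gnu, gnueabi and gnueabihf suffixes are accepted.` and move the existing comment down so it stays next to `$cc_regex_full`. Because the same prefix is now reused to skip `cc1` lines in the main loop, spelling out the accepted suffixes here makes it visible that triplets with other suffixes (for instance `gnux32` or `gnuabi64`, if such toolchains ever appear in a log) would fall outside both uses.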
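Review bot: The new skip in the second hunk only recognises an absolute `/usr/lib/gcc/<triplet>/<version>/cc1` path, so `gcc -v` output from a compiler installed under a different directory (a cross toolchain under `/usr/lib/gcc-cross/`, or a self-built gcc with another prefix) would presumably still trigger the false positive this commit fixes. If that is worth covering, widening the directory part is a one-line change: `next if $line =~ m{^\s+/usr/lib/gcc(?:-cross)?/$cc_regex_full_prefix/[0-9.]+/cc1(?:plus)?}xo;`. Since blhc is a hardening checker, every skipped line is a potential false negative, so the pattern should stay as specific as it is now (leading whitespace, a versioned gcc directory, a `cc1`/`cc1plus` binary) rather than be loosened to arbitrary paths, and the fixture added to t/logs/false-positives exercises only the `x86_64-linux-gnu` case, so a comment noting that assumption would help the next reader. The enclosing `foreach my $file (@ARGV)` loop starts and ends outside the hunk.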
@@ -5,3 +5,36 @@ dpkg-buildpackage: source package test
 swig -Wall -c++ -python test.i
 + CC=gcc CFLAGS=-g -O2 ... sh ../../build.sh -r -c lto
+
+# gcc -v can cause false positives.
+cd GUI && qmake
+/usr/bin/make -C GUI
+make[2]: Entering directory '/tmp/buildd/i7z-0.27.2+git2013.10.12-g5023138/GUI'
+/usr/lib/x86_64-linux-gnu/qt4/bin/moc -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++-64 -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4 -I. -I. i7z_GUI.cpp -o i7z_GUI.moc
+g++ -c -m64 -pipe -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -v -fno-schedule-insns2 -fno-schedule-insns -fno-inline-small-functions -fno-caller-saves -g -Wall -W -D_REENTRANT -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/linux-g++-64 -I. -I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4 -I. -I. -o i7z_GUI.o i7z_GUI.cpp
+Using built-in specs.
+COLLECT_GCC=g++
+Target: x86_64-linux-gnu
+Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.1-17' --with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.9 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
+Thread model: posix
+gcc version 4.9.1 (Debian 4.9.1-17)
+COLLECT_GCC_OPTIONS='-c' '-m64' '-pipe' '-g' '-O2' '-fstack-protector-strong' '-Wformat=1' '-Werror=format-security' '-D' '_FORTIFY_SOURCE=2' '-v' '-fno-schedule-insns2' '-fno-schedule-insns' '-fno-inline-small-functions' '-fno-caller-saves' '-g' '-Wall' '-Wextra' '-D' '_REENTRANT' '-D' 'QT_GUI_LIB' '-D' 'QT_CORE_LIB' '-D' 'QT_SHARED' '-I' '/usr/share/qt4/mkspecs/linux-g++-64' '-I' '.' '-I' '/usr/include/qt4/QtCore' '-I' '/usr/include/qt4/QtGui' '-I' '/usr/include/qt4' '-I' '.' '-I' '.' '-o' 'i7z_GUI.o' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
+ /usr/lib/gcc/x86_64-linux-gnu/4.9/cc1plus -quiet -v -I /usr/share/qt4/mkspecs/linux-g++-64 -I . -I /usr/include/qt4/QtCore -I /usr/include/qt4/QtGui -I /usr/include/qt4 -I . -I . -imultiarch x86_64-linux-gnu -D_GNU_SOURCE -D _FORTIFY_SOURCE=2 -D _REENTRANT -D QT_GUI_LIB -D QT_CORE_LIB -D QT_SHARED i7z_GUI.cpp -quiet -dumpbase i7z_GUI.cpp -m64 -mtune=generic -march=x86-64 -auxbase-strip i7z_GUI.o -g -g -O2 -Wformat=1 -Werror=format-security -Wall -Wextra -version -fstack-protector-strong -fno-schedule-insns2 -fno-schedule-insns -fno-inline-small-functions -fno-caller-saves -o - | as -v -I /usr/share/qt4/mkspecs/linux-g++-64 -I . -I /usr/include/qt4/QtCore -I /usr/include/qt4/QtGui -I /usr/include/qt4 -I . -I . --64 -o i7z_GUI.o
+GNU assembler version 2.24.51 (x86_64-linux-gnu) using BFD version (GNU Binutils for Debian) 2.24.90.20141014
+GNU C++ (Debian 4.9.1-17) version 4.9.1 (x86_64-linux-gnu)
+ compiled by GNU C version 4.9.1, GMP version 6.0.0, MPFR version 3.1.2-p3, MPC version 1.0.2
+GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
+ignoring duplicate directory "/usr/include/x86_64-linux-gnu/c++/4.9"
+ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
+ignoring nonexistent directory "/usr/lib/gcc/x86_64-linux-gnu/4.9/../../../../x86_64-linux-gnu/include"
+ignoring duplicate directory "."
+ignoring duplicate directory "."
+#include "..." search starts here:
+#include <...> search starts here:
+[...]
+ /usr/include
+End of search list.
+GNU C++ (Debian 4.9.1-17) version 4.9.1 (x86_64-linux-gnu)
+ compiled by GNU C version 4.9.1, GMP version 6.0.0, MPFR version 3.1.2-p3, MPC version 1.0.2
+GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
+Compiler executable checksum: 26648cf2c5cb5e5907eedabc7a0be2ce
diff --git a/t/tests.t b/t/tests.t
index 9fa6fc3..b781bfe 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -902,8 +902,8 @@ is_blhc 'debian-hardening-wrapper-pbuilder', '', 16,
 # false positives
-is_blhc 'false-positives', '', 1,
-    $empty;
+is_blhc 'false-positives', '', 0,
+    '';
 # buildd support