From: Simon Ruderich Date: Thu, 10 May 2018 15:48:58 +0000 (+0200) Subject: Detect overwrite of -fstack-protector X-Git-Tag: 0.09~3 X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=commitdiff_plain;h=d791242047730d55a858f668702ea27fe3c77f77 Detect overwrite of -fstack-protector --- diff --git a/MANIFEST b/MANIFEST index 590b416..d6a5c41 100644 --- a/MANIFEST +++ b/MANIFEST @@ -15,6 +15,7 @@ t/logs/arch-ia64 t/logs/arch-mipsel t/logs/bad t/logs/bad-cflags +t/logs/bad-cflags-stackprotector t/logs/bad-cppflags t/logs/bad-ldflags t/logs/bad-library diff --git a/NEWS b/NEWS index 1c8247f..47d3327 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,8 @@ Version 0.XX - Detect restore of -D_FORTIFY_SOURCE=2 after it was overwritten by -D_FORTIFY_SOURCE=0 or 1 or -U_FORTIFY_SOURCE; reported by Mike Hommey (Debian bug #898332). +- Detect overwrite of -fstack-protector options with -fno-stack-protector + (same for -fstack-protector-all and -fstack-protector-strong). Version 0.08 diff --git a/bin/blhc b/bin/blhc index d56a6c0..c2a9d98 100755 --- a/bin/blhc +++ b/bin/blhc @@ -222,11 +222,17 @@ my @def_cflags_fortify = ( # fortify needs at least -O1, but -O2 is recommended anyway ); my @def_cflags_stack = ( - '-fstack-protector', + '-fstack-protector', # keep first, used by cflags_stack_broken() '--param[= ]ssp-buffer-size=4', ); my @def_cflags_stack_strong = ( - '-fstack-protector-strong', + '-fstack-protector-strong', # keep first, used by cflags_stack_broken() +); +my @def_cflags_stack_bad = ( + # Blacklist all stack protector options for simplicity. + '-fno-stack-protector', + '-fno-stack-protector-all', + '-fno-stack-protector-strong', ); my @def_cflags_pie = ( '-fPIE', @@ -270,6 +276,7 @@ my @flag_refs = ( \@def_cflags_fortify, \@def_cflags_stack, \@def_cflags_stack_strong, + \@def_cflags_stack_bad, \@def_cflags_pie, \@def_cxxflags, \@def_cppflags, 
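Review bot: `@def_cflags_stack_bad` in the `bin/blhc` hunk at `-222` lists only the `-fno-stack-protector*` spellings, so a later, weaker positive option is not treated as an overwrite. As far as I know GCC lets the last `-fstack-protector*` option on the command line win, so `-fstack-protector-strong ... -fstack-protector` or a trailing `-fstack-protector-explicit` reduces coverage while the required flag is still present in the line. If downgrades are in scope, `cflags_stack_broken()` needs a second list of weaker forms that is consulted only for the strong case; otherwise state the limit next to the list, e.g. `# Only -fno-* overrides are detected; a later weaker -fstack-protector* option is not.` How these entries are turned into patterns is outside the hunk, so it is not visible here whether `-fno-stack-protector` already matches as a prefix of the two longer entries.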
@@ -471,6 +478,19 @@ sub cppflags_fortify_broken { return 1; } +sub cflags_stack_broken { + my ($line, $missing_flags, $strong) = @_; + + my $flag = $strong ? $def_cflags_stack_strong[0] + : $def_cflags_stack[0]; + + if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) { + return 0; + } + push @{$missing_flags}, $flag; + return 1; +} + # Modifies $missing_flags_ref array. sub pic_pie_conflict { my ($line, $pie, $missing_flags_ref, @flags_pie) = @_; @@ -1356,7 +1376,10 @@ LINE: # Check hardening flags. my @missing; - if ($compile and not all_flags_used($line, \@missing, @cflags) + if ($compile and (not all_flags_used($line, \@missing, @cflags) + or (($harden_stack or $harden_stack_strong) + and cflags_stack_broken($line, \@missing, + $harden_stack_strong))) # Libraries linked with -fPIC don't have to (and can't) be # linked with -fPIE as well. It's no error if only PIE flags # are missing. diff --git a/t/logs/bad-cflags-stackprotector b/t/logs/bad-cflags-stackprotector new file mode 100644 index 0000000..ab460f2 --- /dev/null +++ b/t/logs/bad-cflags-stackprotector @@ -0,0 +1,5 @@ +dpkg-buildpackage: source package test + +gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector test-a.c +gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-all test-a.c +gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-strong test-a.c diff --git a/t/logs/good b/t/logs/good index f8f3f81..d4d3e7d 100644 --- a/t/logs/good +++ b/t/logs/good 
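Review bot: `cflags_stack_broken()` has no header comment even though it appends to the caller's array, and it names that parameter `$missing_flags`. `pic_pie_conflict()` directly below it carries `# Modifies $missing_flags_ref array.` and uses `$missing_flags_ref`. I would rename the parameter to match and add `# Modifies $missing_flags_ref array. Returns 1 if the expected stack protector flag is overwritten by an entry of @def_cflags_stack_bad, 0 otherwise.` above the sub. The `[0]` lookups depend on the "keep first" comments in the flag arrays staying true; a named scalar for the primary flag would remove that ordering dependency. `flag_overwritten()` is defined outside this hunk, so the comment should not promise more about ordering than that helper guarantees.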
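Review bot: In the `-1356` hunk of `bin/blhc`, `cflags_stack_broken()` is the right-hand operand of `or`, so it runs only when `all_flags_used()` found nothing missing. A compile line that lacks some other CFLAGS entry and also carries a trailing `-fno-stack-protector` is therefore reported without the stack protector flag in `@missing`, and the override surfaces only once the other flag has been fixed. If every finding should appear in one pass, evaluate it first, e.g. `my $stack_broken = $compile && ($harden_stack || $harden_stack_strong) && cflags_stack_broken($line, \@missing, $harden_stack_strong);`, and use `$stack_broken` in the condition. That changes the order of entries in `@missing`, and the condition continues past the end of the hunk into the PIE handling, so that part needs re-checking against the extra entry. The new `t/logs/bad-cflags-stackprotector` fixture only has lines where nothing else is missing, so the combined case is currently untested.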
@@ -54,3 +54,7 @@ gcc -U_FORTIFY_SOURCE -g -O2 -fstack-protector-strong -Wformat -Werror=format- gcc -D_FORTIFY_SOURCE=0 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-e.c gcc -D_FORTIFY_SOURCE=1 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-f.c gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -c test-i.c + +gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector -fstack-protector-strong test-a.c +gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-all -fstack-protector-strong test-a.c +gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-strong -fstack-protector-strong test-a.c diff --git a/t/tests.t b/t/tests.t index 5e7b701..f0b5f99 100644 --- a/t/tests.t +++ b/t/tests.t @@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 234; +use Test::More tests => 236; sub is_blhc { 
@@ -492,6 +492,11 @@ CFLAGS missing (-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-se CPPFLAGS missing (-D_FORTIFY_SOURCE=2): (gcc -Wl,-z,relro -o test.output test.c) LDFLAGS missing (-fPIE -pie -Wl,-z,now): (gcc -Wl,-z,relro -o test.output test.c) '; +is_blhc 'bad-cflags-stackprotector', '', 8, + 'CFLAGS missing (-fstack-protector-strong): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector test-a.c +CFLAGS missing (-fstack-protector-strong): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-all test-a.c +CFLAGS missing (-fstack-protector-strong): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c -fno-stack-protector-strong test-a.c +'; is_blhc 'bad-cppflags', '', 8, 'CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-a.c