From 290a8e3484c700ebb91c3460820310e03ca38cb2 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Sun, 23 Jul 2017 21:10:04 +0200
Subject: [PATCH] Don't report missing PIE flags in buildd mode if GCC defaults to PIE

Dpkg since 1.8.15 respects GCC's settings and doesn't inject PIE flags if GCC already applies them internally. Therefore don't require PIE flags if a recent enough dpkg version is used and GCC applies PIE on the current architecture.
---
 MANIFEST | 3 +++
 NEWS | 2 ++
 bin/blhc | 22 +++++++++++++++++++++-
 t/logs/buildd-gcc-pie | 5 +++++
 t/logs/buildd-gcc-pie-builtin | 6 ++++++
 t/logs/buildd-gcc-pie-builtin-wrong-arch | 5 +++++
 t/tests.t | 11 ++++++++++-
 7 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 t/logs/buildd-gcc-pie
 create mode 100644 t/logs/buildd-gcc-pie-builtin
 create mode 100644 t/logs/buildd-gcc-pie-builtin-wrong-arch

diff --git a/MANIFEST b/MANIFEST
index de6e472..e6bf651 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -26,6 +26,9 @@ t/logs/buildd-dpkg-dev-missing
 t/logs/buildd-dpkg-dev-old
 t/logs/buildd-dpkg-fstack-protector
 t/logs/buildd-dpkg-fstack-protector-missing
+t/logs/buildd-gcc-pie
+t/logs/buildd-gcc-pie-builtin
+t/logs/buildd-gcc-pie-builtin-wrong-arch
 t/logs/buildd-package-details
 t/logs/buildd-verbose-build
 t/logs/c++
diff --git a/NEWS b/NEWS
index f8bbff1..f980c07 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ Version 0.XX
 in non-verbose-build detection, reported by Boud Roukema and Nico Schlömer (Debian Bug #853265).
 - Add better support for Fortran (c.f. Debian Bug #853265).
+- Don't report missing PIE flags in buildd mode if GCC defaults to PIE (c.f.
+ Debian Bug 845339).
 
 Version 0.07
diff --git a/bin/blhc b/bin/blhc
index 6afff57..cfdcbba 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -750,6 +750,10 @@ foreach my $file (@ARGV) {
 # use a large enough default.
 my $parallel = 10;
 
+ # Don't check for PIE flags if automatically applied by the compiler. Only
+ # used in buildd mode.
+ my $disable_harden_pie = 0;
+
 while (my $line = <$fh>) {
 # Detect architecture automatically unless overridden. For buildd logs
 # only, doesn't use the dpkg-buildpackage header. Necessary to ignore
@@ -772,6 +776,10 @@ foreach my $file (@ARGV) {
 # flags are not checked.
 #
 # Strong stack protector is used since dpkg 1.17.11.
+ #
+ # Recent GCC versions automatically use PIE (only on supported
+ # architectures) and dpkg respects this properly since 1.18.15 and
+ # doesn't pass PIE flags manually.
 if ($option_buildd and index($line, 'Toolchain package versions: ') == 0) {
 require Dpkg::Version;
@@ -786,6 +794,9 @@ foreach my $file (@ARGV) {
 if (Dpkg::Version::version_compare($1, '1.17.11') >= 0) {
 $disable_strong = 0;
 }
+ if (Dpkg::Version::version_compare($1, '1.18.15') >= 0) {
+ $disable_harden_pie = 1;
+ }
 }
 
 if ($disable) {
@@ -1040,7 +1051,7 @@ foreach my $file (@ARGV) {
 # Option or auto detected.
 if ($arch) {
- # The following was partially copied from dpkg-dev 1.18.15
+ # The following was partially copied from dpkg-dev 1.18.24
 # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_hardening_flags()),
 # copyright Raphaël Hertzog , Kees Cook
 # , Canonical, Ltd. licensed under GPL version 2 or
@@ -1056,6 +1067,11 @@ foreach my $file (@ARGV) {
 (undef, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch);
 }
 
+ my %builtin_pie_arch = map { $_ => 1 } qw(
+ amd64 arm64 armel armhf i386 kfreebsd-amd64 kfreebsd-i386
+ mips mipsel mips64el ppc64el s390x sparc sparc64
+ );
+
 # Disable unsupported hardening options.
 if ($os !~ /^(?:linux|kfreebsd|knetbsd|hurd)$/ or $cpu =~ /^(?:hppa|avr32)$/) {
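Review bot: The new `version_compare($1, '1.18.15')` gate relaxes the PIE check on the strength of the dpkg-dev version alone, but what makes the flags unnecessary is the compiler's default, which dpkg only assumes; a log where dpkg-dev >= 1.18.15 drives a GCC without builtin PIE, or a different compiler, would then pass without PIE and without a warning. If the `Toolchain package versions:` line also carries the gcc package version, as buildd logs appear to, gating on that as well, or at least saying in a comment that the check trusts dpkg's assumption, would close that gap. `$1` is now read in a third statement after the match that sets it (above this hunk); capturing it once, `my $dpkg_dev_version = $1;`, and comparing that would be clearer. The commit message speaks of dpkg "1.8.15" while the code compares against 1.18.15, which the comment added in the previous hunk confirms. The enclosing `if ($option_buildd ...)` block starts outside this hunk.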
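Review bot: `%builtin_pie_arch` is rebuilt from the `qw(...)` list on every pass through `if ($arch)`, i.e. once per processed log file, although its contents never change; declaring it once at file scope, outside the `foreach my $file` loop that starts before this hunk, would make the architecture list easier to find and to keep in sync with the dpkg-dev code it was copied from. The surrounding "partially copied from dpkg-dev 1.18.24" comment covers the provenance, but the list itself deserves a line of its own, e.g. `# Architectures where dpkg relies on GCC's builtin PIE; keep in sync with Dpkg::Vendor::Debian.` A later dpkg may extend that list, so a stale copy here silently turns into missing-flag warnings on the new architectures.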
@@ -1069,6 +1085,10 @@ foreach my $file (@ARGV) {
 $harden_relro = 0;
 $harden_bindnow = 0;
 }
+
+ if ($disable_harden_pie and exists $builtin_pie_arch{$arch}) {
+ $harden_pie = 0;
+ }
 }
 
 # Default values.
diff --git a/t/logs/buildd-gcc-pie b/t/logs/buildd-gcc-pie
new file mode 100644
index 0000000..863111c
--- /dev/null
+++ b/t/logs/buildd-gcc-pie
@@ -0,0 +1,5 @@
+Toolchain package versions: ... dpkg-dev_1.18.14 ...
+dpkg-buildpackage: source package foo package
+dpkg-buildpackage: host architecture amd64
+
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
diff --git a/t/logs/buildd-gcc-pie-builtin b/t/logs/buildd-gcc-pie-builtin
new file mode 100644
index 0000000..98a413b
--- /dev/null
+++ b/t/logs/buildd-gcc-pie-builtin
@@ -0,0 +1,6 @@
+Toolchain package versions: ... dpkg-dev_1.18.15 ...
+dpkg-buildpackage: source package foo package
+dpkg-buildpackage: host architecture amd64
+
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
+gcc -fPIE -pie -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
diff --git a/t/logs/buildd-gcc-pie-builtin-wrong-arch b/t/logs/buildd-gcc-pie-builtin-wrong-arch
new file mode 100644
index 0000000..af5d4fc
--- /dev/null
+++ b/t/logs/buildd-gcc-pie-builtin-wrong-arch
@@ -0,0 +1,5 @@
+Toolchain package versions: ... dpkg-dev_1.18.15 ...
+dpkg-buildpackage: source package foo package
+dpkg-buildpackage: host architecture ia64
+
+gcc -g -O2 -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fstack-protector-strong -Wformat -Werror=format-security -o test test.c
diff --git a/t/tests.t b/t/tests.t
index 2d02809..4c6b5dc 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -19,7 +19,7 @@ use strict;
 use warnings;
-use Test::More tests => 218;
+use Test::More tests => 226;
 sub is_blhc {
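Review bot: Clearing `$harden_pie` here switches PIE verification off entirely for the affected logs, so a compiler line on a builtin-PIE architecture that explicitly opts out (`-fno-PIE`, `-fno-pie`, `-no-pie`) would go unreported unless blhc flags such opt-outs independently of `$harden_pie`, which is not visible in this hunk; that opt-out is exactly the case left worth catching once the compiler default supplies the flags. Rather than dropping the check, consider recording that the PIE flags are optional for this log and still reporting a line that actively disables PIE. A why-comment on the new block would also help, e.g. `# GCC enables PIE by default on this arch and dpkg >= 1.18.15 no longer passes the flags, so their absence is not a finding.` The enclosing `if ($arch)` block begins and the rest of the loop body lies outside this hunk.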
@@ -931,6 +931,15 @@ is_blhc 'buildd-dpkg-dev-missing', '--buildd', 0,
 'W-dpkg-buildflags-missing|CFLAGS 3 (of 6), CXXFLAGS 1 (of 1) missing|
 ';
 
+is_blhc 'buildd-gcc-pie', '--buildd --all', 0, 'W-dpkg-buildflags-missing|CFLAGS 1 (of 1), LDFLAGS 1 (of 1) missing|
+';
+is_blhc 'buildd-gcc-pie-builtin-wrong-arch', '--buildd --all', 0, 'W-dpkg-buildflags-missing|CFLAGS 1 (of 1), LDFLAGS 1 (of 1) missing|
+';
+is_blhc 'buildd-gcc-pie-builtin', '--buildd', 0, '';
+is_blhc 'buildd-gcc-pie-builtin', '--buildd --all', 0, '';
+
 # Older dpkg versions use -fstack-protector instead of -strong.
 is_blhc 'buildd-dpkg-fstack-protector', '--buildd', 0, '';
-- 
2.43.2
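Review bot: The new cases cover an old dpkg-dev, an architecture without builtin PIE and the clean builtin case, but none exercises a log where dpkg-dev >= 1.18.15 on a builtin-PIE architecture compiles with an explicit `-fno-PIE` or `-no-pie`; that is the situation the relaxed check must still report, and a fixture for it would pin that intent before the behaviour is relied on. The group also reads better with a one-line comment above it, matching the `# Older dpkg versions ...` style of the neighbouring tests, e.g. `# PIE flags are only required when dpkg-dev < 1.18.15 or the arch lacks builtin PIE.` Without it the reader has to infer from the fixture names why the first two runs expect a warning and the `buildd-gcc-pie-builtin` runs expect none.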