From f61763f97aa10059755d434556945465a4984aab Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Fri, 6 Apr 2012 18:33:56 +0200 Subject: [PATCH] Fix architecture detection when checking multiple files. --- bin/blhc | 13 ++++++++----- t/tests.t | 13 ++++++++++--- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/bin/blhc b/bin/blhc index 028dfbe..eb80324 100755 --- a/bin/blhc +++ b/bin/blhc @@ -475,6 +475,9 @@ my $exit = 0; FILE: foreach my $file (@ARGV) { open my $fh, '<', $file or die "$!: $file"; + # Architecture of this file. + my $arch = $option_arch; + # Hardening options. Not all architectures support all hardening options. my $harden_format = 1; my $harden_fortify = 1; @@ -549,9 +552,9 @@ FILE: foreach my $file (@ARGV) { last if $line =~ /^Build finished at \d{8}-\d{4}$/; # Detect architecture automatically unless overridden. - if (not $option_arch + if (not $arch and $line =~ /^dpkg-buildpackage: host architecture (.+)$/) { - $option_arch = $1; + $arch = $1; } # Ignore compiler warnings for now. @@ -655,7 +658,7 @@ FILE: foreach my $file (@ARGV) { } # Option or auto detected. - if ($option_arch) { + if ($arch) { # The following was partially copied from dpkg-dev 1.16.1.2 # (/usr/share/perl5/Dpkg/Vendor/Debian.pm, add_hardening_flags()), # copyright Raphaël Hertzog , Kees Cook @@ -663,10 +666,10 @@ FILE: foreach my $file (@ARGV) { # later. Keep it in sync. require Dpkg::Arch; - my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($option_arch); + my ($abi, $os, $cpu) = Dpkg::Arch::debarch_to_debtriplet($arch); # Disable unsupported hardening options. - if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $option_arch eq 'arm') { + if ($cpu =~ /^(ia64|alpha|mips|mipsel|hppa)$/ or $arch eq 'arm') { $harden_stack = 0; } if ($cpu =~ /^(ia64|hppa|avr32)$/) { diff --git a/t/tests.t b/t/tests.t index a4ccf60..0b98fe3 100644 --- a/t/tests.t +++ b/t/tests.t 
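Review bot: The comment above the new `my $arch = $option_arch;` in the `@@ -475` hunk of bin/blhc does not say which source takes precedence, and that precedence decides which hardening checks are relaxed for the file. I would spell it out: `# Architecture for this file: the command-line override ($option_arch) if set, otherwise the first "host architecture" line found in this log.` The `foreach` body starts in the hunk and continues well past it.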
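Review bot: In the `@@ -549` hunk of bin/blhc the architecture is captured with `(.+)`, so everything up to the end of the line becomes `$arch`. That would include trailing whitespace or a carriage return if the line is not stripped earlier, which is not visible in this hunk. The value comes from the log being audited and selects which hardening checks are switched off later, so I would accept only a plausible architecture name: `and $line =~ /^dpkg-buildpackage: host architecture ([a-z0-9-]+)\s*$/) {`. A one-line comment that the first match in a file wins would also help.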
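Review bot: In the `@@ -655` hunk of bin/blhc, `$cpu` goes straight into the two pattern matches without checking that `Dpkg::Arch::debarch_to_debtriplet($arch)` recognised the name. If that call returns nothing for an unknown architecture, whether it came from the override or was auto-detected, `$cpu` is undefined. Each match then emits an "uninitialized value" warning and the file is checked as if no architecture had been given, with nothing telling the user why. I would make that explicit right after the call: `if (not defined $cpu) { warn "$file: unknown architecture '$arch', no checks relaxed\n"; $cpu = ''; }`. The enclosing `if ($arch) {` block ends outside the hunk.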
@@ -19,7 +19,7 @@ use strict; use warnings; -use Test::More tests => 108; +use Test::More tests => 110; sub is_blhc { @@ -531,15 +531,19 @@ my $arch_avr32 = is_blhc 'arch-avr32', '', 8, $arch_avr32; -is_blhc 'arch-i386', '', 8, +my $arch_i386 = 'CFLAGS missing (-fstack-protector): gcc -D_FORTIFY_SOURCE=2 -g -O2 -fPIE --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c LDFLAGS missing (-pie): gcc -fPIE -Wl,-z,relro -Wl,-z,now -o test test.o '; +is_blhc 'arch-i386', '', 8, + $arch_i386; -is_blhc 'arch-ia64', '', 8, +my $arch_ia64 = 'CFLAGS missing (-fPIE): gcc -D_FORTIFY_SOURCE=2 -g -O2 -Wformat -Wformat-security -Werror=format-security -Wall -c test.c LDFLAGS missing (-pie): gcc -fPIE -o test test.o '; +is_blhc 'arch-ia64', '', 8, + $arch_ia64; is_blhc 'arch-mipsel', '', 8, 'CFLAGS missing (-Werror=format-security): gcc -D_FORTIFY_SOURCE=2 -g -O2 -Wformat -Wformat-security -Wall -c test.c @@ -613,6 +617,9 @@ is_blhc ['good', 'good-pie', 'good-bindnow', 'good-all', 'good-multiline', 'good is_blhc ['good-all', 'good-library'], '--all', 0, ''; +is_blhc ['arch-i386', 'arch-ia64'], '', 8, + $arch_i386 . $arch_ia64; + # No exit when multiple files are specified. is_blhc ['bad-ldflags', 'empty', 'arch-avr32', 'debian-hardening-wrapper'], '', 25, $bad_ldflags -- 2.43.2
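Review bot: The multi-file case added in the `@@ -613` hunk of t/tests.t covers auto-detection in one file order only, and nothing here checks that an explicit architecture override still applies to every file. The per-file copy `my $arch = $option_arch;` is meant to preserve that. I would add the reverse order, `is_blhc ['arch-ia64', 'arch-i386'], '', 8, $arch_ia64 . $arch_i386;`, with the expected value assuming each file is reported independently as the added test implies. I would also add one case that passes the override with two logs of different architectures. Remember to raise the `tests =>` count in the first hunk to match.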