# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012 Simon Ruderich
+# Copyright (C) 2012-2013 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.03';
+our $VERSION = '0.04';
# CONSTANTS/VARIABLES
# Objective-C++
qw( mii ),
);
+my @source_no_preprocess_compile_ada = (
+ # Ada body
+ qw( adb ),
+ # If you add another file, fix use of @source_no_preprocess_compile_ada
+ # below (search for $compile_ada).
+);
my @source_no_preprocess_compile = (
# C
qw( i ),
qw( mi ),
# Fortran
qw( f for ftn f90 f95 f03 f08 ),
- # Ada body
- qw( adb ),
+ # Ada
+ @source_no_preprocess_compile_ada,
);
my @source_no_preprocess_no_compile = (
# Assembly
'-O(?:2|3)',
);
my @def_cflags_format = (
- '-Wformat',
+ '-Wformat(?:=2)?', # -Wformat=2 implies -Wformat, accept it too
'-Werror=format-security', # implies -Wformat-security
);
my @def_cflags_fortify = (
);
my @def_cflags_stack = (
'-fstack-protector',
- '--param=ssp-buffer-size=4',
+ '--param[= ]ssp-buffer-size=4',
);
my @def_cflags_pie = (
'-fPIE',
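Review bot: Whether the new `[= ]` alternation in `--param[= ]ssp-buffer-size=4` can ever match the space-separated spelling depends on how the compiler line is tokenised before the flag patterns are applied, which this hunk does not show; Text::ParseWords is imported at the top of the file, and if the line is split into words first, `--param ssp-buffer-size=4` arrives as two tokens, the space branch is dead, and that spelling is still reported as a missing stack-protector parameter. If the patterns are applied to the unsplit line the change is fine, but a comment would spare the next reader the guess: `# GCC accepts --param=ssp-buffer-size=4 and --param ssp-buffer-size=4; the space form only matches when flags are compared against the whole line`. The matching `%flag_renames` entry added further down keeps the reported name stable either way.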
# Renaming rules for the output so the regex parts are not visible. Also
# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
- '-O(?:2|3)' => '-O2',
- '-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
- '-Wl,(?:-z,)?now' => '-Wl,-z,now',
+ '-O(?:2|3)' => '-O2',
+ '-Wformat(?:=2)?' => '-Wformat',
+ '--param[= ]ssp-buffer-size=4' => '--param=ssp-buffer-size=4',
+ '-Wl,(?:-z,)?relro' => '-Wl,-z,relro',
+ '-Wl,(?:-z,)?now' => '-Wl,-z,now',
);
my %exit_code = (
# FUNCTIONS
+# Only works for single-level arrays with no undef values. Thanks to perlfaq4.
+sub array_equal {
+ my ($first_ref, $second_ref) = @_;
+
+ return 0 if scalar @{$first_ref} != scalar @{$second_ref};
+
+ my $length = scalar @{$first_ref};
+ for (my $i = 0; $i < $length; $i++) {
+ return 0 if $first_ref->[$i] ne $second_ref->[$i];
+ }
+
+ return 1;
+}
+
sub error_flags {
my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_;
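Review bot: `array_equal` iterates with a C-style `for` and a separate `$length` although no index arithmetic is needed; `for my $i (0 .. $#{$first_ref}) { return 0 if $first_ref->[$i] ne $second_ref->[$i]; }` replaces the loop and reads as plain Perl. The `ne` comparison means an `undef` element is compared as the empty string and emits a warning, which the header comment already states; keep that comment, since callers pass extension lists and the limitation matters there. The sub is complete within the hunk.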
printf '%s (%s)%s %s',
error_color($message, 'red'), $flags, error_color(':', 'yellow'),
$line;
+
+ return;
}
sub error_non_verbose_build {
my ($line) = @_;
error_color('NONVERBOSE BUILD', 'red'),
error_color(':', 'yellow'),
$line;
+
+ return;
}
sub error_invalid_cmake {
my ($version) = @_;
error_color('INVALID CMAKE', 'red'),
error_color(':', 'yellow'),
$version;
+
+ return;
}
sub error_hardening_wrapper {
printf "%s%s %s\n",
error_color('HARDENING WRAPPER', 'red'),
error_color(':', 'yellow'),
'no checks possible, aborting';
+
+ return;
}
sub error_color {
my ($message, $color) = @_;
#
# C++ compiler setting.
return 0 if $line =~ /^\s*C\+\+.+?:\s+(?:yes|no)\s*$/;
+ return 0 if $line =~ /^\s*C\+\+ Library: stdc\+\+$/;
# "Compiling" with no file name.
if ($line =~ /^\s*[Cc]ompiling\s+(.+?)(?:\.\.\.)?$/) {
# $file_extension_regex may need spaces around the filename.
or not exists $removes{$flag_renames_ref->{$_}})
} @{$flags};
}
+
+ return;
}
sub compile_flag_regexp {
Pod::Usage::pod2usage(1);
}
if ($option_version) {
- print "blhc $VERSION Copyright (C) 2012 Simon Ruderich
+ print "blhc $VERSION Copyright (C) 2012-2013 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
+ # Does this build log use ada? Ada also uses gcc as compiler but uses
+ # different CFLAGS. But only perform ada checks if an ada compiler used
+ # for performance reasons.
+ my $ada = 0;
+
while (my $line = <$fh>) {
# Detect architecture automatically unless overridden. For buildd logs
# only, doesn't use the dpkg-buildpackage header. Necessary to ignore
}
}
- if (index($line, 'Build-Depends: ') == 0) {
+ # Debian's build daemons use Build-Depends: for the build
+ # dependencies, but pbuilder just uses Depends:; support both.
+ if (index($line, 'Build-Depends: ') == 0
+ or index($line, 'Depends: ') == 0) {
# If hardening wrapper is used (wraps calls to gcc and adds
# hardening flags automatically) we can't perform any checks,
# abort.
}
next FILE;
}
+
+ # Ada compiler.
+ if ($line =~ /\bgnat\b/) {
+ $ada = 1;
+ }
}
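Review bot: The `# Ada compiler.` comment undersells what the check does: `$ada` is set from the `Build-Depends:`/`Depends:` line of the log, not from an actual `gnat` invocation, so a log without such a line, or one naming a differently packaged Ada compiler, keeps `$ada = 0`, and per the later hunk `.adb` compile lines are then checked against the full C flag set. Suggest `# gnat among the build dependencies enables the Ada-specific CFLAGS handling below; otherwise Ada files are checked like C.` The enclosing `if` block starts outside this hunk.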
# We skip over unimportant lines at the beginning of the log to
if (not $arch
and index($line, 'dpkg-buildpackage: host architecture ') == 0) {
$arch = substr $line, 37, -1; # -1 to ignore '\n' at the end
+
+ # Old buildd logs use e.g. "host architecture is alpha", remove
+ # the "is", otherwise debarch_to_debtriplet() will not detect the
+ # architecture.
+ if (index($arch, 'is ') == 0) {
+ $arch = substr $arch, 3;
+ }
}
# Ignore compiler warnings for now.
[Cc]ompiler[\s.]*:?\s+
/x;
next if $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o;
- # `moc-qt4`, contains '-I/usr/share/qt4/mkspecs/linux-g++' (or
- # similar for other architectures) which gets recognized as a
- # compiler line. Ignore it.
- next if $line =~ m{^/usr/bin/moc-qt4
+ # `moc-qt4`/`moc-qt5` contain '-I.../linux-g++' in their command
+ # line (or similar for other architectures) which gets recognized
+ # as a compiler line, but `moc-qt*` is only a preprocessor for Qt
+ # C++ files. No hardening flags are relevant during this step,
+ # thus ignore `moc-qt*` lines. The resulting files will be
+ # compiled in a separate step (and therefore checked).
+ next if $line =~ m{^\S+/bin/moc-qt[45]
\s.+\s
- -I/usr/share/qt4/mkspecs/[a-z]+-g\++(?:-64)?
+ -I\S+/mkspecs/[a-z]+-g\++(?:-64)?
\s}x;
# Ignore false positives when the line contains only CC=gcc but no
# other gcc command.
@ldflags = (@ldflags, @def_ldflags_bindnow);
}
+ # Stores normal CFLAGS when @cflags_ada are temporarily used.
+ my @cflags_backup;
+ # Ada CFLAGS.
+ my @cflags_ada = @cflags;
+ # Ada doesn't support format hardening flags, see #680117 for more
+ # information. Filter them out if ada is used.
+ if ($ada and $harden_format) {
+ @cflags_ada = grep {
+ my $ok = 1;
+ foreach my $flag (@def_cflags_format) {
+ $ok = 0 if $_ eq $flag;
+ }
+ $ok;
+ } @cflags;
+ }
+
# Hack to fix cppflags_fortify_broken() if --ignore-flag
# -D_FORTIFY_SOURCE=2 is used to ignore missing fortification. Only works
# as long as @def_cppflags_fortify contains only one variable.
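Review bot: The filter building `@cflags_ada` re-walks `@def_cflags_format` for every element of `@cflags` with a flag variable inside `grep`; a membership hash says the same thing in two lines: `my %is_format_flag = map { $_ => 1 } @def_cflags_format;` and `@cflags_ada = grep { not $is_format_flag{$_} } @cflags;`. Both forms rely on `@cflags` holding the same pattern strings as `@def_cflags_format` (the `eq` on `$_ eq $flag` assumes that too), which is presumably how `@cflags` is assembled earlier in this function, outside the hunk. The `#680117` reference is useful; naming it as a Debian bug in the comment would help readers outside that project.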
}
}
+ my $compile_cpp = 0;
+ my $compile_ada = 0;
# Assume CXXFLAGS are required when a C++ file is specified in the
# compiler line.
- my $compile_cpp = 0;
if ($compile
and extension_found(\%extensions_compile_cpp, @extensions)) {
$compile = 0;
$compile_cpp = 1;
+ # Ada needs special CFLAGS, use them if only ada files are compiled.
+ } elsif ($ada
+ and $compile
+ and array_equal(\@extensions,
+ \@source_no_preprocess_compile_ada)) {
+ $compile_ada = 1;
+ @cflags_backup = @cflags;
+ @cflags = @cflags_ada;
}
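Review bot: The Ada branch overwrites the loop-wide `@cflags` with `@cflags_ada` and relies on a restore at the end of the loop body (the `@cflags = @cflags_backup` in the later hunk); if any `next` sits between the swap and that restore, the following compiler line is checked with the Ada set, i.e. without the format flags, so a C/C++ line missing `-Wformat` or `-Werror=format-security` would pass silently. Safer is to leave `@cflags` untouched and select the set per line, `my @cflags_checked = $compile_ada ? @cflags_ada : @cflags;`, with the checks below reading `@cflags_checked`, which also removes `@cflags_backup`; I cannot see those checks from here to confirm the rename is contained. Separately, `array_equal(\@extensions, \@source_no_preprocess_compile_ada)` requires `@extensions` to be exactly `('adb')`, so if `@extensions` can carry duplicates (two `.adb` files on one command line) the comparison fails and the non-Ada flags apply, giving a spurious format-flag warning rather than a missed check. The enclosing loop body continues outside the hunk.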
if ($option_buildd) {
$statistics{link_missing}++;
}
}
+
+ # Restore normal CFLAGS.
+ if ($compile_ada) {
+ @cflags = @cflags_backup;
+ }
}
}
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012 by Simon Ruderich
+Copyright (C) 2012-2013 by Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by