use Getopt::Long ();
use Text::ParseWords ();
-our $VERSION = '0.08';
+our $VERSION = '0.09';
# CONSTANTS/VARIABLES
# fortify needs at least -O1, but -O2 is recommended anyway
);
my @def_cflags_stack = (
- '-fstack-protector',
+ '-fstack-protector', # keep first, used by cflags_stack_broken()
'--param[= ]ssp-buffer-size=4',
);
my @def_cflags_stack_strong = (
- '-fstack-protector-strong',
+ '-fstack-protector-strong', # keep first, used by cflags_stack_broken()
+);
+my @def_cflags_stack_bad = (
+ # Blacklist all stack protector options for simplicity.
+ '-fno-stack-protector',
+ '-fno-stack-protector-all',
+ '-fno-stack-protector-strong',
);
my @def_cflags_pie = (
'-fPIE',
\@def_cflags_fortify,
\@def_cflags_stack,
\@def_cflags_stack_strong,
+ \@def_cflags_stack_bad,
\@def_cflags_pie,
\@def_cxxflags,
\@def_cppflags,
@{$missing_flags_ref} = @missing_flags;
return 0;
}
+# Check if any of \@bad_flags occurs after $good_flag. Doesn't check if
+# $good_flag is present.
+sub flag_overwritten {
+ my ($line, $good_flag, $bad_flags) = @_;
-sub cppflags_fortify_broken {
- my ($line, $missing_flags) = @_;
-
- if (not any_flags_used($line, @def_cppflags_fortify_bad)) {
+ if (not any_flags_used($line, @{$bad_flags})) {
return 0;
}
- # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
- my $fortify_source = $def_cppflags_fortify[0];
-
- # Some build systems enable/disable fortify source multiple times, check
- # the final result.
- my $disable_pos = 0;
- foreach my $flag (@def_cppflags_fortify_bad) {
+ my $bad_pos = 0;
+ foreach my $flag (@{$bad_flags}) {
while ($line =~ /$flag/g) {
- if ($disable_pos < $+[0]) {
- $disable_pos = $+[0];
+ if ($bad_pos < $+[0]) {
+ $bad_pos = $+[0];
}
}
}
- my $enable_pos = 0;
- while ($line =~ /$fortify_source/g) {
- $enable_pos = $+[0];
+ my $good_pos = 0;
+ while ($line =~ /$good_flag/g) {
+ $good_pos = $+[0];
}
- if ($enable_pos > $disable_pos) {
+ if ($good_pos > $bad_pos) {
return 0;
}
+ return 1;
+}
+
+sub cppflags_fortify_broken {
+ my ($line, $missing_flags) = @_;
+ # $def_cppflags_fortify[0] must be -D_FORTIFY_SOURCE=2!
+ my $fortify_source = $def_cppflags_fortify[0];
+
+ # Some build systems enable/disable fortify source multiple times, check
+ # the final result.
+ if (not flag_overwritten($line,
+ $fortify_source,
+ \@def_cppflags_fortify_bad)) {
+ return 0;
+ }
push @{$missing_flags}, $fortify_source;
return 1;
}
+sub cflags_stack_broken {
+ my ($line, $missing_flags, $strong) = @_;
+
+ my $flag = $strong ? $def_cflags_stack_strong[0]
+ : $def_cflags_stack[0];
+
+ if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) {
+ return 0;
+ }
+ push @{$missing_flags}, $flag;
+ return 1;
+}
+
# Modifies $missing_flags_ref array.
sub pic_pie_conflict {
my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
# treated as a normal compiler line.
next if $line =~ m{^\s*rm\s+};
# Some build systems emit "gcc > file".
- next if $line =~ m{$cc_regex_normal\s*>\s*\S+};
+ next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
+ # Hex output may contain "cc".
+ next if $line =~ m#(?:\b[0-9a-fA-F]{2,}\b\s*){5}#;
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Option or auto detected.
if ($arch) {
- # The following was partially copied from dpkg-dev 1.19.0.5
+ # The following was partially copied from dpkg-dev 1.19.5
# (/usr/share/perl5/Dpkg/Vendor/Debian.pm, _add_build_flags()),
# copyright Raphaƫl Hertzog <hertzog@debian.org>, Guillem Jover
# <guillem@debian.org>, Kees Cook <kees@debian.org>, Canonical, Ltd.
}
my %builtin_pie_arch = map { $_ => 1 } qw(
- amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386
- mips mipsel mips64el powerpc ppc64 ppc64el s390x sparc sparc64
+ amd64
+ arm64
+ armel
+ armhf
+ hurd-i386
+ i386
+ kfreebsd-amd64
+ kfreebsd-i386
+ mips
+ mipsel
+ mips64el
+ powerpc
+ ppc64
+ ppc64el
+ riscv64
+ s390x
+ sparc
+ sparc64
);
# Disable unsupported hardening options.
# Check hardening flags.
my @missing;
- if ($compile and not all_flags_used($line, \@missing, @cflags)
+ if ($compile and (not all_flags_used($line, \@missing, @cflags)
+ or (($harden_stack or $harden_stack_strong)
+ and cflags_stack_broken($line, \@missing,
+ $harden_stack_strong)))
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
# are missing.