From d569fff93bdd0e2f2bf8c041a6534d8a19613969 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Wed, 14 Aug 2013 21:04:06 +0200
Subject: [PATCH 1/1] Consider lines with -O0 or -Og debug builds. Disable checks for -O2 for those lines. Fixes Debian bug #714628, reported by Matthias Klose. Thanks.
---
 MANIFEST | 1 +
 NEWS | 2 ++
 README | 4 ++++
 bin/blhc | 17 +++++++++++++++--
 t/logs/debug-build | 13 +++++++++++++
 t/tests.t | 7 ++++++-
 6 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 t/logs/debug-build
diff --git a/MANIFEST b/MANIFEST
index efbc65d..f7c6eab 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -37,6 +37,7 @@ t/logs/debian-cmake-ok
 t/logs/debian-hardening-wrapper
 t/logs/debian-hardening-wrapper-old-build-depends
 t/logs/debian-hardening-wrapper-pbuilder
+t/logs/debug-build
 t/logs/dpkg-buildpackage-architecture-old
 t/logs/empty
 t/logs/false-positives
diff --git a/NEWS b/NEWS
index 7bd78a7..bbc2c03 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ Version 0.XX
 Fritsch.
 - Sync architecture specific hardening support with dpkg 1.17.1.
+- Consider lines with -O0 or -Og debug builds and disable checks for -O2
+ (Debian bug #714628), reported by Matthias Klose.
 Version 0.04
diff --git a/README b/README
index aeccd30..5e58567 100644
--- a/README
+++ b/README
@@ -123,6 +123,10 @@ If it's not present no compiler commands are detected. In case you don't use dpkp-buildpackage but still want to check a build log, adding it as first line should work fine.
+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+
 The following non-verbose builds can't be detected:
 gcc -o test
diff --git a/bin/blhc b/bin/blhc
index 72a2c42..2624585 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -183,7 +183,12 @@ my $file_extension_regex = qr/
 # real regexps below for better execution speed).
 my @def_cflags = (
 '-g',
- '-O(?:2|3)',
+ '-O(?:2|3)', # keep at index 1, search for @def_cflags_debug to change it
+);
+my @def_cflags_debug = (
+ # These flags indicate a debug build which disables checks for -O2.
+ '-O0',
+ '-Og',
 );
 my @def_cflags_format = (
 '-Wformat(?:=2)?', # -Wformat=2 implies -Wformat, accept it too
@@ -248,6 +253,7 @@ my @flag_refs = (
 # References to all used flags.
 my @flag_refs_all = (
 @flag_refs,
+ \@def_cflags_debug,
 \@def_cppflags_fortify_bad,
 \@def_ldflags_pic,
 );
@@ -495,7 +501,7 @@ sub is_non_verbose_build {
 return 1;
 }
-# Remove @flags from $flag_refs_ref, and $flag_renames_ref.
+# Remove @flags from $flag_refs_ref, uses $flag_renames_ref as reference.
 sub remove_flags {
 my ($flag_refs_ref, $flag_renames_ref, @flags) = @_;
@@ -1174,6 +1180,13 @@ LINE:
 $statistics{link}++ if $link;
 }
+ # Check if there are flags indicating a debug build. If that's true,
+ # skip the check for -O2. This prevents fortification, but that's fine
+ # for a debug build.
+ if (any_flags_used($line, @def_cflags_debug)) {
+ remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);
+ }
+
 # Check hardening flags.
 my @missing;
 if ($compile and not all_flags_used($line, \@missing, @cflags)
diff --git a/t/logs/debug-build b/t/logs/debug-build
new file mode 100644
index 0000000..395a2d1
--- /dev/null
+++ b/t/logs/debug-build
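Review bot: `@def_cflags` is now consumed positionally — `$def_cflags[1]` in the `@@ -1174,6 +1180,13 @@` hunk — and only the comment on the `'-O(?:2|3)'` entry keeps that index stable, so a later insertion ahead of it would silently make the debug-build exemption remove the wrong check. Holding the pattern in its own lexical and using it in both places removes the coupling: `my $def_cflags_optimize = '-O(?:2|3)';` above the list, `$def_cflags_optimize,` in place of the `'-O(?:2|3)',` entry in `@def_cflags`, and `$def_cflags_optimize` instead of `$def_cflags[1]` in the `remove_flags` call. The README text added by the same commit spells the flag `'-OO'` (letter O) while this list and NEWS use `'-O0'` (zero); the code is the correct one and the README should be brought in line with it.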
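Review bot: `remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);` edits `@cflags` in place, and `@cflags` is declared outside this hunk; if it is the per-file flag list rather than a per-line copy, the first compile line carrying `-O0` or `-Og` silently drops the `-O2` check for every later line of the same log, including ordinary compiles that should still be reported — a false negative in exactly the check that decides whether `_FORTIFY_SOURCE` is effective. Unless `@cflags` is already reset on each iteration (the `LINE:` loop starts and ends outside the hunk), the removal should act on a copy: `my @cflags_line = @cflags;` before the `if`, `remove_flags([\@cflags_line], \%flag_renames, $def_cflags[1]);` inside it, and `@cflags_line` in place of `@cflags` in the `all_flags_used` call below (and in any later use of `@cflags` for this line that sits beyond the hunk). Whether `remove_flags` also mutates `%flag_renames` is not visible here; the reworded comment in the `@@ -495,7 +501,7 @@` hunk suggests it is only read, which is worth confirming before relying on a copy of `@cflags` alone.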
@@ -0,0 +1,13 @@
+dpkg-buildpackage: source package test
+
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -g -O0 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -g -Og -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/tests.t b/t/tests.t
index 93801f5..acb8ab7 100644
--- a/t/tests.t
+++ b/t/tests.t
@@ -19,7 +19,7 @@ use strict;
 use warnings;
-use Test::More tests => 212;
+use Test::More tests => 214;
 sub is_blhc {
@@ -647,6 +647,11 @@ NONVERBOSE BUILD: Compiling test.c \
 gcc test.c
 ';
+# handle debug builds
+
+is_blhc 'debug-build', '', 0, '';
+
+
 # configure/make
 is_blhc 'configure', '', 1,
-- 
2.45.2
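Review bot: The new `is_blhc 'debug-build', '', 0, '';` only covers a log in which every compile line carries `-O0` or `-Og`, so it cannot tell whether the `-O2` exemption is scoped to the debug line or leaks into the lines that follow it. A second fixture (constructed name, e.g. `t/logs/debug-build-mixed`) with one `-O0` compile line followed by an ordinary compile line that omits `-O2` should still be reported as missing `-O2` with what looks like the expected-exit-status argument set to `1`, as the neighbouring `is_blhc 'configure', '', 1,` does; a line carrying both `-O2` and `-O0` would additionally pin the intended behaviour for mixed optimisation levels. Each `is_blhc` call appears to account for two tests in the plan (212 → 214 in the first hunk), so one more fixture means another `+2` there; `is_blhc`'s body is outside this hunk.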