diff -Nru hardening-wrapper-1.8/debian/changelog hardening-wrapper-1.11/debian/changelog --- hardening-wrapper-1.8/debian/changelog 2008-03-23 22:11:28.000000000 -0700 +++ hardening-wrapper-1.11/debian/changelog 2008-04-14 17:50:31.000000000 -0700 @@ -1,3 +1,34 @@ +hardening-wrapper (1.11) unstable; urgency=low + + * hardened-ld: disable PIE logic -- gcc should be the only part of the + toolchain requesting PIE. + * tests/Makefile: use -B instead of GCC_EXEC_PREFIX, which does not + do the right thing on all architectures. + + -- Kees Cook Mon, 14 Apr 2008 16:06:00 -0700 + +hardening-wrapper (1.10) unstable; urgency=low + + * hardened-cc, hardened-ld: re-arranged logic for "-pie". Old logic + was resulting in failed compiles under cmake. + * tests/Makefile: moved debian/rules tests into separate directory, + added -fPIC test cases, based on issues uncovered by cmake. + * debian/rules: disabled stack protector on mips, hppa -- not supported. + + -- Kees Cook Mon, 14 Apr 2008 11:15:35 -0700 + +hardening-wrapper (1.9) unstable; urgency=low + + * debian/rules: + - disable stack protector on arm, armel. + - disable PIE on arm, armel (thanks to Riku Voipio, Closes: 475764). + - show readelf output on test builds. + - fully link by tricking gcc into running the ld test wrapper. + * hello.c: re-arranged to exercise stack protector, report PIE. + * hardened-ld: add env var way to force use of /usr/bin/ld during tests. + + -- Kees Cook Sun, 13 Apr 2008 18:01:38 -0700 + hardening-wrapper (1.8) unstable; urgency=low * debian/rules: disable stack protector on ia64 and alpha. diff -Nru /tmp/GvwX4l6jf1/hardening-wrapper-1.8/debian/rules /tmp/yY5kGfAL3U/hardening-wrapper-1.11/debian/rules --- hardening-wrapper-1.8/debian/rules 2008-03-23 22:09:07.000000000 -0700 +++ hardening-wrapper-1.11/debian/rules 2008-04-14 12:56:20.000000000 -0700 @@ -10,15 +10,19 @@ # Calculate arch-specific defaults DEFAULT_PIE=0 ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:)) - ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:)) - # PIE enabled only on linux/knetbsd, but not on hppa, m68k + # PIE enabled only on linux/knetbsd + ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:arm:)) + # disabled on hppa, m68k (where it doesn't work). + # disabled for arm since there is no randomization support in ARM kernels DEFAULT_PIE=1 endif endif DEFAULT_STACKPROT=1 -ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:ia64:alpha:)) - # Stack protector disabled on ia64, alpha - # "warning: -fstack-protector not supported for this target" +ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:ia64:alpha:mips:mipsel:hppa:arm:)) + # Stack protector disabled on ia64, alpha, mips, mipsel, hppa. + # "warning: -fstack-protector not supported for this target" + # Stack protector disabled on arm, armel. + # compiler supports it incorrectly (leads to SEGV) DEFAULT_STACKPROT=0 endif @@ -58,15 +62,7 @@ test: build-stamp test-stamp test-stamp: - # Testing - perl -c build-tree/hardened-cc - perl -c build-tree/hardened-c++ - perl -c build-tree/hardened-ld - DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_DEBUG=1 ./build-tree/hardened-cc -o build-tree/compiler hello.c - ./build-tree/compiler - DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_DEBUG=1 ./build-tree/hardened-cc -o build-tree/linker.o hello.c - DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_DEBUG=1 ./build-tree/hardened-ld -o build-tree/linker build-tree/linker.o - + (cd tests; make check) # Done testing touch test-stamp diff -Nru /tmp/GvwX4l6jf1/hardening-wrapper-1.8/hardened-cc /tmp/yY5kGfAL3U/hardening-wrapper-1.11/hardened-cc --- hardening-wrapper-1.8/hardened-cc 2008-03-21 12:35:12.000000000 -0700 +++ hardening-wrapper-1.11/hardened-cc 2008-04-14 10:24:39.000000000 -0700 @@ -17,27 +17,28 @@ $default{'DEB_BUILD_HARDENING_PIE'}=1; # Scan arguments - my $use_stack = defined($ENV{'DEB_BUILD_HARDENING_STACKPROTECTOR'}) ? + my $force_stack = defined($ENV{'DEB_BUILD_HARDENING_STACKPROTECTOR'}) ? $ENV{'DEB_BUILD_HARDENING_STACKPROTECTOR'} : $default{'DEB_BUILD_HARDENING_STACKPROTECTOR'}; - my $use_format = defined($ENV{'DEB_BUILD_HARDENING_FORMAT'}) ? + my $force_format = defined($ENV{'DEB_BUILD_HARDENING_FORMAT'}) ? $ENV{'DEB_BUILD_HARDENING_FORMAT'} : $default{'DEB_BUILD_HARDENING_FORMAT'}; - my $use_PIE = defined($ENV{'DEB_BUILD_HARDENING_PIE'}) ? + my $force_fPIE = defined($ENV{'DEB_BUILD_HARDENING_PIE'}) ? $ENV{'DEB_BUILD_HARDENING_PIE'} : $default{'DEB_BUILD_HARDENING_PIE'}; - my $use_fortify = defined($ENV{'DEB_BUILD_HARDENING_FORTIFY'}) ? + my $force_pie = defined($ENV{'DEB_BUILD_HARDENING_PIE'}) ? + $ENV{'DEB_BUILD_HARDENING_PIE'} : + $default{'DEB_BUILD_HARDENING_PIE'}; + my $force_fortify = defined($ENV{'DEB_BUILD_HARDENING_FORTIFY'}) ? $ENV{'DEB_BUILD_HARDENING_FORTIFY'} : $default{'DEB_BUILD_HARDENING_FORTIFY'}; - $debug = defined($ENV{'DEB_BUILD_HARDENING_DEBUG'}) ? + $debug = defined($ENV{'DEB_BUILD_HARDENING_DEBUG'}) ? $ENV{'DEB_BUILD_HARDENING_DEBUG'} : $default{'DEB_BUILD_HARDENING_DEBUG'}; - my $use_linker = 1; + my $linking = 1; foreach my $arg (@ARGV) { - if ($arg eq "-fPIC" || - $arg eq "-fpic" || - $arg eq "-fno-PIC" || + if ($arg eq "-fno-PIC" || $arg eq "-fno-pic" || $arg eq "-fno-PIE" || $arg eq "-fno-pie" || @@ -48,37 +49,52 @@ $arg eq "-nostdlib" || $arg eq "-nostartfiles") { - $use_PIE = 0; + # If any PIC or PIE things are explicitly disabled, + # disable all our PIE flags. + $force_fPIE = 0; + $force_pie = 0; + } + if ($arg eq "-fPIC" || + $arg eq "-fpic") + { + # fPIC is a stricter version of fPIE, so don't use fPIE when + # we encounter fPIC. However, the inclusion of -fPIC does + # not mean we need to block the use of "-pie", which is still + # possible with fPIC. + $force_fPIE = 0; } if ($arg eq "-c") { - $use_linker = 0; + $linking = 0; } if ($arg =~ /^-D_FORTIFY_SOURCE(=|$)/) { - $use_fortify = 0; + $force_fortify = 0; } } - # Enable SSP by default (disable with -fno-stack-protector) - if ($use_stack) { + # Enable SSP by default + if ($force_stack) { push(@args,'-fstack-protector'); } - # Enable -fPIE by default (disable with -nopie) - if ($use_PIE) { + # Enable -fPIE by default + if ($force_fPIE) { push(@args, '-fPIE'); - if ($use_linker) { + } + if ($force_pie) { + if ($linking) { + # "-pie" is really only meaningful when calling the linker push(@args, '-pie'); } } # Enable glibc protections by default (-02 should already be defined...) # (disable with -D_FORTIFY_SOURCE=0) - if ($use_fortify) { + if ($force_fortify) { push(@args,'-D_FORTIFY_SOURCE=2'); } - # Enable format string checking (disable with -Wno-format) - if ($use_format) { + # Enable format string checking + if ($force_format) { push(@args,'-Wformat','-Wformat-security'); } } diff -Nru /tmp/GvwX4l6jf1/hardening-wrapper-1.8/hardened-ld /tmp/yY5kGfAL3U/hardening-wrapper-1.11/hardened-ld --- hardening-wrapper-1.8/hardened-ld 2008-03-21 12:35:56.000000000 -0700 +++ hardening-wrapper-1.11/hardened-ld 2008-04-14 16:05:55.000000000 -0700 @@ -12,45 +12,34 @@ # #OS# #CPU# $default{'DEB_BUILD_HARDENING_RELRO'}=1; - $default{'DEB_BUILD_HARDENING_PIE'}=1; $debug = defined($ENV{'DEB_BUILD_HARDENING_DEBUG'}) ? $ENV{'DEB_BUILD_HARDENING_DEBUG'} : $default{'DEB_BUILD_HARDENING_DEBUG'}; # Enable RELRO by default - my $use_relro = defined($ENV{'DEB_BUILD_HARDENING_RELRO'}) ? + my $force_relro = defined($ENV{'DEB_BUILD_HARDENING_RELRO'}) ? $ENV{'DEB_BUILD_HARDENING_RELRO'} : $default{'DEB_BUILD_HARDENING_RELRO'}; - if ($use_relro) { - push(@args,'-z','relro'); - } - # Enable PIE by default - my $use_PIE = defined($ENV{'DEB_BUILD_HARDENING_PIE'}) ? - $ENV{'DEB_BUILD_HARDENING_PIE'} : - $default{'DEB_BUILD_HARDENING_PIE'}; + my $index = 0; foreach my $arg (@ARGV) { - if ($arg eq "-nopie" || - $arg eq "-fno-PIE" || - $arg eq "-fno-pie" || - $arg eq "-static" || - $arg eq "-shared" || - $arg eq "-nostdlib" || - $arg eq "-nostartfiles") - { - $use_PIE = 0; + if ($arg eq "relro" && $index>0 && $ARGV[$index-1] eq "-z") { + $force_relro = 0; } + $index++; } - if ($use_PIE) { - push(@args,'-pie'); + + if ($force_relro) { + push(@args,'-z','relro'); } + } my $self = "hardened-ld"; my $link = ""; my $tool = $0; -if ($tool =~ /$self$/) { +if ($tool =~ /$self$/ || defined($ENV{'HARDENING_USE_USR_BIN'})) { $tool = "/usr/bin/ld"; } while (-l $tool && ($link = readlink($tool)) !~ /$self$/) { diff -Nru /tmp/GvwX4l6jf1/hardening-wrapper-1.8/hello.c /tmp/yY5kGfAL3U/hardening-wrapper-1.11/hello.c --- hardening-wrapper-1.8/hello.c 2008-03-21 12:46:49.000000000 -0700 +++ hardening-wrapper-1.11/hello.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,14 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include - -int main(int argc, char * argv[]) -{ - printf("Hardened compile ok\n"); - - return 0; -} diff -Nru /tmp/GvwX4l6jf1/hardening-wrapper-1.8/tests/Makefile /tmp/yY5kGfAL3U/hardening-wrapper-1.11/tests/Makefile --- hardening-wrapper-1.8/tests/Makefile 1969-12-31 16:00:00.000000000 -0800 +++ hardening-wrapper-1.11/tests/Makefile 2008-04-14 17:39:46.000000000 -0700 @@ -0,0 +1,91 @@ +#!/usr/bin/make -f + +BUILD_TREE=../build-tree + +WRAPPED_CC=$(BUILD_TREE)/hardened-cc +WRAPPED_CXX=$(BUILD_TREE)/hardened-c++ +WRAPPED_LD=$(BUILD_TREE)/hardened-ld + +# It seems that GCC_EXEC_PREFIX does not behave the same across all +# architectures, so we need to pass the -B flag instead. +CC=$(WRAPPED_CC) -B $(BUILD_TREE)/ + +WRAPPERS=$(WRAPPED_CC) $(WRAPPED_LD) $(WRAPPED_CXX) + + +SYMLINKED_LD=$(BUILD_TREE)/ld + +HELLO=hello.c + +TEST_REQS=$(HELLO) $(WRAPPERS) $(SYMLINKED_LD) + +export HARDENING_USE_USR_BIN=1 +export DEB_BUILD_HARDENING=1 +export DEB_BUILD_HARDENING_DEBUG=1 + +TESTS=\ + syntax.stamp \ + $(BUILD_TREE)/test-stock \ + $(BUILD_TREE)/test-compiled \ + $(SYMLINKED_LD) \ + $(BUILD_TREE)/test-linked \ + $(BUILD_TREE)/test-fPIC-direct \ + $(BUILD_TREE)/test-fPIC + +check: $(TESTS) + +clean: + rm -f $(TESTS) + +syntax.stamp: $(WRAPPERS) + # Test basic perl syntax + for script in $(WRAPPERS); do perl -c $$script; done + touch $@ + +########## +# Compilation and linking results tests + +$(BUILD_TREE)/test-stock: $(HELLO) $(WRAPPERS) + # Compiler and linker options disabled. + DEB_BUILD_HARDENING=0 $(CC) -o $@ $< + readelf -l $@ + $@ + +$(BUILD_TREE)/test-compiled: $(HELLO) $(WRAPPERS) + # Compiler options enabled. (linker is system-default) + $(CC) -o $@ $< + readelf -l $@ + # Run twice to show off PIE, if available in kernel + $@ + $@ + +$(SYMLINKED_LD): $(WRAPPED_LD) + # Enable symlink for ld to trick gcc into doing wrapped linking + (cd $(BUILD_TREE) && ln -s hardened-ld ld) + +$(BUILD_TREE)/test-linked: $(TEST_REQS) + # Compiler and linker options enabled. + $(CC) -o $@ $< + readelf -l $@ + # Run twice to show off PIE, if available in kernel + $@ + $@ + + +########## +# Compiler arg calling style tests + +# cmake likes to pass -fPIC to everything, which broke pre-1.10 wrappers +$(BUILD_TREE)/test-fPIC-direct: $(TEST_REQS) + # Build directly with -fPIC already defined + $(CC) -fPIC -o $@ $< + $@ + +$(BUILD_TREE)/test-fPIC.o: $(TEST_REQS) + # Build .o with -fPIC already defined + $(CC) -fPIC -o $@ -c $< + +$(BUILD_TREE)/test-fPIC: $(BUILD_TREE)/test-fPIC.o $(TEST_REQS) + # Link .o with -fPIC already defined + $(CC) -fPIC -o $@ $< + $@ diff -Nru /tmp/GvwX4l6jf1/hardening-wrapper-1.8/tests/hello.c /tmp/yY5kGfAL3U/hardening-wrapper-1.11/tests/hello.c --- hardening-wrapper-1.8/tests/hello.c 1969-12-31 16:00:00.000000000 -0800 +++ hardening-wrapper-1.11/tests/hello.c 2008-04-14 12:19:19.000000000 -0700 @@ -0,0 +1,20 @@ +#include +#include +#include +#include +#include +#include +#include + +int announcement(char *prog) +{ + char buf[1024]; + + snprintf(buf,sizeof(buf),"%s",prog); + return printf("%s: ok (%p)\n",buf,announcement); +} + +int main(int argc, char * argv[]) +{ + return !(announcement(argv[0]) > 0); +}