From: Steven Barth Date: Tue, 23 Jun 2015 14:38:03 +0000 (+0000) Subject: toolchain: add fortify-headers, enable FORTIFY_SOURCE by default X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=da0b4d006622ee46be2bb66b8116321dd78d030a;p=openwrt%2Fsvn-archive%2Farchive.git toolchain: add fortify-headers, enable FORTIFY_SOURCE by default Signed-off-by: Steven Barth SVN-Revision: 46117 --- diff --git a/config/Config-build.in b/config/Config-build.in index 35c07c63f8..aef03444c2 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -251,6 +251,7 @@ menu "Global build settings" choice prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" + default PKG_FORTIFY_SOURCE_1 help Enable the _FORTIFY_SOURCE macro which introduces additional checks to detect buffer-overflows in the following standard library diff --git a/rules.mk b/rules.mk index cb0b7da4ae..a0a9a5d202 100644 --- a/rules.mk +++ b/rules.mk @@ -144,7 +144,7 @@ ifndef DUMP export GCC_HONOUR_COPTS:=0 TARGET_CROSS:=$(if $(TARGET_CROSS),$(TARGET_CROSS),$(OPTIMIZE_FOR_CPU)-openwrt-linux$(if $(TARGET_SUFFIX),-$(TARGET_SUFFIX))-) TARGET_CFLAGS+= -fhonour-copts $(if $(CONFIG_GCC_VERSION_4_4)$(CONFIG_GCC_VERSION_4_5),,-Wno-error=unused-but-set-variable) - TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include + TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include/fortify -I$(TOOLCHAIN_DIR)/include TARGET_LDFLAGS+= -L$(TOOLCHAIN_DIR)/usr/lib -L$(TOOLCHAIN_DIR)/lib TARGET_PATH:=$(TOOLCHAIN_DIR)/bin:$(TARGET_PATH) else diff --git a/toolchain/Makefile b/toolchain/Makefile index c250cba480..cd5399e041 100644 --- a/toolchain/Makefile +++ b/toolchain/Makefile @@ -28,7 +28,7 @@ curdir:=toolchain # subdirectories to descend into -$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC)) +$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC) fortify-headers) ifdef CONFIG_USE_UCLIBC $(curdir)/builddirs += $(LIBC)/utils endif diff --git a/toolchain/fortify-headers/Makefile b/toolchain/fortify-headers/Makefile new file mode 100644 index 0000000000..b9cefe5935 --- /dev/null +++ b/toolchain/fortify-headers/Makefile @@ -0,0 +1,28 @@ +# +# Copyright (C) 2015 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/target.mk + +PKG_NAME:=fortify-headers +PKG_VERSION:=0.6 +PKG_RELEASE=1 + +PKG_SOURCE_URL:=http://dl.2f30.org/releases +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_MD5SUM:=d85072939ec02a40af282fe3febc6c18 + +include $(INCLUDE_DIR)/toolchain-build.mk + +define Host/Compile + true +endef + +define Host/Install + $(MAKE) -C $(HOST_BUILD_DIR) PREFIX="" DESTDIR="$(TOOLCHAIN_DIR)" install +endef + +$(eval $(call HostBuild)) diff --git a/toolchain/fortify-headers/patches/100-fix-getgroups.patch b/toolchain/fortify-headers/patches/100-fix-getgroups.patch new file mode 100644 index 0000000000..988deb5815 --- /dev/null +++ b/toolchain/fortify-headers/patches/100-fix-getgroups.patch @@ -0,0 +1,26 @@ +From 1f9848efc8a329cb9a13323cbb94b353d39802c1 Mon Sep 17 00:00:00 2001 +From: Steven Barth +Date: Mon, 22 Jun 2015 14:36:16 +0200 +Subject: [PATCH] unistd: fix signed / unsigned comparison in getgroups + +Signed-off-by: Steven Barth +--- + include/unistd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/unistd.h b/include/unistd.h +index 45304e1..5274e22 100644 +--- a/include/unistd.h ++++ b/include/unistd.h +@@ -71,7 +71,7 @@ _FORTIFY_FN(getgroups) int getgroups(int __l, gid_t *__s) + { + size_t __b = __builtin_object_size(__s, 0); + +- if (__l > __b / sizeof(gid_t)) ++ if (__l < 0 || (size_t)__l > __b / sizeof(gid_t)) + __builtin_trap(); + return __orig_getgroups(__l, __s); + } +-- +2.1.4 +