
Re: [hardening-discuss] Using hardening-wrapper but lintian warning still present



On 20/06/12 21:56, Kees Cook wrote:
> If you're using debhelper compat level 9, you don't have to worry about
> including hardening-wrapper and using DEB_BUILD_HARDENING=1. You'll get
> the defaults automatically through debhelper. This is the preferred way
> to get build flags now.
>
Yes, I'm using it. I just re-compiled the package without the build-dep
and without the environment variable and it compiles and passes to CMake
the right compiler options, including the previously problematic CPPFLAGS.
> It is possible that the read() was checked at compile-time to be
> safe which is why it was not linked with the protected version
> ("__read_chk"). For example, this will always be safe:
>
>     char buf[100];
>     ...
>     read(fd, buf, 50);
>
> In this case, the compiler can see that the read() can never overflow
> the buf (50 is less than 100), so there is no reason to use the protected
> function.
>
> If you're building with -O1 (or higher) and -D_FORTIFY_SOURCE=2, the
> compiler is always always going to be doing the right thing. :)
>
> If you really want to, you can test that this is the case by finding the
> uses of read() and using a volatile global variable to replace the length
> argument. (Don't leave the code like this, since it's not a useful change,
> but it can be used to make sure the compiler is doing the right thing.)
>
>   volatile size_t read_length;
>   ...
>   char buf[100];
>   ...
>   read_length = 50;
>   read(fd, buf, read_length);
>
> If making that change causes hardening-check to see the __read_chk call,
> then the compiler is being smart and noticed that it doesn't need to do
> extra work at run time to verify the arguments, and you're clear to put
> in a lintian override.
I looked at the source and they only use "read" in one place (inside a
C++ class representing a standard file). The "read" takes as second
argument the argument of their StdioFile::Read function, but I have
checked all the uses of this StdioFile::Read and it's always safe
(always called with "buf" and "sizeof(buf)").

I will test with the "volatile" variable to assert that, and if it is
the case, I will add the override to my debian directory.

Thanks very much, you have been very helpful :-)

-- 
José Luis Segura Lucas
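The distinction discussed in the thread, a read() length the compiler can prove safe versus one only known at run time, is what glibc's __read_chk exists for: when _FORTIFY_SOURCE cannot resolve the length at compile time, the fortified call checks the length against the destination's size before reading. The block below is an added example written for this page, not code from Kees Cook, from glibc or from the package under discussion. It models that runtime check in plain C so the two cases from the thread can be exercised: checked_read, sample_fd, read_constant_length and read_runtime_length are hypothetical names, the pipe payload is constructed for the example, and where glibc aborts the process on an overflowing length this version fails the call with EOVERFLOW so the outcome is observable.

```c
/* Added example: a user-level model of the bounds check that glibc's
 * __read_chk performs when _FORTIFY_SOURCE is enabled and the compiler
 * cannot prove the length fits in the destination. Illustrative code for
 * this page, not glibc's implementation: glibc aborts on overflow, this
 * version returns -1 with errno set to EOVERFLOW instead. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <unistd.h>

/* Constructed sample payload (40 bytes) written into a pipe below. */
static const char SAMPLE[] = "0123456789012345678901234567890123456789";

/* Hypothetical checked wrapper: refuse any read that could write past the
 * end of the destination, which is exactly the condition __read_chk tests. */
ssize_t checked_read(int fd, void *buf, size_t nbytes, size_t buflen)
{
    if (nbytes > buflen) {
        errno = EOVERFLOW;
        return -1;
    }
    return read(fd, buf, nbytes);
}

/* Fill a pipe with SAMPLE and return its read end, or -1 on failure. */
static int sample_fd(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    ssize_t want = (ssize_t)(sizeof SAMPLE - 1);
    if (write(fds[1], SAMPLE, (size_t)want) != want) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);           /* reader will see EOF after the 40 bytes */
    return fds[0];
}

/* The "always safe" case from the thread: a constant length smaller than
 * the buffer. The check passes and read() returns what the pipe holds. */
ssize_t read_constant_length(void)
{
    char buf[100];
    int fd = sample_fd();
    if (fd < 0)
        return -1;
    ssize_t n = checked_read(fd, buf, 50, sizeof buf);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* The case the runtime check is for: the length comes from a volatile
 * global, so nothing can be proven at compile time, and here it exceeds
 * the 100-byte destination. read() is never reached. */
volatile size_t read_length = 150;

ssize_t read_runtime_length(void)
{
    char buf[100];
    int fd = sample_fd();
    if (fd < 0)
        return -1;
    ssize_t n = checked_read(fd, buf, read_length, sizeof buf);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}
```

Compiled with -O2 -D_FORTIFY_SOURCE=2 against glibc, the real read(fd, buf, 50) into a char[100] stays a plain read symbol because the compiler folds the size comparison away, while the read_length variant is what makes __read_chk appear in the binary; this model performs the same comparison in source so the two outcomes can be observed without inspecting symbols.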

