
Bug#650536: update!



Hi Niels,

On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote:
> I have started an unofficial branch[1] to get something more concrete on
> this.  I decided to rename the tags so they had a common prefix (it
> simplified the update to t/scripts/implemented-tags.t).

Attached is a patch to clean up the remaining tests that still needed
stack protector and fortify to show up in their binaries.

> Last I checked we still have an "outstanding issue" hardening-check
> using ldd, which I am not certain will work with "foreign" binaries (see
> comment #39).  I suspect it will mostly affect people who do
> cross-builds and lintian.d.o[2].

And this should be taken care of now in hardening-includes 2.0, which
uses a hard-coded list of libc functions instead of trying to build the
list at runtime.

After this patch, the TODO's single remaining item is:

    + revise tag certainty and description:
      - overrides (we can't do much about FP etc.)

What is needed for this? Should I expand the descriptions more? Or was
there something else?

Thanks!

-Kees

-- 
Kees Cook                                            @debian.org
From 44917dcc8af48043cb22b104398cfc494b74fbf6 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@outflux.net>
Date: Sat, 31 Mar 2012 23:59:28 -0700
Subject: [PATCH] Update for latest hardening-check

Additionally, clean up remaining hardening warnings in the tests.

Signed-off-by: Kees Cook <kees@debian.org>
---
 collection/hardening-info                          |    7 -------
 debian/changelog                                   |    7 +------
 debian/control                                     |    2 +-
 .../debian/hardening-trigger.h                     |    6 ++++++
 t/tests/binaries-embedded-libs/debian/libbz2.c     |    1 +
 t/tests/binaries-embedded-libs/debian/libexpat.c   |    1 +
 t/tests/binaries-embedded-libs/debian/libjpeg.c    |    1 +
 t/tests/binaries-embedded-libs/debian/libm.c       |    1 +
 t/tests/binaries-embedded-libs/debian/libmagic.c   |    1 +
 .../binaries-embedded-libs/debian/libopenjpeg.c    |    1 +
 t/tests/binaries-embedded-libs/debian/libpcre3.c   |    1 +
 t/tests/binaries-embedded-libs/debian/libpng.c     |    1 +
 t/tests/binaries-embedded-libs/debian/libsqlite.c  |    1 +
 t/tests/binaries-embedded-libs/debian/libtiff.c    |    1 +
 t/tests/binaries-embedded-libs/debian/libxml2.c    |    1 +
 t/tests/binaries-embedded-libs/debian/zlib.c       |    1 +
 .../debian/basic.c                                 |   10 ++++++++++
 .../debian/basic.c                                 |   10 ++++++++++
 .../debian/basic.c                                 |   10 ++++++++++
 t/tests/binaries-missing-depends/debian/basic.c    |   10 ++++++++++
 t/tests/binaries-multiarch-same/debian/basic.c     |   10 ++++++++++
 .../binaries-multiarch-wrong-dir/debian/basic.c    |   10 ++++++++++
 t/tests/binaries-multiarch/debian/basic.c          |   10 ++++++++++
 t/tests/binaries-spelling/debian/basic.c           |   10 ++++++++++
 t/tests/binaries-unsafe-open/debian/dummy.c        |   10 ++++++++++
 t/tests/strings-elf-detection/debian/Makefile      |    7 +++++++
 t/tests/strings-elf-detection/debian/debian/rules  |    3 +--
 t/tests/strings-elf-detection/debian/true.c        |   17 +++++++++++++++++
 28 files changed, 135 insertions(+), 16 deletions(-)
 create mode 100644 t/tests/binaries-embedded-libs/debian/hardening-trigger.h
 create mode 100644 t/tests/strings-elf-detection/debian/Makefile
 create mode 100644 t/tests/strings-elf-detection/debian/true.c

diff --git a/collection/hardening-info b/collection/hardening-info
index 6692c96..b7408be 100755
--- a/collection/hardening-info
+++ b/collection/hardening-info
@@ -44,13 +44,6 @@ if ( -e "$dir/hardening-info" ) {
 open OUT, '>', "$dir/hardening-info"
     or fail("cannot open hardening-info: $!");
 
-# If we're running inside the Lintian test suite itself, we need to avoid
-# all the tests except the "binaries-hardening" test.
-exit 0
-    if (defined $ENV{'LINTIAN_INTERNAL_TESTSUITE'} and
-        $ENV{'LINTIAN_INTERNAL_TESTSUITE'} eq "1" and
-        $dir !~ m|/binaries-hardening/binaries-hardening_1.0_.*_binary$|);
-
 # Prepare to examine the file tree.
 chdir ("$dir/unpacked")
     or fail("unable to chdir to unpacked: $!");
diff --git a/debian/changelog b/debian/changelog
index 1a71129..42224a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,13 +1,8 @@
 lintian (2.5.6) UNRELEASED; urgency=low
 
   * BRANCH TODO:
-    + handle checking of binaries from foreign architectures:
-      - hardening-check uses ldd
     + revise tag certainty and description:
       - overrides (we can't do much about FP etc.)
-    + test suite clean up:
-      - remove test-suite check in coll/hardening-info
-      - fix broken tests
 
   * checks/*:
     + [NT] Simplified some bit operations done on file permissions.
@@ -58,7 +53,7 @@ lintian (2.5.6) UNRELEASED; urgency=low
   * checks/binaries, collector/hardening-info*:
     + Add ELF hardening checks.  (Closes: 650536)
 
- -- Kees Cook <kees@ubuntu.com>  Sun, 04 Mar 2012 12:40:41 -0800
+ -- Kees Cook <kees@debian.org>  Sat, 31 Mar 2012 18:03:36 -0700
 
 lintian (2.5.5) unstable; urgency=low
 
diff --git a/debian/control b/debian/control
index f13205a..e0a983e 100644
--- a/debian/control
+++ b/debian/control
@@ -19,7 +19,7 @@ Build-Depends: binutils,
                fakeroot,
                file,
                gettext,
-               hardening-includes (>= 1.35),
+               hardening-includes (>= 2.0),
                intltool-debian,
                javahelper (>= 0.32~),
                libapt-pkg-perl,
diff --git a/t/tests/binaries-embedded-libs/debian/hardening-trigger.h b/t/tests/binaries-embedded-libs/debian/hardening-trigger.h
new file mode 100644
index 0000000..0bfe592
--- /dev/null
+++ b/t/tests/binaries-embedded-libs/debian/hardening-trigger.h
@@ -0,0 +1,6 @@
+void e(char *p, int i, void (*f)(char *)){
+  char test[10];
+  memcpy(test, p, i);
+  f(test);
+  printf("%s", test);
+}
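Review bot: The new header calls `memcpy` and `printf` without including `<string.h>` or `<stdio.h>` itself, so it only compiles because every includer happens to pull in `<stdio.h>` first and `memcpy` is implicitly declared (a warning under -Wimplicit-function-declaration). glibc's `_FORTIFY_SOURCE` replacement for `memcpy` is only visible through `<string.h>`, so the implicit declaration may leave that call unfortified and the fortify tag then depends solely on the `printf("%s", test)` below it; adding `#include <stdio.h>` and `#include <string.h>` at the top of the header removes that fragility. The function must presumably stay non-static, since nothing calls it and a `static` unused function would be dropped, but exporting a symbol named `e` from every embedded-lib test object is a poor choice; a prefixed name such as `lintian_hardening_trigger` avoids clashing with whatever real symbols these tests imitate. A one-line comment stating why the function is deliberately unsafe would stop a future reader from cleaning it up.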
diff --git a/t/tests/binaries-embedded-libs/debian/libbz2.c b/t/tests/binaries-embedded-libs/debian/libbz2.c
index d0ab79b..9fc9d92 100644
--- a/t/tests/binaries-embedded-libs/debian/libbz2.c
+++ b/t/tests/binaries-embedded-libs/debian/libbz2.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 static const char bzip2_bug[]
     = "This is a bug in bzip2";
diff --git a/t/tests/binaries-embedded-libs/debian/libexpat.c b/t/tests/binaries-embedded-libs/debian/libexpat.c
index 707f1d6..1df8c01 100644
--- a/t/tests/binaries-embedded-libs/debian/libexpat.c
+++ b/t/tests/binaries-embedded-libs/debian/libexpat.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * The XML_DTD warning string is always present, even if expat was
diff --git a/t/tests/binaries-embedded-libs/debian/libjpeg.c b/t/tests/binaries-embedded-libs/debian/libjpeg.c
index ddf2cc9..6f76a7d 100644
--- a/t/tests/binaries-embedded-libs/debian/libjpeg.c
+++ b/t/tests/binaries-embedded-libs/debian/libjpeg.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * The quantization tables warning message is unique enough to be used to
diff --git a/t/tests/binaries-embedded-libs/debian/libm.c b/t/tests/binaries-embedded-libs/debian/libm.c
index 31e43f5..b69548d 100644
--- a/t/tests/binaries-embedded-libs/debian/libm.c
+++ b/t/tests/binaries-embedded-libs/debian/libm.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 static const char domain_error[]
     = "neg**non-integral: DOMAIN error";
diff --git a/t/tests/binaries-embedded-libs/debian/libmagic.c b/t/tests/binaries-embedded-libs/debian/libmagic.c
index 8bd0788..d8a7d4c 100644
--- a/t/tests/binaries-embedded-libs/debian/libmagic.c
+++ b/t/tests/binaries-embedded-libs/debian/libmagic.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 static const char no_magic_files[]
     = "could not find any magic files!";
diff --git a/t/tests/binaries-embedded-libs/debian/libopenjpeg.c b/t/tests/binaries-embedded-libs/debian/libopenjpeg.c
index 0dd0f28..b232b21 100644
--- a/t/tests/binaries-embedded-libs/debian/libopenjpeg.c
+++ b/t/tests/binaries-embedded-libs/debian/libopenjpeg.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * The tcd_decode error message appears to be unique enough to be used to
diff --git a/t/tests/binaries-embedded-libs/debian/libpcre3.c b/t/tests/binaries-embedded-libs/debian/libpcre3.c
index 9ec595f..5eca82e 100644
--- a/t/tests/binaries-embedded-libs/debian/libpcre3.c
+++ b/t/tests/binaries-embedded-libs/debian/libpcre3.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * The PCRE_UTF8 message is unique enough to be used to
diff --git a/t/tests/binaries-embedded-libs/debian/libpng.c b/t/tests/binaries-embedded-libs/debian/libpng.c
index 80718a9..3de5e57 100644
--- a/t/tests/binaries-embedded-libs/debian/libpng.c
+++ b/t/tests/binaries-embedded-libs/debian/libpng.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * The png_zalloc overflow error message is unique enough to be used to
diff --git a/t/tests/binaries-embedded-libs/debian/libsqlite.c b/t/tests/binaries-embedded-libs/debian/libsqlite.c
index 1d2020c..9bc97d0 100644
--- a/t/tests/binaries-embedded-libs/debian/libsqlite.c
+++ b/t/tests/binaries-embedded-libs/debian/libsqlite.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * the sqlite_master table is used by sqlite 2 and 3
diff --git a/t/tests/binaries-embedded-libs/debian/libtiff.c b/t/tests/binaries-embedded-libs/debian/libtiff.c
index 3d0d34f..ec36402 100644
--- a/t/tests/binaries-embedded-libs/debian/libtiff.c
+++ b/t/tests/binaries-embedded-libs/debian/libtiff.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * The PixarLog error message is unique enough to be used to
diff --git a/t/tests/binaries-embedded-libs/debian/libxml2.c b/t/tests/binaries-embedded-libs/debian/libxml2.c
index 609602f..5c151d2 100644
--- a/t/tests/binaries-embedded-libs/debian/libxml2.c
+++ b/t/tests/binaries-embedded-libs/debian/libxml2.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 static const char root_dtd_mismatch[]
     = "root and DTD name do not match '%s' and '%s'";
diff --git a/t/tests/binaries-embedded-libs/debian/zlib.c b/t/tests/binaries-embedded-libs/debian/zlib.c
index 3237ebd..eb43c79 100644
--- a/t/tests/binaries-embedded-libs/debian/zlib.c
+++ b/t/tests/binaries-embedded-libs/debian/zlib.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include "hardening-trigger.h"
 
 /*
  * zlib asks derivative works to include this string, so it's the signature
diff --git a/t/tests/binaries-missing-depends-on-libc/debian/basic.c b/t/tests/binaries-missing-depends-on-libc/debian/basic.c
index a03a790..7bdd01c 100644
--- a/t/tests/binaries-missing-depends-on-libc/debian/basic.c
+++ b/t/tests/binaries-missing-depends-on-libc/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 lib_interface(void)
 {
     printf("Hello world!\n");
+    hardening_trigger(NULL, 0, NULL);
 }
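Review bot: `memcpy` in the new `hardening_trigger` is called without `<string.h>` — this file only includes `<stdio.h>` — so it is implicitly declared, which GCC warns about and which bypasses the fortified `memcpy` wrapper glibc provides through that header; add `#include <string.h>` after the existing include. Also note that `hardening_trigger(NULL, 0, NULL)` makes `lib_interface` call through a null function pointer at `f(test)`, so the library can no longer be exercised at runtime; `if (f) f(test);` keeps the escaped address that the stack-protector trigger needs while avoiding the guaranteed crash.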
diff --git a/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c b/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c
index deea058..5e0971d 100644
--- a/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c
+++ b/t/tests/binaries-missing-depends-on-numpy-abi/debian/basic.c
@@ -1,7 +1,17 @@
 #include <Python.h>
 #include <numpy/arrayobject.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 void do_import_array(void)
 {
 	import_array();
+	hardening_trigger(NULL, 0, NULL);
 }
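Review bot: `f(test)` in the new `hardening_trigger` is reached with `f == NULL` from the call added to `do_import_array`, so importing this extension would crash the interpreter if anyone ever loads it rather than just inspecting the .so; `if (f) f(test);` preserves the escaped-address effect the trigger is after. The `printf("%s", test)` that follows prints an uninitialized, unterminated buffer when `i` is 0; declaring `char test[10] = "";` avoids reading indeterminate stack bytes without changing the char array the stack protector keys on.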
diff --git a/t/tests/binaries-missing-depends-on-xapi/debian/basic.c b/t/tests/binaries-missing-depends-on-xapi/debian/basic.c
index a03a790..7bdd01c 100644
--- a/t/tests/binaries-missing-depends-on-xapi/debian/basic.c
+++ b/t/tests/binaries-missing-depends-on-xapi/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 lib_interface(void)
 {
     printf("Hello world!\n");
+    hardening_trigger(NULL, 0, NULL);
 }
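Review bot: `printf("%s", test)` reads `test` as a NUL-terminated string, but with the `(NULL, 0, NULL)` call added to `lib_interface` nothing is copied into it, so this prints indeterminate stack bytes and reads past the 10-byte array until a zero happens to appear. Declaring `char test[10] = "";` (or writing `test[sizeof test - 1] = '\0';` after the copy) keeps the array and the `memcpy` that the stack-protector and fortify checks look for while making the function safe to execute. The `memcpy` also needs `<string.h>`, which this file does not include.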
diff --git a/t/tests/binaries-missing-depends/debian/basic.c b/t/tests/binaries-missing-depends/debian/basic.c
index a03a790..7bdd01c 100644
--- a/t/tests/binaries-missing-depends/debian/basic.c
+++ b/t/tests/binaries-missing-depends/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 lib_interface(void)
 {
     printf("Hello world!\n");
+    hardening_trigger(NULL, 0, NULL);
 }
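Review bot: `hardening_trigger` is `static` and its only call passes compile-time constants, so at -O2 the compiler is free to inline it into `lib_interface` and fold `memcpy(test, NULL, 0)` away, which may remove exactly the fortified call this change wants to see in the binary; if the test proves optimization-sensitive, `__attribute__((noinline))` on the helper or passing non-constant arguments makes the trigger robust. Separately, `int i` is passed to `memcpy` as a `size_t` length, so a negative value becomes a huge copy; `size_t i` is the honest type for a length parameter and does not affect the instrumentation.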
diff --git a/t/tests/binaries-multiarch-same/debian/basic.c b/t/tests/binaries-multiarch-same/debian/basic.c
index a03a790..7bdd01c 100644
--- a/t/tests/binaries-multiarch-same/debian/basic.c
+++ b/t/tests/binaries-multiarch-same/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 lib_interface(void)
 {
     printf("Hello world!\n");
+    hardening_trigger(NULL, 0, NULL);
 }
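Review bot: The new `hardening_trigger` copies `i` bytes into a 10-byte array with no bound check and then calls `f` unconditionally, and the only caller passes `NULL, 0, NULL`, so a guaranteed crash is now reachable from the library's public `lib_interface`. If the aim is only to get a stack-protected frame and a fortified `memcpy` into the object, `if (f) f(test);` plus `#include <string.h>` (missing here, so `memcpy` is implicitly declared) yields the same instrumentation without leaving a trap for anyone who links the test package. A comment such as `/* Deliberately unsafe: exists only so hardening-check sees __stack_chk_fail and *_chk symbols. */` would also stop a future reader from "fixing" it away.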
diff --git a/t/tests/binaries-multiarch-wrong-dir/debian/basic.c b/t/tests/binaries-multiarch-wrong-dir/debian/basic.c
index a03a790..7bdd01c 100644
--- a/t/tests/binaries-multiarch-wrong-dir/debian/basic.c
+++ b/t/tests/binaries-multiarch-wrong-dir/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 lib_interface(void)
 {
     printf("Hello world!\n");
+    hardening_trigger(NULL, 0, NULL);
 }
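Review bot: The `memcpy` after `char test[10];` has no declaration in scope — only `<stdio.h>` is included — so this compiles on an implicit declaration, and glibc's `_FORTIFY_SOURCE` replacement for `memcpy` is only visible through `<string.h>`; if the fortify tag is supposed to be satisfied by this call rather than by the following `printf`, add `#include <string.h>`. It is worth confirming with `hardening-check` on the built .so that `__memcpy_chk` actually appears.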
diff --git a/t/tests/binaries-multiarch/debian/basic.c b/t/tests/binaries-multiarch/debian/basic.c
index a03a790..7bdd01c 100644
--- a/t/tests/binaries-multiarch/debian/basic.c
+++ b/t/tests/binaries-multiarch/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 lib_interface(void)
 {
     printf("Hello world!\n");
+    hardening_trigger(NULL, 0, NULL);
 }
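Review bot: `hardening_trigger` is copy-pasted identically into nine test sources in this patch while `t/tests/binaries-embedded-libs` got a shared `hardening-trigger.h`; keeping one copy per test directory is probably deliberate (each test builds in isolation), but a comment pointing at the canonical copy would help whoever next has to change the trigger. On the code itself, `f(test)` is called unconditionally and the only caller passes `NULL`; `if (f) f(test);` avoids a null-pointer call without changing the instrumentation the check looks for.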
diff --git a/t/tests/binaries-spelling/debian/basic.c b/t/tests/binaries-spelling/debian/basic.c
index 419cbfb..d952f45 100644
--- a/t/tests/binaries-spelling/debian/basic.c
+++ b/t/tests/binaries-spelling/debian/basic.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 main(void)
 {
     printf("I iz an exprimental speling error!\n");
+    hardening_trigger(NULL, 0,NULL);
 }
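Review bot: The added call `hardening_trigger(NULL, 0,NULL);` drops the space after the second comma, unlike the otherwise identical call in the other test sources; `hardening_trigger(NULL, 0, NULL);` keeps them uniform. Since this is `main`, running the built binary will now segfault at `f(test)` through the null function pointer, a behaviour change for a test binary that previously just printed a string; `if (f) f(test);` keeps the hardening trigger intact. `memcpy` is also used without `<string.h>`.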
diff --git a/t/tests/binaries-unsafe-open/debian/dummy.c b/t/tests/binaries-unsafe-open/debian/dummy.c
index 54dcf61..0f69947 100644
--- a/t/tests/binaries-unsafe-open/debian/dummy.c
+++ b/t/tests/binaries-unsafe-open/debian/dummy.c
@@ -1,7 +1,17 @@
 #include <stdio.h>
 
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
 int
 main(void)
 {
     printf("hello world\n");
+    hardening_trigger(NULL, 0, NULL);
 }
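Review bot: `memcpy` is called here without `<string.h>`; the file includes only `<stdio.h>`, so the call relies on an implicit declaration, and the fortified `memcpy` wrapper that makes `__memcpy_chk` appear in the binary is only provided by `<string.h>`. Adding `#include <string.h>` next to the existing include lets the fortify trigger rest on `memcpy` and not just on the `printf("%s", test)` that follows. The `(NULL, 0, NULL)` call from `main` also means the binary crashes if executed; `if (f) f(test);` avoids that at no cost to the instrumentation.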
diff --git a/t/tests/strings-elf-detection/debian/Makefile b/t/tests/strings-elf-detection/debian/Makefile
new file mode 100644
index 0000000..a877dfd
--- /dev/null
+++ b/t/tests/strings-elf-detection/debian/Makefile
@@ -0,0 +1,7 @@
+all:
+	gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o true true.c
+
+clean distclean:
+	rm -f true
+
+check test:
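Review bot: The build rule hard-codes `gcc` instead of `$(CC)`, which is exactly what breaks a cross-build — the case this thread is trying to support — because dpkg's cross toolchain is selected through `CC`. `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o true true.c` follows the dpkg-buildflags ordering and picks up whatever compiler `dh_auto_build` exports. Note that the hardening flags this test depends on only reach this Makefile if `dh` exports dpkg-buildflags, which depends on the debhelper compat level; the compat file is not in this patch, so that is worth confirming.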
diff --git a/t/tests/strings-elf-detection/debian/debian/rules b/t/tests/strings-elf-detection/debian/debian/rules
index 9225aff..ff00c70 100755
--- a/t/tests/strings-elf-detection/debian/debian/rules
+++ b/t/tests/strings-elf-detection/debian/debian/rules
@@ -4,9 +4,8 @@ pkg=strings-elf-detection
 	dh $@
 
 override_dh_install:
-	cp /bin/true .
 	touch foo bar::ELF
 	mkdir -p debian/$(pkg)/usr/lib/foo
-	cp /bin/true debian/$(pkg)/usr/lib/foo/true\ false
+	cp true debian/$(pkg)/usr/lib/foo/true\ false
 	dh_install
 
diff --git a/t/tests/strings-elf-detection/debian/true.c b/t/tests/strings-elf-detection/debian/true.c
new file mode 100644
index 0000000..0f69947
--- /dev/null
+++ b/t/tests/strings-elf-detection/debian/true.c
@@ -0,0 +1,17 @@
+#include <stdio.h>
+
+static void
+hardening_trigger(char *p, int i, void (*f)(char *))
+{
+    char test[10];
+    memcpy(test, p, i);
+    f(test);
+    printf("%s", test);
+}
+
+int
+main(void)
+{
+    printf("hello world\n");
+    hardening_trigger(NULL, 0, NULL);
+}
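Review bot: This `true` is installed as an ELF file for the strings-elf-detection test, but unlike the `/bin/true` it replaces it will crash if executed, since `main` calls `hardening_trigger(NULL, 0, NULL)` and that calls `f(test)` through a null pointer; `if (f) f(test);` keeps the stack-protector and fortify triggers and lets the binary exit normally. `memcpy` is also used without `<string.h>`, so add that include next to `<stdio.h>`. A header comment such as `/* Minimal ELF binary carrying a hardening trigger; only its presence in the package matters. */` would explain why this file exists.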
-- 
1.7.9.1

