Bug#673112: lintian: hardening-no-stackprotector check has many false positives
On 2012-05-22 12:54, Niels Thykier wrote:
> On 2012-05-21 20:25, Modestas Vainius wrote:
>> Hello,
>>
>
> Hi,
>
> [...]
>
> We use hardening-check (from hardening-includes) - as I recall it
> carries a list of "unprotected functions" and checks for them (via
> readelf). It maps them to a "safe-variant" and checks for that as well.
> If both protected and unprotected are used or if no unprotected
> functions are used, it should mark it safe. However, I believe Kees
> (CC'ed) can correct me on (or confirm) the above.
>
> ~Niels
Turns out hardening-check has a verbose flag that makes it print the
affected functions - testing amarok (testing i386) I got [1]. Looks like
memcpy is the primary source of false positives (for amarok).
If it turns out that memcpy is (in general) the primary source of these
false positives, perhaps it would be better to skip that particular
function than to disable the entire check.
~Niels
[1]
$ hardening-check --verbose $(find usr/lib/ -type f) | perl -ne \
'print if /^\s+(un)?protected:/' | sort | uniq -c
1 protected: fprintf
1 protected: memcpy
1 protected: memmove
1 protected: memset
1 protected: pread64
1 protected: printf
1 protected: realpath
1 protected: snprintf
1 protected: sprintf
1 protected: strcat
1 protected: strcpy
1 protected: strncat
1 protected: strncpy
1 protected: vfprintf
1 protected: vsnprintf
1 unprotected: asprintf
1 unprotected: confstr
1 unprotected: fgets
1 unprotected: fprintf
2 unprotected: fread
1 unprotected: getcwd
1 unprotected: gethostname
43 unprotected: memcpy
1 unprotected: memmove
3 unprotected: memset
1 unprotected: pread64
1 unprotected: printf
1 unprotected: read
1 unprotected: readlink
1 unprotected: recv
1 unprotected: snprintf
2 unprotected: sprintf
1 unprotected: stpcpy
1 unprotected: strcat
2 unprotected: strcpy
2 unprotected: strncpy
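As an added illustration (not hardening-check's own code, nor part of this bug report): a Python sketch of the fortify classification Niels describes, run over constructed readelf-style symbol rows for two imaginary libraries. The `readelf -sW` row layout, the subset of checked functions, the glibc `__<name>_chk` naming and the `skip` option (modelling the "skip memcpy" idea) are assumptions made for the example.

```python
import re
from collections import Counter

# Subset of the unprotected -> fortified mapping hardening-check carries;
# glibc names the FORTIFY_SOURCE variant of <name> "__<name>_chk".
UNPROTECTED = ["memcpy", "memmove", "memset", "strcpy", "strncpy",
               "sprintf", "snprintf", "fgets", "read", "getcwd"]
FORTIFIED = {f: f"__{f}_chk" for f in UNPROTECTED}

# One undefined FUNC row of `readelf -sW` output (assumed column layout).
UND_FUNC = re.compile(r"^\s*\d+:\s+\S+\s+\d+\s+FUNC\s+\S+\s+\S+\s+UND\s+(\S+)")

def undefined_functions(readelf_text):
    """Undefined function names with any @GLIBC_x.y version suffix removed."""
    names = set()
    for line in readelf_text.splitlines():
        m = UND_FUNC.match(line)
        if m:
            names.add(m.group(1).split("@")[0])
    return names

def classify(names):
    """Split the checked functions the way hardening-check --verbose lists them."""
    protected = {f for f in UNPROTECTED if FORTIFIED[f] in names}
    unprotected = {f for f in UNPROTECTED if f in names}
    return protected, unprotected

def fortified(protected, unprotected, skip=frozenset()):
    """hardening-check's rule as described in the thread: safe if any fortified
    variant is used or nothing unprotected remains; `skip` ignores functions."""
    return bool(protected) or not (unprotected - skip)

def tally(readelf_outputs):
    """(state, function) counts over many binaries, like the `sort | uniq -c` in [1]."""
    counts = Counter()
    for text in readelf_outputs:
        protected, unprotected = classify(undefined_functions(text))
        counts.update(("protected", f) for f in protected)
        counts.update(("unprotected", f) for f in unprotected)
    return counts

ROW = "  {n}: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND {sym}"
def fake_readelf(*symbols):  # constructed sample rows, not real readelf output
    return "\n".join(ROW.format(n=i, sym=s) for i, s in enumerate(symbols, 1))

# lib_a: fixed-size strcpy/memcpy calls were fortified, but one memcpy of
# runtime-sized data stayed plain.  lib_b: only runtime-sized memcpy calls.
LIB_A = fake_readelf("memcpy@GLIBC_2.14", "__memcpy_chk@GLIBC_2.3.4",
                     "__strcpy_chk@GLIBC_2.3.4", "malloc@GLIBC_2.2.5")
LIB_B = fake_readelf("memcpy@GLIBC_2.14", "malloc@GLIBC_2.2.5")
```

With these inputs lib_a passes, lib_b fails, and lib_b passes again once memcpy is skipped, which is the false-positive pattern the thread suspects.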