
[SCM] Debian package checker branch, master, updated. 2.5.11-76-g54feab1



The following commit has been merged in the master branch:
commit 54feab18ff54402ee6c897714b913f24933b3161
Author: Niels Thykier <niels@thykier.net>
Date:   Fri Jan 18 15:10:13 2013 +0100

    coll/hardening-info: Do another F-P -> F-N trade off
    
    Consider memmove and memset as "always safe", like "memcpy".  This
    is (another) false-positive -> false-negative trade-off for reducing
    the number of false-positives with hardening-no-fortify-functions.
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/collection/hardening-info b/collection/hardening-info
index 23eecd3..a3343bd 100755
--- a/collection/hardening-info
+++ b/collection/hardening-info
@@ -65,7 +65,7 @@ foreach my $bin ($info->sorted_index) {
     next unless $info->index ($bin)->is_file;
     # Skip kernel modules - most of the checks do not apply to the
     # kernel.
-    next if $bin =~ m/\.ko/o;
+    next if $bin =~ m/\.ko$/o;
     my $finfo = $info->file_info ($bin);
     next unless $finfo =~ m/\bELF\b/o;
     printf {$opts{pipe_in}} "%s\0", $bin;
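Review bot: The anchor added in `next if $bin =~ m/\.ko$/o;` uses `$`, which in Perl also matches just before a trailing newline, whereas `\z` pins the true end of the string: `next if $bin =~ m/\.ko\z/;`. Index entries are unlikely to carry a trailing newline, so this is a precision point rather than a live bug, but `\z` is the anchor that says what is meant. The `/o` modifier does nothing on a pattern with no interpolated variables and can go at the same time. The enclosing foreach over `$info->sorted_index` starts before this hunk and continues past it.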
diff --git a/collection/hardening-info-helper b/collection/hardening-info-helper
index deb950b..ee5159c 100755
--- a/collection/hardening-info-helper
+++ b/collection/hardening-info-helper
@@ -56,6 +56,11 @@ my @recheck = ();
 # Work around bug in hardening-check when it proceses multiple binaries
 # with --lintian (see #677530).
 my %seen = ();
+my %whitelisted_funcs = (
+    'memcpy' => 1,
+    'memset' => 1,
+    'memmove' => 1,
+);
 
 pipe ($cread, $cwrite) or fail "pipe failed: $!";
 $cpid = fork();
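Review bot: The new `%whitelisted_funcs` hash carries no comment explaining why these three functions are skipped, although the commit message makes clear it is a deliberate false-positive-for-false-negative trade-off for hardening-no-fortify-functions. Someone reading the helper on its own cannot tell whether the list is exhaustive, why memset and memmove were added, or what evidence is needed to extend it. I would put above the hash: `# Functions hardening-check may list as "unprotected" that we deliberately ignore: a false-positive -> false-negative trade-off for hardening-no-fortify-functions (see #685299).` The hash is declared at file scope and is used in the child branch of the fork later in this file.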
@@ -108,8 +113,9 @@ if (not $cpid) {
             $emit = 0;
         } elsif ($line =~ m/^\s+Fortify Source functions:/) {
             $infsf = 1;
-        } elsif ($infsf and $line =~ m/^\s+unprotected:\s*(\S+)/) {
-            next if $1 eq 'memcpy';
+        } elsif ($infsf and $line =~ m/^\s+(un)?protected:\s*(\S+)/) {
+            next unless ($1//'') eq 'un';
+            next if exists $whitelisted_funcs{$2};
             $emit = 1;
         } else {
             $infsf = 0;
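Review bot: The new `(un)?protected:` branch reads `$1` and `$2` across two statements and needs the `($1//'')` guard only because the optional group leaves `$1` undef; named captures state the intent and drop the guard: `} elsif ($infsf and $line =~ m/^\s+(?<un>un)?protected:\s*(?<func>\S+)/) {` then `next unless defined $+{un};` and `next if exists $whitelisted_funcs{$+{func}};`. On a whitelist hit the `next` fires before `$emit = 1`, so an unprotected memcpy/memset/memmove line appears to be dropped from whatever `$emit` forwards downstream; that matches the stated trade-off, but a one-line comment on the `next if exists` line saying so would help anyone later wondering why those functions never show up. The enclosing `if (not $cpid)` block and its line loop start before this hunk and continue past it.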
diff --git a/collection/hardening-info.desc b/collection/hardening-info.desc
index 82b5838..a4a7a7a 100644
--- a/collection/hardening-info.desc
+++ b/collection/hardening-info.desc
@@ -3,5 +3,5 @@ Author: Kees Cook <kees@debian.org>
 Info: This script runs hardening-check(1) over all ELF binaries of a binary
  package.
 Type: binary, udeb
-Version: 3
+Version: 4
 Needs-Info: bin-pkg-control, file-info, index, unpacked
diff --git a/debian/changelog b/debian/changelog
index bdbccc6..9d1e68f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -55,6 +55,10 @@ lintian (2.5.12) UNRELEASED; urgency=low
       not properly expand.  Thanks to Bernd Zeimetz for the report.
       (Closes: #683737)
 
+  * collection/hardening-info{,-helper,.desc}:
+    + [NT] Whitelist "memset" and "memmove" as "always safe"
+      functions.  Thanks to Sebastian Ramacher for the suggestion
+      and Roland Stigge for the report.  (Closes: #685299)
   * collection/strings:
     + [NT] Fix a regression in filtering out "debug" ELF binaries.
 
