
Bug#921136: lintian: hardening-no-fortify-functions possible false positive



On Tue, Oct 29, 2019 at 11:05:02PM -0400, Scott Talbert wrote:
> On Wed, 30 Oct 2019, Olly Betts wrote:
> 
> > The same issue applies to memcpy() which is why it's deliberately from
> > lintian's list:
> > 
> > https://sources.debian.org/src/lintian/2.31.0/data/binaries/hardened-functions/?hl=6#L6
> > 
> > Presumably wmemcpy() is simply much less widely used than memcpy(), and
> > that's the only reason it's not also omitted already.
> 
> Thanks for the details, Olly.  So, what you're saying is that wmemcpy should
> be excluded from hardened-functions?

Yes.  Probably wmemset and wmemmove should be too.  The history of
this seems to be in #673112 (don't be misled by the bug title!)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673112#67 suggests
that perhaps recvfrom, recv and read ought to be as well.

The whole approach seems a bit flawed though - the
hardening-no-fortify-functions description says:

| Either there are no potentially unfortified functions called by any
| routines, all unfortified calls have already been fully validated at
| compile-time, or the package was not built with the default Debian
| compiler flags defined by dpkg-buildflags

One of the first two cases seems to often be true for a lot of C++
code.

I thought I read ages ago about an idea to record the hardening flags as
notes in the compiled files, which seemed a much more satisfactory
approach, but I guess nothing ever came of it.

Cheers,
    Olly
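
The false positive discussed in this message, as an added example that is not part of the original e-mail and is not lintian's code: a simplified model of a symbol-list heuristic, showing that a fortified build whose wmemcpy calls were all validated at compile time is indistinguishable from an unfortified build. The function list, the `check` helper and the import lists are assumptions constructed for the illustration.

```python
# Added illustration: a simplified model of a symbol-list fortify heuristic.
# It is NOT lintian's code; the list contents and sample imports are constructed.

# Hypothetical stand-in for a "hardened-functions" data file.
HARDENED = {"strcpy", "sprintf", "recv", "read", "wmemcpy", "wmemset", "wmemmove"}
TAG = "hardening-no-fortify-functions"


def check(imports, hardened):
    """Return TAG if the import list looks unfortified under the model, else None."""
    imports = set(imports)
    # glibc's fortified entry points are named __<func>_chk (e.g. __sprintf_chk).
    fortified = {f for f in hardened if f"__{f}_chk" in imports}
    plain = imports & set(hardened)
    if fortified:
        return None  # at least one checked variant is linked in
    if plain:
        return TAG   # only plain variants seen: assumed built without fortify
    return None      # nothing on the list is called at all


# Constructed import lists (not taken from any real package).
# 1. Built with fortify; every wmemcpy call had a size the compiler could
#    validate, so only the plain symbol is referenced.
CXX_VALIDATED = ["wmemcpy", "_Znwm", "__stack_chk_fail"]
# 2. Built without fortify at all.
NO_FORTIFY = ["sprintf", "strcpy", "malloc"]
# 3. Built with fortify; one call needed a run-time check.
MIXED = ["__sprintf_chk", "wmemcpy", "malloc"]

# The change proposed in the thread: drop the wide-character functions.
TRIMMED = HARDENED - {"wmemcpy", "wmemset", "wmemmove"}

if __name__ == "__main__":
    for name, imports in [("cxx_validated", CXX_VALIDATED),
                          ("no_fortify", NO_FORTIFY), ("mixed", MIXED)]:
        print(name, check(imports, HARDENED), check(imports, TRIMMED))
```

Trimming the list removes the false positive in case 1 but leaves the underlying ambiguity: under this model, cases 1 and 2 differ only in which plain function names happen to appear.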

