toolchain: add fortify-headers, enable FORTIFY_SOURCE by default
authorSteven Barth <cyrus@openwrt.org>
Tue, 23 Jun 2015 14:38:03 +0000 (14:38 +0000)
committerSteven Barth <cyrus@openwrt.org>
Tue, 23 Jun 2015 14:38:03 +0000 (14:38 +0000)
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46117

config/Config-build.in
rules.mk
toolchain/Makefile
toolchain/fortify-headers/Makefile [new file with mode: 0644]
toolchain/fortify-headers/patches/100-fix-getgroups.patch [new file with mode: 0644]

index 35c07c6..aef0344 100644 (file)
@@ -251,6 +251,7 @@ menu "Global build settings"
 
        choice
                prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
+               default PKG_FORTIFY_SOURCE_1
                help
                  Enable the _FORTIFY_SOURCE macro which introduces additional
                  checks to detect buffer-overflows in the following standard library
index cb0b7da..a0a9a5d 100644 (file)
--- a/rules.mk
+++ b/rules.mk
@@ -144,7 +144,7 @@ ifndef DUMP
     export GCC_HONOUR_COPTS:=0
     TARGET_CROSS:=$(if $(TARGET_CROSS),$(TARGET_CROSS),$(OPTIMIZE_FOR_CPU)-openwrt-linux$(if $(TARGET_SUFFIX),-$(TARGET_SUFFIX))-)
     TARGET_CFLAGS+= -fhonour-copts $(if $(CONFIG_GCC_VERSION_4_4)$(CONFIG_GCC_VERSION_4_5),,-Wno-error=unused-but-set-variable)
-    TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include
+    TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include/fortify -I$(TOOLCHAIN_DIR)/include
     TARGET_LDFLAGS+= -L$(TOOLCHAIN_DIR)/usr/lib -L$(TOOLCHAIN_DIR)/lib
     TARGET_PATH:=$(TOOLCHAIN_DIR)/bin:$(TARGET_PATH)
   else
index c250cba..cd5399e 100644 (file)
@@ -28,7 +28,7 @@
 curdir:=toolchain
 
 # subdirectories to descend into
-$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC))
+$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC) fortify-headers)
 ifdef CONFIG_USE_UCLIBC
   $(curdir)/builddirs += $(LIBC)/utils
 endif
diff --git a/toolchain/fortify-headers/Makefile b/toolchain/fortify-headers/Makefile
new file mode 100644 (file)
index 0000000..b9cefe5
--- /dev/null
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/target.mk
+
+PKG_NAME:=fortify-headers
+PKG_VERSION:=0.6
+PKG_RELEASE=1
+
+PKG_SOURCE_URL:=http://dl.2f30.org/releases
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_MD5SUM:=d85072939ec02a40af282fe3febc6c18
+
+include $(INCLUDE_DIR)/toolchain-build.mk
+
+define Host/Compile
+       true
+endef
+
+define Host/Install
+       $(MAKE) -C $(HOST_BUILD_DIR) PREFIX="" DESTDIR="$(TOOLCHAIN_DIR)" install
+endef
+
+$(eval $(call HostBuild))
diff --git a/toolchain/fortify-headers/patches/100-fix-getgroups.patch b/toolchain/fortify-headers/patches/100-fix-getgroups.patch
new file mode 100644 (file)
index 0000000..988deb5
--- /dev/null
@@ -0,0 +1,26 @@
+From 1f9848efc8a329cb9a13323cbb94b353d39802c1 Mon Sep 17 00:00:00 2001
+From: Steven Barth <steven@midlink.org>
+Date: Mon, 22 Jun 2015 14:36:16 +0200
+Subject: [PATCH] unistd: fix signed / unsigned comparison in getgroups
+
+Signed-off-by: Steven Barth <steven@midlink.org>
+---
+ include/unistd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/unistd.h b/include/unistd.h
+index 45304e1..5274e22 100644
+--- a/include/unistd.h
++++ b/include/unistd.h
+@@ -71,7 +71,7 @@ _FORTIFY_FN(getgroups) int getgroups(int __l, gid_t *__s)
+ {
+       size_t __b = __builtin_object_size(__s, 0);
+-      if (__l > __b / sizeof(gid_t))
++      if (__l < 0 || (size_t)__l > __b / sizeof(gid_t))
+               __builtin_trap();
+       return __orig_getgroups(__l, __s);
+ }
+-- 
+2.1.4
+