author | Steven Barth <steven@midlink.org> | 2015-06-23 14:38:03 +0000 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2015-06-23 14:38:03 +0000 |
commit | 3c20d2105fbbb34f497874ca5ca7a048ae43f5d5 (patch) | |
tree | dfe9795ec0e637d6200c42fc5cd23321a3f174c6 | |
parent | f92b2af1fb5be76af723b9278a0bdf40d62db603 (diff) | |
toolchain: add fortify-headers, enable FORTIFY_SOURCE by default
Signed-off-by: Steven Barth <steven@midlink.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46117 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r-- | config/Config-build.in | 1 | ||||
-rw-r--r-- | rules.mk | 2 | ||||
-rw-r--r-- | toolchain/Makefile | 2 | ||||
-rw-r--r-- | toolchain/fortify-headers/Makefile | 28 | ||||
-rw-r--r-- | toolchain/fortify-headers/patches/100-fix-getgroups.patch | 26 |
5 files changed, 57 insertions, 2 deletions
diff --git a/config/Config-build.in b/config/Config-build.in index 35c07c63f8..aef03444c2 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -251,6 +251,7 @@ menu "Global build settings" choice prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" + default PKG_FORTIFY_SOURCE_1 help Enable the _FORTIFY_SOURCE macro which introduces additional checks to detect buffer-overflows in the following standard library @@ -144,7 +144,7 @@ ifndef DUMP export GCC_HONOUR_COPTS:=0 TARGET_CROSS:=$(if $(TARGET_CROSS),$(TARGET_CROSS),$(OPTIMIZE_FOR_CPU)-openwrt-linux$(if $(TARGET_SUFFIX),-$(TARGET_SUFFIX))-) TARGET_CFLAGS+= -fhonour-copts $(if $(CONFIG_GCC_VERSION_4_4)$(CONFIG_GCC_VERSION_4_5),,-Wno-error=unused-but-set-variable) - TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include + TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include/fortify -I$(TOOLCHAIN_DIR)/include TARGET_LDFLAGS+= -L$(TOOLCHAIN_DIR)/usr/lib -L$(TOOLCHAIN_DIR)/lib TARGET_PATH:=$(TOOLCHAIN_DIR)/bin:$(TARGET_PATH) else diff --git a/toolchain/Makefile b/toolchain/Makefile index c250cba480..cd5399e041 100644 --- a/toolchain/Makefile +++ b/toolchain/Makefile @@ -28,7 +28,7 @@ curdir:=toolchain # subdirectories to descend into -$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC)) +$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC) fortify-headers) ifdef CONFIG_USE_UCLIBC $(curdir)/builddirs += $(LIBC)/utils endif diff --git a/toolchain/fortify-headers/Makefile b/toolchain/fortify-headers/Makefile new file mode 100644 index 0000000000..b9cefe5935 --- /dev/null +++ b/toolchain/fortify-headers/Makefile 
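Review bot: The new `-I$(TOOLCHAIN_DIR)/include/fortify` entry in `TARGET_CPPFLAGS` is order-sensitive and is applied whatever libc is selected, and rules.mk documents neither. Wrapper headers of this kind only take effect when their directory is searched before the libc headers they wrap, yet `-I$(TOOLCHAIN_DIR)/usr/include` still precedes it, so a libc header found there would presumably bypass the checks; a comment such as `# fortify wrappers must be searched before the libc headers they wrap` above the line would keep a later reorder from silently disabling them. The toolchain/Makefile hunk likewise appends `fortify-headers` to the builddirs for every `$(LIBC)`, including the `CONFIG_USE_UCLIBC` case visible there, so it is worth confirming the headers behave with each supported libc or gating both changes on the libc they were tested with. The conditional block around the rules.mk line starts and ends outside the hunk.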
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/target.mk
+
+PKG_NAME:=fortify-headers
+PKG_VERSION:=0.6
+PKG_RELEASE=1
+
+PKG_SOURCE_URL:=http://dl.2f30.org/releases
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_MD5SUM:=d85072939ec02a40af282fe3febc6c18
+
+include $(INCLUDE_DIR)/toolchain-build.mk
+
+define Host/Compile
+ true
+endef
+
+define Host/Install
+ $(MAKE) -C $(HOST_BUILD_DIR) PREFIX="" DESTDIR="$(TOOLCHAIN_DIR)" install
+endef
+
+$(eval $(call HostBuild))
diff --git a/toolchain/fortify-headers/patches/100-fix-getgroups.patch b/toolchain/fortify-headers/patches/100-fix-getgroups.patch
new file mode 100644
index 0000000000..988deb5815
--- /dev/null
+++ b/toolchain/fortify-headers/patches/100-fix-getgroups.patch
@@ -0,0 +1,26 @@
+From 1f9848efc8a329cb9a13323cbb94b353d39802c1 Mon Sep 17 00:00:00 2001
+From: Steven Barth <steven@midlink.org>
+Date: Mon, 22 Jun 2015 14:36:16 +0200
+Subject: [PATCH] unistd: fix signed / unsigned comparison in getgroups
+
+Signed-off-by: Steven Barth <steven@midlink.org>
+---
+ include/unistd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/unistd.h b/include/unistd.h
+index 45304e1..5274e22 100644
+--- a/include/unistd.h
++++ b/include/unistd.h
+@@ -71,7 +71,7 @@ _FORTIFY_FN(getgroups) int getgroups(int __l, gid_t *__s)
+ {
+ size_t __b = __builtin_object_size(__s, 0);
+
+- if (__l > __b / sizeof(gid_t))
++ if (__l < 0 || (size_t)__l > __b / sizeof(gid_t))
+ __builtin_trap();
+ return __orig_getgroups(__l, __s);
+ }
+--
+2.1.4
+ |
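Review bot: In toolchain/fortify-headers/Makefile the release tarball is fetched over plain `http://` and pinned only by `PKG_MD5SUM`, so the integrity of headers that land on the include path of target builds rests on MD5, which is not collision-resistant, and on an unauthenticated transport. If the download step accepts a stronger digest, pin a SHA-256 of the tarball instead (placeholder: `<sha256-of-release-tarball>`), and use an `https://` source URL if the upstream host offers one. As a style point, `PKG_RELEASE=1` uses `=` where the neighbouring assignments use `:=`.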
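Review bot: The added `__l < 0 ||` arm in the getgroups wrapper traps on a negative count instead of letting the wrapped function reject it, so a caller that would presumably get an error return from `__orig_getgroups` aborts instead. If the goal is only to fix the signed/unsigned comparison named in the subject, `if (__l > 0 && (size_t)__l > __b / sizeof(gid_t))` keeps the bounds check for positive counts and leaves negative values to the underlying call. If trapping on a negative count is meant as hardening, the patch description should say so, since the wrapper then differs from the unwrapped function for that input.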