toolchain: add fortify-headers, enable FORTIFY_SOURCE by default

Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46117
2015-06-23 14:38:03 +00:00
parent 2086f7284c
commit 2738526a16
5 changed files with 57 additions and 2 deletions
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -251,6 +251,7 @@ menu "Global build settings"
 	choice
 		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
 		default PKG_FORTIFY_SOURCE_1
 		help
 		  Enable the _FORTIFY_SOURCE macro which introduces additional
 		  checks to detect buffer-overflows in the following standard library
--- a/rules.mk
+++ b/rules.mk
@@ -144,7 +144,7 @@ ifndef DUMP
    export GCC_HONOUR_COPTS:=0
    TARGET_CROSS:=$(if $(TARGET_CROSS),$(TARGET_CROSS),$(OPTIMIZE_FOR_CPU)-openwrt-linux$(if $(TARGET_SUFFIX),-$(TARGET_SUFFIX))-)
    TARGET_CFLAGS+= -fhonour-copts $(if $(CONFIG_GCC_VERSION_4_4)$(CONFIG_GCC_VERSION_4_5),,-Wno-error=unused-but-set-variable)
-    TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include
+    TARGET_CPPFLAGS+= -I$(TOOLCHAIN_DIR)/usr/include -I$(TOOLCHAIN_DIR)/include/fortify -I$(TOOLCHAIN_DIR)/include
    TARGET_LDFLAGS+= -L$(TOOLCHAIN_DIR)/usr/lib -L$(TOOLCHAIN_DIR)/lib
    TARGET_PATH:=$(TOOLCHAIN_DIR)/bin:$(TARGET_PATH)
  else
--- a/toolchain/Makefile
+++ b/toolchain/Makefile
@@ -28,7 +28,7 @@
 curdir:=toolchain
 # subdirectories to descend into
-$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC))
+$(curdir)/builddirs := $(if $(CONFIG_GDB),gdb) $(if $(CONFIG_INSIGHT),insight) $(if $(CONFIG_EXTERNAL_TOOLCHAIN),wrapper,kernel-headers binutils gcc/minimal gcc/initial gcc/final $(LIBC)/headers $(LIBC) fortify-headers)
 ifdef CONFIG_USE_UCLIBC
  $(curdir)/builddirs += $(LIBC)/utils
 endif
--- a/toolchain/fortify-headers/Makefile
+++ b/toolchain/fortify-headers/Makefile
@@ -0,0 +1,28 @@
 #
 # Copyright (C) 2015 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/target.mk
 PKG_NAME:=fortify-headers
 PKG_VERSION:=0.6
 PKG_RELEASE=1
 PKG_SOURCE_URL:=http://dl.2f30.org/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_MD5SUM:=d85072939ec02a40af282fe3febc6c18
 include $(INCLUDE_DIR)/toolchain-build.mk
 define Host/Compile
 	true
 endef
 define Host/Install
 	$(MAKE) -C $(HOST_BUILD_DIR) PREFIX="" DESTDIR="$(TOOLCHAIN_DIR)" install
 endef
 $(eval $(call HostBuild))
--- a/toolchain/fortify-headers/patches/100-fix-getgroups.patch
+++ b/toolchain/fortify-headers/patches/100-fix-getgroups.patch
@@ -0,0 +1,26 @@
 From 1f9848efc8a329cb9a13323cbb94b353d39802c1 Mon Sep 17 00:00:00 2001
 From: Steven Barth <steven@midlink.org>
 Date: Mon, 22 Jun 2015 14:36:16 +0200
 Subject: [PATCH] unistd: fix signed / unsigned comparison in getgroups
 Signed-off-by: Steven Barth <steven@midlink.org>
 ---
 include/unistd.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/include/unistd.h b/include/unistd.h
 index 45304e1..5274e22 100644
 --- a/include/unistd.h
 +++ b/include/unistd.h
@@ -71,7 +71,7 @@ _FORTIFY_FN(getgroups) int getgroups(int __l, gid_t *__s)
 {
 	size_t __b = __builtin_object_size(__s, 0);
 -	if (__l > __b / sizeof(gid_t))
 +	if (__l < 0 || (size_t)__l > __b / sizeof(gid_t))
 		__builtin_trap();
 	return __orig_getgroups(__l, __s);
 }
 -- 
 2.1.4