Debian Bug report logs - #673112
lintian: hardening-no-stackprotector check has many false positives


Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian.

Reported by: Sven Joachim <svenjoac@gmx.de>

Date: Wed, 16 May 2012 08:45:13 UTC

Severity: normal

Found in version lintian/2.5.7

Fixed in version lintian/2.5.8

Done: Niels Thykier <niels@thykier.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, svenjoac@gmx.de, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Wed, 16 May 2012 08:45:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>:
New Bug report received and forwarded. Copy sent to svenjoac@gmx.de, Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 16 May 2012 08:45:19 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sven Joachim <svenjoac@gmx.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: hardening-no-stackprotector check has many false positives
Date: Wed, 16 May 2012 10:34:48 +0200
Package: lintian
Version: 2.5.7
Severity: normal

The new hardening warnings are certainly a useful reminder to use
dpkg-buildflags, but especially hardening-no-stackprotector seems to
have a high number of false positives.  In ncurses-examples alone there
are no less than 40 hardening-no-stackprotector warnings, and the
package ships 59 binaries in total, all built with -fstack-protector.


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.4.0-rc7-nouveau (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lintian depends on:
ii  binutils                       2.22-6
ii  bzip2                          1.0.6-1
ii  diffstat                       1.55-2
ii  file                           5.11-1
ii  gettext                        0.18.1.1-7
ii  hardening-includes             2.1
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.26+b1
ii  libc-bin                       2.13-32
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.31-1+b2
ii  libdigest-sha-perl             5.71-1
ii  libdpkg-perl                   1.16.3
ii  libemail-valid-perl            0.190-1
ii  libipc-run-perl                0.91-1
ii  libparse-debianchangelog-perl  1.2.0-1
ii  libtimedate-perl               1.2000-1
ii  liburi-perl                    1.60-1
ii  locales                        2.13-32
ii  man-db                         2.6.1-2
ii  patchutils                     0.3.2-1.1
ii  perl [libdigest-sha-perl]      5.14.2-10
ii  unzip                          6.0-6

lintian recommends no packages.

Versions of packages lintian suggests:
ii  binutils-multiarch     <none>
ii  dpkg-dev               1.16.3
ii  libhtml-parser-perl    3.69-2
ii  libtext-template-perl  1.45-2
ii  man-db                 2.6.1-2
ii  xz-utils               5.1.1alpha+20110809-3

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Fri, 18 May 2012 20:30:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ralf Jung <post@ralfj.de>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 18 May 2012 20:30:15 GMT) Full text and rfc822 format available.

Message #10 received at 673112@bugs.debian.org (full text, mbox):

From: Ralf Jung <post@ralfj.de>
To: 673112@bugs.debian.org
Subject: lintian: hardening-no-stackprotector check has many false positives
Date: Fri, 18 May 2012 22:29:30 +0200
Hi,

I'd like to extend this to hardening-no-fortify-functions: My package
definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
"-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2"), but I get a hardening-no-stackprotector and
hardening-no-fortify-functions for its only binary.

Kind regards,
Ralf




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Fri, 18 May 2012 20:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 18 May 2012 20:36:04 GMT) Full text and rfc822 format available.

Message #15 received at 673112@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Ralf Jung <post@ralfj.de>
Cc: 673112@bugs.debian.org
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Fri, 18 May 2012 13:34:03 -0700
Ralf Jung <post@ralfj.de> writes:

> I'd like to extend this to hardening-no-fortify-functions: My package
> definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
> "-fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2"), but I get a
> hardening-no-stackprotector and hardening-no-fortify-functions for its
> only binary.

False positives for _FORTIFY_SOURCE are somewhat rarer, and that one is
much easier to miss applying due to the CPPFLAGS vs. CFLAGS distinction.
My immediate inclination would be to ask people to add an override for
false positives for it, since it's more likely that the tag is valid.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Sat, 19 May 2012 13:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Sat, 19 May 2012 13:00:03 GMT) Full text and rfc822 format available.

Message #20 received at 673112@bugs.debian.org (full text, mbox):

From: Sven Joachim <svenjoac@gmx.de>
To: Russ Allbery <rra@debian.org>
Cc: 673112@bugs.debian.org, Ralf Jung <post@ralfj.de>
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Sat, 19 May 2012 14:57:07 +0200
On 2012-05-18 22:34 +0200, Russ Allbery wrote:

> Ralf Jung <post@ralfj.de> writes:
>
>> I'd like to extend this to hardening-no-fortify-functions: My package
>> definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
>> "-fstack-protector --param=ssp-buffer-size=4 -Wformat
>> -Werror=format-security -D_FORTIFY_SOURCE=2"), but I get a
>> hardening-no-stackprotector and hardening-no-fortify-functions for its
>> only binary.
>
> False positives for _FORTIFY_SOURCE are somewhat rarer, and that one is
> much easier to miss applying due to the CPPFLAGS vs. CFLAGS distinction.
> My immediate inclination would be to ask people to add an override for
> false positives for it, since it's more likely that the tag is valid.

Easier said than done, how should I override this warning:

,----
| W: libncurses5: hardening-no-fortify-functions usr/lib/i386-linux-gnu/libmenu.so.5.9
`----

Using the output verbatim only works for one architecture and generates
an additional problem (unused-override) for all others, substituting
${DEB_HOST_MULTIARCH} at build time instead leads to
/usr/share/lintian/overrides/libncurses5 having architecture-dependent
content, breaking multiarch coinstallability.

Cheers,
       Sven




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Sat, 19 May 2012 16:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Sat, 19 May 2012 16:51:03 GMT) Full text and rfc822 format available.

Message #25 received at 673112@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Sven Joachim <svenjoac@gmx.de>
Cc: 673112@bugs.debian.org, Ralf Jung <post@ralfj.de>
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Sat, 19 May 2012 09:49:14 -0700
Sven Joachim <svenjoac@gmx.de> writes:

> Easier said than done, how should I override this warning:

> ,----
> | W: libncurses5: hardening-no-fortify-functions usr/lib/i386-linux-gnu/libmenu.so.5.9
> `----

libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Mon, 21 May 2012 18:27:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Modestas Vainius <modax@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Mon, 21 May 2012 18:27:11 GMT) Full text and rfc822 format available.

Message #30 received at 673112@bugs.debian.org (full text, mbox):

From: Modestas Vainius <modax@debian.org>
To: Russ Allbery <rra@debian.org>
Cc: Sven Joachim <svenjoac@gmx.de>, 673112@bugs.debian.org
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Mon, 21 May 2012 21:25:58 +0300
Hello,

On šeštadienis 19 Gegužė 2012 19:49:14 Russ Allbery wrote:
> Sven Joachim <svenjoac@gmx.de> writes:
> > Easier said than done, how should I override this warning:
> > 
> > ,----
> > 
> > | W: libncurses5: hardening-no-fortify-functions
> > | usr/lib/i386-linux-gnu/libmenu.so.5.9
> > 
> > `----
> 
> libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*

Well, I get this "nice" lintian output:

$ lintian -I amarok_2.5.0-2_amd64.changes
W: amarok: hardening-no-stackprotector usr/bin/amarok
W: amarok: hardening-no-stackprotector usr/bin/amarokpkg
W: amarok: hardening-no-fortify-functions usr/bin/amarokpkg
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_appletscript_simple_javascript.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_appletscript_simple_javascript.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_collection-audiocdcollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-audiocdcollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-ipodcollection.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_collection-mtpcollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-mtpcollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-mysqlservercollection.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_collection-playdarcollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-playdarcollection.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_collection-umscollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-umscollection.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_collection-upnpcollection.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_collection-upnpcollection.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_containment_vertical.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_containment_vertical.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_albums.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_albums.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_currenttrack.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_currenttrack.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_info.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_labels.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_labels.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_lyrics.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_lyrics.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_photos.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_photos.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_similarArtists.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_similarArtists.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_spectrum_analyzer.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_spectrum_analyzer.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_tabs.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_tabs.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_upcomingEvents.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_upcomingEvents.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_videoclip.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_videoclip.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_context_applet_wikipedia.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_context_applet_wikipedia.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_current.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_info.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_labels.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_lyrics.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_data_engine_lyrics.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_photos.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_similarArtists.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_spectrum_analyzer.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_data_engine_spectrum_analyzer.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_tabs.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_data_engine_tabs.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_upcomingEvents.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_data_engine_upcomingEvents.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_data_engine_videoclip.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_data_engine_videoclip.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_data_engine_wikipedia.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_device_massstorage.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_device_nfs.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_device_smb.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_runnerscript_javascript.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_service_amazonstore.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_service_amazonstore.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_service_ampache.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_service_ampache.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_service_jamendo.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_service_jamendo.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_service_lastfm.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_service_lastfm.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_service_magnatunestore.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_service_magnatunestore.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/amarok_service_opmldirectory.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/amarok_service_opmldirectory.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/kcm_amarok_service_amazonstore.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/kcm_amarok_service_ampache.so
W: amarok: hardening-no-fortify-functions usr/lib/kde4/kcm_amarok_service_ampache.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/kcm_amarok_service_lastfm.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/kcm_amarok_service_magnatunestore.so
W: amarok: hardening-no-stackprotector usr/lib/kde4/kcm_amarok_service_mp3tunes.so
W: amarok: hardening-no-fortify-functions usr/lib/libamarok-sqlcollection.so.1.0.0
W: amarok: hardening-no-stackprotector usr/lib/libamarok-transcoding.so.1.0.0
W: amarok: hardening-no-fortify-functions usr/lib/libamarok-transcoding.so.1.0.0
W: amarok: hardening-no-fortify-functions usr/lib/libamarokcore.so.1.0.0
W: amarok: hardening-no-fortify-functions usr/lib/libamaroklib.so.1.0.0
W: amarok: hardening-no-stackprotector usr/lib/libamarokocsclient.so.4.7.0
W: amarok: hardening-no-fortify-functions usr/lib/libamarokocsclient.so.4.7.0
W: amarok: hardening-no-stackprotector usr/lib/libamarokpud.so.1.0.0
W: amarok: hardening-no-fortify-functions usr/lib/libamarokpud.so.1.0.0
W: amarok: binary-without-manpage usr/bin/amarokpkg
W: amarok-utils: hardening-no-stackprotector usr/bin/amarok_afttagger
W: amarok-utils: hardening-no-fortify-functions usr/bin/amarokcollectionscanner
W: amarok-utils: binary-without-manpage usr/bin/amarok_afttagger

This is like 90 false positives in a single source package, it makes lintian
output unreadable. I don't know how this hardening stuff is detected but I
suspect this failure might be because the package is built with
-fvisibility=hidden. If so, all KDE packages will suffer, and badly.

Anyway, in my opinion, lintian overrides should be used to fix rare corner cases
rather than workarounding obvious lintian bugs.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Tue, 22 May 2012 10:57:25 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 22 May 2012 10:57:29 GMT) Full text and rfc822 format available.

Message #35 received at 673112@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: Modestas Vainius <modax@debian.org>, 673112@bugs.debian.org, Sven Joachim <svenjoac@gmx.de>, Kees Cook <kees@debian.org>
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Tue, 22 May 2012 12:54:19 +0200
On 2012-05-21 20:25, Modestas Vainius wrote:
> Hello,
> 

Hi,

For the record, I have just demoted no-stackprotector to a wild-guess
(thus, it is now an I tag) and moved it to a separate profile
(debian/extra-hardening) so it is no longer enabled by default.

> On šeštadienis 19 Gegužė 2012 19:49:14 Russ Allbery wrote:
>> Sven Joachim <svenjoac@gmx.de> writes:
>>> Easier said than done, how should I override this warning:
>>>
>>> ,----
>>>
>>> | W: libncurses5: hardening-no-fortify-functions
>>> | usr/lib/i386-linux-gnu/libmenu.so.5.9
>>>
>>> `----
>>
>> libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*
> 
> Well, I get this "nice" lintian output:
> 
> $ lintian -I amarok_2.5.0-2_amd64.changes
> [...]
> 
> This is like 90 false positives in a single source package, it makes lintian
> output unreadable. I don't know how this hardening stuff is detected but I
> suspect this failure might be because the package is built with
> -fvisibility=hidden. If so, all KDE packages will suffer, and badly.
> 
> [...]

We use hardening-check (from hardening-includes) - as I recall it
carries a list of "unprotected functions" and checks for them (via
readelf).  It maps them to a "safe-variant" and checks for that as well.
If both protected and unprotected are used or if no unprotected
functions are used, it should mark it safe.  However, I believe Kees
(CC'ed) can correct me on (or confirm) the above.

~Niels





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Tue, 22 May 2012 11:06:47 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 22 May 2012 11:06:56 GMT) Full text and rfc822 format available.

Message #40 received at 673112@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: 673112@bugs.debian.org
Cc: Modestas Vainius <modax@debian.org>, Sven Joachim <svenjoac@gmx.de>, Kees Cook <kees@debian.org>
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Tue, 22 May 2012 13:05:45 +0200
On 2012-05-22 12:54, Niels Thykier wrote:
> On 2012-05-21 20:25, Modestas Vainius wrote:
>> Hello,
>>
> 
> Hi,
> 
> [...]
> 
> We use hardening-check (from hardening-includes) - as I recall it
> carries a list of "unprotected functions" and checks for them (via
> readelf).  It maps them to a "safe-variant" and checks for that as well.
>  If both protected and unprotected are used or if no unprotected
> functions are used, it should mark it safe.  However,  I believe Kees
> (CC'ed) can correct me on (or confirm) the above.
> 
> ~Niels
> 
> 
> 
> 

Turns out hardening-check has a verbose flag that makes it print the
affected functions - testing amarok (testing i386) I got[1].  Looks like
memcpy is the primary source of false-positives (for amarok).

If it turns out that memcpy is (in general) the primary source of these
false-positives, perhaps it would be better to skip that particular
function than disable the entire check.

~Niels

[1]

$ hardening-check --verbose $(find usr/lib/ -type f) | perl -ne \
    'print if /^\s+(un)?protected:/' | sort | uniq -c
      1         protected: fprintf
      1         protected: memcpy
      1         protected: memmove
      1         protected: memset
      1         protected: pread64
      1         protected: printf
      1         protected: realpath
      1         protected: snprintf
      1         protected: sprintf
      1         protected: strcat
      1         protected: strcpy
      1         protected: strncat
      1         protected: strncpy
      1         protected: vfprintf
      1         protected: vsnprintf
      1         unprotected: asprintf
      1         unprotected: confstr
      1         unprotected: fgets
      1         unprotected: fprintf
      2         unprotected: fread
      1         unprotected: getcwd
      1         unprotected: gethostname
     43         unprotected: memcpy
      1         unprotected: memmove
      3         unprotected: memset
      1         unprotected: pread64
      1         unprotected: printf
      1         unprotected: read
      1         unprotected: readlink
      1         unprotected: recv
      1         unprotected: snprintf
      2         unprotected: sprintf
      1         unprotected: stpcpy
      1         unprotected: strcat
      2         unprotected: strcpy
      2         unprotected: strncpy




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Tue, 22 May 2012 12:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 22 May 2012 12:10:19 GMT) Full text and rfc822 format available.

Message #45 received at 673112@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: Niels Thykier <niels@thykier.net>, 673112@bugs.debian.org
Cc: Modestas Vainius <modax@debian.org>, Sven Joachim <svenjoac@gmx.de>, Kees Cook <kees@debian.org>
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Tue, 22 May 2012 14:05:31 +0200
On 2012-05-22 13:05, Niels Thykier wrote:
> [...]
> 
> Turns out hardening-check has a verbose flag that makes it print the
> affected functions - testing amarok (testing i386) I got[1].  Looks like
> memcpy is the primary source of false-positives (for amarok).
> 
> If it turns out that memcpy is (in general) the primary source of these
> false-positives, perhaps it would be better to skip that particular
> function than disable the entire check.
> 
> ~Niels
> 
> [1]
> [...]
> 
> 
> 


Okay, final "spam" for now.

I think it would be a very good idea to drop at least memcpy from the
hardening-check because with GCC 4.7 (at -O2 or higher), GCC may replace
strcpy and other functions with memcpy[1].

I have tested a little code snippet[2] with gcc-4.7 and indeed it
replaces strcpy with memcpy at -O2.  Also it never uses the fortified
variant of strcpy/memcpy (not even at -O0) in this "trivial case".

So for -O0 binaries we would still get false-positives in this case (and
binaries compiled with < 4.7), but we would presumably avoid a lot of
false-positives for binaries compiled by gcc-4.7 -O2 in this way.

~Niels

[1] http://gcc.gnu.org/gcc-4.7/changes.html

"""
A string length optimization pass has been added. It attempts to track
string lengths and optimize various standard C string functions like
strlen, strchr, strcpy, strcat, stpcpy and their _FORTIFY_SOURCE
counterparts into faster alternatives. This pass is enabled by default
at -O2 or above, unless optimizing for size, and can be disabled by the
-fno-optimize-strlen option. The pass can e.g. optimize

char *bar (const char *a)
{
  size_t l = strlen (a) + 2;
  char *p = malloc (l); if (p == NULL) return p;
  strcpy (p, a); strcat (p, "/"); return p;
}

into:

char *bar (const char *a)
{
  size_t tmp = strlen (a);
  char *p = malloc (tmp + 2); if (p == NULL) return p;
  memcpy (p, a, tmp); memcpy (p + tmp, "/", 2); return p;
}
[...]
"""

[2] // Poor man's strdup
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv) {
  const char *s = argv[0];
  size_t l = strlen(s);
  char *cpy = malloc (l + 1);
  if (!cpy)
    return 1;
  strcpy(cpy, s);
  cpy[0] = 'b';
  printf("%s\n", cpy);
  return 0;
}






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Tue, 22 May 2012 16:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 22 May 2012 16:21:04 GMT) Full text and rfc822 format available.

Message #50 received at 673112@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: Niels Thykier <niels@thykier.net>
Cc: Modestas Vainius <modax@debian.org>, 673112@bugs.debian.org, Sven Joachim <svenjoac@gmx.de>
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Tue, 22 May 2012 09:17:48 -0700
On Tue, May 22, 2012 at 12:54:19PM +0200, Niels Thykier wrote:
> On 2012-05-21 20:25, Modestas Vainius wrote:
> For the record, I have just demoted no-stackprotector to a wild-guess
> (thus, it is now an I tag) and moved it to a separate profile
> (debian/extra-hardening) so it is no longer enabled by default.

Ah well. Too bad. Once build flags are exposed in the ELF itself, this
will just have to be the way it is.

> > On šeštadienis 19 Gegužė 2012 19:49:14 Russ Allbery wrote:
> >> Sven Joachim <svenjoac@gmx.de> writes:
> >>> Easier said than done, how should I override this warning:
> >>>
> >>> ,----
> >>>
> >>> | W: libncurses5: hardening-no-fortify-functions
> >>> | usr/lib/i386-linux-gnu/libmenu.so.5.9
> >>>
> >>> `----
> >>
> >> libncurses5 binary: hardening-no-fortify-functions usr/lib/*/libmenu.so.*
> > 
> > Well, I get this "nice" lintian output:
> > 
> > $ lintian -I amarok_2.5.0-2_amd64.changes
> > [...]
> > 
> > This is like 90 false positives in a single source package, it makes lintian
> > output unreadable. I don't know how this hardening stuff is detected but I
> > suspect this failure might be because the package is built with
> > -fvisibility=hidden. If so, all KDE packages will suffer, and badly.
> > 
> > [...]
> 
> We use hardening-check (from hardening-includes) - as I recall it
> carries a list of "unprotected functions" and checks for them (via
> readelf).  It maps them to a "safe-variant" and checks for that as well.
>  If both protected and unprotected are used or if no unprotected
> functions are used, it should mark it safe.  However,  I believe Kees
> (CC'ed) can correct me on (or confirm) the above.

Correct. If none of the functions are found, it passes. If there is a mix
of protected and unprotected, it passes. If only protected are found, it
passes. If only unprotected are found, it fails.

It is, however, still a heuristic, since it is possible to only use the
functions in ways that are compile-time verifiable, resulting in no need
for the protected wrapper.

-Kees

-- 
Kees Cook                                            @debian.org
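The fortify heuristic Niels describes and Kees confirms above, plus the memcpy exemption Niels proposes (and lintian 2.5.8 adopts), as an added Python illustration that is not hardening-check's or lintian's own code. It assumes a hypothetical subset of the unprotected/`__X_chk` function table and uses constructed `readelf -s` excerpts, not output captured from amarok:

```python
import re

# Subset of the unprotected -> __X_chk mapping hardening-check consults.
# Hypothetical subset chosen for this example; the real table is longer.
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "printf", "fprintf", "fgets", "read", "getcwd",
    "pread64", "readlink", "recv", "stpcpy", "realpath", "gethostname",
}


def imported_symbols(readelf_output):
    """Collect undefined (imported) symbol names from `readelf -s` text,
    dropping the @GLIBC_x.y version suffix.  Symbol-line columns are
    Num Value Size Type Bind Vis Ndx Name; imports have Ndx == UND."""
    names = set()
    for line in readelf_output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[6] == "UND":
            names.add(fields[7].split("@")[0])
    return names


def classify(names):
    """Split imports into (protected, unprotected) fortifiable functions:
    __memcpy_chk counts as protected 'memcpy', plain memcpy as unprotected.
    Other __*_chk symbols such as __stack_chk_fail are ignored."""
    protected, unprotected = set(), set()
    for name in names:
        chk = re.fullmatch(r"__(\w+)_chk", name)
        if chk and chk.group(1) in FORTIFIABLE:
            protected.add(chk.group(1))
        elif name in FORTIFIABLE:
            unprotected.add(name)
    return protected, unprotected


def fortify_verdict(names, skip_memcpy_only=False):
    """Apply the four-way rule Kees states: pass when no fortifiable function
    is imported, when only protected ones are, or when protected and
    unprotected are mixed; fail only when every fortifiable import is
    unprotected.  skip_memcpy_only adds the 2.5.8 exemption: a binary whose
    sole unprotected import is memcpy is not flagged, since gcc-4.7 -O2
    rewrites strcpy/strcat into memcpy without using the fortified variant."""
    protected, unprotected = classify(names)
    if not protected and not unprotected:
        return True, "no fortifiable functions imported"
    if protected:
        return True, "protected variants present: " + ", ".join(sorted(protected))
    if skip_memcpy_only and unprotected == {"memcpy"}:
        return True, "only unprotected memcpy; skipped (gcc-4.7 strlen pass)"
    return False, "only unprotected: " + ", ".join(sorted(unprotected))


def lintian_tags(package, path, readelf_output, memcpy_exempt=True):
    """Return the tag line lintian would print for one file, with or without
    the 2.5.8 memcpy exemption."""
    passes, _ = fortify_verdict(imported_symbols(readelf_output),
                                skip_memcpy_only=memcpy_exempt)
    return [] if passes else [f"W: {package}: hardening-no-fortify-functions {path}"]


# Constructed readelf excerpts (not from amarok).  The first is the shape
# that produced the thread's false positives: memcpy is the only fortifiable
# import, as the gcc-4.7 strlen pass leaves behind after rewriting strcpy.
PLUGIN_ONLY_MEMCPY = """\
Symbol table '.dynsym' contains 5 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.0 (2)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.0 (2)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
"""
MIXED = """\
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.3.4 (3)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.0 (2)
"""
MANY_UNPROTECTED = """\
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.0 (2)
"""

if __name__ == "__main__":
    for label, dump in (("memcpy-only", PLUGIN_ONLY_MEMCPY), ("mixed", MIXED),
                        ("unprotected", MANY_UNPROTECTED)):
        names = imported_symbols(dump)
        print(label, "2.5.7:", fortify_verdict(names),
              "2.5.8:", fortify_verdict(names, skip_memcpy_only=True))
```

The exemption only removes the memcpy-only case; a binary importing both unprotected memcpy and unprotected strcpy is still flagged, which is the residual -O0 and pre-4.7 behaviour Niels notes.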




Added tag(s) pending. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sun, 27 May 2012 06:51:06 GMT) Full text and rfc822 format available.

Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Tue, 29 May 2012 10:28:34 GMT) Full text and rfc822 format available.

Notification sent to Sven Joachim <svenjoac@gmx.de>:
Bug acknowledged by developer. (Tue, 29 May 2012 10:28:37 GMT) Full text and rfc822 format available.

Message #57 received at 673112-close@bugs.debian.org (full text, mbox):

From: Niels Thykier <niels@thykier.net>
To: 673112-close@bugs.debian.org
Subject: Bug#673112: fixed in lintian 2.5.8
Date: Tue, 29 May 2012 10:22:31 +0000
Source: lintian
Source-Version: 2.5.8

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:

lintian_2.5.8.dsc
  to main/l/lintian/lintian_2.5.8.dsc
lintian_2.5.8.tar.gz
  to main/l/lintian/lintian_2.5.8.tar.gz
lintian_2.5.8_all.deb
  to main/l/lintian/lintian_2.5.8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 673112@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 29 May 2012 11:49:47 +0200
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.8
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description: 
 lintian    - Debian package checker
Closes: 662134 667895 669911 671387 673106 673109 673112 673198 673352 673449 673451 673611 673613 673862
Changes: 
 lintian (2.5.8) unstable; urgency=low
 .
   It's like 2.5.7, only with less false positives and no FTBFS.
 .
   * checks/binaries{,.desc}:
     + [NT] Fix a too strict regex causing false-positives for
       biarch packages.  This was a regression introduced in
       version 2.5.7.  Thanks to Sven Joachim for reporting it.
       (Closes: #673106)
     + [NT] Demote certainty of hardening-no-stackprotector to
       wild-guess and move it to debian/extra-hardening profile.
     + [NT] Skip hardening-no-fortify-functions for binaries only
       using the unprotected memcpy.  This greatly reduces the
       number of false positives for binaries compiled with
       gcc-4.7 -O2 (or higher optimization).  (Closes: #673112)
   * checks/files:
     + [NT] Properly handle symlinks in icon directories.  Thanks
       to Nicholas Breen for the report and Felix Geyer for the
       patches.  (Closes: #673352)
     + [NT] Ignore wrong sizes on images in animations as it may
       be a method to implement the animation.  Thanks to Matthias
       Klumpp for the report and Felix Geyer for the patch.
       (Closes: #673862)
     + [NT] Ignore wrong icon sizes if the size difference is at
       most 2px.  Thanks to Felix Geyer for the patch.
   * checks/scripts:
     + [NT] Refactor the %versioned_interpreters into a new
       data file.
   * checks/shared-libs:
     + [NT] Fix false positive "dev-pkg-without-shlib-symlink"
       for shared libraries using "libtool -release X.Y".
       Thanks to Sven Joachim for the report.  (Closes: #673109)
     + [NT] Fix false positive "dev-pkg-without-shlib-symlink"
       for shared libraries installed in /lib.  Lintian now
       correctly expects the dev-symlink beneath /usr/lib.
       Thanks to Guillem Jover for the report.
   * checks/source-copyright:
     + [NT] Use the in-memory contents of the copyright file
       instead of re-reading the file when parsing it as a
       DEP-5 copyright file.
 .
   * collection/objdump-info{,.desc}:
     + [NT] Drop -D flag for readelf when looking for symbols.
       This makes some checks more reliable in Ubuntu.  Thanks
       to Marc Deslauriers for the report and the patch.
       (Closes: #673451)
 .
   * debian/control:
     + [NT] Add versioned Build-Depends on dpkg-dev (>= 1.16.1~)
       as the test suite relies on it.  Thanks to Luca Falavigna
       for reporting it.
     + [NT] Update the description to mention that the version
       of Lintian is calibrated for version 3.9.3 of the Policy.
   * debian/lintian.install:
     + [NT] Remove usr/share/lintian/data - Lintian does not
       need it and dpkg will not replace the dir with a symlink.
 .
   * data/scripts/interpreters:
     + [NT] Add falcon, gbr3, jython and ngp2 as known interpreters.
       (Closes: #669911, #671387, #662134, #667895)
   * data/scripts/versioned-interpreters:
     + [NT] New file.
     + [NT] Added python2.7 to the list of known Python 2 interpreters.
   * data/spelling/corrections:
     + [RA] Remove corrections for "writeable" and "overwriteable".  These
       spellings are permitted by the OED in UK English.  (Closes: #673611)
     + [NT] Add correction for "pointer".
 .
   * lib/Lintian/Collect/*.pm:
     + [NT] Localize "$_" to avoid truncating caller's variable.
       (Closes: #673613)
 .
   * t:
     + [NT] Generate empty ".so" files used in the test.  This
       resolves an issue where dpkg-source would exclude them
       causing a FTBFS.  (Closes: #673198)
     + [NT] Fix test failure in derivatives where some hardening
       flags are enabled by default.  Thanks to Marc Deslauriers
       for the report and the patch.  (Closes: #673449)
Checksums-Sha1: 
 de2ae82463727f45b3d28dce15b89bbea8fc641c 2485 lintian_2.5.8.dsc
 576c06a94e7758e358a43b549b123052a7e49fdc 1092923 lintian_2.5.8.tar.gz
 d6f247358c070a7e37c9f22c84aee63fbfd816fb 697324 lintian_2.5.8_all.deb
Checksums-Sha256: 
 20fd9f4084197aaa923af9a7bb7dba8cc06bd1ed307a16c8b14e275d91e1093f 2485 lintian_2.5.8.dsc
 b0a6016d9a0e5ba3ed1fc00cabd8b3be75c572fcfee7cd5079d06c64f626d343 1092923 lintian_2.5.8.tar.gz
 587c014c2f87ea1359f139e5a37bce1acd0b1552d7c49ca0e54e5e8b24f57c5c 697324 lintian_2.5.8_all.deb
Files: 
 71653df24991d1734fea17f3205ef042 2485 devel optional lintian_2.5.8.dsc
 1121be8bcccaf75a571e4c17197bebbc 1092923 devel optional lintian_2.5.8.tar.gz
 4fd057457a01384ffdc4fa39888f4f4d 697324 devel optional lintian_2.5.8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPxJ6zAAoJEAVLu599gGRCAksP/A2Iq8KuHfQKrsGzBr0a7rs6
FzMN8B8RFi79cpxkZRFF1rz2+lc4/DUXl38vX1Quztefj6165vCnDMEQxNwDcasC
OjC302qTGdPc4oY0h8M3ObJuAy1OLiccdIfDpWjeBcY5x7VbcKShnxbrZvwzl3Md
6BsetF6w2xo4JeUtjF8T/DM+dxqSSs3C2srt10T1IeGY1sSQA7Zq/tR9M6IeO7t1
nw1GSpetKmGowl8YBVM0p0abyAskAxD6YUNIdd7bbj0667FPLVHKv5YDtN4z2ACG
rZvJWcMFy1Q8CfZl6jBoAkqeOCCq9qegdRK0W21gqxwAwUajbEknpr64j0Jt4+i1
mbUeJwGmci4WzEFCTQ3NV4dW0Df33oXtzLWXw+1gGGCo2IcBlwJY0oI49GujAOYB
Hepxi10Yn4VymLsUHCactmqjzp2dUDfzYNXZELUedoL3Jo5mKjRaytdlsMMzXtkS
0/Lzv3J4xtJ1R7C0PetJCEjNdQQktMdzgCZcI8FA0WzNj/7C1egk9c0RbLYsM2l7
NmKYZPNC2sYmcYQRKK6SncbiP+IRjAsj8GrQzp4llaWcNwppLCzc7BK45L90REcl
b1YXJzlrdGgFLfxi594Smmc2iZPHuepjqgKtyMugzcuEdQNjapv5WEVKyATU18so
Pdc2YKJcYOfKU4zq/Tjg
=oiPt
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Thu, 31 May 2012 09:49:28 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastian Ramacher <s.ramacher@gmx.at>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 31 May 2012 09:49:33 GMT) Full text and rfc822 format available.

Message #62 received at 673112@bugs.debian.org (full text, mbox):

From: Sebastian Ramacher <s.ramacher@gmx.at>
To: Niels Thykier <niels@thykier.net>, 673112@bugs.debian.org
Subject: Re: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Date: Thu, 31 May 2012 11:14:34 +0200
Hi Niels,

On 22/05/12 14:05, Niels Thykier wrote:
> [2] // Poor man's strdup
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
> 
> int main(int argc, char **argv) {
>   const char *s = argv[0];
>   size_t l = strlen(s);
>   char *cpy = malloc (l + 1);
>   if (!cpy)
>     return 1;
>   strcpy(cpy, s);
>   cpy[0] = 'b';
>   printf("%s\n", cpy);
>   return 0;
> }

I've been playing around with your example a bit. Since I stumbled upon some
cases where gcc didn't replace calls to memset and memmove with their hardened
versions, I modified your example to use memset and memmove. I ended up with the
following:

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char** argv)
{
  const char* s = argv[0];
  size_t l = strlen(s);
  /* Heap buffer whose size is only known at run time, so the compiler
     has no object size to check against. */
  char* cpy = malloc(l + 1);
  if (!cpy)
    return 1;
  memset(cpy, s[0], l);   /* emitted as plain memset, not __memset_chk */
  cpy[l] = 0;
  printf("%s\n", cpy);
  memmove(cpy, s, l);     /* emitted as plain memmove, not __memmove_chk */
  cpy[0] = 'b';
  printf("%s\n", cpy);
  return 0;
}

Regardless of the flags passed to gcc [1], hardening-check reports the following
[2]:

 Fortify Source functions: no, only unprotected functions found!
        unprotected: memset
        unprotected: memmove

So maybe memset and memmove are good candidates for the whitelist as well.

Cheers

[1] `dpkg-buildflags --get CFLAGS` `dpkg-buildflags --get CPPFLAGS`
`dpkg-buildflags --get LDFLAGS` and iterated over all the possible -O.
[2] With -Os the call to memset is optimized and not present at all.
-- 
Sebastian Ramacher


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#673112; Package lintian. (Wed, 06 Jun 2012 08:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Iannacone <l3on@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 06 Jun 2012 08:27:03 GMT) Full text and rfc822 format available.

Message #67 received at 673112@bugs.debian.org (full text, mbox):

From: Leo Iannacone <l3on@ubuntu.com>
To: 673112@bugs.debian.org
Date: Wed, 6 Jun 2012 10:00:14 +0200
Hi all,

with the ION package I've got these false positives:

      9 	unprotected: recvfrom
      8 	unprotected: recv
      8 	unprotected: memset
      6 	unprotected: read
      6 	unprotected: memcpy

while I'm using -D_FORTIFY_SOURCE=2 during build.

-- 
Ubuntu Member - http://launchpad.net/~l3on
Home Page - http://leoiannacone.com
GPG Key Id - 0xD282FC25
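The heuristic behind the reports from Sebastian and Leo above, written up as an added example for this page (it is not lintian's or hardening-check's own code). It parses the symbol table in the format `readelf -Ws --dyn-syms` prints, classifies imported libc functions the way hardening-check's "Fortify Source functions" line does (a `__foo_chk` import counts as protected, a bare `foo` from the fortifiable set counts as unprotected), and then applies the skip rule from the 2.5.8 changelog entry above, modelled on its wording rather than on lintian's source. The sample symbol tables are constructed for the example; `FORTIFIABLE` is a hand-picked subset of glibc's fortified functions, and `skip` defaults to the memcpy-only rule, with Sebastian's memset/memmove suggestion available as `LIKELY_FALSE_POSITIVE`.

```python
"""Fortify-Source classification of an ELF binary's imports (added example).

Mirrors the logic of hardening-check / lintian's hardening-no-fortify-functions
closely enough to show why a binary built with -D_FORTIFY_SOURCE=2 can still
come out as "only unprotected functions found", and what the 2.5.8 skip does.
"""
from __future__ import annotations

import re
from typing import Iterable

# Subset of glibc functions that have a __*_chk wrapper under _FORTIFY_SOURCE.
# Chosen for this example; the real list is longer.
FORTIFIABLE = frozenset({
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "printf", "fprintf", "read", "recv", "recvfrom",
    "gets", "fgets", "getcwd", "realpath", "pread",
})

# Functions gcc -O2 commonly leaves unprotected even with _FORTIFY_SOURCE=2
# (destination size known or unknowable at compile time, so no check is
# emitted).  lintian 2.5.8 skips only memcpy; memset/memmove are Sebastian's
# proposed additions from this bug.
LIKELY_FALSE_POSITIVE = frozenset({"memcpy", "memset", "memmove"})

# One row of `readelf -Ws --dyn-syms`; we want undefined FUNC symbols only.
_SYM_RE = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\d+\s+FUNC\s+\S+\s+\S+\s+UND\s+(\S+)"
)
_CHK_RE = re.compile(r"^__(\w+)_chk$")


def undefined_functions(readelf_output: str) -> set[str]:
    """Names of imported (UND) functions, with the @GLIBC_x.y version stripped."""
    names = set()
    for line in readelf_output.splitlines():
        m = _SYM_RE.match(line)
        if m:
            names.add(m.group(1).split("@", 1)[0])
    return names


def fortify_verdict(symbols: Iterable[str]) -> tuple[str, list[str], list[str]]:
    """Return (verdict, protected, unprotected) in hardening-check's wording."""
    protected, unprotected = [], []
    for name in sorted(symbols):
        m = _CHK_RE.match(name)
        if m and m.group(1) in FORTIFIABLE:      # e.g. __printf_chk
            protected.append(name)
        elif name in FORTIFIABLE:                # e.g. memset
            unprotected.append(name)
        # __stack_chk_fail has no fortifiable base name and is ignored here.
    if protected:
        return "yes", protected, unprotected
    if unprotected:
        return "no, only unprotected functions found!", protected, unprotected
    return "unknown, no protectable libc functions used", protected, unprotected


def lintian_tag(symbols: Iterable[str], skip: frozenset = frozenset({"memcpy"})) -> str | None:
    """Tag to emit, or None.  Skips the tag when every unprotected call is in `skip`."""
    verdict, _protected, unprotected = fortify_verdict(symbols)
    if verdict != "no, only unprotected functions found!":
        return None
    if set(unprotected) <= skip:
        return None
    return "hardening-no-fortify-functions"


def report(name: str, readelf_output: str, skip: frozenset = frozenset({"memcpy"})) -> str:
    syms = undefined_functions(readelf_output)
    verdict, _, unprotected = fortify_verdict(syms)
    lines = [f"{name}:", f" Fortify Source functions: {verdict}"]
    lines += [f"\tunprotected: {u}" for u in unprotected]
    lines.append(f" lintian: {lintian_tag(syms, skip) or 'no tag'}")
    return "\n".join(lines)


# Constructed readelf output.  Sebastian's memset/memmove program: printf("%s\n", p)
# is turned into puts(p) by gcc, so no __printf_chk shows up either.
SAMPLE_MEMFUNCS_ONLY = """\
Symbol table '.dynsym' contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memmove@GLIBC_2.2.5 (2)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
"""

# Constructed table shaped like Leo's ION report: socket reads into buffers.
SAMPLE_ION_LIKE = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND recvfrom@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND recv@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND read@GLIBC_2.2.5 (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND socket@GLIBC_2.2.5 (2)
"""

# Constructed table for a binary where at least one wrapper did get used.
SAMPLE_MIXED = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
"""

if __name__ == "__main__":
    for skip in (frozenset({"memcpy"}), LIKELY_FALSE_POSITIVE):
        print(f"--- skip={sorted(skip)}")
        print(report("memfuncs-only", SAMPLE_MEMFUNCS_ONLY, skip))
        print(report("ion-like", SAMPLE_ION_LIKE, skip))
        print(report("mixed", SAMPLE_MIXED, skip))
```

Run against the constructed tables, the memset/memmove binary is tagged under the 2.5.8 memcpy-only rule and clears once memset and memmove are added to the skip set, while the recv/recvfrom/read case stays tagged under both, which is why a whitelist of memory functions alone does not cover Leo's report.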




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Jul 2012 07:35:12 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 14:59:03 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.