From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 2 Apr 2010 20:59:43 +0000 (+0200)
Subject: toolchain: Apply hardening patches to binutils in toolchain.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c17a3a7d1e6bfac229edfb8408b769897dc436dc;p=ipfire-3.x.git

toolchain: Apply hardening patches to binutils in toolchain.
---

diff --git a/pkgs/toolchain/binutils-static/patches b/pkgs/toolchain/binutils-static/patches
new file mode 120000
index 000000000..046f17d4d
--- /dev/null
+++ b/pkgs/toolchain/binutils-static/patches
@@ -0,0 +1 @@
+../binutils/patches/
\ No newline at end of file
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.19.1-asprintf_fix.patch b/pkgs/toolchain/binutils/patches/binutils-2.19.1-asprintf_fix.patch
new file mode 100644
index 000000000..102ec2e2c
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.19.1-asprintf_fix.patch
@@ -0,0 +1,16 @@
+https://hardened.gentooexperimental.org/trac/secure/raw-attachment/ticket/33/libiberty.h-asprintf-glibc-2.8.patch
+
+--- a/include/libiberty.h.orig	2007-02-09 15:29:21.000000000 +0000
++++ b/include/libiberty.h	2008-07-25 21:17:25.000000000 +0000
+@@ -554,8 +554,11 @@
+ /* Like sprintf but provides a pointer to malloc'd storage, which must
+    be freed by the caller.  */
+ 
++/* asprintf may be declared as a macro by glibc with __USE_FORTIFY_LEVEL.  */
++#ifndef asprintf
+ extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2;
+ #endif
++#endif
+ 
+ #if !HAVE_DECL_VASPRINTF
+ /* Like vsprintf but provides a pointer to malloc'd storage, which
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.19.1-ld_makefile.patch b/pkgs/toolchain/binutils/patches/binutils-2.19.1-ld_makefile.patch
new file mode 100644
index 000000000..4624f29a2
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.19.1-ld_makefile.patch
@@ -0,0 +1,54 @@
+#!/bin/sh -e
+## 001_ld_makefile_patch.dpatch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: correct where ld scripts are installed
+## DP: Author: Chris Chimelis <chris@debian.org>
+## DP: Upstream status: N/A
+## DP: Date: ??
+
+if [ $# -ne 1 ]; then
+    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+    exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch}"
+
+case "$1" in
+       -patch) patch $patch_opts -p1 < $0;;
+       -unpatch) patch $patch_opts -p1 -R < $0;;
+        *)
+                echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+                exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+Index: binutils-2.18/ld/Makefile.am
+===================================================================
+--- binutils-2.18.orig/ld/Makefile.am	2007-06-28 09:19:34.837940280 +0200
++++ binutils-2.18/ld/Makefile.am	2007-06-28 09:19:35.795794664 +0200
+@@ -18,7 +18,7 @@
+ # We put the scripts in the directory $(scriptdir)/ldscripts.
+ # We can't put the scripts in $(datadir) because the SEARCH_DIR
+ # directives need to be different for native and cross linkers.
+-scriptdir = $(tooldir)/lib
++scriptdir = $(libdir)
+
+ EMUL = @EMUL@
+ EMULATION_OFILES = @EMULATION_OFILES@
+Index: binutils-2.18/ld/Makefile.in
+===================================================================
+--- binutils-2.18.orig/ld/Makefile.in	2007-06-28 09:19:34.844939216 +0200
++++ binutils-2.18/ld/Makefile.in	2007-06-28 09:19:35.796794512 +0200
+@@ -287,7 +287,7 @@
+ # We put the scripts in the directory $(scriptdir)/ldscripts.
+ # We can't put the scripts in $(datadir) because the SEARCH_DIR
+ # directives need to be different for native and cross linkers.
+-scriptdir = $(tooldir)/lib
++scriptdir = $(libdir)
+ BASEDIR = $(srcdir)/..
+ BFDDIR = $(BASEDIR)/bfd
+ INCDIR = $(BASEDIR)/include
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20-ipfire-ld-elf-1.patch b/pkgs/toolchain/binutils/patches/binutils-2.20-ipfire-ld-elf-1.patch
new file mode 100644
index 000000000..88e539dab
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20-ipfire-ld-elf-1.patch
@@ -0,0 +1,15 @@
+diff -Nur a/ld/testsuite/ld-elf/elf.exp b/ld/testsuite/ld-elf/elf.exp
+--- a/ld/testsuite/ld-elf/elf.exp	2010-03-17 10:59:03.000000000 +0100
++++ b/ld/testsuite/ld-elf/elf.exp	2010-03-17 11:00:31.000000000 +0100
+@@ -70,11 +70,8 @@
+ 
+ set array_tests {
+     {"preinit array" "" "" {preinit.c} "preinit" "preinit.out"}
+-    {"static preinit array" "-static" "" {preinit.c} "preinit" "preinit.out"}
+     {"init array" "" "" {init.c} "init" "init.out"}
+-    {"static init array" "-static" "" {init.c} "init" "init.out"}
+     {"fini array" "" "" {fini.c} "fini" "fini.out"}
+-    {"static fini array" "-static" "" {fini.c} "fini" "fini.out"}
+ }
+ 
+ # NetBSD ELF systems do not currently support the .*_array sections.
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20-objcopy.patch b/pkgs/toolchain/binutils/patches/binutils-2.20-objcopy.patch
new file mode 100644
index 000000000..62c90c711
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20-objcopy.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index 9732b86..dec0feb 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -2287,6 +2287,18 @@ copy_file (const char *input_filename, const char *output_filename,
+ 
+       status = 1;
+     }
++
++  if (status == 0)
++    {
++      struct stat statbuf;
++
++      /* No need to check the return value of stat().  It has already
++	 been checked in get_file_size().  */
++      stat (input_filename, &statbuf);
++
++      /* Try to preserve the permission bits.  */
++      chmod (output_filename, statbuf.st_mode);
++    }
+ }
+ 
+ /* Add a name to the section renaming list.  */
+
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20.1-all_dobumen-new-dtags-behaviour.patch b/pkgs/toolchain/binutils/patches/binutils-2.20.1-all_dobumen-new-dtags-behaviour.patch
new file mode 100644
index 000000000..3587c99db
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20.1-all_dobumen-new-dtags-behaviour.patch
@@ -0,0 +1,16 @@
+Index: binutils-2.19.51.0.5/ld/ld.texinfo
+===================================================================
+--- binutils-2.19.51.0.5.orig/ld/ld.texinfo
++++ binutils-2.19.51.0.5/ld/ld.texinfo
+@@ -2036,8 +2036,9 @@ This linker can create the new dynamic t
+ systems may not understand them. If you specify
+ @option{--enable-new-dtags}, the dynamic tags will be created as needed.
+ If you specify @option{--disable-new-dtags}, no new dynamic tags will be
+-created. By default, the new dynamic tags are not created. Note that
+-those options are only available for ELF systems.
++created. On IPFire, by default, the new dynamic tags are created (this
++differs from upstream behaviour). Note that those options are only
++available for ELF systems.
+ 
+ @kindex --hash-size=@var{number}
+ @item --hash-size=@var{number}
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-flexible-tests.patch b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-flexible-tests.patch
new file mode 100644
index 000000000..c95e369ba
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-flexible-tests.patch
@@ -0,0 +1,82 @@
+making some of the address matches more flexible fixes tests when using
+pax/relro/hash patches
+
+--- binutils/ld/testsuite/ld-i386/hidden2.d
++++ binutils/ld/testsuite/ld-i386/hidden2.d
+@@ -8,6 +8,6 @@
+ Disassembly of section .text:
+ 
+ [a-f0-9]+ <bar>:
+-[ 	]*[a-f0-9]+:	e8 af fe ff ff       	call   0 <bar-0x[a-f0-9]+>
++[ 	]*[a-f0-9]+:	e8 ([a-f0-9]{2} ){2}ff ff       	call   0 <bar-0x[a-f0-9]+>
+ [ 	]*[a-f0-9]+:	c3                   	ret    
+ #pass
+--- binutils/ld/testsuite/ld-x86-64/hidden2.d
++++ binutils/ld/testsuite/ld-x86-64/hidden2.d
+@@ -8,6 +8,6 @@
+ Disassembly of section .text:
+ 
+ [a-f0-9]+ <bar>:
+-[ 	]*[a-f0-9]+:	e8 33 fe ff ff       	callq  0 <bar-0x[a-f0-9]+>
++[ 	]*[a-f0-9]+:	e8 ([a-f0-9]{2} ){2}ff ff       	callq  0 <bar-0x[a-f0-9]+>
+ [ 	]*[a-f0-9]+:	c3                   	retq   
+ #pass
+--- binutils/ld/testsuite/ld-x86-64/protected3.d
++++ binutils/ld/testsuite/ld-x86-64/protected3.d
+@@ -8,6 +8,6 @@
+ Disassembly of section .text:
+ 
+ 0+[a-f0-9]+ <bar>:
+-[ 	]*[a-f0-9]+:	8b 05 ce 00 20 00    	mov    0x[a-f0-9]+\(%rip\),%eax        # [a-f0-9]+ <foo>
++[ 	]*[a-f0-9]+:	8b 05 ([a-f0-9]{2} ){2}20 00    	mov    0x[a-f0-9]+\(%rip\),%eax        # [a-f0-9]+ <foo>
+ [ 	]*[a-f0-9]+:	c3                   	retq   
+ #pass
+--- binutils/ld/testsuite/ld-ifunc/ifunc-1-local-x86.d
++++ binutils/ld/testsuite/ld-ifunc/ifunc-1-local-x86.d
+@@ -3,5 +3,5 @@
+ #target: x86_64-*-* i?86-*-*
+ 
+ #...
+-[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*(\+0x200|)@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*(\+0x[a-f0-9]+|)@plt>
+ #pass
+--- binutils/ld/testsuite/ld-ifunc/ifunc-1-x86.d
++++ binutils/ld/testsuite/ld-ifunc/ifunc-1-x86.d
+@@ -3,5 +3,5 @@
+ #target: x86_64-*-* i?86-*-*
+ 
+ #...
+-[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*(\+0x220|)@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*(\+0x[a-f0-9]+|)@plt>
+ #pass
+--- binutils/ld/testsuite/ld-ifunc/ifunc-2-local-x86-64.d
++++ binutils/ld/testsuite/ld-ifunc/ifunc-2-local-x86-64.d
+@@ -4,6 +4,6 @@
+ #target: x86_64-*-*
+ 
+ #...
+-[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*\+0x220@plt>
+-[ \t0-9a-f]+:[ \t0-9a-f]+lea[ \t]+.*\(%rip\),%rax.*[ \t0-9a-fq]+<\*ABS\*\+0x220@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*\+0x[a-f0-9]+@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+lea[ \t]+.*\(%rip\),%rax.*[ \t0-9a-fq]+<\*ABS\*\+0x[a-f0-9]+@plt>
+ #pass
+--- binutils/ld/testsuite/ld-ifunc/ifunc-2-x86-64.d
++++ binutils/ld/testsuite/ld-ifunc/ifunc-2-x86-64.d
+@@ -4,6 +4,6 @@
+ #target: x86_64-*-*
+ 
+ #...
+-[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*\+0x220@plt>
+-[ \t0-9a-f]+:[ \t0-9a-f]+lea[ \t]+.*\(%rip\),%rax.*[ \t0-9a-fq]+<\*ABS\*\+0x220@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*\+0x[a-f0-9]+@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+lea[ \t]+.*\(%rip\),%rax.*[ \t0-9a-fq]+<\*ABS\*\+0x[a-f0-9]+@plt>
+ #pass
+--- binutils/ld/testsuite/ld-ifunc/ifunc-3a-x86.d
++++ binutils/ld/testsuite/ld-ifunc/ifunc-3a-x86.d
+@@ -4,5 +4,5 @@
+ #target: x86_64-*-* i?86-*-*
+ 
+ #...
+-[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*(\+0x258|)@plt>
++[ \t0-9a-f]+:[ \t0-9a-f]+call[ \t0-9a-fq]+<\*ABS\*(\+0x[a-f0-9]+|)@plt>
+ #pass
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-rpath_envvar-smack.patch b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-rpath_envvar-smack.patch
new file mode 100644
index 000000000..2e90f0c15
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-rpath_envvar-smack.patch
@@ -0,0 +1,13 @@
+http://sourceware.org/ml/binutils/2007-07/msg00401.html
+http://sourceware.org/bugzilla/show_bug.cgi?id=4970
+
+--- a/configure
++++ b/configure
+@@ -5601,6 +5601,7 @@ case "${host}" in
+   *-*-mingw* | *-*-cygwin ) RPATH_ENVVAR=PATH ;;
+   *) RPATH_ENVVAR=LD_LIBRARY_PATH ;;
+ esac
++RPATH_ENVVAR="cant_touch_this_nah_nah_nah"
+ 
+ # On systems where the dynamic library environment variable is PATH,
+ if test "$RPATH_ENVVAR" = PATH; then
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-use-new-ld-dtags.patch b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-use-new-ld-dtags.patch
new file mode 100644
index 000000000..84e20f70b
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-use-new-ld-dtags.patch
@@ -0,0 +1,10 @@
+--- binutils/ld/ldmain.c
++++ binutils/ld/ldmain.c
+@@ -296,6 +296,7 @@ main (int argc, char **argv)
+ 
+   link_info.allow_undefined_version = TRUE;
+   link_info.keep_memory = TRUE;
++  link_info.new_dtags = TRUE;
+   link_info.combreloc = TRUE;
+   link_info.strip_discarded = TRUE;
+   link_info.callbacks = &link_callbacks;
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-use-relro.patch b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-use-relro.patch
new file mode 100644
index 000000000..db3276b62
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-use-relro.patch
@@ -0,0 +1,9 @@
+background:
+http://www.airs.com/blog/archives/189
+
+--- binutils/ld/ldmain.c
++++ binutils/ld/ldmain.c
+@@ -293,2 +293,3 @@ main (int argc, char **argv)
+   link_info.combreloc = TRUE;
++  link_info.relro = TRUE;
+   link_info.strip_discarded = TRUE;
diff --git a/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-warn-textrel.patch b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-warn-textrel.patch
new file mode 100644
index 000000000..c8783a287
--- /dev/null
+++ b/pkgs/toolchain/binutils/patches/binutils-2.20.1-gentoo-warn-textrel.patch
@@ -0,0 +1,85 @@
+textrels are bad for forcing copy-on-write (this affects everyone),
+and for security/runtime code generation, this affects security ppl.
+But in either case, it doesn't matter who needs textrels, it's
+the very fact that they're needed at all.
+
+2006-06-10  Ned Ludd  <solar@gentoo.org>, Mike Frysinger <vapier@gentoo.org>
+
+	* bfd/elflink.c (bfd_elf_final_link): Check all objects for TEXTRELs.
+	* ld/ldmain.c (main): Change textrel warning default to true.
+	* ld/testsuite/lib/ld-lib.exp (default_ld_simple_link): Scrub TEXTREL
+	warnings from ld output.
+
+--- binutils/bfd/elflink.c
++++ binutils/bfd/elflink.c
+@@ -8652,14 +8652,12 @@
+ 	goto error_return;
+ 
+       /* Check for DT_TEXTREL (late, in case the backend removes it).  */
+-      if (info->warn_shared_textrel && info->shared)
++      o = bfd_get_section_by_name (dynobj, ".dynamic");
++      if (info->warn_shared_textrel && o != NULL)
+ 	{
+ 	  bfd_byte *dyncon, *dynconend;
+ 
+ 	  /* Fix up .dynamic entries.  */
+-	  o = bfd_get_section_by_name (dynobj, ".dynamic");
+-	  BFD_ASSERT (o != NULL);
+-
+ 	  dyncon = o->contents;
+ 	  dynconend = o->contents + o->size;
+ 	  for (; dyncon < dynconend; dyncon += bed->s->sizeof_dyn)
+@@ -8702,7 +8702,7 @@ bfd_elf_final_link (bfd *abfd, struct bf
+ 	      if (dyn.d_tag == DT_TEXTREL)
+ 		{
+ 		 info->callbacks->einfo
+-		    (_("%P: warning: creating a DT_TEXTREL in a shared object.\n"));
++		    (_("%P: warning: creating a DT_TEXTREL in object.\n"));
+ 		  break;
+ 		}
+ 	    }
+--- binutils/ld/ldmain.c
++++ binutils/ld/ldmain.c
+@@ -282,2 +282,3 @@
+   link_info.spare_dynamic_tags = 5;
++  link_info.warn_shared_textrel = TRUE;
+   link_info.sharable_sections = FALSE;
+--- binutils/ld/testsuite/lib/ld-lib.exp
++++ binutils/ld/testsuite/lib/ld-lib.exp
+@@ -181,6 +181,10 @@ proc default_ld_simple_link { ld target 
+     # symbol, since the default linker script might use ENTRY.
+     regsub -all "(^|\n)(\[^\n\]*: warning: cannot find entry symbol\[^\n\]*\n?)" $exec_output "\\1" exec_output
+ 
++    # Gentoo tweak:
++    # We want to ignore TEXTREL warnings since we force enable them by default
++    regsub -all "^.*ld-new: warning: creating a DT_TEXTREL in object\." $exec_output "\\1" exec_output
++
+     if [string match "" $exec_output] then {
+ 	return 1
+     } else {
+@@ -899,6 +903,10 @@
+ 	remote_file build delete "ld.tmp"
+ 	set cmdret [lindex $cmdret 0]
+ 
++	# Gentoo tweak:
++	# We want to ignore TEXTREL warnings since we force enable them by default
++	regsub -all "^.*ld-new: warning: creating a DT_TEXTREL in object\." $comp_output "\\1" comp_output
++
+ 	if { $cmdret == 0 && $run_objcopy } {
+ 	    set infile $objfile
+ 	    set objfile "tmpdir/dump1"
+
+this sucks, but the warn test explicitly checks for textrels, and we
+change/filter that output with the above hunks
+
+--- binutils/ld/testsuite/ld-i386/i386.exp
++++ binutils/ld/testsuite/ld-i386/i386.exp
+@@ -176,7 +176,7 @@
+ run_dump_test "pcrel16"
+ run_dump_test "pcrel16abs"
+ run_dump_test "alloc"
+-run_dump_test "warn1"
++#run_dump_test "warn1"
+ run_dump_test "tlsgd2"
+ run_dump_test "tlsie2"
+ run_dump_test "tlsie3"