Actions
Enhancement #750
closed
Compile BIP with secure flags
Start date:
2022-01-12
Due date:
% Done:
100%
Estimated time:
(Total: 0:00 h)
Patch Available:
Yes
Found in Versions:
Confirmed:
No
Branch:
Security:
Yes
Help Needed:
Description
We should fix issues raised by compiling with flags recommended by https://airbus-seclab.github.io/c-compiler-security/
GCC TL;DR
-O2 -Werror -Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 -Wformat-security -Wnull-dereference -Wstack-protector -Wtrampolines -Walloca -Wvla -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wcast-qual -Wstringop-overflow=4 -Wconversion -Warith-conversion -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wshadow -Wstrict-overflow=4 -Wundef -Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wstack-usage=1000000 -Wcast-align=strict -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -fPIE -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code
Files
Updated by Loïc Gomez almost 3 years ago
Started working on it, but this will depend on another rework to avoid stuffing our code with casts.
Updated by Loïc Gomez almost 3 years ago
- Tracker changed from Bug to Enhancement
Updated by Loïc Gomez almost 3 years ago
- Related to Review #751: Fix /BIP commands truncating output added
Actions
#4
Updated by Loïc Gomez almost 3 years ago
- File 0001-Update-build-configuration.patch added
- File 0002-Add-compiled-stuff-to-gitignore.patch 0002-Add-compiled-stuff-to-gitignore.patch added
- File 0003-Add-secure-strict-CFLAGS.patch 0003-Add-secure-strict-CFLAGS.patch added
- File 0004-sanitize-add-bipmkpw_fatal-and-fix-bipmkpw-warnings.patch 0004-sanitize-add-bipmkpw_fatal-and-fix-bipmkpw-warnings.patch added
- File 0005-sanitize-add-missing-void-on-functions-not-expecting.patch 0005-sanitize-add-missing-void-on-functions-not-expecting.patch added
- File 0006-sanitize-trivial-fixes-and-casts-to-types-expected-b.patch 0006-sanitize-trivial-fixes-and-casts-to-types-expected-b.patch added
- File 0007-sanitize-fix-unused-return-values.patch 0007-sanitize-fix-unused-return-values.patch added
- File 0008-sanitize-configuration-parsing.patch 0008-sanitize-configuration-parsing.patch added
- File 0009-sanitize-handle-more-config-errors-replace-int-1-typ.patch 0009-sanitize-handle-more-config-errors-replace-int-1-typ.patch added
- File 0010-sanitize-use-proper-types-safe-casts-mostly-size_t.patch 0010-sanitize-use-proper-types-safe-casts-mostly-size_t.patch added
- Patch Available set to Yes
Here's code that NEED review as I'm not 100% sure of myself.
Checked it compiles and runs at least on a test config.
This is split into commits/patches that felt somehow logical.
Actions
#5
Updated by Loïc Gomez almost 3 years ago
- File 0011-sanitize-link_server-l_clientc-should-not-be-allowed.patch 0011-sanitize-link_server-l_clientc-should-not-be-allowed.patch added
- File 0012-sanitize-link_server-lag-shouldn-t-be-allowed-to-go-.patch 0012-sanitize-link_server-lag-shouldn-t-be-allowed-to-go-.patch added
- File 0013-sanitize-fix-pid-pidfile-handling.patch 0013-sanitize-fix-pid-pidfile-handling.patch added
- File 0014-sanitize-null-writes-write-errors-oversized-integers.patch 0014-sanitize-null-writes-write-errors-oversized-integers.patch added
- File 0015-sanitize-add-bip_clock_gettime-util-function.patch 0015-sanitize-add-bip_clock_gettime-util-function.patch added
- File 0016-sanitize-oidentd-handler-fixes.patch 0016-sanitize-oidentd-handler-fixes.patch added
- File 0017-sanitize-external-libs-warning-ignores.patch 0017-sanitize-external-libs-warning-ignores.patch added
- File 0018-sanitize-more-NULL-pointer-failsafes.patch 0018-sanitize-more-NULL-pointer-failsafes.patch added
- File 0019-sanitize-ftell-fseek-and-logfile-len-logstore-file_o.patch 0019-sanitize-ftell-fseek-and-logfile-len-logstore-file_o.patch added
- File 0020-sanitize-a-bit-involved-size_t-cast-for-get_str_elem.patch 0020-sanitize-a-bit-involved-size_t-cast-for-get_str_elem.patch added
Next batch
Actions
#6
Updated by Loïc Gomez almost 3 years ago
- File 0021-sanitize-pragmas-for-our-code.patch 0021-sanitize-pragmas-for-our-code.patch added
- File 0022-sanitize-irc_cli_part-set-cname-to-proper-const-char.patch 0022-sanitize-irc_cli_part-set-cname-to-proper-const-char.patch added
- File 0023-sanitize-fix-const-char-being-used-as-non-const.patch 0023-sanitize-fix-const-char-being-used-as-non-const.patch added
- File 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch added
Last batch
Updated by Loïc Gomez almost 3 years ago
- Status changed from New to In Progress
- Security set to Yes
This code has #751 as a prerequisite.
Updated by Loïc Gomez almost 3 years ago
- File deleted (
0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch)
Updated by Loïc Gomez almost 3 years ago
- File 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch added
Fixing last patch, pragmas were wrongly defined.
Updated by Loïc Gomez almost 3 years ago
- File deleted (
0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch)
Updated by Loïc Gomez almost 3 years ago
- File deleted (
0001-Update-build-configuration.patch)
Actions
#12
Updated by Loïc Gomez almost 3 years ago
- File 0001-Update-build-configuration.patch 0001-Update-build-configuration.patch added
- File 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch added
And again.
Also, I couldn't find my way into Makefile.am to have generated lex.c file be compiled without -Wswitch-default -Wtraditional-conversion and -Wstrict-overflow.
Updated by Pierre-Louis Bonicoli over 2 years ago
- Status changed from In Progress to Resolved
- Target version set to 0.9.3
All the patches have been applied with the following updates:
- 0001-Update-build-configuration.patch: remove diff related to spaces/tabs
- 0003-Add-secure-strict-CFLAGS.patch: add the missing backslash (otherwise the added flags were ignored)
- update headers with the current year
0001e7d82acfff5877bcede66b6c1661a4a3e9ed3a2e000251a46a1454092dc74f64e299770195a2911fbdd30003fe108e390f6400ccc94ebfe09e0215ad57dbdccf000426d34bafabe7ba8aa778ff8e7af960d1a6dab0810005e694dae31cedcfd7dd2eadffb6c9a18b1f4b866c00062a5e7b6f7bea243117d671ec4812f63b46a23a3900079d6394679f075992b9902a7a3b4c2fe61819cb430008fbfae37d6581b6a077021ba5f62bd2af67b16bbf000994fe272018cfc38b05e98b5b64d9cc959b39e7f10010dd5343b7107ef91a81cae1c74164e08c4421c83f001162fd77dc177710574c66e38882c841c1368dec890012af590f83b7f8e843b2274c33099b653c2be438da0013b990a071b364696432de23a7b6f84807156129fd0014368149575d2cf8aefc6b50983dddb6e1a25b64260015ce4cf8b6a0c8610cc4df096184c006e7cfdd044b0016f379eb35d29c86d0667be072e02e5dfe4af2ec230017f54775fe9204942ab174c8d8e9a88a183c42fed30018dbf8ccd4de68f3dc54efaf63e782c19570ef77bb001979d9be4e71b171cf047bed0f59377dd9ce930d1e0020efb79b1e806142865f63255274f88f43af0c33620021edf78eadb1f1e69172451189aae50827dc179ea10022ee6ee0bd34855baf755c57047bb1404ebd930c17002326d347dec6d7f096cc41a9dac67984a3e19871050024e04f97c78ff528b3c83c080fcb3ecade664b5c73
Thanks Loïc ㊗️❤️!
Actions