Actions
Enhancement #750
closedCompile BIP with secure flags
Start date:
2022-01-12
Due date:
% Done:
100%
Estimated time:
(Total: 0:00 h)
Patch Available:
Yes
Found in Versions:
Confirmed:
No
Branch:
Security:
Yes
Help Needed:
Description
We should fix issues raised by compiling with flags recommended by https://airbus-seclab.github.io/c-compiler-security/
GCC TL;DR
-O2 -Werror -Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 -Wformat-security -Wnull-dereference -Wstack-protector -Wtrampolines -Walloca -Wvla -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wcast-qual -Wstringop-overflow=4 -Wconversion -Warith-conversion -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wshadow -Wstrict-overflow=4 -Wundef -Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wstack-usage=1000000 -Wcast-align=strict -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -fPIE -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code
Files
Updated by Loïc Gomez almost 3 years ago
Started working on it, but this will depend on another rework to avoid stuffing our code with casts.
Updated by Loïc Gomez almost 3 years ago
- Tracker changed from Bug to Enhancement
Updated by Loïc Gomez almost 3 years ago
- Related to Review #751: Fix /BIP commands truncating output added
Actions
#4
Updated by Loïc Gomez almost 3 years ago
- File 0001-Update-build-configuration.patch added
- File 0002-Add-compiled-stuff-to-gitignore.patch 0002-Add-compiled-stuff-to-gitignore.patch added
- File 0003-Add-secure-strict-CFLAGS.patch 0003-Add-secure-strict-CFLAGS.patch added
- File 0004-sanitize-add-bipmkpw_fatal-and-fix-bipmkpw-warnings.patch 0004-sanitize-add-bipmkpw_fatal-and-fix-bipmkpw-warnings.patch added
- File 0005-sanitize-add-missing-void-on-functions-not-expecting.patch 0005-sanitize-add-missing-void-on-functions-not-expecting.patch added
- File 0006-sanitize-trivial-fixes-and-casts-to-types-expected-b.patch 0006-sanitize-trivial-fixes-and-casts-to-types-expected-b.patch added
- File 0007-sanitize-fix-unused-return-values.patch 0007-sanitize-fix-unused-return-values.patch added
- File 0008-sanitize-configuration-parsing.patch 0008-sanitize-configuration-parsing.patch added
- File 0009-sanitize-handle-more-config-errors-replace-int-1-typ.patch 0009-sanitize-handle-more-config-errors-replace-int-1-typ.patch added
- File 0010-sanitize-use-proper-types-safe-casts-mostly-size_t.patch 0010-sanitize-use-proper-types-safe-casts-mostly-size_t.patch added
- Patch Available set to Yes
Here's code that NEED review as I'm not 100% sure of myself.
Checked it compiles and runs at least on a test config.
This is split into commits/patches that felt somehow logical.
Actions
#5
Updated by Loïc Gomez almost 3 years ago
- File 0011-sanitize-link_server-l_clientc-should-not-be-allowed.patch 0011-sanitize-link_server-l_clientc-should-not-be-allowed.patch added
- File 0012-sanitize-link_server-lag-shouldn-t-be-allowed-to-go-.patch 0012-sanitize-link_server-lag-shouldn-t-be-allowed-to-go-.patch added
- File 0013-sanitize-fix-pid-pidfile-handling.patch 0013-sanitize-fix-pid-pidfile-handling.patch added
- File 0014-sanitize-null-writes-write-errors-oversized-integers.patch 0014-sanitize-null-writes-write-errors-oversized-integers.patch added
- File 0015-sanitize-add-bip_clock_gettime-util-function.patch 0015-sanitize-add-bip_clock_gettime-util-function.patch added
- File 0016-sanitize-oidentd-handler-fixes.patch 0016-sanitize-oidentd-handler-fixes.patch added
- File 0017-sanitize-external-libs-warning-ignores.patch 0017-sanitize-external-libs-warning-ignores.patch added
- File 0018-sanitize-more-NULL-pointer-failsafes.patch 0018-sanitize-more-NULL-pointer-failsafes.patch added
- File 0019-sanitize-ftell-fseek-and-logfile-len-logstore-file_o.patch 0019-sanitize-ftell-fseek-and-logfile-len-logstore-file_o.patch added
- File 0020-sanitize-a-bit-involved-size_t-cast-for-get_str_elem.patch 0020-sanitize-a-bit-involved-size_t-cast-for-get_str_elem.patch added
Next batch
Actions
#6
Updated by Loïc Gomez almost 3 years ago
- File 0021-sanitize-pragmas-for-our-code.patch 0021-sanitize-pragmas-for-our-code.patch added
- File 0022-sanitize-irc_cli_part-set-cname-to-proper-const-char.patch 0022-sanitize-irc_cli_part-set-cname-to-proper-const-char.patch added
- File 0023-sanitize-fix-const-char-being-used-as-non-const.patch 0023-sanitize-fix-const-char-being-used-as-non-const.patch added
- File 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch added
Last batch
Updated by Loïc Gomez almost 3 years ago
- Status changed from New to In Progress
- Security set to Yes
This code has #751 as a prerequisite.
Updated by Loïc Gomez almost 3 years ago
- File deleted (
0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch)
Updated by Loïc Gomez almost 3 years ago
- File 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch added
Fixing last patch, pragmas were wrongly defined.
Updated by Loïc Gomez almost 3 years ago
- File deleted (
0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch)
Updated by Loïc Gomez almost 3 years ago
- File deleted (
0001-Update-build-configuration.patch)
Actions
#12
Updated by Loïc Gomez almost 3 years ago
- File 0001-Update-build-configuration.patch 0001-Update-build-configuration.patch added
- File 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch 0024-sanitize-pragma-ignore-passing-argument-X-of-.-with-.patch added
And again.
Also, I couldn't find my way into Makefile.am to have generated lex.c file be compiled without -Wswitch-default -Wtraditional-conversion and -Wstrict-overflow.
Updated by Pierre-Louis Bonicoli almost 3 years ago
- Status changed from In Progress to Resolved
- Target version set to 0.9.3
All the patches have been applied with the following updates:
- 0001-Update-build-configuration.patch: remove diff related to spaces/tabs
- 0003-Add-secure-strict-CFLAGS.patch: add the missing backslash (otherwise the added flags were ignored)
- update headers with the current year
0001
e7d82acfff5877bcede66b6c1661a4a3e9ed3a2e0002
51a46a1454092dc74f64e299770195a2911fbdd30003
fe108e390f6400ccc94ebfe09e0215ad57dbdccf0004
26d34bafabe7ba8aa778ff8e7af960d1a6dab0810005
e694dae31cedcfd7dd2eadffb6c9a18b1f4b866c0006
2a5e7b6f7bea243117d671ec4812f63b46a23a390007
9d6394679f075992b9902a7a3b4c2fe61819cb430008
fbfae37d6581b6a077021ba5f62bd2af67b16bbf0009
94fe272018cfc38b05e98b5b64d9cc959b39e7f10010
dd5343b7107ef91a81cae1c74164e08c4421c83f0011
62fd77dc177710574c66e38882c841c1368dec890012
af590f83b7f8e843b2274c33099b653c2be438da0013
b990a071b364696432de23a7b6f84807156129fd0014
368149575d2cf8aefc6b50983dddb6e1a25b64260015
ce4cf8b6a0c8610cc4df096184c006e7cfdd044b0016
f379eb35d29c86d0667be072e02e5dfe4af2ec230017
f54775fe9204942ab174c8d8e9a88a183c42fed30018
dbf8ccd4de68f3dc54efaf63e782c19570ef77bb0019
79d9be4e71b171cf047bed0f59377dd9ce930d1e0020
efb79b1e806142865f63255274f88f43af0c33620021
edf78eadb1f1e69172451189aae50827dc179ea10022
ee6ee0bd34855baf755c57047bb1404ebd930c170023
26d347dec6d7f096cc41a9dac67984a3e19871050024
e04f97c78ff528b3c83c080fcb3ecade664b5c73
Thanks Loïc ㊗️❤️!
Actions