security_flags: turn potential string format security issues into an error

Add "-Wformat -Wformat-security -Werror=format-security" to the default
SECURITY_CFLAGS to catch potential security vulnerabilities due to the
misuse of various string formatting functions.

These flags are widely used in distributions such as Fedora and Ubuntu;
however, 15 recipes in OE-Core fail to build with these flags included,
so the flags are removed for:
- busybox
- console-tools
- cmake
- expect
- gcc
- gettext
- kexec-tools
- leafpad
- libuser
- ltp
- makedevs
- oh-puzzles
- stat
- unzip
- zip

[YOCTO #9488]

(From OE-Core rev: f335f8e744fb312b3eb599c331d08a9a6e5a8ff8)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Joshua Lock 2016-04-28 14:27:44 +01:00 committed by Richard Purdie
parent 8fa797d73b
commit 30f9a5072d
1 changed files with 22 additions and 2 deletions


@ -9,8 +9,11 @@
# -O0 which then results in a compiler warning.
lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}"
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}"
# Error on use of format strings that represent possible security problems
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
@ -92,6 +95,23 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
# Recipes which fail to compile when elevating -Wformat-security to an error
SECURITY_STRINGFORMAT_pn-busybox = ""
SECURITY_STRINGFORMAT_pn-console-tools = ""
SECURITY_STRINGFORMAT_pn-cmake = ""
SECURITY_STRINGFORMAT_pn-expect = ""
SECURITY_STRINGFORMAT_pn-gcc = ""
SECURITY_STRINGFORMAT_pn-gettext = ""
SECURITY_STRINGFORMAT_pn-kexec-tools = ""
SECURITY_STRINGFORMAT_pn-leafpad = ""
SECURITY_STRINGFORMAT_pn-libuser = ""
SECURITY_STRINGFORMAT_pn-ltp = ""
SECURITY_STRINGFORMAT_pn-makedevs = ""
SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
SECURITY_STRINGFORMAT_pn-stat = ""
SECURITY_STRINGFORMAT_pn-unzip = ""
SECURITY_STRINGFORMAT_pn-zip = ""
TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
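Review bot: The per-recipe overrides in the second hunk (SECURITY_STRINGFORMAT_pn-busybox through SECURITY_STRINGFORMAT_pn-zip) set the variable to "", which drops `-Wformat -Wformat-security` entirely for those 15 recipes rather than only demoting the error, so the format-string diagnostics the comment on the preceding line says those recipes trigger no longer appear in their build logs at all. A narrower override keeps the warnings visible while still allowing the build to complete, e.g. `SECURITY_STRINGFORMAT_WARN ?= "-Wformat -Wformat-security"` next to the definition in the first hunk and `SECURITY_STRINGFORMAT_pn-busybox = "${SECURITY_STRINGFORMAT_WARN}"` for each of the listed recipes. That also leaves a grep-able record of which recipes still carry unresolved format-string findings so the exemptions can be retired as upstreams are fixed. The comment could then say so explicitly: `# Recipes which fail to compile when -Wformat-security is an error; keep the warning so the findings stay visible`.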