diff --git a/.gitignore b/.gitignore
index 6bcd7c1..c3c88dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,3 +54,53 @@
 /annobin-8.17.tar.xz
 /annobin-8.18.tar.xz
 /annobin-8.19.tar.xz
+/annobin-8.20.tar.xz
+/annobin-8.21.tar.xz
+/annobin-8.22.tar.xz
+/annobin-8.23.tar.xz
+/annobin-8.24.tar.xz
+/annobin-8.25.tar.xz
+/annobin-8.26.tar.xz
+/annobin-8.27.tar.xz
+/annobin-8.29.tar.xz
+/annobin-8.30.tar.xz
+/annobin-8.31.tar.xz
+/annobin-8.32.tar.xz
+/annobin-8.33.tar.xz
+/annobin-8.34.tar.xz
+/annobin-8.35.tar.xz
+/annobin-8.36.tar.xz
+/annobin-8.37.tar.xz
+/annobin-8.38.tar.xz
+/annobin-8.39.tar.xz
+/annobin-8.41.tar.xz
+/annobin-8.44.tar.xz
+/annobin-8.45.tar.xz
+/annobin-8.48.tar.xz
+/annobin-8.49.tar.xz
+/annobin-8.50.tar.xz
+/annobin-8.51.tar.xz
+/annobin-8.52.tar.xz
+/annobin-8.53.tar.xz
+/annobin-8.55.tar.xz
+/annobin-8.56.tar.xz
+/annobin-8.57.tar.xz
+/annobin-8.58.tar.xz
+/annobin-8.59.tar.xz
+/annobin-8.60.tar.xz
+/annobin-8.61.tar.xz
+/annobin-8.62.tar.xz
+/annobin-8.63.tar.xz
+/annobin-8.64.tar.xz
+/annobin-8.65.tar.xz
+/annobin-8.66.tar.xz
+/annobin-8.67.tar.xz
+/annobin-8.68.tar.xz
+/annobin-8.69.tar.xz
+/annobin-8.70.tar.xz
+/annobin-8.71.tar.xz
+/annobin-8.72.tar.xz
+/annobin-8.73.tar.xz
+/annobin-8.74.tar.xz
+/annobin-8.76.tar.xz
+/annobin-8.77.tar.xz
diff --git a/annobin.spec b/annobin.spec
index 81196b2..69ffe1c 100644
--- a/annobin.spec
+++ b/annobin.spec
@@ -1,21 +1,28 @@ -# Do not build the annobin plugin with annotation enabled. -# This is because if we are bootstrapping a new build environment we can have -# a new version of gcc installed, but without a new of annobin installed. -# (ie we are building the new version of annobin to go with the new version -# of gcc). If the *old* annobin plugin is used whilst building this new -# version, the old plugin will complain that version of gcc for which it -# was built is different from the version of gcc that is now being used, and -# then it will abort. -%undefine _annotated_build - Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.19 +Version: 8.77 Release: 1.0.riscv64%{?dist} License: GPLv3+ URL: https://fedoraproject.org/wiki/Toolchain/Watermark +# Maintainer: nickc@redhat.com + + +# # Do not build the annobin plugin with annotation enabled. +# # This is because if we are bootstrapping a new build environment we can have +# # a new version of gcc installed, but without a new of annobin installed. +# # (i.e. we are building the new version of annobin to go with the new version +# # of gcc). If the *old* annobin plugin is used whilst building this new +# # version, the old plugin will complain that version of gcc for which it +# # was built is different from the version of gcc that is now being used, and +# # then it will abort. +# +# Suppress this for BZ 1630550. +# The problem should now only arise when rebasing to a new major version +# of gcc, in which case the undefine below can be temporarily reinstated. +# +# %%undefine _annotated_build # Use "--without tests" to disable the testsuite. The default is to run them. %bcond_without tests 
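Review bot: The explanatory comment copied back into the new header keeps the original's dropped word on the line `# # a new version of gcc installed, but without a new of annobin installed.`, and the doubled `# #` prefix on that paragraph reads as a commented-out comment; since this block is now the only record of why `_annotated_build` is left defined, it would be clearer as `# a new version of gcc installed, but without a new version of annobin installed.` with a single `#` per line. Writing the disabled directive as `%%undefine _annotated_build` is the right choice, because rpm expands macros inside spec comments and a bare `%undefine` on a comment line would still take effect.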
@@ -25,7 +32,7 @@ URL: https://fedoraproject.org/wiki/Toolchain/Watermark # Set this to zero to disable the requirement for a specific version of gcc. # This should only be needed if there is some kind of problem with the version -# checking logic. +# checking logic or when building on RHEL-7 or earlier. %global with_hard_gcc_version_requirement 1 #--------------------------------------------------------------------------------- 
@@ -37,49 +44,6 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz #--------------------------------------------------------------------------------- -BuildRequires: gcc gcc-plugin-devel gcc-c++ - -%description -A plugin for GCC that records extra information in the files that it compiles, -and a set of scripts that analyze the recorded information. These scripts can -determine things ABI clashes in compiled binaries, or the absence of required -hardening options. - -Note - the plugin is enabled in gcc builds via flags provided by the -redhat-rpm-macros package, and the analysis tools rely upon the readelf program -from the binutils package. - -#--------------------------------------------------------------------------------- -%if %{with tests} - -%package tests -Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin - -%description tests -Provides a means to test the generation of annotated binaries and the parsing -of the resulting files. - -%endif - -#--------------------------------------------------------------------------------- -%if %{with annocheck} - -%package annocheck -Summary: A tool for checking the security hardening status of binaries - -BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel - -%description annocheck -Installs the annocheck program which uses the notes generated by annobin to -check that the specified files were compiled with the correct security -hardening options. - -%endif - -#--------------------------------------------------------------------------------- - -%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) - # [Stolen from gcc-python-plugin] # GCC will only load plugins that were built against exactly that build of GCC # We thus need to embed the exact GCC version as a requirement within the 
@@ -112,28 +76,76 @@ hardening options. # we can scrape out the "4.6.1" from the version line. # # The following implements the above: -# -# Note - gawk will emit a warning message saying: -# -# gawk: cmd. line:1: warning: escape sequence `\)' treated as plain `)' -# -# I have not been able to work out how to remove this message, but still provide -# sufficient escaping for the command line to survive intact as it is passed -# down through the sub-shell. -%global gcc_vr %(gcc --version | gawk 'match (\$0, ".*Red Hat \([^\\)-]*\)", a) { print a[1]; }') +%global gcc_vr %(gcc --version | head -n 1 | sed -e 's|.*(Red\ Hat\ ||g' -e 's|)$||g') + +# We need the major version of gcc. +%global gcc_major %(echo "%{gcc_vr}" | cut -f1 -d".") +%global gcc_next %(v="%{gcc_major}"; echo $((++v))) + +# Needed when building the srpm. +%if 0%{?gcc_major} == 0 +%global gcc_major 0 +%endif # This is a gcc plugin, hence gcc is required. %if %{with_hard_gcc_version_requirement} -Requires: gcc == %{gcc_vr} -BuildRequires: gcc == %{gcc_vr} +# BZ 1607430 - There is an exact requirement on the major version of gcc. +Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) %else Requires: gcc %endif +BuildRequires: gcc gcc-plugin-devel gcc-c++ + +%description +Provides a plugin for GCC that records extra information in the files +that it compiles. + +Note - the plugin is automatically enabled in gcc builds via flags +provided by the redhat-rpm-macros package. + +#--------------------------------------------------------------------------------- +%if %{with tests} + +%package tests +Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin + +%description tests +Provides a means to test the generation of annotated binaries and the parsing +of the resulting files. 
+ +%endif + +#--------------------------------------------------------------------------------- +%if %{with annocheck} + +%package annocheck +Summary: A tool for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel + +%description annocheck +Installs the annocheck program which uses the notes generated by annobin to +check that the specified files were compiled with the correct security +hardening options. + +%endif + +#--------------------------------------------------------------------------------- + +%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) + #--------------------------------------------------------------------------------- %prep +if [ -z "%{gcc_vr}" ]; then + echo "*** Missing gcc_vr spec file macro, cannot continue." >&2 + exit 1 +fi + +echo "Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})" + %autosetup -p1 # The plugin has to be configured with the same arcane configure @@ -155,10 +167,13 @@ touch doc/annobin.info # double annotations in it. (If the build system enables annotations # for plugins by default). I have not tested this yet, but I think # that it should be OK. -cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp-annobin.so +cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so make -C plugin clean -make -C plugin CXXFLAGS="%{optflags} -fplugin=%{_tmppath}/tmp-annobin.so" -rm %{_tmppath}/tmp-annobin.so +BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" +# If building on RHEL7, enable the next option as the .attach_to_group assembler pseudo op is not available in the assembler. +# BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" +make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" +rm %{_tmppath}/tmp_annobin.so #--------------------------------------------------------------------------------- 
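Review bot: `%global gcc_next %(v="%{gcc_major}"; echo $((++v)))` performs shell arithmetic on `gcc_major` before anything has checked that it is numeric: the `%if 0%{?gcc_major} == 0` fallback that follows only covers the empty value and is evaluated after `gcc_next` has already been expanded, and the `-z` test added to `%prep` runs later still. Should the first line of `gcc --version` lack the `(Red Hat ...)` suffix, the `sed` leaves it untouched, `cut` yields something like `gcc (GCC) 9`, and the `++v` expansion would presumably fail with a bash arithmetic error at spec parse time rather than the `*** Missing gcc_vr` diagnostic this change adds. Validating in `%prep` next to the existing check, `case "%{gcc_major}" in ''|*[!0-9]*) echo "*** gcc_major is not numeric ('%{gcc_major}'), cannot continue." >&2; exit 1;; esac`, and computing the successor only for a numeric value, `%global gcc_next %(v="%{gcc_major}"; case "$v" in ''|*[!0-9]*) echo 0;; *) echo $((v + 1));; esac)`, keeps the failure readable. The `%prep` section continues past the end of the hunk.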
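Review bot: The plugin copy used for the self-annotated rebuild goes to a fixed, predictable name in a shared temp directory, `%{_tmppath}/tmp_annobin.so`, and is then loaded into gcc via `-fplugin=`; when rpmbuild runs outside a chroot, `%{_tmppath}` is `%{_var}/tmp` by default, so a pre-existing file or symlink of that name would be written through by `cp` and the object the compiler subsequently loads is no longer under the build's control. The copy only exists because `make -C plugin clean` deletes the built object, so a path inside the build tree serves the same purpose without that exposure: `cp plugin/.libs/annobin.so.0.0.0 $PWD/tmp_annobin.so`, `BUILD_FLAGS="-fplugin=$PWD/tmp_annobin.so -fplugin-arg-tmp_annobin-rename"`, `rm $PWD/tmp_annobin.so` (the basename presumably has to stay `tmp_annobin`, as the `-fplugin-arg-tmp_annobin-*` options are keyed on it). The commented-out `-fplugin-arg-tmp_annobin-no-attach` line documents a RHEL7 workaround that must be enabled by hand; if that build is supported, wrapping it in a `%if 0%{?rhel} == 7` block would make it self-selecting. The `%build` section continues outside the hunk.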
@@ -170,7 +185,11 @@ rm %{_tmppath}/tmp-annobin.so %if %{with tests} %check +# On RHEL7 the assembler does not support all of the annobin tests. make check +if [ -f tests/test-suite.log ]; then + cat tests/test-suite.log +fi %endif #--------------------------------------------------------------------------------- 
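Review bot: The `cat tests/test-suite.log` added after `make check` runs only when the tests succeed: rpm executes the `%check` script with `-e` set by default, so a failing `make check` terminates the script before the `if`, which skips the log in exactly the case where it is wanted. Emitting it on the failure path while keeping the failing exit status gives the log when it matters: `make check || { [ -f tests/test-suite.log ] && cat tests/test-suite.log; exit 1; }`. The comment `# On RHEL7 the assembler does not support all of the annobin tests.` states a limitation but nothing in the section acts on it, so it is unclear whether a RHEL7 build is expected to fail here; `# On RHEL7 the assembler does not support all of the annobin tests, so expect failures there.` would remove the ambiguity.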
@@ -185,26 +204,249 @@ make check %exclude %{_datadir}/doc/annobin-plugin/COPYING3 %exclude %{_datadir}/doc/annobin-plugin/LICENSE %doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt -%doc %{_infodir}/annobin.info.gz -%doc %{_mandir}/man1/annobin.1.gz -%doc %{_mandir}/man1/built-by.1.gz -%doc %{_mandir}/man1/check-abi.1.gz -%doc %{_mandir}/man1/hardened.1.gz -%doc %{_mandir}/man1/run-on-binaries.1.gz +%{_infodir}/annobin.info* +%{_mandir}/man1/annobin.1* +%{_mandir}/man1/built-by.1* +%{_mandir}/man1/check-abi.1* +%{_mandir}/man1/hardened.1* +%{_mandir}/man1/run-on-binaries-in.1* %if %{with annocheck} +%files annocheck %{_bindir}/annocheck -%doc %{_mandir}/man1/annocheck.1.gz +%{_mandir}/man1/annocheck.1* %endif #--------------------------------------------------------------------------------- %changelog -* Thu Aug 02 2018 David Abdurachmanov - 8.19-1.0.riscv64 -- Rebuilt for GCC 8.2.1 (RISC-V) +* Sat Jul 13 2019 David Abdurachmanov - 8.77-1.0.riscv64 +- Bump Release + +* Mon Jun 24 2019 Nick Clifton - 8.77-1 +- Another attempt at fixing the detection and reporting of missing -D_FORTIFY_SOURCE options. (#1703500) + +* Mon Jun 10 22:13:17 CET 2019 Igor Gnatenko - 8.76-4 +- Rebuild for RPM 4.15 + +* Mon Jun 10 15:42:00 CET 2019 Igor Gnatenko - 8.76-3 +- Rebuild for RPM 4.15 + +* Thu Jun 06 2019 Panu Matilainen - 8.76-2 +- Really enable annocheck sub-package + +* Tue Apr 30 2019 Nick Clifton - 8.76-1 +- Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703499) +- Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) + +* Fri Apr 26 2019 Nick Clifton - 8.74-1 +- Add tests of clang command line options recorded in the DW_AT_producer attribute. + +* Wed Apr 24 2019 Nick Clifton - 8.73-1 +- Fix test for an executable stack segment. (#1700924) + +* Thu Apr 18 2019 Nick Clifton - 8.72-1 +- Rebuild annobin with the latest rawhide gcc sources. 
(#1700923) + +* Thu Feb 28 2019 Nick Clifton - 8.71-1 +- Annobin: Suppress more calls to free() which are triggering memory checker errors. (#1684148) + +* Fri Feb 01 2019 Nick Clifton - 8.70-1 +- Add section flag matching ability to section size tool. + +* Thu Jan 31 2019 Fedora Release Engineering - 8.69-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Jan 29 2019 Björn Esser - 8.69-6 +- Use 'with' for rich dependency on gcc + +* Tue Jan 29 2019 Björn Esser - 8.69-5 +- Really fix rhbz#1607430. + +* Mon Jan 28 2019 Björn Esser - 8.69-4 +- Rebuilt with annotations enabled + +* Mon Jan 28 2019 Björn Esser - 8.69-3 +- Fix rpm query for gcc version. + +* Mon Jan 28 2019 Nick Clifton - 8.69-2 +- Add an exact requirement on the major version of gcc. (#1607430) + +* Thu Jan 24 2019 Nick Clifton - 8.69-1 +- Annobin: Add support for .text.startup and .text.exit sections generated by gcc 9. +- Annocheck: Add a note displaying tool. + +* Wed Jan 23 2019 Nick Clifton - 8.68-1 +- Annocheck: Skip checks for -D_FORTIFY_SOURCE and -D_GLIBCXX_ASSERTIONS if there is no compiler generated code in the binary. + +* Mon Jan 21 2019 Björn Esser - 8.67-3 +- Rebuilt with annotations enabled + +* Mon Jan 21 2019 Björn Esser - 8.67-2 +- Rebuilt for GCC 9 + +* Thu Jan 17 2019 Nick Clifton - 8.67-1 +- Annocheck: Only skip specific checks for specific symbols. (#1666823) +- Annobin: Record the setting of the -fomit-frame-pointer option. + +* Wed Jan 02 2019 Nick Clifton - 8.66-1 +- Annocheck: Do not ignore -Og when checking to see if an optimization level has been set. (#1624162) + +* Tue Dec 11 2018 Nick Clifton - 8.65-1 +- Annobin: Fix handling of multiple .text.unlikely sections. + +* Fri Nov 30 2018 Nick Clifton - 8.64-1 +- Annocheck: Skip gaps in PPC64 executables covered by start_bcax_ symbols. (#1630564) + +* Mon Nov 26 2018 Nick Clifton - 8.63-1 +- Annocheck: Disable ENDBR test for shared libraries. 
(#1652925) + +* Mon Nov 26 2018 Nick Clifton - 8.62-1 +- Annocheck: Add test for ENDBR instruction at entry address of x86/x86_64 executables. (#1652925) + +* Tue Nov 20 2018 David Cantrell - 8.61-2 +- Adjust how the gcc_vr macro is set. + +* Mon Nov 19 2018 Nick Clifton - 8.61-1 +- Fix building with gcc version 4. + +* Tue Nov 13 2018 Nick Clifton - 8.60-1 +- Skip -Wl,-z,now and -Wl,-z,relro checks for non-gcc produced binaries. (#1624421) + +* Mon Nov 05 2018 Nick Clifton - 8.59-1 +- Ensure GNU Property notes are 8-byte aligned in x86_64 binaries. (#1645817) + +* Thu Oct 18 2018 Nick Clifton - 8.58-1 +- Skip PPC64 linker stubs created in the middle of text sections (again). (#1630640) + +* Thu Oct 18 2018 Nick Clifton - 8.57-1 +- Suppress free of invalid pointer. (#1638371) + +* Thu Oct 18 2018 Nick Clifton - 8.56-1 +- Skip PPC64 linker stubs created in the middle of text sections. (#1630640) + +* Tue Oct 16 2018 Nick Clifton - 8.55-1 +- Reset the (PPC64) section start symbol to 0 if its section is empty. (#1638251) + +* Thu Oct 11 2018 Nick Clifton - 8.53-1 +- Also skip virtual thinks created by G++. (#1630619) + +* Wed Oct 10 2018 Nick Clifton - 8.52-1 +- Use uppercase for all fail/mayb/pass results. (#1637706) + +* Wed Oct 10 2018 Nick Clifton - 8.51-1 +- Generate notes for unlikely sections. (#1630620) + +* Mon Oct 08 2018 Nick Clifton - 8.50-1 +- Fix edge case computing section names for end symbols. (#1637039) + +* Mon Oct 08 2018 Nick Clifton - 8.49-1 +- Skip dynamic checks for binaries without a dynamic segment. (#1636606) + +* Fri Oct 05 2018 Nick Clifton - 8.48-1 +- Delay generating attach_to_group directives until the end of the compilation. (#1636265) + +* Mon Oct 01 2018 Nick Clifton - 8.47-1 +- Fix bug introduced in previous delta which would trigger a seg-fault when scanning for gaps. + +* Mon Oct 01 2018 Nick Clifton - 8.46-1 +- Annobin: Fix section name selection for startup sections. +- Annocheck: Improve gap skipping heuristics. 
(#1630574) + +* Mon Oct 01 2018 Nick Clifton - 8.45-1 +- Fix function section support (again). (#1630574) + +* Fri Sep 28 2018 Nick Clifton - 8.44-1 +- Skip compiler option checks for non-GNU producers. (#1633749) + +* Wed Sep 26 2018 Nick Clifton - 8.43-1 +- Fix function section support (again). (#1630574) + +* Tue Sep 25 2018 Nick Clifton - 8.42-1 +- Ignore ppc64le notes where start = end + 2. (#1632259) + +* Tue Sep 25 2018 Nick Clifton - 8.41-1 +- Make annocheck ignore symbols suffixed with ".end". (#1639618) + +* Mon Sep 24 2018 Nick Clifton - 8.40-1 +- Reinstate building annobin with annobin enabled. (#1630550) + +* Fri Sep 21 2018 Nick Clifton - 8.39-1 +- Tweak tests. + +* Fri Sep 21 2018 Nick Clifton - 8.38-1 +- Generate notes and groups for .text.hot and .text.unlikely sections. +- When -ffunction-sections is active, put notes for startup sections into .text.startup.foo rather than .text.foo. +- Similarly put exit section notes into .text.exit.foo. (#1630574) +- Change annocheck's maybe result for GNU Property note being missing into a PASS if it is not needed and a FAIL if it is needed. + +* Wed Sep 19 2018 Nick Clifton - 8.37-1 +- Make the --skip-* options skip all messages about the specified test. + +* Tue Sep 18 2018 Nick Clifton - 8.36-1 +- Improve error message when an ET_EXEC binary is detected. + +* Mon Sep 17 2018 Nick Clifton - 8.35-1 +- Skip failures for PIC vs PIE. (#1629698) + +* Mon Sep 17 2018 Nick Clifton - 8.34-1 +- Ensure 4 byte alignment of note sub-sections. (#1629671) + +* Wed Sep 12 2018 Nick Clifton - 8.33-1 +- Add timing tool to report on speed of the checks. +- Add check for conflicting use of the -fshort-enum option. +- Add check of the GNU Property notes. +- Skip check for -O2 if compiled with -Og. (#1624162) + +* Mon Sep 03 2018 Nick Clifton - 8.32-1 +- Add test for ET_EXEC binaries. (#1625627) +- Document --report-unknown option. 
+ +* Thu Aug 30 2018 Nick Clifton - 8.31-1 +- Fix bug in hardened tool which would skip gcc compiled files if the notes were too small. +- Fix bugs in section-size tool. +- Fix bug in built-by tool. + +* Wed Aug 29 2018 Nick Clifton - 8.30-1 +- Generate notes for comdat sections. (#1619267) + +* Thu Aug 23 2018 Nick Clifton - 8.29-1 +- Add more names to the gap skip list. (#1619267) + +* Thu Aug 23 2018 Nick Clifton - 8.28-1 +- Skip gaps covered by _x86.get_pc_thunk and _savegpr symbols. (#1619267) +- Merge ranges where one is wholly covered by another. + +* Wed Aug 22 2018 Nick Clifton - 8.27-1 +- Skip gaps at the end of functions. (#1619267) + +* Tue Aug 21 2018 Nick Clifton - 8.26-1 +- Fix thinko in ppc64 gap detection code. (#1619267) + +* Mon Aug 20 2018 Nick Clifton - 8.25-1 +- Skip gaps at the end of the .text section in ppc64 binaries. (#1619267) + +* Wed Aug 15 2018 Nick Clifton - 8.24-1 +- Skip checks in stack_chk_local_fail.c +- Treat gaps as FAIL results rather than MAYBE. + +* Wed Aug 08 2018 Nick Clifton - 8.23-1 +- Skip checks in __stack_chk_local_fail. + +* Wed Aug 08 2018 Nick Clifton - 8.22-1 +- Reduce version check to gcc major version number only. Skip compiler option checks if binary not built with gcc. (#1603089) + +* Tue Aug 07 2018 Nick Clifton - 8.21-1 +- Fix bug in annobin plugin. Add --section-size=NAME option to annocheck. + +* Thu Aug 2 2018 Peter Robinson 8.20-2 +- rebuild for new gcc + +* Thu Aug 02 2018 Nick Clifton - 8.20-1 +- Correct name of man page for run-on-binaries-in script. (#1611155) * Wed Jul 25 2018 Nick Clifton - 8.19-1 -- Allow $ORIGN to be at the start of entries in DT_RPATH and DT_RUNPATH. +- Allow $ORIGIN to be at the start of entries in DT_RPATH and DT_RUNPATH. * Mon Jul 23 2018 Nick Clifton - 8.18-1 - Add support for big endian targets. 
@@ -226,7 +468,7 @@ make check - Fix symbol placement in functions with local assembler. * Tue Jul 17 2018 Nick Clifton - 8.12-1 -- Fix assertions in rnage checking code. Add detection of -U options. +- Fix assertions in range checking code. Add detection of -U options. * Tue Jul 17 2018 Nick Clifton - 8.11-1 - Handle function sections properly. Handle .text.startup and .text.unlikely sections. Improve gap detection and reporting. (#1601055) @@ -396,7 +638,7 @@ make check * Thu Sep 21 2017 Nick Clifton - 2.3-1 - Add annobin-tests subpackage containing some preliminary tests. -- Remove link-time test for unsuported targets. +- Remove link-time test for unsupported targets. * Wed Aug 02 2017 Fedora Release Engineering - 2.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index 705ef9e..d26a196 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.19.tar.xz) = 2127314bb521046416b326ec8f67fc5d1e46ba9473ff880b6dacb7406dba2928c4fe260b2605a5677037ae47865d83850694dbb5223afb759688760fbcb073ca +SHA512 (annobin-8.77.tar.xz) = d9d393aa359ab58a24d295dd4108b0255e39cf9210ec99125ce3f3589adff795aba50234817b38134964caa2fc92cf04d6c6e2945ae6cc2e1145033383cc58cb