From 3be2dded725ebd671a5131d7058adf647de7c516 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 12 Apr 2019 15:00:17 +0100 Subject: [PATCH 01/29] Initial checkin of the annobin package for the EPEL7 branch. Based on annobin 8.71. --- .gitignore | 1 + annobin.spec | 622 +++++++++++++++++++++++++++++++++++++++++++++++++++ sources | 1 + 3 files changed, 624 insertions(+) create mode 100644 annobin.spec diff --git a/.gitignore b/.gitignore index e69de29..7ab5e8b 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1 @@ +/annobin-8.71.tar.xz diff --git a/annobin.spec b/annobin.spec new file mode 100644 index 0000000..273f856 --- /dev/null +++ b/annobin.spec 
@@ -0,0 +1,622 @@ + +# Suppress this for BZ 1630550. +# The problem should now only arise when rebasing to a new major version +# of gcc, in which case the undefine below can be temporarily reinstated. +# +# # Do not build the annobin plugin with annotation enabled. +# # This is because if we are bootstrapping a new build environment we can have +# # a new version of gcc installed, but without a new of annobin installed. +# # (i.e. we are building the new version of annobin to go with the new version +# # of gcc). If the *old* annobin plugin is used whilst building this new +# # version, the old plugin will complain that version of gcc for which it +# # was built is different from the version of gcc that is now being used, and +# # then it will abort. +# %%undefine _annotated_build + +Name: annobin +Summary: Binary annotation plugin for GCC +Version: 8.71 +Release: 1%{?dist} + +License: GPLv3+ +URL: https://fedoraproject.org/wiki/Toolchain/Watermark + +# Use "--without tests" to disable the testsuite. The default is to run them. +%bcond_without tests + +# Use "--without annocheck" to disable the installation of the annocheck program. +%bcond_without annocheck + +# Set this to zero to disable the requirement for a specific version of gcc. +# This should only be needed if there is some kind of problem with the version +# checking logic. +%global with_hard_gcc_version_requirement 1 + +#--------------------------------------------------------------------------------- +Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz +# For the latest sources use: git clone git://sourceware.org/git/annobin.git + +# Insert patches here, if needed. +# Patch01: annobin-xxx.patch + +#--------------------------------------------------------------------------------- + +# [Stolen from gcc-python-plugin] +# GCC will only load plugins that were built against exactly that build of GCC +# We thus need to embed the exact GCC version as a requirement within the +# metadata. 
+# +# Define "gcc_vr", a variable to hold the VERSION-RELEASE string for the gcc +# we are being built against. +# +# Unfortunately, we can't simply run: +# rpm -q --qf="%%{version}-%%{release}" +# to determine this, as there's no guarantee of a sane rpm database within +# the chroots created by our build system +# +# So we instead query the version from gcc's output. +# +# gcc.spec has: +# Version: %%{gcc_version} +# Release: %%{gcc_release}%%{?dist} +# ...snip... +# echo 'Red Hat %%{version}-%%{gcc_release}' > gcc/DEV-PHASE +# +# So, given this output: +# +# $ gcc --version +# gcc (GCC) 4.6.1 20110908 (Red Hat 4.6.1-9) +# Copyright (C) 2011 Free Software Foundation, Inc. +# This is free software; see the source for copying conditions. There is NO +# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# we can scrape out the "4.6.1" from the version line. +# +# The following implements the above: + +%global gcc_vr %(gcc --version | head -n 1 | sed -e 's|.*(Red\ Hat\ ||g' -e 's|)$||g') + +# We need the major version of gcc. +%global gcc_major %(echo "%{gcc_vr}" | cut -f1 -d".") +%global gcc_next %(v="%{gcc_major}"; echo $((++v))) + +# Needed when building the srpm. +%if 0%{?gcc_major} == 0 +%global gcc_major 0 +%endif + +# This is a gcc plugin, hence gcc is required. +%if %{with_hard_gcc_version_requirement} +# BZ 1607430 - There is an exact requirement on the major version of gcc. +Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) +%else +Requires: gcc +%endif + +BuildRequires: gcc gcc-plugin-devel gcc-c++ + +%description +Provides a plugin for GCC that records extra information in the files +that it compiles and a set of scripts that can analyze the recorded +information. + +Note - the plugin is automatically enabled in gcc builds via flags +provided by the redhat-rpm-macros package. 
+ +#--------------------------------------------------------------------------------- +%if %{with tests} + +%package tests +Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin + +%description tests +Provides a means to test the generation of annotated binaries and the parsing +of the resulting files. + +%endif + +#--------------------------------------------------------------------------------- +%if %{with annocheck} + +%package annocheck +Summary: A tool for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel + +%description annocheck +Installs the annocheck program which uses the notes generated by annobin to +check that the specified files were compiled with the correct security +hardening options. + +%endif + +#--------------------------------------------------------------------------------- + +%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) + +#--------------------------------------------------------------------------------- + +%prep +if [ -z "%{gcc_vr}" ]; then + echo "*** Missing gcc_vr spec file macro, cannot continue." >&2 + exit 1 +fi + +echo "Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})" + +%autosetup -p1 + +# The plugin has to be configured with the same arcane configure +# scripts used by gcc. Hence we must not allow the Fedora build +# system to regenerate any of the configure files. +touch aclocal.m4 plugin/config.h.in +touch configure */configure Makefile.in */Makefile.in +# Similarly we do not want to rebuild the documentation. +touch doc/annobin.info + +#--------------------------------------------------------------------------------- + +%build +%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_PLUGIN_DIR} +%make_build +# Rebuild the plugin, this time using the plugin itself! This +# ensures that the plugin works, and that it contains annotations +# of its own. 
This could mean that we end up with a plugin with +# double annotations in it. (If the build system enables annotations +# for plugins by default). I have not tested this yet, but I think +# that it should be OK. +cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so +make -C plugin clean +make -C plugin CXXFLAGS="%{optflags} -fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" +rm %{_tmppath}/tmp_annobin.so + +#--------------------------------------------------------------------------------- + +%install +%make_install +%{__rm} -f %{buildroot}%{_infodir}/dir + +#--------------------------------------------------------------------------------- + +%if %{with tests} +%check +make check +%endif + +#--------------------------------------------------------------------------------- + +%files +%{ANNOBIN_PLUGIN_DIR} +%{_bindir}/built-by +%{_bindir}/check-abi +%{_bindir}/hardened +%{_bindir}/run-on-binaries-in +%license COPYING3 LICENSE +%exclude %{_datadir}/doc/annobin-plugin/COPYING3 +%exclude %{_datadir}/doc/annobin-plugin/LICENSE +%doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt +%doc %{_infodir}/annobin.info.gz +%doc %{_mandir}/man1/annobin.1.gz +%doc %{_mandir}/man1/built-by.1.gz +%doc %{_mandir}/man1/check-abi.1.gz +%doc %{_mandir}/man1/hardened.1.gz +%doc %{_mandir}/man1/run-on-binaries-in.1.gz + +%if %{with annocheck} +%{_bindir}/annocheck +%doc %{_mandir}/man1/annocheck.1.gz +%endif + +#--------------------------------------------------------------------------------- + +%changelog +* Thu Feb 28 2019 Nick Clifton - 8.71-1 +- Annobin: Suppress more calls to free() which are triggering memory checker errors. (#1684148) + +* Fri Feb 01 2019 Nick Clifton - 8.70-1 +- Add section flag matching ability to section size tool. 
+ +* Thu Jan 31 2019 Fedora Release Engineering - 8.69-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Jan 29 2019 Björn Esser - 8.69-6 +- Use 'with' for rich dependency on gcc + +* Tue Jan 29 2019 Björn Esser - 8.69-5 +- Really fix rhbz#1607430. + +* Mon Jan 28 2019 Björn Esser - 8.69-4 +- Rebuilt with annotations enabled + +* Mon Jan 28 2019 Björn Esser - 8.69-3 +- Fix rpm query for gcc version. + +* Mon Jan 28 2019 Nick Clifton - 8.69-2 +- Add an exact requirement on the major version of gcc. (#1607430) + +* Thu Jan 24 2019 Nick Clifton - 8.69-1 +- Annobin: Add support for .text.startup and .text.exit sections generated by gcc 9. +- Annocheck: Add a note displaying tool. + +* Wed Jan 23 2019 Nick Clifton - 8.68-1 +- Annocheck: Skip checks for -D_FORTIFY_SOURCE and -D_GLIBCXX_ASSERTIONS if there is no compiler generated code in the binary. + +* Mon Jan 21 2019 Björn Esser - 8.67-3 +- Rebuilt with annotations enabled + +* Mon Jan 21 2019 Björn Esser - 8.67-2 +- Rebuilt for GCC 9 + +* Thu Jan 17 2019 Nick Clifton - 8.67-1 +- Annocheck: Only skip specific checks for specific symbols. (#1666823) +- Annobin: Record the setting of the -fomit-frame-pointer option. + +* Wed Jan 02 2019 Nick Clifton - 8.66-1 +- Annocheck: Do not ignore -Og when checking to see if an optimization level has been set. (#1624162) + +* Tue Dec 11 2018 Nick Clifton - 8.65-1 +- Annobin: Fix handling of multiple .text.unlikely sections. + +* Fri Nov 30 2018 Nick Clifton - 8.64-1 +- Annocheck: Skip gaps in PPC64 executables covered by start_bcax_ symbols. (#1630564) + +* Mon Nov 26 2018 Nick Clifton - 8.63-1 +- Annocheck: Disable ENDBR test for shared libraries. (#1652925) + +* Mon Nov 26 2018 Nick Clifton - 8.62-1 +- Annocheck: Add test for ENDBR instruction at entry address of x86/x86_64 executables. (#1652925) + +* Tue Nov 20 2018 David Cantrell - 8.61-2 +- Adjust how the gcc_vr macro is set. 
+ +* Mon Nov 19 2018 Nick Clifton - 8.61-1 +- Fix building with gcc version 4. + +* Tue Nov 13 2018 Nick Clifton - 8.60-1 +- Skip -Wl,-z,now and -Wl,-z,relro checks for non-gcc produced binaries. (#1624421) + +* Mon Nov 05 2018 Nick Clifton - 8.59-1 +- Ensure GNU Property notes are 8-byte aligned in x86_64 binaries. (#1645817) + +* Thu Oct 18 2018 Nick Clifton - 8.58-1 +- Skip PPC64 linker stubs created in the middle of text sections (again). (#1630640) + +* Thu Oct 18 2018 Nick Clifton - 8.57-1 +- Suppress free of invalid pointer. (#1638371) + +* Thu Oct 18 2018 Nick Clifton - 8.56-1 +- Skip PPC64 linker stubs created in the middle of text sections. (#1630640) + +* Tue Oct 16 2018 Nick Clifton - 8.55-1 +- Reset the (PPC64) section start symbol to 0 if its section is empty. (#1638251) + +* Thu Oct 11 2018 Nick Clifton - 8.53-1 +- Also skip virtual thinks created by G++. (#1630619) + +* Wed Oct 10 2018 Nick Clifton - 8.52-1 +- Use uppercase for all fail/mayb/pass results. (#1637706) + +* Wed Oct 10 2018 Nick Clifton - 8.51-1 +- Generate notes for unlikely sections. (#1630620) + +* Mon Oct 08 2018 Nick Clifton - 8.50-1 +- Fix edge case computing section names for end symbols. (#1637039) + +* Mon Oct 08 2018 Nick Clifton - 8.49-1 +- Skip dynamic checks for binaries without a dynamic segment. (#1636606) + +* Fri Oct 05 2018 Nick Clifton - 8.48-1 +- Delay generating attach_to_group directives until the end of the compilation. (#1636265) + +* Mon Oct 01 2018 Nick Clifton - 8.47-1 +- Fix bug introduced in previous delta which would trigger a seg-fault when scanning for gaps. + +* Mon Oct 01 2018 Nick Clifton - 8.46-1 +- Annobin: Fix section name selection for startup sections. +- Annocheck: Improve gap skipping heuristics. (#1630574) + +* Mon Oct 01 2018 Nick Clifton - 8.45-1 +- Fix function section support (again). (#1630574) + +* Fri Sep 28 2018 Nick Clifton - 8.44-1 +- Skip compiler option checks for non-GNU producers. 
(#1633749) + +* Wed Sep 26 2018 Nick Clifton - 8.43-1 +- Fix function section support (again). (#1630574) + +* Tue Sep 25 2018 Nick Clifton - 8.42-1 +- Ignore ppc64le notes where start = end + 2. (#1632259) + +* Tue Sep 25 2018 Nick Clifton - 8.41-1 +- Make annocheck ignore symbols suffixed with ".end". (#1639618) + +* Mon Sep 24 2018 Nick Clifton - 8.40-1 +- Reinstate building annobin with annobin enabled. (#1630550) + +* Fri Sep 21 2018 Nick Clifton - 8.39-1 +- Tweak tests. + +* Fri Sep 21 2018 Nick Clifton - 8.38-1 +- Generate notes and groups for .text.hot and .text.unlikely sections. +- When -ffunction-sections is active, put notes for startup sections into .text.startup.foo rather than .text.foo. +- Similarly put exit section notes into .text.exit.foo. (#1630574) +- Change annocheck's maybe result for GNU Property note being missing into a PASS if it is not needed and a FAIL if it is needed. + +* Wed Sep 19 2018 Nick Clifton - 8.37-1 +- Make the --skip-* options skip all messages about the specified test. + +* Tue Sep 18 2018 Nick Clifton - 8.36-1 +- Improve error message when an ET_EXEC binary is detected. + +* Mon Sep 17 2018 Nick Clifton - 8.35-1 +- Skip failures for PIC vs PIE. (#1629698) + +* Mon Sep 17 2018 Nick Clifton - 8.34-1 +- Ensure 4 byte alignment of note sub-sections. (#1629671) + +* Wed Sep 12 2018 Nick Clifton - 8.33-1 +- Add timing tool to report on speed of the checks. +- Add check for conflicting use of the -fshort-enum option. +- Add check of the GNU Property notes. +- Skip check for -O2 if compiled with -Og. (#1624162) + +* Mon Sep 03 2018 Nick Clifton - 8.32-1 +- Add test for ET_EXEC binaries. (#1625627) +- Document --report-unknown option. + +* Thu Aug 30 2018 Nick Clifton - 8.31-1 +- Fix bug in hardened tool which would skip gcc compiled files if the notes were too small. +- Fix bugs in section-size tool. +- Fix bug in built-by tool. + +* Wed Aug 29 2018 Nick Clifton - 8.30-1 +- Generate notes for comdat sections. 
(#1619267) + +* Thu Aug 23 2018 Nick Clifton - 8.29-1 +- Add more names to the gap skip list. (#1619267) + +* Thu Aug 23 2018 Nick Clifton - 8.28-1 +- Skip gaps covered by _x86.get_pc_thunk and _savegpr symbols. (#1619267) +- Merge ranges where one is wholly covered by another. + +* Wed Aug 22 2018 Nick Clifton - 8.27-1 +- Skip gaps at the end of functions. (#1619267) + +* Tue Aug 21 2018 Nick Clifton - 8.26-1 +- Fix thinko in ppc64 gap detection code. (#1619267) + +* Mon Aug 20 2018 Nick Clifton - 8.25-1 +- Skip gaps at the end of the .text section in ppc64 binaries. (#1619267) + +* Wed Aug 15 2018 Nick Clifton - 8.24-1 +- Skip checks in stack_chk_local_fail.c +- Treat gaps as FAIL results rather than MAYBE. + +* Wed Aug 08 2018 Nick Clifton - 8.23-1 +- Skip checks in __stack_chk_local_fail. + +* Wed Aug 08 2018 Nick Clifton - 8.22-1 +- Reduce version check to gcc major version number only. Skip compiler option checks if binary not built with gcc. (#1603089) + +* Tue Aug 07 2018 Nick Clifton - 8.21-1 +- Fix bug in annobin plugin. Add --section-size=NAME option to annocheck. + +* Thu Aug 2 2018 Peter Robinson 8.20-2 +- rebuild for new gcc + +* Thu Aug 02 2018 Nick Clifton - 8.20-1 +- Correct name of man page for run-on-binaries-in script. (#1611155) + +* Wed Jul 25 2018 Nick Clifton - 8.19-1 +- Allow $ORIGIN to be at the start of entries in DT_RPATH and DT_RUNPATH. + +* Mon Jul 23 2018 Nick Clifton - 8.18-1 +- Add support for big endian targets. + +* Mon Jul 23 2018 Nick Clifton - 8.17-1 +- Count passes and failures on a per-component basis and report gaps. + +* Fri Jul 20 2018 Nick Clifton - 8.16-1 +- Use our own copy of the targetm.asm_out.function_section() function. (#159861 comment#17) + +* Fri Jul 20 2018 Nick Clifton - 8.15-1 +- Generate grouped note section name all the time. (#159861 comment#16) + +* Thu Jul 19 2018 Nick Clifton - 8.14-1 +- Fix section conflict problem. 
(#1603071) + +* Wed Jul 18 2018 Nick Clifton - 8.13-1 +- Fix for building with gcc version 4. +- Fix symbol placement in functions with local assembler. + +* Tue Jul 17 2018 Nick Clifton - 8.12-1 +- Fix assertions in range checking code. Add detection of -U options. + +* Tue Jul 17 2018 Nick Clifton - 8.11-1 +- Handle function sections properly. Handle .text.startup and .text.unlikely sections. Improve gap detection and reporting. (#1601055) + +* Thu Jul 12 2018 Fedora Release Engineering - 8.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 12 2018 Nick Clifton - 8.10-1 +- Fix construction of absolute versions of --dwarf-dir and --debug-rpm options. + +* Tue Jul 10 2018 Nick Clifton - 8.9-1 +- Fix buffer overrun when very long symbol names are encountered. + +* Tue Jul 10 2018 Nick Clifton - 8.8-1 +- Do not force the generation of function notes when -ffunction-sections is active. (#1598961) + +* Mon Jul 09 2018 Nick Clifton - 8.7-1 +- Skip the .annobin_ prfix when reporting symbols. (#1599315) + +* Mon Jul 09 2018 Nick Clifton - 8.6-1 +- Use the assembler (c++ mangled) version of function names when switching sections. (#1598579) + +* Mon Jul 09 2018 Nick Clifton - 8.5-1 +- Do not call function_section. (#1598961) + +* Fri Jul 06 2018 Nick Clifton - 8.4-1 +- Ignore cross-section gaps. (#1598551) + +* Thu Jul 05 2018 Nick Clifton - 8.3-1 +- Do not skip empty range notes in object files. (#1598361) + +* Mon Jul 02 2018 Nick Clifton - 8.2-1 +- Create the start symbol at the start of the function and the end symbol at the end. (#1596823) + +* Mon Jul 02 2018 Nick Clifton - 8.1-1 +- Fix --debug-rpm when used inside a directory. + +* Thu Jun 28 2018 Nick Clifton - 8.0-1 +- Use a prefix for all annobin generated symbols, and make them hidden. +- Only generate weak symbol definitions for linkonce sections. + +* Wed Jun 27 2018 Nick Clifton - 7.1-1 +- Skip some checks for relocatable object files, and dynamic objects. 
+- Stop bogus complaints about stackrealignment not being enabled. + +* Mon Jun 25 2018 Nick Clifton - 7.0-1 +- Add -debug-rpm= option to annocheck. +- Only use a 2 byte offset for the initial symbol on PowerPC. + +* Fri Jun 22 2018 Nick Clifton - 6.6-1 +- Use --dwarf-path when looking for build-id based debuginfo files. + +* Fri Jun 22 2018 Nick Clifton - 6.5-1 +- Fix premature closing of dwarf handle. + +* Fri Jun 22 2018 Nick Clifton - 6.4-1 +- Fix scoping bug computing the name of a separate debuginfo file. + +* Tue Jun 19 2018 Nick Clifton - 6.3-1 +- Fix file descriptor leak. + +* Tue Jun 19 2018 Nick Clifton - 6.2-1 +- Add command line options to annocheck to disable individual tests. + +* Fri Jun 08 2018 Nick Clifton - 6.1-1 +- Remove C99-ism from annocheck sources. + +* Wed Jun 06 2018 Nick Clifton - 6.0-1 +- Add the annocheck program. + +* Fri Jun 01 2018 Nick Clifton - 5.11-1 +- Do not use the SHF_GNU_BUILD_NOTE section flag. + +* Thu May 31 2018 Nick Clifton - 5.10-1 +- Remove .sh extension from shell scripts. + +* Wed May 30 2018 Nick Clifton - 5.9-1 +- Record the setting of the -mstackrealign option for i686 binaries. + +* Mon May 14 2018 Nick Clifton - 5.8-1 +- Hide the annobin start of file symbol. + +* Tue May 08 2018 Nick Clifton - 5.7-1 +- Fix script bug in hardended.sh. (Thanks to: Stefan Sørensen ) + +* Thu May 03 2018 Nick Clifton - 5.6-3 +- Version number bump so that the plugin can be rebuilt with the latest version of GCC. + +* Mon Apr 30 2018 Nick Clifton - 5.6-2 +- Rebuild the plugin with the newly created plugin enabled. (#1573082) + +* Mon Apr 30 2018 Nick Clifton - 5.6-1 +- Skip the isa_flags check in the ABI test because the crt[in].o files are compiled with different flags from the test files. + +* Fri Apr 20 2018 Nick Clifton - 5.3-1 +- Add manual pages for annobin and the scripts. + +* Tue Apr 03 2018 Nick Clifton - 5.2-1 +- Do not record a stack protection setting of -1. 
(#1563141) + +* Tue Mar 20 2018 Nick Clifton - 5.1-1 +- Do not complain about a dwarf_version value of -1. (#1557511) + +* Thu Mar 15 2018 Nick Clifton - 5.0-1 +- Bias file start symbols by 2 in order to avoid them confused with function symbols. (#1554332) +- Version jump is to sync the version number with the annobin plugins internal version number. + +* Mon Mar 12 2018 Nick Clifton - 3.6-1 +- Add --ignore-gaps option to check-abi.sh script. +- Use this option in the abi-test check. +- Tweak hardening test to skip pic and stack protection checks. + +* Tue Mar 06 2018 Nick Clifton - 3.5-1 +- Handle functions with specific assembler names. (#1552018) + +* Fri Feb 23 2018 Nick Clifton - 3.4-2 +- Add an explicit requirement on the version of gcc used to built the plugin. (#1547260) + +* Fri Feb 09 2018 Nick Clifton - 3.4-1 +- Change type and size of symbols to STT_NOTYPE/0 so that they do not confuse GDB. (#1539664) +- Add run-on-binaries-in.sh script to allow the other scripts to be run over a repository. + +* Wed Feb 07 2018 Fedora Release Engineering - 3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 30 2018 Nick Clifton - 3.3-1 +- Rebase on 3.3 release, which adds support for recording -mcet and -fcf-protection. + +* Mon Jan 29 2018 Florian Weimer - 3.2-3 +- Rebuild for GCC 8 + +* Fri Jan 26 2018 Nick Clifton - 3.2-2 +- Fix the installation of the annobin.info file. + +* Fri Jan 26 2018 Nick Clifton - 3.2-1 +- Rebase on 3.2 release, which now contains documentation! + +* Fri Jan 26 2018 Richard W.M. Jones - 3.1-3 +- Rebuild against GCC 7.3.1. + +* Tue Jan 16 2018 Nick Clifton - 3.1-2 +- Add --with-gcc-plugin-dir option to the configure command line. + +* Thu Jan 04 2018 Nick Clifton - 3.1-1 +- Rebase on version 3.1 sources. + +* Mon Dec 11 2017 Nick Clifton - 2.5.1-5 +- Do not generate notes when there is no output file. 
(#1523875) + +* Fri Dec 08 2017 Nick Clifton - 2.5.1-4 +- Invent an input filename when reading from a pipe. (#1523401) + +* Thu Nov 30 2017 Florian Weimer - 2.5.1-3 +- Use DECL_ASSEMBLER_NAME for symbol references (#1519165) + +* Tue Oct 03 2017 Igor Gnatenko - 2.5.1-2 +- Cleanups in spec + +* Tue Sep 26 2017 Nick Clifton - 2.5.1-1 +- Touch the auto-generated files in order to stop them from being regenerated. + +* Tue Sep 26 2017 Nick Clifton - 2.5-2 +- Stop the plugin complaining about compiler datestamp mismatches. + +* Thu Sep 21 2017 Nick Clifton - 2.4-1 +- Tweak tests so that they will run on older machines. + +* Thu Sep 21 2017 Nick Clifton - 2.3-1 +- Add annobin-tests subpackage containing some preliminary tests. +- Remove link-time test for unsupported targets. + +* Wed Aug 02 2017 Fedora Release Engineering - 2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Mon Jul 31 2017 Florian Weimer - 2.0-2 +- Rebuild with binutils fix for ppc64le (#1475636) + +* Wed Jun 28 2017 Nick Clifton - 2.0-1 +- Fixes for problems reported by the package submission review: + * Add %%license entry to %%file section. + * Update License and BuildRequires tags. + * Add Requires tag. + * Remove %%clean. + * Add %%check. + * Clean up the %%changelog. +- Update to use version 2 of the specification and sources. + +* Thu May 11 2017 Nick Clifton - 1.0-1 +- Initial submission. diff --git a/sources b/sources index e69de29..8a0e40b 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +SHA512 (annobin-8.71.tar.xz) = 32831fafd60cf02c5ae8898e3d6c0343ae8f3891e8e06ef358678093aa4e63740c94fae85c4306f3d6856b3811d81ce34885834ef975fd555dae2e21194b93e3 From 90aeb100cded5248ab81d088f1e3f4067b42724d Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 12 Apr 2019 16:13:18 +0100 Subject: [PATCH 02/29] Fixed spec file to build on RHEL 7. --- annobin.spec | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
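Review bot: In the %build section of the new annobin.spec the freshly built plugin is copied to the fixed name `%{_tmppath}/tmp_annobin.so` and then handed to the compiler with `-fplugin=`, so the second `make -C plugin` loads and runs whatever file sits at that path at that moment. `%{_tmppath}` normally expands to a shared directory such as /var/tmp, so on a build host without per-build isolation another local account could replace the file, and two concurrent builds would overwrite each other's copy. Keeping the copy inside the private build tree avoids both, e.g. `cp plugin/.libs/annobin.so.0.0.0 $PWD/tmp_annobin.so` with `-fplugin=$PWD/tmp_annobin.so` and a matching `rm`; the file name should stay tmp_annobin because the `-fplugin-arg-tmp_annobin-rename` argument is keyed on it. The same path is carried unchanged through the later %build hunks of patches 02 and 05 in this series.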
diff --git a/annobin.spec b/annobin.spec index 273f856..2fc8bf9 100644 --- a/annobin.spec +++ b/annobin.spec @@ -29,8 +29,8 @@ URL: https://fedoraproject.org/wiki/Toolchain/Watermark # Set this to zero to disable the requirement for a specific version of gcc. # This should only be needed if there is some kind of problem with the version -# checking logic. -%global with_hard_gcc_version_requirement 1 +# checking logic or when building on RHEL-7 or earlier. +%global with_hard_gcc_version_requirement 0 #--------------------------------------------------------------------------------- Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz @@ -167,7 +167,10 @@ touch doc/annobin.info # that it should be OK. cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so make -C plugin clean -make -C plugin CXXFLAGS="%{optflags} -fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" +BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" +# Disable the use of the .attach_to_group assembler pseudo op, as it is not available in the RHEL7 assembler. +BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" +make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so #--------------------------------------------------------------------------------- @@ -180,7 +183,10 @@ rm %{_tmppath}/tmp_annobin.so %if %{with tests} %check -make check +make check || : +if [ -f tests/test-suite.log ]; then + cat tests/test-suite.log +fi %endif #--------------------------------------------------------------------------------- From 837a4b187a360b7c73e2fab0701767ce3a96815a Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 24 Apr 2019 14:14:53 +0100 Subject: [PATCH 03/29] Fix test for an executable stack segment. Resolves: #1700924 --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 7ab5e8b..5d2c86f 100644 --- a/.gitignore 
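Review bot: Setting `with_hard_gcc_version_requirement` to 0 in the `@@ -29,8 +29,8 @@` hunk drops the gcc version pin for every build of this branch, leaving only the plain `Requires: gcc` from the `%else` branch, which lies outside the hunk. The spec's own comment states that GCC only loads plugins built against exactly that build, so the package can now be installed next to a gcc it was not built for, and annotated compiles on that machine would presumably abort when the plugin is loaded. If the reason is that the rpm on RHEL 7 does not accept the rich `(... with ...)` form, which the changed comment hints at but does not say, two ordinary dependencies in the `%else` branch would keep the pin: `Requires: gcc >= %{gcc_major}` and `Requires: gcc < %{gcc_next}`.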
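Review bot: `make check || :` in the `@@ -180,7 +183,10 @@` hunk discards the test-suite exit status, so a build in which the annobin or annocheck tests fail still produces a package, and the only trace is tests/test-suite.log printed into the build output. For a tool whose purpose is verifying hardening options, that allows a regression in one of its checks to ship unnoticed. If only particular tests are known to fail with the RHEL 7 assembler, it would be safer to mark just those as expected failures and keep the command fatal for everything else, e.g. `make check XFAIL_TESTS="<tests that need the newer assembler>"`, assuming the tests directory uses the automake harness that writes test-suite.log. The %check section continues outside the hunk.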
+++ b/.gitignore @@ -1 +1,2 @@ /annobin-8.71.tar.xz +/annobin-8.73.tar.xz diff --git a/annobin.spec b/annobin.spec index 2fc8bf9..d82dec2 100644 --- a/annobin.spec +++ b/annobin.spec @@ -15,7 +15,7 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.71 +Version: 8.73 Release: 1%{?dist} License: GPLv3+ @@ -216,6 +216,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Apr 24 2019 Nick Clifton - 8.73-1 +- Fix test for an executable stack segment. (#1700924) + * Thu Feb 28 2019 Nick Clifton - 8.71-1 - Annobin: Suppress more calls to free() which are triggering memory checker errors. (#1684148) diff --git a/sources b/sources index 8a0e40b..b3d6152 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.71.tar.xz) = 32831fafd60cf02c5ae8898e3d6c0343ae8f3891e8e06ef358678093aa4e63740c94fae85c4306f3d6856b3811d81ce34885834ef975fd555dae2e21194b93e3 +SHA512 (annobin-8.73.tar.xz) = 72af734ccdd1035ca46362ad0a7ca74c06407363783bfc58593ebc3fe233fee44822ccfb0544d3e235abba25c8b41ec3449ac43875e1fe4eea99ccef2c8f2b42 From 135fe88170f657cf01860b2c4295615baaed7e93 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 15 May 2019 11:50:38 +0100 Subject: [PATCH 04/29] Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703499) Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) Add tests of clang command line options recorded in the DW_AT_producer attribute. --- .gitignore | 1 + annobin.spec | 10 +++++++++- sources | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 5d2c86f..4aae29f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /annobin-8.71.tar.xz /annobin-8.73.tar.xz +/annobin-8.76.tar.xz diff --git a/annobin.spec b/annobin.spec index d82dec2..62b31ed 100644 --- a/annobin.spec +++ b/annobin.spec 
@@ -15,7 +15,7 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.73 +Version: 8.76 Release: 1%{?dist} License: GPLv3+ @@ -183,6 +183,7 @@ rm %{_tmppath}/tmp_annobin.so %if %{with tests} %check +# On RHEL7 the assembler does not support all of the annobin tests. make check || : if [ -f tests/test-suite.log ]; then cat tests/test-suite.log @@ -216,6 +217,13 @@ fi #--------------------------------------------------------------------------------- %changelog +* Tue Apr 30 2019 Nick Clifton - 8.76-1 +- Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703499) +- Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) + +* Fri Apr 26 2019 Nick Clifton - 8.74-1 +- Add tests of clang command line options recorded in the DW_AT_producer attribute. + * Wed Apr 24 2019 Nick Clifton - 8.73-1 - Fix test for an executable stack segment. (#1700924) diff --git a/sources b/sources index b3d6152..b0e73ee 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.73.tar.xz) = 72af734ccdd1035ca46362ad0a7ca74c06407363783bfc58593ebc3fe233fee44822ccfb0544d3e235abba25c8b41ec3449ac43875e1fe4eea99ccef2c8f2b42 +SHA512 (annobin-8.76.tar.xz) = f645258802d1d2a41cea2a41d62f382b9638bcfc2dc136d7204ebeb087a5624e199b780b8faf08447fa3686372fdd783c095cafff29b5fce6c18aed64eb53d56 From 837f125eba7123b03bb8fb51190602361e0c7c9c Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 18 Jun 2019 12:50:02 +0100 Subject: [PATCH 05/29] Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703499) Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) Add tests of clang command line options recorded in the DW_AT_producer attribute. --- annobin.spec | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/annobin.spec b/annobin.spec index 62b31ed..9046f6e 100644 --- a/annobin.spec 
+++ b/annobin.spec @@ -1,18 +1,4 @@ -# Suppress this for BZ 1630550. -# The problem should now only arise when rebasing to a new major version -# of gcc, in which case the undefine below can be temporarily reinstated. -# -# # Do not build the annobin plugin with annotation enabled. -# # This is because if we are bootstrapping a new build environment we can have -# # a new version of gcc installed, but without a new of annobin installed. -# # (i.e. we are building the new version of annobin to go with the new version -# # of gcc). If the *old* annobin plugin is used whilst building this new -# # version, the old plugin will complain that version of gcc for which it -# # was built is different from the version of gcc that is now being used, and -# # then it will abort. -# %%undefine _annotated_build - Name: annobin Summary: Binary annotation plugin for GCC Version: 8.76 @@ -20,6 +6,23 @@ Release: 1%{?dist} License: GPLv3+ URL: https://fedoraproject.org/wiki/Toolchain/Watermark +# Maintainer: nickc@redhat.com + + +# # Do not build the annobin plugin with annotation enabled. +# # This is because if we are bootstrapping a new build environment we can have +# # a new version of gcc installed, but without a new of annobin installed. +# # (i.e. we are building the new version of annobin to go with the new version +# # of gcc). If the *old* annobin plugin is used whilst building this new +# # version, the old plugin will complain that version of gcc for which it +# # was built is different from the version of gcc that is now being used, and +# # then it will abort. +# +# Suppress this for BZ 1630550. +# The problem should now only arise when rebasing to a new major version +# of gcc, in which case the undefine below can be temporarily reinstated. +# +# %%undefine _annotated_build # Use "--without tests" to disable the testsuite. The default is to run them. %bcond_without tests 
@@ -97,8 +100,7 @@ BuildRequires: gcc gcc-plugin-devel gcc-c++ %description Provides a plugin for GCC that records extra information in the files -that it compiles and a set of scripts that can analyze the recorded -information. +that it compiles. Note - the plugin is automatically enabled in gcc builds via flags provided by the redhat-rpm-macros package. @@ -168,7 +170,7 @@ touch doc/annobin.info cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so make -C plugin clean BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" -# Disable the use of the .attach_to_group assembler pseudo op, as it is not available in the RHEL7 assembler. +# If building on RHEL7, enable the next option as the .attach_to_group assembler pseudo op is not available in the assembler. BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so @@ -217,9 +219,10 @@ fi #--------------------------------------------------------------------------------- %changelog -* Tue Apr 30 2019 Nick Clifton - 8.76-1 +* Tue Jun 18 2019 Nick Clifton - 8.76-1 - Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703499) - Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) +- Add tests of clang command line options recorded in the DW_AT_producer attribute. * Fri Apr 26 2019 Nick Clifton - 8.74-1 - Add tests of clang command line options recorded in the DW_AT_producer attribute. From eaa961160a85bd716fff28142d358f26c517a345 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 18 Jun 2019 12:51:00 +0100 Subject: [PATCH 06/29] Bump NVR to enable a rebuild. --- annobin.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/annobin.spec b/annobin.spec index 9046f6e..f87492c 100644 --- a/annobin.spec +++ b/annobin.spec 
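Review bot: The reworded comment in the `@@ -168,7 +170,7 @@` hunk says "If building on RHEL7, enable the next option", but the following `BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach"` line is still unconditional, so the text and the behaviour disagree. Either guard the line with `%if 0%{?rhel} && 0%{?rhel} <= 7` and a closing `%endif`, or word the comment to match what actually happens: `# Always pass no-attach on this branch: the RHEL7 assembler lacks the .attach_to_group pseudo op.` The %build section starts and ends outside the hunk.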
@@ -2,7 +2,7 @@ Name: annobin Summary: Binary annotation plugin for GCC Version: 8.76 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ URL: https://fedoraproject.org/wiki/Toolchain/Watermark From b24746f6fc2e32faa3710a0b419f62e418ccde1e Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 25 Jun 2019 11:33:00 +0100 Subject: [PATCH 07/29] Another attempt at fixing the detection and reporting of missing -D_FORTIFY_SOURCE options. Relates: #1703500 --- annobin.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/annobin.spec b/annobin.spec index f87492c..521a5d8 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,8 +1,8 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.76 -Release: 2%{?dist} +Version: 8.77 +Release: 1%{?dist} License: GPLv3+ URL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -219,6 +219,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Mon Jun 24 2019 Nick Clifton - 8.77-1 +- Another attempt at fixing the detection and reporting of missing -D_FORTIFY_SOURCE options. (#1703500) + * Tue Jun 18 2019 Nick Clifton - 8.76-1 - Report a missing -D_FORTIFY_SOUCRE option if -D_GLIBCXX_ASSERTIONS was detected. (#1703499) - Do not report problems with -fstack-protection if the binary was not built by gcc or clang. (#1703788) From 4b5387cb51901daadf270b70be186b042d234a29 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 25 Jun 2019 11:41:56 +0100 Subject: [PATCH 08/29] commit upload of new sources --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 4aae29f..640a7a3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /annobin-8.71.tar.xz /annobin-8.73.tar.xz /annobin-8.76.tar.xz +/annobin-8.77.tar.xz diff --git a/sources b/sources index b0e73ee..d26a196 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (annobin-8.76.tar.xz) = f645258802d1d2a41cea2a41d62f382b9638bcfc2dc136d7204ebeb087a5624e199b780b8faf08447fa3686372fdd783c095cafff29b5fce6c18aed64eb53d56 +SHA512 (annobin-8.77.tar.xz) = d9d393aa359ab58a24d295dd4108b0255e39cf9210ec99125ce3f3589adff795aba50234817b38134964caa2fc92cf04d6c6e2945ae6cc2e1145033383cc58cb From 377a58266a5eb2d0006a74e224a778165458c9d0 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 6 Aug 2019 15:46:48 +0100 Subject: [PATCH 09/29] Fix a memory allocation error in the annobin plugin. Resolves: #1737306 --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 640a7a3..2884db5 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /annobin-8.73.tar.xz /annobin-8.76.tar.xz /annobin-8.77.tar.xz +/annobin-8.78.tar.xz diff --git a/annobin.spec b/annobin.spec index 521a5d8..baea9ee 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.77 +Version: 8.78 Release: 1%{?dist} License: GPLv3+ @@ -219,6 +219,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Tue Aug 06 2019 Nick Clifton - 8.78-1 +- Fix a memory allocation error in the annobin plugin. (#1737306) + * Mon Jun 24 2019 Nick Clifton - 8.77-1 - Another attempt at fixing the detection and reporting of missing -D_FORTIFY_SOURCE options. (#1703500) diff --git a/sources b/sources index d26a196..b815d12 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.77.tar.xz) = d9d393aa359ab58a24d295dd4108b0255e39cf9210ec99125ce3f3589adff795aba50234817b38134964caa2fc92cf04d6c6e2945ae6cc2e1145033383cc58cb +SHA512 (annobin-8.78.tar.xz) = 63073981b1d92d724dd70be64084cfd5e146735dd128455721fe5750c2f63d8fc0984e2907729fa39f9c5b2827e8f83c9c0801a143bff4a41d51b3a01e8a8a92 From 8d3f94b69166e53ce4d2afc938fb90f9d36cce83 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Mon, 23 Sep 2019 13:32:26 +0100 Subject: [PATCH 10/29] Improve detection of GO binaries. Add gcc version information to annobin notes. Do not complain about missing FORTIFY_SOURCE and GLIBCXX_ASSERTIONS in LTO compilations. --- .gitignore | 1 + annobin.spec | 7 ++++++- sources | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 2884db5..007af20 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /annobin-8.76.tar.xz /annobin-8.77.tar.xz /annobin-8.78.tar.xz +/annobin-8.81.tar.xz diff --git a/annobin.spec b/annobin.spec index baea9ee..5680f78 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.78 +Version: 8.81 Release: 1%{?dist} License: GPLv3+ @@ -219,6 +219,11 @@ fi #--------------------------------------------------------------------------------- %changelog +* Mon Sep 23 2019 Nick Clifton - 8.81-1 +- Improve detection of GO binaries. +- Add gcc version information to annobin notes. +- Do not complain about missing FORTIFY_SOURCE and GLIBCXX_ASSERTIONS in LTO compilations. + * Tue Aug 06 2019 Nick Clifton - 8.78-1 - Fix a memory allocation error in the annobin plugin. (#1737306) diff --git a/sources b/sources index b815d12..846cbdd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.78.tar.xz) = 63073981b1d92d724dd70be64084cfd5e146735dd128455721fe5750c2f63d8fc0984e2907729fa39f9c5b2827e8f83c9c0801a143bff4a41d51b3a01e8a8a92 +SHA512 (annobin-8.81.tar.xz) = 5b7d6ab619be5666cae0e0742ce650babd7bb18f9f5f93724a2d14b2100191360fa640a861be3bf807fe5bff598b008fe83276e568d7d2bae229e7642a8f2508 From 977cc84ccc77423e558bbb6a33d688affa0e35e6 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Mon, 4 Nov 2019 11:14:19 +0000 Subject: [PATCH 11/29] Generate a WARN result for code compiled with instrumentation enabled. (#1753918) Replace address checks with dladdr1. Use libabigail like checking to ensure variable address consistency. Skip generation of global notes for hot/cold sections. Generate FAIL results if -Wall or -Wformat-security are missing. If notes cannot be found in the executable look for them in the debuginfo file, if available. Generate a FAIL if notes are missing from the executable/debuginfo file. Record and report the setting of the AArcht64 specific -mbranch-protection option. --- .gitignore | 1 + annobin.spec | 12 +++++++++++- sources | 2 +- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 007af20..6ba6867 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /annobin-8.77.tar.xz /annobin-8.78.tar.xz /annobin-8.81.tar.xz +/annobin-8.89.tar.xz diff --git a/annobin.spec b/annobin.spec index 5680f78..20d27f2 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.81 +Version: 8.89 Release: 1%{?dist} License: GPLv3+ 
@@ -219,6 +219,16 @@ fi #--------------------------------------------------------------------------------- %changelog +* Mon Nov 04 2019 Nick Clifton - 8.89-1 +- Generate a WARN result for code compiled with instrumentation enabled. (#1753918) +- Replace address checks with dladdr1. +- Use libabigail like checking to ensure variable address consistency. +- Skip generation of global notes for hot/cold sections. +- Generate FAIL results if -Wall or -Wformat-security are missing. +- If notes cannot be found in the executable look for them in the debuginfo file, if available. +- Generate a FAIL if notes are missing from the executable/debuginfo file. +- Record and report the setting of the AArcht64 specific -mbranch-protection option. + * Mon Sep 23 2019 Nick Clifton - 8.81-1 - Improve detection of GO binaries. - Add gcc version information to annobin notes. diff --git a/sources b/sources index 846cbdd..d4b418a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.81.tar.xz) = 5b7d6ab619be5666cae0e0742ce650babd7bb18f9f5f93724a2d14b2100191360fa640a861be3bf807fe5bff598b008fe83276e568d7d2bae229e7642a8f2508 +SHA512 (annobin-8.89.tar.xz) = d26551feeaf3a9cb9ccb5f9876f155e9ed9adaf5739d8becc9cf6f3644f80f78feb5715b30030b491d0e70692b0aa5f3167ecd9c84a5d7c731c357fb029888fd From 47f4a8291b21f4f4630d2e0f51540460eb481449 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 15 Nov 2019 15:52:12 +0000 Subject: [PATCH 12/29] Annocheck: Do not skip positive results. --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 6ba6867..6ece538 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ /annobin-8.78.tar.xz /annobin-8.81.tar.xz /annobin-8.89.tar.xz +/annobin-8.90.tar.xz diff --git a/annobin.spec b/annobin.spec index 20d27f2..19621c9 100644 --- a/annobin.spec +++ b/annobin.spec 
@@ -1,7 +1,7 @@ Name: annobin Summary: Binary annotation plugin for GCC -Version: 8.89 +Version: 8.90 Release: 1%{?dist} License: GPLv3+ @@ -219,6 +219,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Fri Nov 15 2019 Nick Clifton - 8.90-1 +- Do not skip positive results. + * Mon Nov 04 2019 Nick Clifton - 8.89-1 - Generate a WARN result for code compiled with instrumentation enabled. (#1753918) - Replace address checks with dladdr1. diff --git a/sources b/sources index d4b418a..aabc197 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.89.tar.xz) = d26551feeaf3a9cb9ccb5f9876f155e9ed9adaf5739d8becc9cf6f3644f80f78feb5715b30030b491d0e70692b0aa5f3167ecd9c84a5d7c731c357fb029888fd +SHA512 (annobin-8.90.tar.xz) = 7006379b40d98c82664c789e405f37c3d011a341954ecd7c2dbd1ac830c3c3e6cd551d948247f2697c1cff62e628304cba52fbe872280a2aa622ed7b2237fb02 From d0a036a8b7627f4fb7bb9605acee1cf629c2d9cb Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Wed, 4 Mar 2020 15:59:46 +0000 Subject: [PATCH 13/29] Rebase to 9.12: - Improve builtby tool. - Stop annocheck complaining about missing notes when the binary is not compiled by either gcc or clang. - Skip the check of the ENTRY instruction for binaries not compiled by gcc or clang. (#1809656) - Fix infinite loop hangup in annocheck. - Disable debuginfod support by default. - Improve parsing of .comment section. - Fix clang plugin to use hidden symbols. - Add ability to build clang plugin (disabled by default). - Annocheck: Fix error printing out the version number. - Annobin: Add checks of the exact location of the examined switches. - Annobin: Note when stack clash notes are generated. - Annocheck: Handle multiple builder IDs in the .comment section. - Add configure option to suppress building annocheck. - Fix debuginfod test. - Correct the build requirement for building with debuginfod support. - Add debuginfod support. - Add clang plugin (experimental). - Have annocheck ignore notes with an end address of 0. - Improve checking of gcc versions. --- annobin-strncmp-fix.patch | 11 ++++ annobin.spec | 110 +++++++++++++++++++++++++++++++------- 2 files changed, 102 insertions(+), 19 deletions(-) create mode 100644 annobin-strncmp-fix.patch diff --git a/annobin-strncmp-fix.patch b/annobin-strncmp-fix.patch new file mode 100644 index 0000000..39f3c72 --- /dev/null +++ b/annobin-strncmp-fix.patch 
@@ -0,0 +1,11 @@ +--- annobin.orig/annocheck/built-by.c 2020-03-04 15:41:29.135051811 +0000 ++++ annobin-9.12/annocheck/built-by.c 2020-03-04 15:42:22.913813532 +0000 +@@ -183,7 +183,7 @@ builtby_note_walker (annocheck_data * + if (namedata[pos - 1] != GNU_BUILD_ATTRIBUTE_TYPE_STRING) + return false; + +- if (strncmp ((const char *) namedata + pos + 1, STR_AND_LEN ("annobin built")) != 0) ++ if (strncmp ((const char *) namedata + pos + 1, "annobin built", sizeof ("annobin built") - 1) != 0) + found ("annobin note", (const char *) ptr, namedata + pos + 1); + + return true; diff --git a/annobin.spec b/annobin.spec index 19621c9..a162a8b 100644 --- a/annobin.spec +++ b/annobin.spec 
@@ -1,13 +1,36 @@ Name: annobin -Summary: Binary annotation plugin for GCC -Version: 8.90 +Summary: Annotate and examine compiled binary files +Version: 9.12 Release: 1%{?dist} - License: GPLv3+ -URL: https://fedoraproject.org/wiki/Toolchain/Watermark +# ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark # Maintainer: nickc@redhat.com +#--------------------------------------------------------------------------------- + +# Use "--without tests" to disable the testsuite. The default is to run them. +# The default is to run the tests. +%bcond_without tests + +# Use "--without annocheck" to disable the installation of the annocheck program. +%bcond_without annocheck + +# Use "--with debuginfod" to force support for debuginfod to be compiled into +# the annocheck program. By default the configure script will check for +# availablilty at build time, but this might not match the run time situation. +# FIXME: Add a --without debuginfod option to forcefully disable the configure +# time check for debuginfod support. +%bcond_with debuginfod + +# Use "--with clangplugin" to build the annobin plugin for clang. +# The default is not to build the plugin. +%bcond_with clangplugin + +# Set this to zero to disable the requirement for a specific version of gcc. +# This should only be needed if there is some kind of problem with the version +# checking logic or when building on RHEL-7 or earlier. +%global with_hard_gcc_version_requirement 0 # # Do not build the annobin plugin with annotation enabled. # # This is because if we are bootstrapping a new build environment we can have 
@@ -24,23 +47,13 @@ URL: https://fedoraproject.org/wiki/Toolchain/Watermark # # %%undefine _annotated_build -# Use "--without tests" to disable the testsuite. The default is to run them. -%bcond_without tests - -# Use "--without annocheck" to disable the installation of the annocheck program. -%bcond_without annocheck - -# Set this to zero to disable the requirement for a specific version of gcc. -# This should only be needed if there is some kind of problem with the version -# checking logic or when building on RHEL-7 or earlier. -%global with_hard_gcc_version_requirement 0 - #--------------------------------------------------------------------------------- + Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git # Insert patches here, if needed. -# Patch01: annobin-xxx.patch +Patch01: annobin-strncmp-fix.patch #--------------------------------------------------------------------------------- @@ -97,6 +110,9 @@ Requires: gcc %endif BuildRequires: gcc gcc-plugin-devel gcc-c++ +%if %{with clangplugin} +BuildRequires: clang clang-devel llvm llvm-devel +%endif %description Provides a plugin for GCC that records extra information in the files @@ -105,6 +121,10 @@ that it compiles. Note - the plugin is automatically enabled in gcc builds via flags provided by the redhat-rpm-macros package. +%if %{with clangplugin} +Also provides a plugin for clang which performs a similar function. +%endif + #--------------------------------------------------------------------------------- %if %{with tests} @@ -124,6 +144,9 @@ of the resulting files. Summary: A tool for checking the security hardening status of binaries BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif %description annocheck Installs the annocheck program which uses the notes generated by annobin to 
@@ -134,7 +157,15 @@ hardening options. #--------------------------------------------------------------------------------- -%global ANNOBIN_PLUGIN_DIR %(gcc --print-file-name=plugin) +%global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) + +%if %{with clangplugin} +# FIXME: Clang does not appear to have an official plugin directory. +# Instead it just uses dlopen() with no pathname prefix. So we +# construct a (hopefully good) path and rely upon users of annobin +# knowing about this location. +%global ANNOBIN_CLANG_PLUGIN_DIR /usr/lib64/clang/%(clang --dumpversion)/lib +%endif #--------------------------------------------------------------------------------- @@ -159,7 +190,13 @@ touch doc/annobin.info #--------------------------------------------------------------------------------- %build -%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_PLUGIN_DIR} + +%if %{with debuginfod} +%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} --with-debuginfod +%else +%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} +%endif + %make_build # Rebuild the plugin, this time using the plugin itself! This # ensures that the plugin works, and that it contains annotations @@ -175,12 +212,22 @@ BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so +%if %{with clangplugin} +# FIXME: The symbolic link should not be needed. +ln -f -s ../annobin-global.h clang-plugin +make -C clang-plugin annobin.so +%endif + #--------------------------------------------------------------------------------- %install %make_install %{__rm} -f %{buildroot}%{_infodir}/dir +%if %{with clangplugin} +cp clang-plugin/annobin.so %{ANNOBIN_CLANG_PLUGIN_DIR} +%endif + #--------------------------------------------------------------------------------- %if %{with tests} 
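Review bot: `ANNOBIN_CLANG_PLUGIN_DIR` hard-codes `/usr/lib64`, so the path is wrong on any target whose `%{_libdir}` differs; `%global ANNOBIN_CLANG_PLUGIN_DIR %{_libdir}/clang/%(clang --dumpversion)/lib` would follow the platform. The FIXME already says clang has no official plugin directory and that users are expected to know this location. Since they will be passing that path to the compiler by hand, the chosen directory should also be stated in the package description rather than only in a spec comment.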
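Review bot: The `%else` branch of the new debuginfod conditional passes no debuginfod switch, so configure falls back to probing the build root, as the FIXME beside `%bcond_with debuginfod` admits. Whether annocheck gains the ability to fetch debug information from debuginfod servers then depends on what happens to be installed at build time, although the changelog says support is disabled by default. If this version's configure honours the negative form, pass it explicitly: `%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} --without-debuginfod`. Otherwise a `BuildConflicts: elfutils-debuginfod-client-devel` under `%if %{without debuginfod}` gives the same guarantee.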
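Review bot: The added `%install` step `cp clang-plugin/annobin.so %{ANNOBIN_CLANG_PLUGIN_DIR}` writes to the live filesystem instead of the build root. An unprivileged build fails at this point, a build with enough privilege modifies the build host's clang directory, and in both cases the matching `%files` entry finds nothing under `%{buildroot}`. Stage the file the usual way: `install -D -m 0755 clang-plugin/annobin.so %{buildroot}%{ANNOBIN_CLANG_PLUGIN_DIR}/annobin.so`. The `%install` section continues outside the hunk.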
@@ -195,7 +242,7 @@ fi #--------------------------------------------------------------------------------- %files -%{ANNOBIN_PLUGIN_DIR} +%{ANNOBIN_GCC_PLUGIN_DIR} %{_bindir}/built-by %{_bindir}/check-abi %{_bindir}/hardened @@ -211,6 +258,10 @@ fi %doc %{_mandir}/man1/hardened.1.gz %doc %{_mandir}/man1/run-on-binaries-in.1.gz +%if %{with clangplugin} +%{ANNOBIN_CLANG_PLUGIN_DIR} +%endif + %if %{with annocheck} %{_bindir}/annocheck %doc %{_mandir}/man1/annocheck.1.gz @@ -219,6 +270,27 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Mar 04 2020 Nick Clifton - 9.12-1 +- Improve builtby tool. +- Stop annocheck complaining about missing notes when the binary is not compiled by either gcc or clang. +- Skip the check of the ENTRY instruction for binaries not compiled by gcc or clang. (#1809656) +- Fix infinite loop hangup in annocheck. +- Disable debuginfod support by default. +- Improve parsing of .comment section. +- Fix clang plugin to use hidden symbols. +- Add ability to build clang plugin (disabled by default). +- Annocheck: Fix error printing out the version number. +- Annobin: Add checks of the exact location of the examined switches. +- Annobin: Note when stack clash notes are generated. +- Annocheck: Handle multiple builder IDs in the .comment section. +- Add configure option to suppress building annocheck. +- Fix debuginfod test. +- Correct the build requirement for building with debuginfod support. +- Add debuginfod support. +- Add clang plugin (experimental). +- Have annocheck ignore notes with an end address of 0. +- Improve checking of gcc versions. + * Fri Nov 15 2019 Nick Clifton - 8.90-1 - Do not skip positive results. From 3eef7e6661e8a117b884aedc23fa7d937067a795 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 4 Mar 2020 16:14:18 +0000 Subject: [PATCH 14/29] oops forgot to attach the new sources --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
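Review bot: The new `%files` entry lists the whole `%{ANNOBIN_CLANG_PLUGIN_DIR}` directory, so this package claims ownership of a directory inside clang's own tree (presumably already owned by the clang packages) and of anything else staged there. Listing only the plugin avoids that: `%{ANNOBIN_CLANG_PLUGIN_DIR}/annobin.so`. The `%{ANNOBIN_GCC_PLUGIN_DIR}` entry in the preceding hunk has the same shape and is worth checking against what gcc-plugin-devel owns.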
diff --git a/.gitignore b/.gitignore index 6ece538..1685b13 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ /annobin-8.81.tar.xz /annobin-8.89.tar.xz /annobin-8.90.tar.xz +/annobin-9.12.tar.xz diff --git a/sources b/sources index aabc197..b55d8e1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-8.90.tar.xz) = 7006379b40d98c82664c789e405f37c3d011a341954ecd7c2dbd1ac830c3c3e6cd551d948247f2697c1cff62e628304cba52fbe872280a2aa622ed7b2237fb02 +SHA512 (annobin-9.12.tar.xz) = cfe9d67ebf53816932310f1f686b4d94554506488c217870c5c440d2d1f8cb3a757f96c07e373540f2358c4e1adcf432b746c6936c237f7b44769993210bc8aa From 4663ff10304960a31de459f4b120c38436e5e9aa Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Thu, 26 Mar 2020 15:55:15 +0000 Subject: [PATCH 15/29] Use offsets stored in gcc's cl_option structure to access the global_options array, thus removing the need to check for changes in the size of this structure. Rename gcc plugin directory to gcc-plugin. Stop annocheck from complaining about missing options when the binary has been built in a mixed environment. --- .gitignore | 1 + annobin.spec | 15 ++++++++++----- sources | 2 +- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 1685b13..e24c3db 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /annobin-8.89.tar.xz /annobin-8.90.tar.xz /annobin-9.12.tar.xz +/annobin-9.14.tar.xz diff --git a/annobin.spec b/annobin.spec index a162a8b..f1504a7 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.12 +Version: 9.14 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark 
@@ -182,7 +182,7 @@ echo "Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})" # The plugin has to be configured with the same arcane configure # scripts used by gcc. Hence we must not allow the Fedora build # system to regenerate any of the configure files. -touch aclocal.m4 plugin/config.h.in +touch aclocal.m4 gcc-plugin/config.h.in touch configure */configure Makefile.in */Makefile.in # Similarly we do not want to rebuild the documentation. touch doc/annobin.info @@ -204,12 +204,12 @@ touch doc/annobin.info # double annotations in it. (If the build system enables annotations # for plugins by default). I have not tested this yet, but I think # that it should be OK. -cp plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so -make -C plugin clean +cp gcc-plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so +make -C gcc-plugin clean BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" # If building on RHEL7, enable the next option as the .attach_to_group assembler pseudo op is not available in the assembler. BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" -make -C plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" +make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so %if %{with clangplugin} @@ -270,6 +270,11 @@ fi #--------------------------------------------------------------------------------- %changelog +* Thu Mar 26 2020 Nick Clifton - 9.14-1 +- Use offsets stored in gcc's cl_option structure to access the global_options array, thus removing the need to check for changes in the size of this structure. +- Rename gcc plugin directory to gcc-plugin. +- Stop annocheck from complaining about missing options when the binary has been built in a mixed environment. + * Wed Mar 04 2020 Nick Clifton - 9.12-1 - Improve builtby tool. - Stop annocheck complaining about missing notes when the binary is not compiled by either gcc or clang. diff --git a/sources b/sources index b55d8e1..717d46c 100644 
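Review bot: The bootstrap step in the `-204,12` hunk copies the freshly built plugin to the fixed name `%{_tmppath}/tmp_annobin.so` and then has gcc load it. In a default rpm configuration `%{_tmppath}` is a shared temporary directory, so on a multi-user build host the file gcc loads can be replaced between the `cp` and the `make`, and two concurrent builds overwrite each other's copy. Staging the copy in a private `mktemp -d` directory removes both problems; the basename has to stay `tmp_annobin.so` because the `-fplugin-arg-tmp_annobin-*` option names are derived from it. The same lines appear as context in the earlier `%build` hunks, and builds inside a private chroot are less exposed.

```spec
plugdir=$(mktemp -d)
cp gcc-plugin/.libs/annobin.so.0.0.0 "$plugdir/tmp_annobin.so"
make -C gcc-plugin clean
BUILD_FLAGS="-fplugin=$plugdir/tmp_annobin.so -fplugin-arg-tmp_annobin-rename"
# … unchanged: no-attach flag and the second make -C gcc-plugin …
rm -rf "$plugdir"
```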
--- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.12.tar.xz) = cfe9d67ebf53816932310f1f686b4d94554506488c217870c5c440d2d1f8cb3a757f96c07e373540f2358c4e1adcf432b746c6936c237f7b44769993210bc8aa +SHA512 (annobin-9.14.tar.xz) = 39d2b6d67ce6303bf375b157c04dc58a46cba3467f8003f50892caffa8d7c8e4f3fddbf5f09468aa29b05fc7deb7a7610a153a84e0d6d3b10bd04f9e990eb1c6 From 3cafbe58a064d251dccbbbc08061f0ad269e9369 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 27 Mar 2020 13:05:36 +0000 Subject: [PATCH 16/29] Fix bug in previous delta --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index e24c3db..efd0172 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /annobin-8.90.tar.xz /annobin-9.12.tar.xz /annobin-9.14.tar.xz +/annobin-9.17.tar.xz diff --git a/annobin.spec b/annobin.spec index f1504a7..85bf4b7 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.14 +Version: 9.17 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -270,6 +270,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Fri Mar 27 2020 Nick Clifton - 9.17-1 +- Annobin: Fix access to the -flto and -fsanitize flags. + * Thu Mar 26 2020 Nick Clifton - 9.14-1 - Use offsets stored in gcc's cl_option structure to access the global_options array, thus removing the need to check for changes in the size of this structure. - Rename gcc plugin directory to gcc-plugin. diff --git a/sources b/sources index 717d46c..b5d79a5 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (annobin-9.14.tar.xz) = 39d2b6d67ce6303bf375b157c04dc58a46cba3467f8003f50892caffa8d7c8e4f3fddbf5f09468aa29b05fc7deb7a7610a153a84e0d6d3b10bd04f9e990eb1c6 +SHA512 (annobin-9.17.tar.xz) = bdbaba191e0e9197a457b78859f0192b2a610ae737bd2fd9d589528aaadaf1b43fa646621ab8de8a43bc1aa833b603dda06444e3adc563341a1c5465a1be1384 From 26adffdbef7426c78c7f6e9cec9a38976e5e6479 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 30 Mar 2020 17:09:25 +0100 Subject: [PATCH 17/29] Annocheck: Fix a division by zero error when parsing GO binaries. Resolves: #1818863 --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index efd0172..5441759 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ /annobin-9.12.tar.xz /annobin-9.14.tar.xz /annobin-9.17.tar.xz +/annobin-9.18.tar.xz diff --git a/annobin.spec b/annobin.spec index 85bf4b7..3af8507 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.17 +Version: 9.18 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -270,6 +270,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Mon Mar 30 2020 Nick Clifton - 9.18-1 +- Annocheck: Fix a division by zero error when parsing GO binaries. (#1818863) + * Fri Mar 27 2020 Nick Clifton - 9.17-1 - Annobin: Fix access to the -flto and -fsanitize flags. diff --git a/sources b/sources index b5d79a5..9314557 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.17.tar.xz) = bdbaba191e0e9197a457b78859f0192b2a610ae737bd2fd9d589528aaadaf1b43fa646621ab8de8a43bc1aa833b603dda06444e3adc563341a1c5465a1be1384 +SHA512 (annobin-9.18.tar.xz) = cd7b19ffde8dcab6bcf75e997d743ccbbd3bcd17690061cb1a2ff05651bfbb43b37df408b6efc4e683d52ae5654dfaf23b56e1c3c58928759610576afdcd9346 
From 855edcbf90f540f2b798d970fe681eeeb9f28d53 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 1 Apr 2020 14:06:02 +0100 Subject: [PATCH 18/29] Annobin: If option name mismatch occurs, seach for the real option. (#1817452) --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 5441759..036bf7b 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ /annobin-9.14.tar.xz /annobin-9.17.tar.xz /annobin-9.18.tar.xz +/annobin-9.19.tar.xz diff --git a/annobin.spec b/annobin.spec index 3af8507..6a12d07 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.18 +Version: 9.19 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -270,6 +270,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Apr 01 2020 Nick Clifton - 9.19-1 +- Annobin: If option name mismatch occurs, seach for the real option. (#1817452) + * Mon Mar 30 2020 Nick Clifton - 9.18-1 - Annocheck: Fix a division by zero error when parsing GO binaries. (#1818863) diff --git a/sources b/sources index 9314557..14c198d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.18.tar.xz) = cd7b19ffde8dcab6bcf75e997d743ccbbd3bcd17690061cb1a2ff05651bfbb43b37df408b6efc4e683d52ae5654dfaf23b56e1c3c58928759610576afdcd9346 +SHA512 (annobin-9.19.tar.xz) = 5fbedd42123f1c7ff73a3bd4afca3941cfcc702bc49e2de7b32548badd2f06cd0c69abea676fc11fb96c6e0ccdb94bbe9e445bbc6a0c4866d6353280cfc4248b From cc072d4bd72da065242c039897128b2a3a09af03 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Thu, 16 Apr 2020 16:28:16 +0100 Subject: [PATCH 19/29] Annocheck: Detect Fortran compiled programs. (#1824393) --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/.gitignore b/.gitignore index 036bf7b..9f4ae9c 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ /annobin-9.17.tar.xz /annobin-9.18.tar.xz /annobin-9.19.tar.xz +/annobin-9.20.tar.xz diff --git a/annobin.spec b/annobin.spec index 6a12d07..1a9d895 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.19 +Version: 9.20 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -270,6 +270,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Thu Apr 16 2020 Nick Clifton - 9.20-1 +- Annocheck: Detect Fortran compiled programs. (#1824393) + * Wed Apr 01 2020 Nick Clifton - 9.19-1 - Annobin: If option name mismatch occurs, seach for the real option. (#1817452) diff --git a/sources b/sources index 14c198d..4ba60fc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.19.tar.xz) = 5fbedd42123f1c7ff73a3bd4afca3941cfcc702bc49e2de7b32548badd2f06cd0c69abea676fc11fb96c6e0ccdb94bbe9e445bbc6a0c4866d6353280cfc4248b +SHA512 (annobin-9.20.tar.xz) = 6cf4593da7eae3320c18d99df4580ad9bc25f1e275b8534510432246442c2e21cd11b75af4a682167e7f2068008a6a51012b8d472740c70d1c5ccd47a1dc7b3c From 11072fae9d3ea85740f1a90e0a3d42992b23d59e Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 9 Nov 2020 11:50:35 +0000 Subject: [PATCH 20/29] Rebase to 9.39. Might fix 1894849. --- .gitignore | 1 + annobin-strncmp-fix.patch | 11 --- annobin.spec | 165 +++++++++++++++++++++++++++----------- sources | 2 +- 4 files changed, 118 insertions(+), 61 deletions(-) delete mode 100644 annobin-strncmp-fix.patch diff --git a/.gitignore b/.gitignore index 9f4ae9c..ae220f1 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ /annobin-9.18.tar.xz /annobin-9.19.tar.xz /annobin-9.20.tar.xz +/annobin-9.39.tar.xz 
diff --git a/annobin-strncmp-fix.patch b/annobin-strncmp-fix.patch deleted file mode 100644 index 39f3c72..0000000 --- a/annobin-strncmp-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- annobin.orig/annocheck/built-by.c 2020-03-04 15:41:29.135051811 +0000 -+++ annobin-9.12/annocheck/built-by.c 2020-03-04 15:42:22.913813532 +0000 -@@ -183,7 +183,7 @@ builtby_note_walker (annocheck_data * - if (namedata[pos - 1] != GNU_BUILD_ATTRIBUTE_TYPE_STRING) - return false; - -- if (strncmp ((const char *) namedata + pos + 1, STR_AND_LEN ("annobin built")) != 0) -+ if (strncmp ((const char *) namedata + pos + 1, "annobin built", sizeof ("annobin built") - 1) != 0) - found ("annobin note", (const char *) ptr, namedata + pos + 1); - - return true; diff --git a/annobin.spec b/annobin.spec index 1a9d895..60a9c24 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.20 +Version: 9.39 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -9,8 +9,7 @@ License: GPLv3+ #--------------------------------------------------------------------------------- -# Use "--without tests" to disable the testsuite. The default is to run them. -# The default is to run the tests. +# Use "--without tests" to disable the testsuite. %bcond_without tests # Use "--without annocheck" to disable the installation of the annocheck program. 
@@ -23,29 +22,31 @@ License: GPLv3+ # time check for debuginfod support. %bcond_with debuginfod -# Use "--with clangplugin" to build the annobin plugin for clang. -# The default is not to build the plugin. +# Use "--with clangplugin" to build the annobin plugin for Clang. %bcond_with clangplugin +# Use "--with llvmplugin" to enable the building of the annobin plugin for LLVM. +%bcond_with llvmplugin + # Set this to zero to disable the requirement for a specific version of gcc. # This should only be needed if there is some kind of problem with the version # checking logic or when building on RHEL-7 or earlier. %global with_hard_gcc_version_requirement 0 -# # Do not build the annobin plugin with annotation enabled. -# # This is because if we are bootstrapping a new build environment we can have -# # a new version of gcc installed, but without a new of annobin installed. -# # (i.e. we are building the new version of annobin to go with the new version -# # of gcc). If the *old* annobin plugin is used whilst building this new -# # version, the old plugin will complain that version of gcc for which it -# # was built is different from the version of gcc that is now being used, and -# # then it will abort. +%bcond_with annobin_plugin +# Allow the building of annobin without using annobin itself. +# This is because if we are bootstrapping a new build environment we can have +# a new version of gcc installed, but without a new of annobin installed. +# (i.e. we are building the new version of annobin to go with the new version +# of gcc). If the *old* annobin plugin is used whilst building this new +# version, the old plugin will complain that version of gcc for which it +# was built is different from the version of gcc that is now being used, and +# then it will abort. # -# Suppress this for BZ 1630550. -# The problem should now only arise when rebasing to a new major version -# of gcc, in which case the undefine below can be temporarily reinstated. 
-# -# %%undefine _annotated_build +# The default is to use annobin. cf BZ 1630550. +%if %{without annobin_plugin} +%undefine _annotated_build +%endif #--------------------------------------------------------------------------------- @@ -53,7 +54,7 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git # Insert patches here, if needed. -Patch01: annobin-strncmp-fix.patch +# Patch01: annobin-xxx.patch #--------------------------------------------------------------------------------- @@ -110,8 +111,13 @@ Requires: gcc %endif BuildRequires: gcc gcc-plugin-devel gcc-c++ +# The documentation uses pod2man... +BuildRequires: perl perl-podlators %if %{with clangplugin} -BuildRequires: clang clang-devel llvm llvm-devel +BuildRequires: clang clang-devel llvm llvm-devel compiler-rt gawk +%endif +%if %{with llvmplugin} +BuildRequires: clang clang-devel llvm llvm-devel compiler-rt gawk %endif %description @@ -122,7 +128,11 @@ Note - the plugin is automatically enabled in gcc builds via flags provided by the redhat-rpm-macros package. %if %{with clangplugin} -Also provides a plugin for clang which performs a similar function. +Also provides a plugin for Clang which performs a similar function. +%endif + +%if %{with llvmplugin} +Also provides a plugin for LLVM which performs a similar function. %endif #--------------------------------------------------------------------------------- 
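Review bot: The new comment "The default is to use annobin" does not match `%bcond_with annobin_plugin`: a `%bcond_with` option is off unless the build passes `--with annobin_plugin`, so `%{without annobin_plugin}` is true by default and `%undefine _annotated_build` runs on every ordinary build. If annotated builds are meant to be the default, this should be `%bcond_without annobin_plugin`; if the opt-in is intended for this branch, the comment should say so, for example `# The default is to build without annobin; use "--with annobin_plugin" to enable it.` The same default also skips the `%if %{with annobin_plugin}` self-rebuild in %build, so the shipped plugin presumably carries no notes of its own for annocheck to examine.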
@@ -159,12 +169,14 @@ hardening options. %global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) -%if %{with clangplugin} -# FIXME: Clang does not appear to have an official plugin directory. -# Instead it just uses dlopen() with no pathname prefix. So we -# construct a (hopefully good) path and rely upon users of annobin -# knowing about this location. -%global ANNOBIN_CLANG_PLUGIN_DIR /usr/lib64/clang/%(clang --dumpversion)/lib +%if %{with clangplugin} || %{with llvmplugin} +# FIXME: We currently assume that the first directory listed in clang's +# search directory output is the one that we should use for plugins. +# This might not be correct. +# The gensub() below is because without it $2 would look like: +# " =/usr/lib64/clang/8.0.0" +# Note - we install LLVM plugins into the same directory as Clang plugins. +%global ANNOBIN_CLANG_PLUGIN_DIR %(clang --print-search-dirs | gawk -e'BEGIN { FS = ":" } /libraries/ { print gensub(" =","",1,$2) } END { }') %endif #--------------------------------------------------------------------------------- @@ -175,7 +187,7 @@ if [ -z "%{gcc_vr}" ]; then exit 1 fi -echo "Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})" +echo "Requires: (gcc >= %{gcc_major} and gcc < %{gcc_next})" %autosetup -p1 
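Review bot: Nothing checks that `ANNOBIN_CLANG_PLUGIN_DIR` came out non-empty. The `%(clang --print-search-dirs | gawk ...)` expansion yields an empty string if clang is not installed when the spec is parsed or if its output has no `libraries` line, and the macro is later used as `PLUGIN_INSTALL_DIR=$RPM_BUILD_ROOT%{ANNOBIN_CLANG_PLUGIN_DIR}` and as a bare `%files` entry, so an empty value would place the plugins directly under the buildroot root and leave the `%files` entry empty. %prep already stops early on an empty `%{gcc_vr}`; a matching guard such as `if [ -z "%{ANNOBIN_CLANG_PLUGIN_DIR}" ]; then echo "clang plugin dir not found"; exit 1; fi` inside the same `%if` would make this case fail loudly as well.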
@@ -191,43 +203,72 @@ touch doc/annobin.info %build +CONFIG_ARGS= + %if %{with debuginfod} -%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} --with-debuginfod +CONFIG_ARGS="$CONFIG_ARGS --with-debuginfod" %else -%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} +CONFIG_ARGS="$CONFIG_ARGS --without-debuginfod" %endif +%if %{with clangplugin} +CONFIG_ARGS="$CONFIG_ARGS --with-clang" +%endif + +%if %{with llvmplugin} +CONFIG_ARGS="$CONFIG_ARGS --with-llvm" +%endif + +%if %{without tests} +CONFIG_ARGS="$CONFIG_ARGS --without-test" +%endif + +%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} ${CONFIG_ARGS} || cat config.log + %make_build -# Rebuild the plugin, this time using the plugin itself! This + +%if %{with annobin_plugin} +# Rebuild the plugin(s), this time using the plugin itself! This # ensures that the plugin works, and that it contains annotations -# of its own. This could mean that we end up with a plugin with -# double annotations in it. (If the build system enables annotations -# for plugins by default). I have not tested this yet, but I think -# that it should be OK. +# of its own. cp gcc-plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so make -C gcc-plugin clean -BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so -fplugin-arg-tmp_annobin-rename" -# If building on RHEL7, enable the next option as the .attach_to_group assembler pseudo op is not available in the assembler. +BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so" + +# Disable the standard annobin plugin so that we do get conflicts. +# Note: the "-fplugin=annobin" is here, despite the fact that it will also +# be automatically added to the gcc command line via +# "-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1" because of a bug in gcc's +# plugin command line options handling. GCC will issue an error saying that +# there is no plugin called "annobin" matching the -fplugin-arg-annobin-disable +# option, despite the fact that there patently is. 
+BUILD_FLAGS="$BUILD_FLAGS -fplugin=annobin -fplugin-arg-annobin-disable" + +# If building on RHEL7, enable the next option as the .attach_to_group +# assembler pseudo op is not available in the assembler. BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" + make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so +%endif %if %{with clangplugin} -# FIXME: The symbolic link should not be needed. -ln -f -s ../annobin-global.h clang-plugin -make -C clang-plugin annobin.so +cp clang-plugin/annobin-for-clang.so %{_tmppath}/tmp_annobin.so +make -C clang-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" +%endif + +%if %{with llvmplugin} +cp llvm-plugin/annobin-for-llvm.so %{_tmppath}/tmp_annobin.so +make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" %endif #--------------------------------------------------------------------------------- +# PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles... %install -%make_install +%make_install PLUGIN_INSTALL_DIR=$RPM_BUILD_ROOT%{ANNOBIN_CLANG_PLUGIN_DIR} %{__rm} -f %{buildroot}%{_infodir}/dir -%if %{with clangplugin} -cp clang-plugin/annobin.so %{ANNOBIN_CLANG_PLUGIN_DIR} -%endif - #--------------------------------------------------------------------------------- %if %{with tests} @@ -243,10 +284,6 @@ fi %files %{ANNOBIN_GCC_PLUGIN_DIR} -%{_bindir}/built-by -%{_bindir}/check-abi -%{_bindir}/hardened -%{_bindir}/run-on-binaries-in %license COPYING3 LICENSE %exclude %{_datadir}/doc/annobin-plugin/COPYING3 %exclude %{_datadir}/doc/annobin-plugin/LICENSE @@ -261,6 +298,9 @@ fi %if %{with clangplugin} %{ANNOBIN_CLANG_PLUGIN_DIR} %endif +%if %{with llvmplugin} +%{ANNOBIN_CLANG_PLUGIN_DIR} +%endif %if %{with annocheck} %{_bindir}/annocheck 
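Review bot: The self-rebuild copies the freshly built plugin to the fixed name `%{_tmppath}/tmp_annobin.so` and then loads it into the compiler with `-fplugin=`, so on a host where `%{_tmppath}` is a shared directory the file gcc loads sits at a predictable path that another local account could create or swap between the `cp` and the `make`. Keeping the copy inside the build tree avoids that, for example `cp gcc-plugin/.libs/annobin.so.0.0.0 $PWD/tmp_annobin.so` with `BUILD_FLAGS="-fplugin=$PWD/tmp_annobin.so"`. The Clang and LLVM sections copy to the same name after the `rm` and never remove it, and they reuse `$BUILD_FLAGS`, which is only set inside `%if %{with annobin_plugin}`. Separately, `%configure ... || cat config.log` ends with cat's exit status, so a failed configure does not stop the build; `|| { cat config.log; exit 1; }` keeps the log and the failure.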
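Review bot: With both `--with clangplugin` and `--with llvmplugin`, `%{ANNOBIN_CLANG_PLUGIN_DIR}` is listed twice in `%files`, which rpmbuild reports as a file listed twice. The macro definition already uses a combined condition, so the two blocks can be one: `%if %{with clangplugin} || %{with llvmplugin}` around a single `%{ANNOBIN_CLANG_PLUGIN_DIR}` line. Listing the whole directory also makes this package own everything installed under that Clang directory in the buildroot; naming the two plugin files would be narrower, though their installed names are not visible in this hunk.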
@@ -270,6 +310,33 @@ fi #--------------------------------------------------------------------------------- %changelog +* Mon Nov 09 2020 Nick Clifton - 9.38-1 +- Rebase to 9.39 +- Annocheck: Add fixes for building on RHEL-7. +- Annocheck: Fix bug parsing DW_AT_producer. +- Add test of .note.gnu.property section for PowerPC. +- Add test of objcopy's ability to merge notes. +- Record the -flto setting and produce a soft warning if it is absent. +- Suppress warnings about _D_GLIBCXX_ASSERTIONS if the source code is known to be something other than C++. +- Correct the directory chosen for 32-bit LLVM and Clang plugins. (#1884951) +- Allow the use of the SHF_LINK_ORDER section flag to discard unused notes. (Experimental). +- Enable the build and installation of the LLVM and Clang plugins. (Experimental). +- gcc-plugin: Fix test for empty PowerPC sections. (#1880634) +- annocheck: Add tests for the AArch64 BTI and PAC security features. (#1862478) +- gcc plugin: Use a 4 byte offset for PowerPC start symbols, so that they do not break disassemblies. +- gcc plugin: Correct the detection of 32-bit x86 builds. (#1876197) +- gcc plugin: Detect any attempt to access the global_options array. +- gcc plugin: Do not complain about missing pre-processor options when examining a preprocessed input file. (#1862718) +- Use more robust checks for AArch64 options. +- Detect CLANG compiled assembler that is missing IBT support. +- Improved target pointer size discovery. +- Rebuild with plugin enabled to check that suppression works. +- Add support for installing clang and llvm plugins. +- Temporary suppression of aarch64 pointer size check. (#1860549) +- Annocheck: Do not skip tests of the short-enums notes. (#1743635) +- Add (optional) llvm plugin. +- Annobin: Fall back on using the flags if the option cannot be found in cl_options. (#1817659) + * Thu Apr 16 2020 Nick Clifton - 9.20-1 - Annocheck: Detect Fortran compiled programs. (#1824393) 
diff --git a/sources b/sources index 4ba60fc..3213384 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.20.tar.xz) = 6cf4593da7eae3320c18d99df4580ad9bc25f1e275b8534510432246442c2e21cd11b75af4a682167e7f2068008a6a51012b8d472740c70d1c5ccd47a1dc7b3c +SHA512 (annobin-9.39.tar.xz) = 0bda62a0397998dfac88c4fd839f71c81ea262e2bbafc2042261b1b56e96377a2589bc1c323c58c7a691b635dc3af612c6c331fffc97142059ac6c2d515a6126 From f3a331eebbe4da3095cc481f673f530f26a511da Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 10 Nov 2020 16:56:26 +0000 Subject: [PATCH 21/29] annocheck: Add handling of gimple compiled files --- .gitignore | 1 + annobin.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index ae220f1..cdaa001 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /annobin-9.19.tar.xz /annobin-9.20.tar.xz /annobin-9.39.tar.xz +/annobin-9.41.tar.xz diff --git a/annobin.spec b/annobin.spec index 60a9c24..637ba12 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.39 +Version: 9.41 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -310,6 +310,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Tue Nov 10 2020 Nick Clifton - 9.41-1 +- Annocheck: Handle gimple compiled binaries. + * Mon Nov 09 2020 Nick Clifton - 9.38-1 - Rebase to 9.39 - Annocheck: Add fixes for building on RHEL-7. diff --git a/sources b/sources index 3213384..885c368 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.39.tar.xz) = 0bda62a0397998dfac88c4fd839f71c81ea262e2bbafc2042261b1b56e96377a2589bc1c323c58c7a691b635dc3af612c6c331fffc97142059ac6c2d515a6126 +SHA512 (annobin-9.41.tar.xz) = bd9ecd49abf9cd53b9f9e86563de6f47ec9b5d28ea3e9e30aebb2882daf20256d4f62259d52f603e937ff676a01bf07eb0c8acf8caa83a8b9da503832daecec8 
From 3d3314b17142edb705d1971cddaf3a93a4da2fdd Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 24 Nov 2020 10:34:31 +0000 Subject: [PATCH 22/29] - Annocheck: Disable reporting future fails by default. - GCC plugin: Always record global notes for the .text.startup, .text.exit, .text.hot and .text.cold sections. - Clang plugin: Add -lLLVM to the build command line. - Annocheck: Improve reporting of missing -D_FORTIFY_SOURCE option. (#1898075) - Annocheck: Improve reporting of missing LTO option. --- annobin.spec | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/annobin.spec b/annobin.spec index 637ba12..f035916 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.41 +Version: 9.46 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -225,7 +225,10 @@ CONFIG_ARGS="$CONFIG_ARGS --without-test" %configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} ${CONFIG_ARGS} || cat config.log -%make_build +# Disable the reporting of future fail results by default - it confuses package maintainers scanning rpmdiff resutls. +# (They can still be enabled via the --test-future command line option). + +%make_build CFLAGS="$CFLAGS -DDISABLE_FUTURE_FAIL" %if %{with annobin_plugin} # Rebuild the plugin(s), this time using the plugin itself! This 
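Review bot: `%make_build CFLAGS="$CFLAGS -DDISABLE_FUTURE_FAIL"` depends on `$CFLAGS` still being set in the shell after `%configure`; a variable given on the make command line replaces the Makefile's own `CFLAGS`, so if it were empty the build would compile with only the define and without the distribution's hardening flags. The plugin rebuild in the same %build section already spells this out as `CXXFLAGS="%{optflags} $BUILD_FLAGS"`, and `%make_build CFLAGS="%{optflags} -DDISABLE_FUTURE_FAIL"` would make this line equally explicit. The new comment could also state the effect for users of the package: annocheck built this way reports future-fail results only when run with `--test-future`.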
@@ -310,6 +313,14 @@ fi #--------------------------------------------------------------------------------- %changelog +* Tue Nov 24 2020 Nick Clifton - 9.46-1 +- Annocheck: Disable reporting future fails by default. +- GCC plugin: Always record global notes for the .text.startup, + .text.exit, .text.hot and .text.cold sections. +- Clang plugin: Add -lLLVM to the build command line. +- Annocheck: Improve reporting of missing -D_FORTIFY_SOURCE option. (#1898075) +- Annocheck: Improve reporting of missing LTO option. + * Tue Nov 10 2020 Nick Clifton - 9.41-1 - Annocheck: Handle gimple compiled binaries. From a99316669788f4f77e14d23abe3f3ad3c1020c3d Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 24 Nov 2020 10:40:46 +0000 Subject: [PATCH 23/29] - Annocheck: Disable reporting future fails by default. - GCC plugin: Always record global notes for the .text.startup, .text.exit, .text.hot and .text.cold sections. - Clang plugin: Add -lLLVM to the build command line. - Annocheck: Improve reporting of missing -D_FORTIFY_SOURCE option. (#1898075) - Annocheck: Improve reporting of missing LTO option. --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index cdaa001..fb9d4da 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /annobin-9.20.tar.xz /annobin-9.39.tar.xz /annobin-9.41.tar.xz +/annobin-9.46.tar.xz diff --git a/sources b/sources index 885c368..10b39ea 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.41.tar.xz) = bd9ecd49abf9cd53b9f9e86563de6f47ec9b5d28ea3e9e30aebb2882daf20256d4f62259d52f603e937ff676a01bf07eb0c8acf8caa83a8b9da503832daecec8 +SHA512 (annobin-9.46.tar.xz) = f040247a48319f7b3c4e897431b3208c6cdf5eba0f1df716297193cd0bff611558f233e3a64ac81218314bda981e3567ad4ca89e3a94ebdbd5a610126b7bbc5d From 86a3a8bd6c93ef1c5d9df9566066046cd76e64c9 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Wed, 20 Jan 2021 11:02:37 +0000 Subject: [PATCH 24/29] Update to annobin 9.59. --- .gitignore | 1 + annobin.spec | 17 ++++++++++++++++- sources | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index fb9d4da..369c7a9 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /annobin-9.39.tar.xz /annobin-9.41.tar.xz /annobin-9.46.tar.xz +/annobin-9.59.tar.xz diff --git a/annobin.spec b/annobin.spec index f035916..0735818 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.46 +Version: 9.59 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -313,6 +313,21 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Jan 20 2021 Nick Clifton - 9.59-1 +- Add a future fail for the presence of RPATH in the dynamic tags. +- Add the ability to disable the warning message about -D_FORTIFY_SOURCE being missing. +- Workaround for elflint problems with PPC compiled files. (#1880634) +- Fix bogus AArch64 test failures. +- Improved testing by annocheck. Add fixed format message mode. +- Fix inconsistency reporting -fcf-protection and -fstack-clash-protection results. +- Add support for -D_FORTIFY_SOURCE=3. +- annocheck: When a binary is produced both by GAS and GCC, select GAS as the real producer. (#1906171) +- annocheck: Improve test for LTO compiled binaries that do not have -Wall annotations. (#1906171) +- annocheck: Mark a missining -D_FORTIFY_SOURCE as a FAIL. +- annocheck: Fix notes analyzer to accept empty PPC64 notes. +- gcc plugin: Tweak generation of end symbols for PPC64 when LTO is active. (#1898075) +- gcc plugin: Add support for GCC 11's cl_vars array. + * Tue Nov 24 2020 Nick Clifton - 9.46-1 - Annocheck: Disable reporting future fails by default. - GCC plugin: Always record global notes for the .text.startup, 
diff --git a/sources b/sources index 10b39ea..8ef90c9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.46.tar.xz) = f040247a48319f7b3c4e897431b3208c6cdf5eba0f1df716297193cd0bff611558f233e3a64ac81218314bda981e3567ad4ca89e3a94ebdbd5a610126b7bbc5d +SHA512 (annobin-9.59.tar.xz) = da4560b84f3be06da37b243addb0f34f6f0b247e8bcfb273c0ecab6f131241e14dddf85546dde2281fb2e4afdec07604ae61102f1a16af9506869a8b6701c5ad From 9b1cf0ac0a938c0358609397b621e356afb60838 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 3 Mar 2021 10:15:20 +0000 Subject: [PATCH 25/29] Annocheck: Fix detection of special function names. (#1934189) Annocheck: FAIL the deliberate use of -fno-stack-protector, but add some exceptions for glibc. (#1923439) Annocheck: Add colour to some messages. Skip the deliberate use of -fno-stack-protector. (#1923439) Annocheck: Fix some problems with tests for missing notes. Add some GO tests to annocheck. --- .gitignore | 1 + annobin.spec | 9 ++++++++- sources | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 369c7a9..48d4e3c 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ /annobin-9.41.tar.xz /annobin-9.46.tar.xz /annobin-9.59.tar.xz +/annobin-9.64.tar.xz diff --git a/annobin.spec b/annobin.spec index 0735818..8cd2ac0 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.59 +Version: 9.64 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark 
@@ -313,6 +313,13 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Mar 03 2021 Nick Clifton - 9.64-1 +- Annocheck: Fix detection of special function names. (#1934189) +- Annocheck: FAIL the deliberate use of -fno-stack-protector, but add some exceptions for glibc. (#1923439) +- Annocheck: Add colour to some messages. Skip the deliberate use of -fno-stack-protector. (#1923439) +- Annocheck: Fix some problems with tests for missing notes. +- Add some GO tests to annocheck. + * Wed Jan 20 2021 Nick Clifton - 9.59-1 - Add a future fail for the presence of RPATH in the dynamic tags. - Add the ability to disable the warning message about -D_FORTIFY_SOURCE being missing. diff --git a/sources b/sources index 8ef90c9..403081f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.59.tar.xz) = da4560b84f3be06da37b243addb0f34f6f0b247e8bcfb273c0ecab6f131241e14dddf85546dde2281fb2e4afdec07604ae61102f1a16af9506869a8b6701c5ad +SHA512 (annobin-9.64.tar.xz) = 7ae7fbaf5d41a2e7e52f8b2bb3aebd8fbb3899f60ba7060bbefcd0aaa1a53656e2aed49d3ce268f3efd53538c9f6545de213f204adefd9e9a87212c55d063db9 From 271c365301a27c0500da58a2aa2964d48f82c5b8 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 5 May 2021 17:13:58 +0100 Subject: [PATCH 26/29] Rebase to 9.71 --- .gitignore | 1 + annobin.spec | 17 ++++++++++++++++- sources | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 48d4e3c..a626c6e 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ /annobin-9.46.tar.xz /annobin-9.59.tar.xz /annobin-9.64.tar.xz +/annobin-9.71.tar.xz diff --git a/annobin.spec b/annobin.spec index 8cd2ac0..7c1cd4e 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.64 +Version: 9.71 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark 
@@ -313,6 +313,21 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed May 05 2021 Nick Clifton - 9.71-1 +- timing: do not initialise the clock if the timing tool is disabled. +- gcc-plugin: Replace ICE messsages with verbose messages. +- Fix the testsuite so that it can be run in parallel. +- Annocheck: WARN if the annobin plugin was built for a newer version of the compiler than the one on which it was run. (#1950657) +- Obsolete annobin < 9.66-1 (bug #1949570) +- Annocheck: Improve detection of missing GNU-stack support. +- Correct a package rename (bug #1949570) +- Require docs subpackage by the other ones because of a license +- Build-requiring perl-interpreter is enough +- Fix bz1949570 +- Fix anomolies reported by covscan. +- Move documentation into a sub-package. +- gcc-plugin: Use a fixed filename when running in LTO mode. + * Wed Mar 03 2021 Nick Clifton - 9.64-1 - Annocheck: Fix detection of special function names. (#1934189) - Annocheck: FAIL the deliberate use of -fno-stack-protector, but add some exceptions for glibc. (#1923439) diff --git a/sources b/sources index 403081f..35f90a6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.64.tar.xz) = 7ae7fbaf5d41a2e7e52f8b2bb3aebd8fbb3899f60ba7060bbefcd0aaa1a53656e2aed49d3ce268f3efd53538c9f6545de213f204adefd9e9a87212c55d063db9 +SHA512 (annobin-9.71.tar.xz) = 406ad934a42248e427139875839ed15e732d5fcac69d30ac55e36f20b916ea0a0ea90fcbfb495db6df6224de8e3ae589163fb9bff9047889fb36ba1781a9d635 From 439eb59b5a5581f654510142c66b4dbba96130ef Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Tue, 13 Jul 2021 15:54:45 +0100 Subject: [PATCH 27/29] Annocheck: Add some more test exceptions. Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573) Tests: Skip objcopy test if objcopy does not support --merge-notes. Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349) gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954) Annocheck: Remove limit on number of input files. clang/llvm plugins: Build with correct security options. Annocheck: Better detection of GO compiler version. Annocheck: Better support for symbolic links. Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584) Annocheck: Improve detection of shared libraries. (#1958954) Annocheck: Accept 0 as a valid number for gcc minor versions and release numbers. gcc-plugin: Add support for ARM and RISCV targets. --- .gitignore | 1 + annobin.spec | 20 +++++++++++++++++--- annocheck-no-build-with-plugin.patch | 21 +++++++++++++++++++++ sources | 2 +- 4 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 annocheck-no-build-with-plugin.patch diff --git a/.gitignore b/.gitignore index a626c6e..9a8ae40 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ /annobin-9.59.tar.xz /annobin-9.64.tar.xz /annobin-9.71.tar.xz +/annobin-9.81.tar.xz diff --git a/annobin.spec b/annobin.spec index 7c1cd4e..c176cb9 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.71 +Version: 9.81 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark 
@@ -53,8 +53,7 @@ License: GPLv3+ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git -# Insert patches here, if needed. -# Patch01: annobin-xxx.patch +Patch01: annocheck-no-build-with-plugin.patch #--------------------------------------------------------------------------------- @@ -313,6 +312,21 @@ fi #--------------------------------------------------------------------------------- %changelog +* Tue Jul 13 2021 Nick Clifton - 9.81-1 +- Annocheck: Add some more test exceptions. +- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573) +- Tests: Skip objcopy test if objcopy does not support --merge-notes. +- Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349) +- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954) +- Annocheck: Remove limit on number of input files. +- clang/llvm plugins: Build with correct security options. +- Annocheck: Better detection of GO compiler version. +- Annocheck: Better support for symbolic links. +- Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584) +- Annocheck: Improve detection of shared libraries. (#1958954) +- Annocheck: Accept 0 as a valid number for gcc minor versions and release numbers. +- gcc-plugin: Add support for ARM and RISCV targets. + * Wed May 05 2021 Nick Clifton - 9.71-1 - timing: do not initialise the clock if the timing tool is disabled. - gcc-plugin: Replace ICE messsages with verbose messages. diff --git a/annocheck-no-build-with-plugin.patch b/annocheck-no-build-with-plugin.patch new file mode 100644 index 0000000..6e29f66 --- /dev/null +++ b/annocheck-no-build-with-plugin.patch 
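Review bot: `Patch01: annocheck-no-build-with-plugin.patch` replaces the placeholder comment without saying why the patch is carried, and the changelog entry added in this commit does not mention it either. The patch drops `-fplugin=annobin` from `annocheck_CFLAGS` in both `Makefile.am` and `Makefile.in`, so annocheck is compiled with the plugin only if the build flags add it; a comment such as `# Do not hard-code -fplugin=annobin for annocheck; plugin use is decided by the annobin_plugin bcond.` would record that, assuming this is the intent. It would also help to note whether the change has been sent upstream, so the patch can be dropped on a later rebase.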
@@ -0,0 +1,21 @@ +diff -rup annobin.orig/annocheck/Makefile.am annobin-9.81/annocheck/Makefile.am +--- annobin.orig/annocheck/Makefile.am 2021-07-13 15:47:16.345084083 +0100 ++++ annobin-9.81/annocheck/Makefile.am 2021-07-13 15:48:12.145778656 +0100 +@@ -9,4 +9,4 @@ bin_PROGRAMS = annocheck + annocheck_SOURCES = annocheck.c timing.c size.c notes.c hardened.c built-by.c annocheck.h ../annobin-global.h + annocheck_LDADD = -lelf -ldw $(RPMLIBS) -liberty $(LIBDEBUGINFOD) + annocheck_LDFLAGS = -Wl,-z,now +-annocheck_CFLAGS = -O2 -ansi -g -Wall -Werror -fpie -D_FORTIFY_SOURCE=2 -fplugin=annobin -fstack-protector-strong ++annocheck_CFLAGS = -O2 -ansi -g -Wall -Werror -fpie -D_FORTIFY_SOURCE=2 -fstack-protector-strong +diff -rup annobin.orig/annocheck/Makefile.in annobin-9.81/annocheck/Makefile.in +--- annobin.orig/annocheck/Makefile.in 2021-07-13 15:47:16.345084083 +0100 ++++ annobin-9.81/annocheck/Makefile.in 2021-07-13 15:48:24.098713222 +0100 +@@ -334,7 +334,7 @@ AUTOMAKE_OPTIONS = no-dependencies + annocheck_SOURCES = annocheck.c timing.c size.c notes.c hardened.c built-by.c annocheck.h ../annobin-global.h + annocheck_LDADD = -lelf -ldw $(RPMLIBS) -liberty $(LIBDEBUGINFOD) + annocheck_LDFLAGS = -Wl,-z,now +-annocheck_CFLAGS = -O2 -ansi -g -Wall -Werror -fpie -D_FORTIFY_SOURCE=2 -fplugin=annobin -fstack-protector-strong ++annocheck_CFLAGS = -O2 -ansi -g -Wall -Werror -fpie -D_FORTIFY_SOURCE=2 -fstack-protector-strong + all: all-am + + .SUFFIXES: diff --git a/sources b/sources index 35f90a6..5e23609 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.71.tar.xz) = 406ad934a42248e427139875839ed15e732d5fcac69d30ac55e36f20b916ea0a0ea90fcbfb495db6df6224de8e3ae589163fb9bff9047889fb36ba1781a9d635 +SHA512 (annobin-9.81.tar.xz) = 67d98292eab0f24b9c30cdd6d1fe425d8933706d491247740df03d784e7ae5359bce4f91acfa2ba589718596638bc0272a9848208307c58af062eafbba848249 From e14a54023c9c26a036ca31851b6c56b37eeb6c26 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Fri, 23 Jul 2021 13:48:26 +0100 Subject: [PATCH 28/29] Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995) --- .gitignore | 1 + annobin.spec | 6 +++++- sources | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 9a8ae40..3b8f264 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ /annobin-9.64.tar.xz /annobin-9.71.tar.xz /annobin-9.81.tar.xz +/annobin-9.83.tar.xz diff --git a/annobin.spec b/annobin.spec index c176cb9..75cbad0 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,7 +1,7 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.81 +Version: 9.83 Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark @@ -312,6 +312,10 @@ fi #--------------------------------------------------------------------------------- %changelog +* Fri Jul 23 2021 Nick Clifton - 9.83-1 +- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995) +- Annocheck: Add another test exceptions. + * Tue Jul 13 2021 Nick Clifton - 9.81-1 - Annocheck: Add some more test exceptions. - Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573) diff --git a/sources b/sources index 5e23609..b661f6e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.81.tar.xz) = 67d98292eab0f24b9c30cdd6d1fe425d8933706d491247740df03d784e7ae5359bce4f91acfa2ba589718596638bc0272a9848208307c58af062eafbba848249 +SHA512 (annobin-9.83.tar.xz) = 346897f99712869bfb8d0444cc708a8b9553c8722636e35ff0b76d3bd4ee5f1a455063bae62be54a8790ba411e634b1448d81b6d3b0f06ed8394815438f2d367 From 0243a53cf1e70c421bbb2ce23e1f36449f530772 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Tue, 6 Dec 2022 12:45:29 +0000 Subject: [PATCH 29/29] Rebase to 10.94 --- .gitignore | 1 + annobin.spec | 527 +++++++++++++++++++++++++++++++++++++++++---------- sources | 2 +- 3 files changed, 434 insertions(+), 96 deletions(-) diff --git a/.gitignore b/.gitignore index 3b8f264..9ffb687 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /annobin-9.71.tar.xz /annobin-9.81.tar.xz /annobin-9.83.tar.xz +/annobin-10.94.tar.xz diff --git a/annobin.spec b/annobin.spec index 75cbad0..a463bdc 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,16 +1,17 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.83 +Version: 10.94 Release: 1%{?dist} License: GPLv3+ -# ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark +URL: https://sourceware.org/annobin/ # Maintainer: nickc@redhat.com +# Watermark Protocol: https://fedoraproject.org/wiki/Toolchain/Watermark #--------------------------------------------------------------------------------- -# Use "--without tests" to disable the testsuite. -%bcond_without tests +# Use "--with tests" to enable the testsuite. +%bcond_with tests # Use "--without annocheck" to disable the installation of the annocheck program. %bcond_without annocheck 
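Review bot: Changing `%bcond_without tests` to `%bcond_with tests` means the testsuite no longer runs in a default build, and neither the updated comment nor the commit message gives the reason. For a package whose job is to record and check hardening options, that removes a build-time check that the rebased plugin and annocheck still behave correctly on this branch. I would add the reason next to the option, e.g. `# Tests are off by default because <reason>; run a "--with tests" build before release.`, or keep `%bcond_without tests` and skip only the cases that fail here.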
@@ -50,13 +51,147 @@ License: GPLv3+ #--------------------------------------------------------------------------------- -Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz +%global annobin_sources annobin-%{version}.tar.xz +Source: https://nickc.fedorapeople.org/%{annobin_sources} # For the latest sources use: git clone git://sourceware.org/git/annobin.git -Patch01: annocheck-no-build-with-plugin.patch +# This is where a copy of the sources will be installed. +%global annobin_source_dir %{_usrsrc}/annobin + +# Patch01: annocheck-no-build-with-plugin.patch #--------------------------------------------------------------------------------- +# Make sure that the necessary sub-packages are built. + +%if %{with gccplugin} +Requires: %{name}-plugin-gcc +%endif + +%if %{with llvmplugin} +Requires: %{name}-plugin-llvm +%endif + +%if %{with clangplugin} +Requires: %{name}-plugin-clang +%endif + +#--------------------------------------------------------------------------------- + +%description +This package contains the tools needed to annotate binary files created by +compilers, and also the tools needed to examine those annotations. + +%if %{with gccplugin} +One of the tools is a plugin for GCC that records information about the +security options that were in effect when the binary was compiled. + +Note - the plugin is automatically enabled in gcc builds via flags +provided by the redhat-rpm-macros package. +%endif + +%if %{with clangplugin} +One of the tools is a plugin for Clang that records information about the +security options that were in effect when the binary was compiled. +%endif + +%if %{with llvmplugin} +One of the tools is a plugin for LLVM that records information about the +security options that were in effect when the binary was compiled. +%endif + +%if %{with annocheck} +One of the tools is a security checker which analyses the notes present in +annotated files and reports on any missing security options. 
+%endif + +#--------------------------------------------------------------------------- + +# Now that we have sub-packages for all of the plugins and for annocheck, +# there are no executables left to go into the "annobin" rpm. But top-level +# packages cannot have "BuildArch: noarch" if sub-packages do have +# architecture requirements, and rpmlint generates an error if an +# architecture specific rpm does not contain any binaries. So instead all of +# the documentation has been moved into an architecture neutral sub-package, +# and there no longer is a top level annobin rpm at all. + +%package docs +Summary: Documentation and shell scripts for use with annobin +BuildArch: noarch +# The documentation uses pod2man... +BuildRequires: perl-interpreter perl-podlators gawk make sharutils + +%description docs +Provides the documentation files and example shell scripts for use with annobin. + +#---------------------------------------------------------------------------- +%if %{with tests} + +%package tests +Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin +Requires: %{name}-docs = %{version}-%{release} + +%description tests +Provides a means to test the generation of annotated binaries and the parsing +of the resulting files. 
+ +BuildRequires: make + +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif + +%endif + +#---------------------------------------------------------------------------- +%if %{with annocheck} + +%package annocheck +Summary: A tool for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make + +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif + +Requires: %{name}-docs = %{version}-%{release} +Requires: cpio rpm + +%description annocheck +Installs the annocheck program which uses the notes generated by annobin to +check that the specified files were compiled with the correct security +hardening options. + +%package libannocheck +Summary: A library for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make + +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif + +Requires: %{name}-docs = %{version}-%{release} +Requires: binutils-devel + +%description libannocheck +Installs the libannocheck library which uses the notes generated by the +annobin plugins to check that the specified files were compiled with the +correct security hardening options. + +%endif + +#---------------------------------------------------------------------------- +%if %{with gccplugin} + +%package plugin-gcc +Summary: annobin gcc plugin + +Requires: %{name}-docs = %{version}-%{release} +Conflicts: %{name} <= 9.60-1 +BuildRequires: gcc-c++ gcc-plugin-devel + # [Stolen from gcc-python-plugin] # GCC will only load plugins that were built against exactly that build of GCC # We thus need to embed the exact GCC version as a requirement within the 
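Review bot: In the new `%package tests` section, `BuildRequires: make` and the `%if %{with debuginfod}` / `BuildRequires: elfutils-debuginfod-client-devel` block come after the body of `%description tests`, so rpm will most likely read them as description text rather than as build dependencies. The `annocheck` and `libannocheck` sub-packages in this hunk put their `BuildRequires:` between `Summary:` and `%description`, and the tests package should follow the same layout. Move `BuildRequires: make` and the debuginfod conditional directly under `Requires: %{name}-docs = %{version}-%{release}`, before `%description tests`. The `plugin-gcc` preamble that starts at the end of this hunk continues outside it.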
@@ -101,7 +236,7 @@ Patch01: annocheck-no-build-with-plugin.patch %global gcc_major 0 %endif -# This is a gcc plugin, hence gcc is required. +# For a gcc plugin gcc is required. %if %{with_hard_gcc_version_requirement} # BZ 1607430 - There is an exact requirement on the major version of gcc. Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) 
@@ -109,74 +244,54 @@ Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) Requires: gcc %endif -BuildRequires: gcc gcc-plugin-devel gcc-c++ -# The documentation uses pod2man... -BuildRequires: perl perl-podlators -%if %{with clangplugin} -BuildRequires: clang clang-devel llvm llvm-devel compiler-rt gawk +# Information about the gcc plugin is recorded in this file. +%global aver annobin-plugin-version-info + +%description plugin-gcc +Installs an annobin plugin that can be used by gcc. + %endif + +#--------------------------------------------------------------------------------- %if %{with llvmplugin} -BuildRequires: clang clang-devel llvm llvm-devel compiler-rt gawk + +%package plugin-llvm +Summary: annobin llvm plugin + +Requires: %{name}-docs = %{version}-%{release} +Requires: llvm-libs +Conflicts: %{name} <= 9.60-1 +BuildRequires: clang clang-devel llvm llvm-devel compiler-rt + +%description plugin-llvm +Installs an annobin plugin that can be used by LLVM tools. + %endif -%description -Provides a plugin for GCC that records extra information in the files -that it compiles. - -Note - the plugin is automatically enabled in gcc builds via flags -provided by the redhat-rpm-macros package. - +#--------------------------------------------------------------------------------- %if %{with clangplugin} -Also provides a plugin for Clang which performs a similar function. -%endif -%if %{with llvmplugin} -Also provides a plugin for LLVM which performs a similar function. 
-%endif +%package plugin-clang +Summary: annobin clang plugin -#--------------------------------------------------------------------------------- -%if %{with tests} +Requires: %{name}-docs = %{version}-%{release} +Requires: llvm-libs +Conflicts: %{name} <= 9.60-1 +BuildRequires: clang clang-devel llvm llvm-devel compiler-rt -%package tests -Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin - -%description tests -Provides a means to test the generation of annotated binaries and the parsing -of the resulting files. +%description plugin-clang +Installs an annobin plugin that can be used by Clang. %endif #--------------------------------------------------------------------------------- -%if %{with annocheck} -%package annocheck -Summary: A tool for checking the security hardening status of binaries - -BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel -%if %{with debuginfod} -BuildRequires: elfutils-debuginfod-client-devel -%endif - -%description annocheck -Installs the annocheck program which uses the notes generated by annobin to -check that the specified files were compiled with the correct security -hardening options. - -%endif - -#--------------------------------------------------------------------------------- +# Decide where the plugins will live. Change if necessary. %global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) -%if %{with clangplugin} || %{with llvmplugin} -# FIXME: We currently assume that the first directory listed in clang's -# search directory output is the one that we should use for plugins. -# This might not be correct. -# The gensub() below is because without it $2 would look like: -# " =/usr/lib64/clang/8.0.0" -# Note - we install LLVM plugins into the same directory as Clang plugins. 
-%global ANNOBIN_CLANG_PLUGIN_DIR %(clang --print-search-dirs | gawk -e'BEGIN { FS = ":" } /libraries/ { print gensub(" =","",1,$2) } END { }') -%endif +%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/plugins} +%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/plugins} #--------------------------------------------------------------------------------- @@ -202,11 +317,17 @@ touch doc/annobin.info %build -CONFIG_ARGS= +CONFIG_ARGS="--quiet" %if %{with debuginfod} CONFIG_ARGS="$CONFIG_ARGS --with-debuginfod" %else +# Note - we explicitly disable debuginfod support if it was not configured. +# This is because by default annobin's configue script will assume --with-debuginfod=auto +# and then run a build time test to see if debugingfod is available. It +# may well be, but the build time environment may not match the run time +# environment, and the rpm will not have a Requirement on the debuginfod +# client. CONFIG_ARGS="$CONFIG_ARGS --without-debuginfod" %endif 
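Review bot: The new `plugin-llvm` and `plugin-clang` packages declare `Requires: llvm-libs` with no version, while the gcc plugin keeps its exact `(gcc >= %{gcc_major} with gcc < %{gcc_next})` requirement. The changelog added by this patch lists rebuilds for new LLVM releases, which suggests (not confirmed from this page) that these plugins are just as tied to the LLVM they were built against. If so, an update of llvm-libs alone could leave a plugin that no longer loads, and binaries would be built without their hardening notes. Consider a bounded requirement in the same style, e.g. `Requires: (llvm-libs >= LLVM_MAJOR with llvm-libs < LLVM_NEXT)`, where both names are placeholders for values captured at build time. The sub-package sections here are bounded by `%if`/`%endif` pairs that are all inside the hunk.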
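Review bot: The comment added above `--without-debuginfod` contains two typos, `configue` and `debugingfod`; it should read `annobin's configure script` and `to see if debuginfod is available`. The reasoning in the comment is worth keeping as written: a build-time auto-probe must not create a run-time dependency that the rpm does not declare. The `%build` script continues outside this hunk.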
@@ -214,68 +335,105 @@ CONFIG_ARGS="$CONFIG_ARGS --without-debuginfod" CONFIG_ARGS="$CONFIG_ARGS --with-clang" %endif +%if %{without gccplugin} +CONFIG_ARGS="$CONFIG_ARGS --without-gcc-plugin" +%else +CONFIG_ARGS="$CONFIG_ARGS --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}" +%endif + %if %{with llvmplugin} CONFIG_ARGS="$CONFIG_ARGS --with-llvm" %endif %if %{without tests} -CONFIG_ARGS="$CONFIG_ARGS --without-test" +CONFIG_ARGS="$CONFIG_ARGS --without-tests" %endif -%configure --quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} ${CONFIG_ARGS} || cat config.log +%if %{without annocheck} +CONFIG_ARGS="$CONFIG_ARGS --without-annocheck" +%endif -# Disable the reporting of future fail results by default - it confuses package maintainers scanning rpmdiff resutls. -# (They can still be enabled via the --test-future command line option). +%set_build_flags -%make_build CFLAGS="$CFLAGS -DDISABLE_FUTURE_FAIL" +export CFLAGS="$CFLAGS $RPM_OPT_FLAGS %build_cflags" +export LDFLAGS="$LDFLAGS %build_ldflags" -%if %{with annobin_plugin} +%ifarch %{ix86} x86_64 +# FIXME: There should be a better way to do this. +export CLANG_TARGET_OPTIONS="-fcf-protection" +%endif + +CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" CXXFLAGS="$CFLAGS" %configure ${CONFIG_ARGS} || cat config.log + +%make_build + +%if %{with plugin_rebuild} # Rebuild the plugin(s), this time using the plugin itself! This # ensures that the plugin works, and that it contains annotations # of its own. + +%if %{with gccplugin} cp gcc-plugin/.libs/annobin.so.0.0.0 %{_tmppath}/tmp_annobin.so make -C gcc-plugin clean BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so" # Disable the standard annobin plugin so that we do get conflicts. -# Note: the "-fplugin=annobin" is here, despite the fact that it will also -# be automatically added to the gcc command line via -# "-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1" because of a bug in gcc's -# plugin command line options handling. 
GCC will issue an error saying that -# there is no plugin called "annobin" matching the -fplugin-arg-annobin-disable -# option, despite the fact that there patently is. -BUILD_FLAGS="$BUILD_FLAGS -fplugin=annobin -fplugin-arg-annobin-disable" +OPTS="$(rpm --eval '%undefine _annotated_build %build_cflags %build_ldflags')" -# If building on RHEL7, enable the next option as the .attach_to_group -# assembler pseudo op is not available in the assembler. -BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" +# If building on systems with an assembler that does not support the +# .attach_to_group pseudo op (eg RHEL-7) then enable the next line. +# BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" -make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" +make -C gcc-plugin CXXFLAGS="$OPTS $BUILD_FLAGS" rm %{_tmppath}/tmp_annobin.so %endif %if %{with clangplugin} cp clang-plugin/annobin-for-clang.so %{_tmppath}/tmp_annobin.so -make -C clang-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" +make -C clang-plugin all CXXFLAGS="$OPTS $BUILD_FLAGS" %endif %if %{with llvmplugin} cp llvm-plugin/annobin-for-llvm.so %{_tmppath}/tmp_annobin.so -make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" +make -C llvm-plugin all CXXFLAGS="$OPTS $BUILD_FLAGS" +%endif + +# endif for %%if {with_plugin_rebuild} %endif #--------------------------------------------------------------------------------- -# PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles... %install -%make_install PLUGIN_INSTALL_DIR=$RPM_BUILD_ROOT%{ANNOBIN_CLANG_PLUGIN_DIR} -%{__rm} -f %{buildroot}%{_infodir}/dir + +# PLUGIN_INSTALL_DIR is used by the Clang and LLVM makefiles... +%make_install PLUGIN_INSTALL_DIR=%{buildroot}/%{llvm_plugin_dir} + +%if %{with clangplugin} +# Move the clang plugin to a seperate directory. 
+mkdir -p %{buildroot}/%{clang_plugin_dir} +mv %{buildroot}/%{llvm_plugin_dir}/annobin-for-clang.so %{buildroot}/%{clang_plugin_dir} +%endif + +%if %{with gccplugin} +# Record the version of gcc that built this plugin. +# Note - we cannot just store %%{gcc_vr} as sometimes the gcc rpm version changes +# without the NVR being altered. See BZ #2030671 for more discussion on this. +mkdir -p %{buildroot}/%{ANNOBIN_GCC_PLUGIN_DIR} +cat `gcc --print-file-name=rpmver` > %{buildroot}/%{ANNOBIN_GCC_PLUGIN_DIR}/%{aver} + +# Also install a copy of the sources into the build tree. +mkdir -p %{buildroot}%{annobin_source_dir} +cp %{_sourcedir}/%{annobin_sources} %{buildroot}%{annobin_source_dir}/latest-annobin.tar.xz +%endif + +rm -f %{buildroot}%{_infodir}/dir #--------------------------------------------------------------------------------- %if %{with tests} %check -# On RHEL7 the assembler does not support all of the annobin tests. +# Change the following line to "make check || :" on RHEL7 or if you need to see the +# test suite logs in order to diagnose a test failure. make check || : if [ -f tests/test-suite.log ]; then cat tests/test-suite.log 
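Review bot: The new configure line ends in `|| cat config.log`, so when configure fails the log is printed, `cat` succeeds, and the script carries on to `%make_build` with the failure discarded. Make it fatal by ending the line with `%configure ${CONFIG_ARGS} || { cat config.log; exit 1; }`. The `%check` section has the same problem: the rewritten comment says to change the following line to `make check || :`, but the line already is `make check || :`, so test failures never fail the build and the comment contradicts the command. Either restore a plain `make check` or reword the comment to say failures are deliberately ignored. `%build` begins before this hunk and `%check` ends after it.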
@@ -284,34 +442,213 @@ fi #--------------------------------------------------------------------------------- -%files -%{ANNOBIN_GCC_PLUGIN_DIR} +%files docs %license COPYING3 LICENSE %exclude %{_datadir}/doc/annobin-plugin/COPYING3 %exclude %{_datadir}/doc/annobin-plugin/LICENSE %doc %{_datadir}/doc/annobin-plugin/annotation.proposal.txt -%doc %{_infodir}/annobin.info.gz -%doc %{_mandir}/man1/annobin.1.gz -%doc %{_mandir}/man1/built-by.1.gz -%doc %{_mandir}/man1/check-abi.1.gz -%doc %{_mandir}/man1/hardened.1.gz -%doc %{_mandir}/man1/run-on-binaries-in.1.gz +%{_infodir}/annobin.info* +%{_mandir}/man1/annobin.1* +%exclude %{_mandir}/man1/built-by.1* +%exclude %{_mandir}/man1/check-abi.1* +%exclude %{_mandir}/man1/hardened.1* +%exclude %{_mandir}/man1/run-on-binaries-in.1* + +%if %{with llvmplugin} +%files plugin-llvm +%dir %{llvm_plugin_dir} +%{llvm_plugin_dir}/annobin-for-llvm.so +%endif %if %{with clangplugin} -%{ANNOBIN_CLANG_PLUGIN_DIR} +%files plugin-clang +%dir %{clang_plugin_dir} +%{clang_plugin_dir}/annobin-for-clang.so %endif -%if %{with llvmplugin} -%{ANNOBIN_CLANG_PLUGIN_DIR} + +%if %{with gccplugin} +%files plugin-gcc +%dir %{ANNOBIN_GCC_PLUGIN_DIR} +%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so +%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0 +%{ANNOBIN_GCC_PLUGIN_DIR}/annobin.so.0.0.0 +%{ANNOBIN_GCC_PLUGIN_DIR}/%{aver} +%{annobin_source_dir}/latest-annobin.tar.xz %endif %if %{with annocheck} +%files annocheck %{_bindir}/annocheck -%doc %{_mandir}/man1/annocheck.1.gz +%{_mandir}/man1/annocheck.1* + +%files libannocheck +%{_includedir}/libannocheck.h +%{_libdir}/libannocheck.* +%{_libdir}/pkgconfig/libannocheck.pc %endif #--------------------------------------------------------------------------------- %changelog +* Tue Dec 06 2022 Nick Clifton - 10.94-1 +- Rebase to 10.94 +- Annocheck: Better detection of binaries which do not contain code. (#2144533) +- Annocheck: Provide more information when a test is skipped because the file being tested was not compiled. 
+- Annocheck: Try harder not to run mutually exclusive tests. +- Tests: Fix future-test so that it properly handles the situation where the compiler does not support the new options. +- Libannocheck: Actually set result fields after tests are run. +- Libannocheck: Replace libannocheck_version variable with LIBANNOCHECK_VERSION define. +- Libannocheck: Remove 'Requires binutils-devel' from libannocheck.pc. +- Libannocheck: Move into separate sub-package. +- Libannocheck: Add libannocheck.pc pkgconfig file. +- Libannocheck: Add libannocheck_reinit(). +- GCC Plugin: Record -ftrivial-auto-var-init and -fzero-call-used-regs. +- Annocheck: Add future tests for -ftrivial-auto-var-init and -fzero-call-used-regs. +- Clang Plugin: Fix for building with Clang-15. (#2125875) +- Annocheck: Add a test for the inconsistent use of -Ofast. (#1248744) +- Plugin: Fix top level configuration support for RiscV. +- Annocheck: Improvements to the size tool. +- Annocheck: Fixes for libannocheck.h. +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild +- Annocheck: Add automatic profile selection. +- Annocheck: Improve gap detection and reporting. +- Spec File: Use the %%dir directive in the %%files section to ensure that +- plugin directories are useable. (#2080454) +- Spec File: Remove bogus Provides from annobin-docs subpackage. +- Annocheck: Check build-id of separate debuginfo files. +- Annocheck: Add GAPS test replacing --ignore-gaps. +- Annocheck: Fix covscan detected race condition between stat() and open(). +- Annocheck: Handle binaries created by Rust 1.18. (#2094420) +- Annocheck: Add optional function name to --skip arguments. (PR 29229) +- Annocheck: Fix handling of command line options that take arguments. (#2086850) +- Annocheck: Do not complain about unenabled -mbranch-protection option in AArch64 binaries. (#2078909) +- gcc-plugin: Fix typo in configure.ac. +- gcc-plugin: Add support for RISC-V. +- Annocheck: Add another special case for glibc rpms. 
(#2083070) +- Annocheck: Do not complain about unenabled -mbranch-protection option in AArch64 binaries if compiled using LTO. (#2082146) +- Annocheck: Add more glibc exceptions + check PT_TLS segments. (#2081131) +- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries if compiled by golang. +- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries if compiled in LTO mode. +- gcc-plugin: Add support for CLVC_INTEGER options. +- Annocheck: Even more special cases for AArch64 glibc on RHEL-8. (#2072082) +- Annocheck: Add more special cases for AArch64 glibc on RHEL-8. (#2072082) +- llvm-plugin: Fix a thinko in the sources. +- gcc-plugin: Add remap of OPT_Wall. +- configure: Fix typo in top level configure.ac. +- Add support for building using meson+ninja. +- Rebuilt against new LLVM release, with patch. +- Annocheck: Fix test for AArch64 property notes. (#2068657) +- gcc-plugin: Do not issue warning messages for autoconf generated source files. (#2009958) +- Annocheck: Update documentation and fix typo in annocheck. (#2061291) +- Annocheck: Add option to enable/disable following symbolic links. +- Always identify Rust binaries, even if built on a host that does not know about Rust. (#2057737) +- Spec File: Use a different method to disable the annobin plugin (#2054571) +- Annocheck: Skip PIE anf PIC tests for GO binaries. +- gcc-plugin: Fix libtool so that extraneous runpaths are not added to the plugin. (#2030667) +- gcc-plugin: Use canonical_option field of save_decoded_options array. (#2047148) +- Rebuild for new gcc version +- Annocheck: Add an option to disable the use of debuginfod (if available). +- Annocheck: Add more glibc special file names. +- Annocheck: Skip some tests for BPF binaries. +- Annocheck: Add another glibc static library symbol. (#2043047) +- Annocheck: Skip property note test for GO binaries. 
(#204300) +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild +- GCC Plugin: Do not fail if a section cannot be attached to a group. +- Annocheck: Improve detection of kernel modules. +- GCC Plugin: Only default to link-once when using gcc-12 or later. (#2039297) +- Annocheck: Add option to disable instrumentation test. +- GCC Plugin: Replace CLVC_BOOLEAN with CLVC_BIT_SET/CLVC_BIT_CLEAR. +- Rebuild against new GCC. +- Rebuild against new GCC. +- Rebuild against new GCC. +- Annocheck: Add even more glibc function names. (#2037333) +- Annocheck: ARM: Do not fail tests that rely upon annobin notes. +- Annocheck: Extend list of known glibc functions. (#2037333) +- Annocheck: Ignore gaps that contain the _start symbol (for AArch64). (#1995224) +- Annocheck: Ignore more glibc special binaries. (#2037220) +- Annocheck: Do not complaining about missing stack clash notes if the compilation used LTO. (#2034946) +- Annocheck: Add /usr/lib/ld-linux-aarch64.so.1 to the list of known glibc binaries. (#2033255) +- Doc: Note that ENDBR is only needed as the landing pad for indirect branches/calls. (#28705) +- Spec File: Store full gcc version release string in plugin info file. (#2030671) +- Annocheck: Add special case for x86_64 RHEL-7 gaps. (#2031133) +- Annocheck: Do not complaining about missing -mstackrealign notes in LTO mode. (#2030298) +- GCC Plugin: Do not record missing -mstackrealign in LTO mode. (#2030298) +- Tests: Fix fortify and debuginfod tests to use newly built annobin plugin. +- Tests: Fix gaps and stat tests to use newly built annobin plugin. (#2028063) +- Annocheck: Ignore gaps in binaries at least partial built by golang. (#2028583) +- Annocheck: Allow spaces in golang symbols. +- Annocheck: Initial deployment of libannocheck. +- gcc-plugin: Fix bug creating empty attachments. +- Annocheck: Change MAYB result to SKIP for DT_RPATH. (#2026300) +- Annocheck: Skip missing fortify/warning notes for ARM32. 
+- gcc-plugin: Try another fix for ppc64le section grouping. (#2023437) +- gcc-plugin: Revert 10.22 change. (#2023437) +- Annocheck: Add exception for /usr/sbin/ldconfig. (#2022973) +- Annocheck: Add a test for unicode characters in identifiers. +- gcc-plugin: Default to link-order grouping for PPC64LE. (#2016458) +- Annocheck: Do not fail if a --skip- option does not match a known test. +- ldconfig-test: Skip the LTO check. +- Annocheck: Add more glibc function names. +- gcc-plugin: Fix attaching the .text section to the .text.group section. +- Complain about DT_RPATH for Fedora binaries. +- Better reporting of problems in object files. (#2013708) +- Add a requirement on llvm-libs for clang and llvm plugins. (#2014573) +- Fix configuring annocheck without gcc-plugin. +- Annocheck: Better reporting of debuginfod problems. +- Tests: Fix bugs in debuginfod test. +- Annocheck: Add tests based upon recent bug fixes. +- Annocheck: Another tweak to glibc detection code. +- Rebuild for llvm-13.0.0 +- Annocheck: Fix memory corruptions when using --debug-path and when a corrupt note is found. (#20011438) +- Annocheck: Fix MAYB results for mixed GO/C files. +- Annocheck: Move some messages from VERBOSE to VERBOSE2. +- Annocheck: Scan zero-length tool notes. +- Annocheck: Fix covscan detected flaws. +- plugins: Add more required build options. +- Annocheck: Fix cf-prot test to fail if the CET notes are missing. +- Annocheck: Skip gaps in the .plt section. +- Plugins: Add -g option when building LLVM and Clang. +- Annocheck: Add more cases of glibc startup functions. +- Annocheck: Fix covscan detected problems. +- Annocheck: Add --profile=el8. +- gcc-plugin: Conditionalize generation of branch protection note. +- Annocheck: Ignore gaps containing NOP instructions. +- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917) +- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries. 
+- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result. +- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead. +- Annocheck: Fix exit code when tests PASS. +- Documentation: Add node for each hardening test. +- Documentation: Install online. +- Annocheck: Annote FAIL and MAYB results with URL to documentation +- Annocheck: Add --no-urls and --provide-urls options +- Annocheck: Add --help- option. +- Annocheck: Fix fuzzing detected failures. +- Annocheck: Add --profile option. +- Docs: Document --profile option and rpminspect.yaml. +- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures. +- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444) +- spec file: Add the installation of the annobon sources into /usr/src/annobin. +- Annocheck: Fix memory corruption. (#1996963) +- spec file: Add the creation of a gcc-plugin version info file in /usr/lib/rpm/redhat. +- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection. +- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410) +- LLVM Plugin: Allow checks to be selected from the command line. +- Annocheck: Examine DW_AT_producer for -flto. +- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection. +- Annocheck: Add linker generated function for s390x exceptions. (#1981410) +- Annocheck: Generate MAYB results for gaps in notes covering the .text section. (#1991943) +- Annocheck: Close DWARF file descriptors once the debug info is no longer needed. (#1981410) +- LLVM Plugin: Update to build with Clang v13. (Thanks to: Tom Stellard ) +- Rebuild for LLVM 13.0.0-rc1 +- Annocheck: Fix memory corruption. (#1988715) +- Annocheck: Skip certain tests for kernel modules. +- Annocheck: Detect a missing CET note. (#1991931) +- Annocheck: Do not report future fails for AArch64 notes. 
+- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options. +- Annocheck: Process files in command line order. (#1988714) +- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995) + * Fri Jul 23 2021 Nick Clifton - 9.83-1 - Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995) - Annocheck: Add another test exceptions. diff --git a/sources b/sources index b661f6e..a22ea39 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-9.83.tar.xz) = 346897f99712869bfb8d0444cc708a8b9553c8722636e35ff0b76d3bd4ee5f1a455063bae62be54a8790ba411e634b1448d81b6d3b0f06ed8394815438f2d367 +SHA512 (annobin-10.94.tar.xz) = da6cee60c5640ed30ee8c359e0f0450cafd41164a0136144350216403347de90e8ed417b370007f444eba202dcd45e13639c4defcf4e6da90337d4d65f3e2187
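Review bot: `%files plugin-gcc` lists `%{annobin_source_dir}/latest-annobin.tar.xz`, but nothing owns the `%{annobin_source_dir}` directory itself, whereas the llvm, clang and gcc plugin directories in this section each get a `%dir` entry. Add `%dir %{annobin_source_dir}` above the tarball line so the directory has a known owner and is removed with the package. Separately, the new changelog entry splits one item across two bullets: `- Spec File: Use the %%dir directive in the %%files section to ensure that` is followed by `- plugin directories are useable. (#2080454)`, and the second leading `-` should be dropped.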