From: Nick Clifton <nickc@redhat.com>
Date: Wed, 30 May 2018 10:48:23 +0000 (+0100)
Subject: Add recording of the -mstackrealign option for i686 binaries
X-Git-Url: https://sourceware.org/git/?a=commitdiff_plain;h=1af5656b1f73fd447d3760aae8bdc5176b052c57;p=annobin.git

Add recording of the -mstackrealign option for i686 binaries
---

diff --git a/doc/annobin.info b/doc/annobin.info
index 9cf532e..9c9e318 100644
--- a/doc/annobin.info
+++ b/doc/annobin.info
@@ -26,7 +26,7 @@ Annotating Binaries: How Was Your Program Built ?
 This manual describes the ANNOBIN plugin, and how you can use it to
 determine what security features were used when building your binary.
 
-   This manual is for 'annobin' (Annobin) version 5.1.
+   This manual is for 'annobin' (Annobin) version 5.9.
 
    This document is distributed under the terms of the GNU Free
 Documentation License version 1.3.  A copy of the license is included in
@@ -625,7 +625,7 @@ File: annobin.info,  Node: Hardening Checks,  Next: Checking Archives,  Prev: AB
        [-not-hardened]
        [-all]
        [-file-type=AUTO|LIB|EXEC|OBJ]
-       [-skip=OPT|STACK|FORT|NOW|RELRO|PIC|OPERATOR|CLASH|CF|CET]
+       [-skip=OPT|STACK|FORT|NOW|RELRO|PIC|OPERATOR|CLASH|CF|CET|REALIGN]
        [-readelf=path]
        [-tmpdir=dir]
        [-]
@@ -736,10 +736,16 @@ compiled with '-O2' or higher and the '-fstack-protector-strong',
           Disables checks for stack clash protection.
 
      'cf'
-          Disables checks for control flow protections.
+          Disables checks for control flow protection.  Note - these
+          checks are only run on x86_64 binaries.
 
      'cet'
-          Disables checks for control flow enforcement.
+          Disables checks for control flow enforcement.  Note - these
+          checks are only run on x86_64 binaries.
+
+     'realign'
+          Disable checks for stack realignment.  Note - these checks are
+          only run on i686 binaries.
 
 '--readelf=path'
 '-r=path'
@@ -1337,7 +1343,7 @@ Node: Using15621
 Node: Who Built Me16136
 Node: ABI Checking18899
 Node: Hardening Checks21016
-Node: Checking Archives24844
-Node: GNU FDL27272
+Node: Checking Archives25105
+Node: GNU FDL27533
 
 End Tag Table
diff --git a/doc/annobin.texi b/doc/annobin.texi
index 56a0208..6e5ecb8 100644
--- a/doc/annobin.texi
+++ b/doc/annobin.texi
@@ -5,9 +5,9 @@
 @setchapternewpage odd
 
 @c man begin INCLUDE
-@set VERSION 5.1
+@set VERSION 5.9
 @set VERSION_PACKAGE (Annobin) 
-@set UPDATED March 2018
+@set UPDATED May 2018
 @c man end
 
 @ifnottex
@@ -715,7 +715,7 @@ hardened.sh
   [@b{--not-hardened}]
   [@b{--all}]
   [@b{--file-type=}@var{auto|lib|exec|obj}]
-  [@b{--skip=}@var{opt|stack|fort|now|relro|pic|operator|clash|cf|cet}]
+  [@b{--skip=}@var{opt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign}]
   [@b{--readelf=}@file{path}]
   [@b{--tmpdir=}@file{dir}]
   [@b{--}]
@@ -834,10 +834,16 @@ Disables checks for @samp{-D_GLIBCXX_ASSERTIONS}.
 Disables checks for stack clash protection.
 
 @item cf
-Disables checks for control flow protections.
+Disables checks for control flow protection.
+Note - these checks are only run on x86_64 binaries.
 
 @item cet
 Disables checks for control flow enforcement.
+Note - these checks are only run on x86_64 binaries.
+
+@item realign
+Disable checks for stack realignment.
+Note - these checks are only run on i686 binaries.
 @end table
 
 @item --readelf=@file{path}
diff --git a/doc/hardened.1 b/doc/hardened.1
index 7b6ec6d..17fb615 100644
--- a/doc/hardened.1
+++ b/doc/hardened.1
@@ -129,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "HARDENED 1"
-.TH HARDENED 1 "2018-04-20" "annobin-1" "RPM Development Tools"
+.TH HARDENED 1 "2018-05-30" "annobin-1" "RPM Development Tools"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,7 +149,7 @@ hardened.sh
   [\fB\-\-not\-hardened\fR]
   [\fB\-\-all\fR]
   [\fB\-\-file\-type=\fR\fIauto|lib|exec|obj\fR]
-  [\fB\-\-skip=\fR\fIopt|stack|fort|now|relro|pic|operator|clash|cf|cet\fR]
+  [\fB\-\-skip=\fR\fIopt|stack|fort|now|relro|pic|operator|clash|cf|cet|realign\fR]
   [\fB\-\-readelf=\fR\fIpath\fR]
   [\fB\-\-tmpdir=\fR\fIdir\fR]
   [\fB\-\-\fR]
@@ -305,10 +305,16 @@ Disables checks for \fB\-D_GLIBCXX_ASSERTIONS\fR.
 Disables checks for stack clash protection.
 .IP "\fBcf\fR" 4
 .IX Item "cf"
-Disables checks for control flow protections.
+Disables checks for control flow protection.
+Note \- these checks are only run on x86_64 binaries.
 .IP "\fBcet\fR" 4
 .IX Item "cet"
 Disables checks for control flow enforcement.
+Note \- these checks are only run on x86_64 binaries.
+.IP "\fBrealign\fR" 4
+.IX Item "realign"
+Disable checks for stack realignment.
+Note \- these checks are only run on i686 binaries.
 .RE
 .RS 4
 .RE
diff --git a/plugin/annobin.cc b/plugin/annobin.cc
index f5b17f1..8c6a32b 100644
--- a/plugin/annobin.cc
+++ b/plugin/annobin.cc
@@ -77,8 +77,8 @@ static char *         compiler_version = NULL;
 static unsigned       verbose_level = 0;
 static char *         annobin_current_filename = NULL;
 static char *         annobin_current_endname  = NULL;
-static unsigned char  annobin_version = 5; /* NB. Keep in sync with version_string below.  */
-static const char *   version_string = N_("Version 5");
+static unsigned char  annobin_version = 6; /* NB. Keep in sync with version_string below.  */
+static const char *   version_string = N_("Version 6");
 static const char *   help_string =  N_("Supported options:\n\
    disable                Disable this plugin\n\
    enable                 Enable this plugin\n\
diff --git a/plugin/x86_64.annobin.cc b/plugin/x86_64.annobin.cc
index 0bff27a..0ff0382 100644
--- a/plugin/x86_64.annobin.cc
+++ b/plugin/x86_64.annobin.cc
@@ -36,9 +36,10 @@
 #define GNU_PROPERTY_X86_ISA_1_AVX512DQ      (1U << 16)
 #define GNU_PROPERTY_X86_ISA_1_AVX512BW      (1U << 17)
 
-static unsigned long global_x86_isa = 0;
-static unsigned long min_x86_isa = 0;
-static unsigned long max_x86_isa = 0;
+static unsigned long  global_x86_isa = 0;
+static unsigned long  min_x86_isa = 0;
+static unsigned long  max_x86_isa = 0;
+static int            global_stack_realign = 0;
 
 #ifdef flag_cet
 static int                     global_cet = -1;
@@ -89,6 +90,16 @@ annobin_record_global_target_notes (void)
 			       "numeric: ABI", NULL, NULL, OPEN);
   annobin_inform (1, "Record global isa of %lx", global_x86_isa);
 
+  {
+    global_stack_realign = ix86_force_align_arg_pointer;
+
+    char buffer [128];
+    unsigned len = sprintf (buffer, "GA%cstack_realign", global_stack_realign ? BOOL_T : BOOL_F);
+    annobin_output_static_note (buffer, len + 1, true, "bool: -mstackrealign status",
+				NULL, NULL, OPEN);
+    annobin_inform (1, "Record global stack realign setting of %s", global_stack_realign ? "false" : "true");
+  }
+			       
 #ifdef flag_cet
   global_cet = flag_cet;
   global_set_switch = flag_cet_switch;
@@ -116,6 +127,16 @@ annobin_target_specific_function_notes (const char * aname, const char * aname_e
 	max_x86_isa = ix86_isa_flags;
     }
 
+  if (ix86_force_align_arg_pointer != global_stack_realign)
+    {
+      char buffer [128];
+      unsigned len = sprintf (buffer, "GA%cstack_realign", ix86_force_align_arg_pointer ? BOOL_T : BOOL_F);
+      annobin_output_static_note (buffer, len + 1, true, "bool: -mstackrealign status",
+				  aname, aname_end, FUNC);
+      annobin_inform (1, "Record function specific stack realign setting of %s for %s",
+		      ix86_force_align_arg_pointer ? "false" : "true", aname);
+    }
+
 #ifdef flag_cet
   if (global_cet != flag_cet)
     fprintf (stderr, "1\n");
diff --git a/scripts/hardened.sh b/scripts/hardened.sh
index 672ea07..1c8f1b3 100755
--- a/scripts/hardened.sh
+++ b/scripts/hardened.sh
@@ -29,7 +29,7 @@
 #    * Allow arguments to command line options to be separated from the
 #      the option name by a space.  Eg: --readelf foobar
 
-version=3.1
+version=3.2
 
 help ()
 {
@@ -61,6 +61,11 @@ Plus for RHEL-8:
 
    -D_GLIBCXX_ASSERTIONS
    -fstack-clash-protection
+
+Plus for x86 binaries:
+   -mstackrealign
+
+Plus for x86_64 binaries:
    -fcf-protection=full
    -mcet
 
@@ -94,7 +99,8 @@ Usage: $prog {files|options}
   -k=clash    --skip=clash     Skip check for stack clash protection.
   -k=cf       --skip=cf        Skip check for control flow protection.
   -k=cet      --skip-cet       Skip check for control flow enforcement technology.
- [These options stack]
+  -k=realign  --skip-realign   Skip check for stack realignment.
+ [These options accumulate]
   
   -i        --ignore-unknown   Silently skip any file that is not an ELF binary.
 
@@ -205,6 +211,7 @@ init ()
     skip_clash=0
     skip_cf=0
     skip_cet=0
+    skip_realign=0
     
     ignore_unknown=0
     scanner=readelf
@@ -327,6 +334,9 @@ parse_args ()
 		    cet)
 			skip_cet=1;
 			;;
+		    realign)
+			skip_realign=1;
+			;;
 		    *)
 			report "unknown argument to $optname: $sk"
 			;;
@@ -417,6 +427,8 @@ scan_files ()
 scan_file ()
 {
     local file
+    local is_x86_64
+    local is_i686
 
     # Paranoia checks - the user should never encounter these.
     if test "x$1" = "x" ;
@@ -468,7 +480,9 @@ scan_file ()
 	return
     fi
 
-    file $file | grep --silent -e ELF
+    file $file > $tmpfile
+
+    grep --silent -e ELF $tmpfile
     if [ $? != 0 ];
     then
 	if [ $ignore_unknown -eq 0 ];
@@ -479,6 +493,22 @@ scan_file ()
 	return
     fi
 
+    grep --silent -e x86-64 $tmpfile
+    if [ $? != 0 ];
+    then
+	is_x86_64=0;
+    else
+	is_x86_64=1;
+    fi
+
+    grep --silent -e 80386 $tmpfile
+    if [ $? != 0 ];
+    then
+	is_i686=0;
+    else
+	is_i686=1;
+    fi
+
     $scanner --wide --notes --debug-dump=info --dynamic --segments $file > $tmpfile 2>&1
     if [ $? != 0 ];
     then
@@ -552,15 +582,25 @@ scan_file ()
 	check_stack_clash
     fi
 
-    if [ $skip_cf -eq 0 ];
+    if [ $is_i686 -ne 0 ];
     then
-	check_control_flow_protection
+	if [ $skip_realign -eq 0 ];
+	then
+	    check_stack_realign
+	fi
     fi
 
-    # FIXME: This check should only be applied to x86_64 binaries...
-    if [ $skip_cet -eq 0 ];
+    if [ $is_x86_64 -ne 0 ];
     then
-	check_control_flow_enforcement_technology
+	if [ $skip_cf -eq 0 ];
+	then
+	    check_control_flow_protection
+	fi
+
+	if [ $skip_cet -eq 0 ];
+	then
+	    check_control_flow_enforcement_technology
+	fi
     fi
 
     # If we found a vulnerable file then consider the check to have failed.
@@ -809,7 +849,7 @@ check_optimization_level ()
 check_for_bind_now ()
 {
     # Look for the DT_BIND_NOW dynamic tag
-    eval hard='($(grep -e BIND_NOW $tmpfile))'
+    eval hard='($(grep -e NOW $tmpfile))'
 
     verbose "BIND_NOW tags: ${hard[*]}"
 
@@ -964,6 +1004,34 @@ check_control_flow_enforcement_technology ()
     fi
 }
 
+check_stack_realign ()
+{
+    # Turn:
+    #   GA+stack_realign:true          0x00000000	OPEN	    Applies to region from 0 to 0x3a
+    # into:
+    #   true
+    eval 'hard=($(grep -e "stack_realign" $tmpfile | cut -f 2 -d ":" | cut -f 1 -d " " | sort -u))'
+
+    verbose "Stack Realign Info: ${hard[*]}"
+
+    if [ ${#hard[*]} -lt 1 ];
+    then
+	maybe "does not record stack realignment setting"
+    else
+	if [ ${#hard[*]} -gt 1 ];
+	then
+	    fail "some parts built without stack realignment enabled"
+	else
+	    if [ "x${hard[0]}" == "xtrue" ];
+	    then
+		pass "compiled with stack realignment enabled"
+	    else
+		fail "compiled with stack realignment disabled"
+	    fi
+	fi
+    fi
+}
+
 
 # Invoke main
 main ${1+"$@"}