Just to share with fellow developers, in particular those who maintain scientific software projects which still quite often come without thorough unit-test batteries.

Within NeuroDebian we have been preparing a package of AFNI (which could now soon be uploaded to Debian proper) which, unfortunately, does not have/ship any test suite. To add oil to the fire, for "proper" building we maintain a separate cmake build infrastructure. Recently I have (blindly) enabled hardening flags and was pleasantly surprised that no major issues popped up.

Yesterday I got a report from users that a command providing a simple 'math' interface fails to compute a simple product:

  $> /usr/lib/afni/bin/ccalc -eval 1000 \* 10
  10.000000

Long story short -- the reason was the combination of optimization (-O1 was enough) + -D_FORTIFY_SOURCE=2 to fall into the "undefined" darkness of the C standard(s) in s*printf() functions (man 3 sprintf, search for "undefined" or NOTES).

Original report: https://sourceware.org/bugzilla/show_bug.cgi?id=7075

In "your" code you could look for some (no multiline or more complex expressions, no snprintf) hits in sprintf with the following grep:

  grep -re 'sprintf(\s*\(\w\+\)\s*,[^,]\+,\s*\1\>' *

Unfortunately codesearch.d.n seems not to support referencing a group in a regexp yet, thus I couldn't search for obvious hits within the archive. If anyone comes up with a proper parser/analyzer to catch those -- I would be very grateful (I am surprised that gcc doesn't issue any warning).

To mitigate this issue, besides reporting upstream, for now I had to disable this fortification with

  DEB_BUILD_HARDENING_FORTIFY := 0

preceding the inclusion of /usr/share/hardening-includes/hardening.make

P.S. Written with the sole hope to save someone unpleasant (or even painful) moments of stepping into this issue on your own.

Best regards,
--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

Archive: http://lists.debian.org/20130920190537.gz27...@onerussian.com
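The pattern the grep above hunts for, sprintf() writing into a buffer that is also one of its %s arguments, shown next to a replacement that keeps working under -O1 -D_FORTIFY_SOURCE=2. This is an added example, not code from the post or from AFNI; the helper names (append_number_aliased, append_number, product_line, overflow_rejected) are made up for the illustration. Note that GCC 7 and later can diagnose the aliased call with -Wrestrict.

```c
#include <stdio.h>
#include <string.h>

/* The pattern described above: the destination buffer is also passed as a
 * %s source argument. The C standard leaves this undefined, and with
 * optimization plus _FORTIFY_SOURCE=2 glibc's checked sprintf may clear or
 * truncate 'buf' before the arguments are read, so the old contents are
 * silently lost. Kept here only to show what the grep matches. */
static void append_number_aliased(char *buf, int n)
{
    sprintf(buf, "%s %d", buf, n);   /* undefined behaviour: buf aliases arg 3 */
}

/* Hardened replacement (hypothetical helper): format into the unused tail
 * of the buffer with an explicit remaining size and never pass 'buf' as a
 * source argument. Returns 0 on success, -1 if the result would not fit,
 * in which case the buffer is left exactly as it was. */
static int append_number(char *buf, size_t size, int n)
{
    size_t used = strlen(buf);
    if (used >= size)
        return -1;
    int rc = snprintf(buf + used, size - used, " %d", n);
    if (rc < 0 || (size_t)rc >= size - used) {
        buf[used] = '\0';   /* roll back any partial, truncated write */
        return -1;
    }
    return 0;
}

/* Build "a * b = <product>" the safe way; returns a static buffer. */
static const char *product_line(int a, int b)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "%d * %d =", a, b);
    append_number(buf, sizeof buf, a * b);
    return buf;
}

/* Returns 1 when an oversized append is refused and the buffer is untouched. */
static int overflow_rejected(void)
{
    char small[8] = "abc";                       /* 5 bytes of room left */
    int rc = append_number(small, sizeof small, 123456); /* " 123456" needs 7 */
    return rc == -1 && strcmp(small, "abc") == 0;
}

int main(void)
{
    char a[32] = "value:";
    append_number_aliased(a, 42);   /* result depends on compiler flags and libc */
    printf("aliased: \"%s\"\n", a);

    char b[32] = "value:";
    append_number(b, sizeof b, 42); /* always "value: 42" */
    printf("safe   : \"%s\"\n", b);

    printf("%s\n", product_line(1000, 10));
    return 0;
}
```

Compiling with and without -O1 -D_FORTIFY_SOURCE=2 shows the aliased line change while the safe one stays stable; the rollback in append_number also turns a silent truncation into a checkable return value, which is the property a package maintainer wants before re-enabling fortification.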