This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
commit 8f5aca71c1435c9913d5562b8cae68b751dff663
Author: Guillem Jover <[email protected]>
AuthorDate: Sat Jun 4 06:53:39 2022 +0200
Dpkg::Vendor::Debian: Add support for new hardening branch feature
Closes: #1021292
---
man/dpkg-buildflags.pod | 9 +++++++++
scripts/Dpkg/Vendor/Debian.pm | 19 +++++++++++++++++++
scripts/t/Dpkg_BuildFlags.t | 1 +
3 files changed, 29 insertions(+)
diff --git a/man/dpkg-buildflags.pod b/man/dpkg-buildflags.pod
index 9f8d7449e..24625fb89 100644
--- a/man/dpkg-buildflags.pod
+++ b/man/dpkg-buildflags.pod
@@ -536,6 +536,15 @@ Disabling B<stackprotector> will also disable this setting.
 This feature has the same requirements as B<stackprotector>, and in addition also requires gcc 4.9 and later.
+=item B<branch>
+
+This setting (since dpkg 1.22.0; enabled by default) adds B<-fcf-protection>
+on B<amd64> and B<-mbranch-protection=standard> on B<arm64> to
+B<CFLAGS>, B<CXXFLAGS>, B<OBJCFLAGS>, B<OBJCXXFLAGS>,
+B<GCJFLAGS>, B<FFLAGS> and B<FCFLAGS>.
+This adds branch protection to indirect calls, jumps and returns to check
+whether these are valid at run-time.
+
 =item B<relro>
 This setting (since dpkg 1.16.1; enabled by default) adds
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 032518ad1..8d0023aa1 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -143,6 +143,7 @@ sub set_build_features {
 format => 1,
 relro => 1,
 bindnow => 0,
+ branch => 1,
 },
 );
@@ -338,6 +339,12 @@ sub set_build_features {
 # relro not implemented on ia64, hppa.
 $use_feature{hardening}{relro} = 0;
 }
+ if (none { $cpu eq $_ } qw(amd64 arm64)) {
+ # On amd64 use -fcf-protection.
+ # On arm64 use -mbranch-protection=standard.
+ $use_feature{hardening}{branch} = 0;
+ }
+ $flags->set_option_value('hardening-branch-cpu', $cpu);
 # Mask features that might be influenced by other flags.
 if ($flags->get_option_value('optimize-level') == 0) {
@@ -554,6 +561,18 @@ sub _add_build_flags {
 if ($flags->use_feature('hardening', 'bindnow')) {
 $flags->append('LDFLAGS', '-Wl,-z,now');
 }
+
+ # Branch protection
+ if ($flags->use_feature('hardening', 'branch')) {
+ my $cpu = $flags->get_option_value('hardening-branch-cpu');
+ my $flag;
+ if ($cpu eq 'arm64') {
+ $flag = '-mbranch-protection=standard';
+ } elsif ($cpu eq 'amd64') {
+ $flag = '-fcf-protection';
+ }
+ $flags->append($_, $flag) foreach @compile_flags;
+ }
 }
 sub _build_tainted_by {
diff --git a/scripts/t/Dpkg_BuildFlags.t b/scripts/t/Dpkg_BuildFlags.t
index d12ccc065..d9234a9f1 100644
--- a/scripts/t/Dpkg_BuildFlags.t
+++ b/scripts/t/Dpkg_BuildFlags.t
@@ -109,6 +109,7 @@ my %known_features = (
 ) ],
 hardening => [ qw(
 bindnow
+ branch
 format
 fortify
 pie
-- Dpkg.Org's dpkg
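Review bot: In the new branch-protection block of `_add_build_flags`, `$flag` is left undef when `hardening-branch-cpu` is neither `arm64` nor `amd64`, and the `foreach` then appends an undefined value to every variable in `@compile_flags`; whether that path is reachable depends on whether the arch masking added to `set_build_features` runs after the DEB_BUILD_MAINT_OPTIONS overrides are applied, which is outside this hunk. Guarding the append makes the flag emission independent of that ordering: `if (defined $flag) { $flags->append($_, $flag) foreach @compile_flags; }`. It would also help maintainers to note above the block that these options only instrument the generated code (landing pads and return-address hints) and that enforcement depends on the CPU, kernel, runtime and linker actually honouring the markers — with default linker behaviour a single unmarked input object drops the property for the whole output, as far as I recall — e.g. `# These flags only mark the objects; enforcement is up to the toolchain, kernel and CPU.` `_add_build_flags` starts before the hunk.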

