diff --git a/.annobin.metadata b/.annobin.metadata
index 59080ac..298d556 100644
--- a/.annobin.metadata
+++ b/.annobin.metadata
@@ -1 +1 @@
-8f065c03bd8a5b86e99a66cfc9caa28ea362793f SOURCES/annobin-9.65.tar.xz
+3286c3d821187e9d4d9373a100f89ad49368dd50 SOURCES/annobin-10.06.tar.xz
diff --git a/.gitignore b/.gitignore
index 2fcb5e5..1261f3f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/annobin-9.65.tar.xz
+SOURCES/annobin-10.06.tar.xz
diff --git a/SOURCES/annobin-aarch64-branch-protection.patch b/SOURCES/annobin-aarch64-branch-protection.patch
new file mode 100644
index 0000000..56c32da
--- /dev/null
+++ b/SOURCES/annobin-aarch64-branch-protection.patch
@@ -0,0 +1,18 @@
+--- annobin.orig/gcc-plugin/aarch64.annobin.cc 2021-09-29 16:46:01.346694370 +0100
++++ annobin-10.06/gcc-plugin/aarch64.annobin.cc 2021-09-29 17:01:58.087076291 +0100
+@@ -42,6 +42,7 @@ annobin_get_target_pointer_size (void)
+ return 64;
+ }
+
++#ifdef aarch64_branch_protection_string
+ static void
+ record_branch_protection_note (bool is_global, annobin_function_info * info)
+ {
+@@ -70,6 +71,7 @@ record_branch_protection_note (bool is_g
+ annobin_output_note (buffer, len + 1, true, "string: -mbranch-protection status",
+ is_global, info);
+ }
++#endif
+
+ void
+ annobin_record_global_target_notes (annobin_function_info * info)
diff --git a/SOURCES/annobin-glibc-test-skip-lto.patch b/SOURCES/annobin-glibc-test-skip-lto.patch
new file mode 100644
index 0000000..673b19d
--- /dev/null
+++ b/SOURCES/annobin-glibc-test-skip-lto.patch
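Review bot: The `#ifdef aarch64_branch_protection_string` / `#endif` pair added by annobin-aarch64-branch-protection.patch compiles out record_branch_protection_note() with no comment and no fallback, so a build where that macro is undefined would produce objects with no `-mbranch-protection status` note and annocheck would have nothing to check PAC/BTI against. Only the function definition is guarded in the two inner hunks; any call in annobin_record_global_target_notes(), whose body lies outside the hunk, needs the same guard, which cannot be confirmed from here. I would put the reason on the guard itself, e.g. `/* aarch64_branch_protection_string is not provided by every GCC; without it no branch-protection note is recorded. */` (reason to be confirmed by the author), and mention the patch in the spec changelog.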
@@ -0,0 +1,11 @@
+--- annobin.orig/tests/glibc-notes-test 2021-09-29 16:46:01.347694363 +0100
++++ annobin-10.06/tests/glibc-notes-test 2021-09-29 16:46:42.253411494 +0100
+@@ -44,7 +44,7 @@ $GCC -pie -Wl,-z,now hello.o hello2.o he
+
+ # Run annocheck
+
+-$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps --skip-entry --skip-dynamic-tags > glibc-notes.out
++$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps --skip-entry --skip-dynamic-tags --skip-lto > glibc-notes.out
+ grep -e "PASS" glibc-notes.out
+ if [ $? != 0 ];
+ then
diff --git a/SOURCES/annobin-nop.patch b/SOURCES/annobin-nop.patch
new file mode 100644
index 0000000..0478c64
--- /dev/null
+++ b/SOURCES/annobin-nop.patch
@@ -0,0 +1,12 @@
+diff -rup annobin.orig/gcc-plugin/annobin.cc annobin-9.72/gcc-plugin/annobin.cc
+--- annobin.orig/gcc-plugin/annobin.cc 2021-05-17 17:25:32.693441649 +0100
++++ annobin-9.72/gcc-plugin/annobin.cc 2021-05-17 17:25:50.176331776 +0100
+@@ -1722,7 +1722,7 @@ annobin_emit_start_sym_and_version_note
+ Ensure that we do not have empty special text sections so that the
+ annobin start symbols are never beyond the end of the sections. */
+ if (* suffix && enable_ppc64_nops)
+- annobin_emit_asm (".nop", "Inserted by the annobin plugin. Disable with -fplugin-arg-annobin-no-ppc64-nops");
++ annobin_emit_asm ("nop", "Inserted by the annobin plugin. Disable with -fplugin-arg-annobin-no-ppc64-nops");
+ }
+ else
+ fprintf (asm_out_file, "\t.equiv %s%s, .\n", annobin_output_filesym, suffix);
diff --git a/SOURCES/annobin-skip-stack-prot.patch b/SOURCES/annobin-skip-stack-prot.patch
deleted file mode 100644
index 2536c63..0000000
--- a/SOURCES/annobin-skip-stack-prot.patch
+++ /dev/null
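Review bot: The `--skip-lto` added to the annocheck invocation in annobin-glibc-test-skip-lto.patch is the seventh skip/ignore switch on that command line, and nothing says why the LTO check cannot run against glibc-notes.exe. Every extra skip narrows what this test can catch, so a regression in the LTO check would pass unnoticed here. I would add a comment above the command in the test script, e.g. `# --skip-lto: <reason the hello objects fail the LTO check>`, and give the patch file a short description with its upstream status.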
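Review bot: annobin-nop.patch has no description, and its header still names `annobin-9.72/gcc-plugin/annobin.cc` with May 2021 timestamps although the spec now builds 10.06, so the page does not show whether the change from `".nop"` to `"nop"` is still missing upstream or only applies with fuzz. The changed string is what the plugin passes to annobin_emit_asm() when `enable_ppc64_nops` is set, so a stale or mis-applied hunk there would affect every annotated object on that target. I would add a leading line to the patch such as `# Emit a nop instruction rather than the .nop directive; upstream status: <commit or bug id>` and regenerate it against the 10.06 tree. The enclosing function starts and ends outside the hunk.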
@@ -1,31 +0,0 @@ -diff --git a/annocheck/hardened.c b/annocheck/hardened.c -index d41c740..83645a7 100644 ---- a/annocheck/hardened.c -+++ b/annocheck/hardened.c -@@ -3523,8 +3523,12 @@ finish (annocheck_data * data) - case TEST_STACK_PROT: - if (per_file.current_tool == TOOL_GO) - skip (data, i, SOURCE_FINAL_SCAN, "GO is stack safe"); -+ else if (per_file.seen_tools == TOOL_GAS -+ || (per_file.gcc_from_comment && per_file.seen_tools == (TOOL_GAS | TOOL_GCC))) -+ skip (data, i, SOURCE_FINAL_SCAN, "no compiled code found"); - else if (is_C_compiler (per_file.seen_tools)) -- maybe (data, i, SOURCE_FINAL_SCAN, "no valid notes found regarding this test"); -+ /* The skip is necessary because some glibc code is built this way. */ -+ skip (data, i, SOURCE_FINAL_SCAN, "no notes found regarding this feature"); - else - skip (data, i, SOURCE_FINAL_SCAN, "not compiled code"); - break; -diff --git a/tests/glibc-notes-test b/tests/glibc-notes-test -index ab9e639..8496af8 100755 ---- a/tests/glibc-notes-test -+++ b/tests/glibc-notes-test -@@ -31,7 +31,7 @@ $GCC -pie -Wl,-z,now hello.o hello2.o hello3.o -L. -lhello -o glibc-notes.exe - - # Run annocheck - --$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --ignore-gaps > glibc-notes.out -+$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps > glibc-notes.out - grep -e "PASS" glibc-notes.out - if [ $? != 0 ]; - then diff --git a/SPECS/annobin.spec b/SPECS/annobin.spec index d02ac21..65b6591 100644 --- a/SPECS/annobin.spec +++ b/SPECS/annobin.spec @@ -1,8 +1,8 @@ Name: annobin Summary: Annotate and examine compiled binary files -Version: 9.65 -Release: 1%{?dist}.0.1 +Version: 10.06 +Release: 1%{?dist} License: GPLv3+ # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark # Maintainer: nickc@redhat.com 
@@ -55,7 +55,9 @@ Source: annobin-%{version}.tar.xz # For the latest sources use: git clone git://sourceware.org/git/annobin.git # Insert patches here, if needed. -Patch01: annobin-skip-stack-prot.patch +Patch01: annobin-nop.patch +Patch02: annobin-glibc-test-skip-lto.patch +Patch03: annobin-aarch64-branch-protection.patch #--------------------------------------------------------------------------------- @@ -278,6 +280,7 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS" # Change the following line to "make check || :" on RHEL7 or if you need to see the # test suite logs in order to diagnose a test failure. make check + if [ -f tests/test-suite.log ]; then cat tests/test-suite.log fi 
@@ -317,6 +320,69 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed Sep 29 2021 Nick Clifton - 10.06-1 +- Rebase to 10.06. (#2002351) +- GCC Plugin: Fix detection of running inside the LTO compiler. (#2004917) +- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries. +- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result. +- Annocheck: Do not set CFLAGS/LDFLAGS when building. Take from environment instead. +- Annocheck: Fix exit code when tests PASS. +- Documentation: Add node for each hardening test. +- Documentation: Install online. +- Annocheck: Annote FAIL and MAYB results with URL to documentation +- Annocheck: Add --no-urls and --provide-urls options +- Annocheck: Add --help- option. +- Annocheck: Fix fuzzing detected failures. +- Annocheck: Add --profile option. +- Docs: Document --profile option and rpminspect.yaml. +- Annocheck: Skip GO/CET checks. Fix fuzzing detected failures. +- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444) +- Annocheck: Fix memory corruption. (#1996963) +- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection. +- Annocheck: Add linker generated function for ppc64le exceptions. (#1981410) +- LLVM Plugin: Allow checks to be selected from the command line. +- Annocheck: Examine DW_AT_producer for -flto. +- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection. +- Annocheck: Add linker generated function for s390x exceptions. (#1981410) +- Annocheck: Generate MAYB results for gaps in notes covering the .text section. (#1991943) +- Annocheck: Close DWARF file descriptors once the debug info is no longer needed. (#1981410) +- LLVM Plugin: Update to build with Clang v13. (Thanks to: Tom Stellard ) +- Annocheck: Fix memory corruption. 
(#1988715) +- Annocheck: Skip certain tests for kernel modules. +- Annocheck: Detect a missing CET note. (#1991931) +- Annocheck: Do not report future fails for AArch64 notes. +- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options. +- Annocheck: Process files in command line order. (#1988714) +- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled. (#1984995) +- Annocheck: Add another test exceptions. +- Annocheck: Add some more test exceptions. +- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes. (#1978573) +- Tests: Skip objcopy test if objcopy does not support --merge-notes. +- Annocheck: Fix spelling mistake in -mstack-realign failure message. (#1977349) +- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set. (#1958954) +- Annocheck: Remove limit on number of input files. +- clang/llvm plugins: Build with correct security options. +- Annocheck: Better detection of GO compiler version. +- Annocheck: Better support for symbolic links. +- Annocheck: In verbose mode, report the reason for skipping specific tests. (#1969584) +- Annocheck: Improve detection of shared libraries. (#1958954) + +* Mon May 17 2021 Nick Clifton - 9.72-1 +- Rebase to 9.72. (#1960299) +- annocheck: Accept 0 as a valid number for gcc minor versions and release numbers. +- gcc-plugin: Add support for ARM and RISCV targets. +- timing: do not initialise the clock if the timing tool is disabled. +- gcc-plugin: Replace ICE messsages with verbose messages. +- Fix the testsuite so that it can be run in parallel. +- Annocheck: WARN if the annobin plugin was built for a newer version of the compiler than the one on which it was run. (#1950657) +- Annocheck: Improve detection of missing GNU-stack support. 
+- Correct a package rename (bug #1949570) +- Require docs subpackage by the other ones because of a license +- Build-requiring perl-interpreter is enough +- Fix bz1949570 +- Fix anomolies reported by covscan. +- Move documentation into a sub-package. + * Wed Mar 17 2021 Nick Clifton - 9.65-1 - gcc-plugin: Use a fixed filename when running in LTO mode.