At 2017-04-07T14:10:06+0200, Graham Inggs wrote:
> On 07/04/2017 13:12, G. Branden Robinson wrote:
> > compile_rom is a utility internal to the build. It's not shipped and
> > thus not subject to attacks. I'm considering adding an --ignore-line
> > for it, but I need to figure out how to embed this information in the
> > package itself so the buildd log scanner knows to use this flag itself.
>
> Is there any harm in linking compile_rom with those flags?
Probably not, but what's the use case? This compile_rom utility is only useful for, and only used to, embed Z-80 instructions into the memory map of an emulated TRS-80 computer; specifically _this_ emulator, xtrs.

All of this hardening stuff, as I understand it, involves mitigation strategies for unsafe memory usage in the C language family in the ELF object file format. Again, the tool is not shipped. I am having trouble thinking of any attack vector involving compile_rom that isn't dwarfed by the fact that it would have to be exploited during a package build, at which time there are much simpler and nastier ways to attack a host, such as by embedding hostile code into a maintainer script. Those kinds of exploits are much easier to write and we don't really screen for them. Just the other day I saw on #debian-devel that we had a package that goofed up an rm -rf command in its postinst and trashed /usr/bin or something like that.

My preference is to be fastidious about things, but I also have a strong antipathy towards cargo-cult software engineering. I cannot think of any benefit of hardening compile_rom that is not extremely speculative. Can you?

> > Please advise if you think the attachments don't address the issue.
>
> All looks good, thanks! I see the 'format not a string literal and no
> format arguments' errors are already fixed in upstream 4.9d.

Yes, and in the forthcoming -3 I fixed a bunch more that were exposed when I compiled with -std=c11. See attached patch.

Regards,
Branden
Align build with the ISO C11 standard. -- Branden Robinson, 2017-04-04T09:40:13-0400 --- a/debug.c +++ b/debug.c @@ -18,6 +18,8 @@ $Id: debug.c,v 1.28 2009/06/16 00:10:39 mann Exp $ */ +#define _POSIX_C_SOURCE 200112L /* signal.h: sigemptyset(), ... */ + #include "z80.h" #include "trs.h" @@ -25,6 +27,7 @@ #include <signal.h> #include <errno.h> #include <string.h> +#include <strings.h> /* strcasecmp() */ #ifdef READLINE #include <readline/readline.h> @@ -318,7 +321,7 @@ int i; traps = (Uchar *) malloc(ADDRESS_SPACE * sizeof(Uchar)); - bzero(traps, ADDRESS_SPACE * sizeof(Uchar)); + memset(traps, 0, ADDRESS_SPACE * sizeof(Uchar)); for(i = 0; i < MAX_TRAPS; ++i) trap_table[i].valid = 0; --- a/cmddump.c +++ b/cmddump.c @@ -27,6 +27,9 @@ * -p foo select PDS entry "foo" (padded to 8 bytes with spaces) * -x ignore anything after the first xfer address */ + +#define _XOPEN_SOURCE /* unistd.h: getopt(), optarg, optind, opterr */ + #include <stdlib.h> #include <string.h> #include <unistd.h> --- a/mkdisk.c +++ b/mkdisk.c @@ -15,6 +15,8 @@ /* If available, use C11 fopen()'s exclusive open flag. Option -f overrides. */ #define _ISOC11_SOURCE 1 +#define _XOPEN_SOURCE 500 /* unistd.h: getopt(), ...; sys/stat.h: fchmod() */ + #include <stdio.h> #include <unistd.h> #include <time.h> --- a/trs_cassette.c +++ b/trs_cassette.c @@ -50,6 +50,9 @@ * Fabio Ferrari contributed the SB_SOUND implementation. */ +#define _POSIX_C_SOURCE 200112L /* signal.h: sigemptyset(), ... + stdio.h: fileno() */ + #if __linux #define HAVE_OSS 1 #define OSS_SOUND 1 --- a/trs_disk.c +++ b/trs_disk.c @@ -26,6 +26,8 @@ #define SIZERETRY 1 /* Retry in different sizes on real_read */ #define DMK_MARK_IAM 0 /* Mark IAMs in track header; poor idea */ +#define _XOPEN_SOURCE 500 /* signal.h: SA_RESTART */ + #include "z80.h" #include "trs.h" #include "trs_disk.h" --- a/trs_imp_exp.c +++ b/trs_imp_exp.c 
@@ -13,6 +13,8 @@ * easier. */ +#define _XOPEN_SOURCE 500 /* ftruncate(), strdup() */ + #include <stdio.h> #include <errno.h> #include <signal.h> --- a/trs_interrupt.c +++ b/trs_interrupt.c @@ -10,6 +10,8 @@ * Emulate interrupts */ +#define _XOPEN_SOURCE 500 /* signal.h: SA_RESTART */ + #include "z80.h" #include "trs.h" #include <stdio.h> --- a/trs_uart.c +++ b/trs_uart.c @@ -10,6 +10,8 @@ * Emulation of the Radio Shack TRS-80 Model I/III/4/4P serial port. */ +#define _POSIX_C_SOURCE 200112L /* signal.h: sigemptyset(), ... */ + #include <errno.h> #include <termios.h> #include <unistd.h> --- a/trs_xinterface.c +++ b/trs_xinterface.c @@ -28,6 +28,9 @@ * X Windows interface for TRS-80 simulator */ +#define _DEFAULT_SOURCE /* string.h: strcasecmp() */ +#define _XOPEN_SOURCE 500 /* string.h: strdup() */ + #include <stdio.h> #include <fcntl.h> #include <signal.h> --- a/Makefile +++ b/Makefile @@ -149,7 +149,7 @@ include Makefile.local CFLAGS += $(DEBUG) $(ENDIAN) $(DEFAULT_ROM) $(READLINE) $(DISKDIR) $(IFLAGS) \ - $(APPDEFAULTS) -DKBWAIT + $(APPDEFAULTS) -DKBWAIT -std=c11 LIBS = $(XLIB) $(READLINELIBS) $(EXTRALIBS) ZMACFLAGS = -h
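Review bot: in the debug.c hunk at `traps = (Uchar *) malloc(ADDRESS_SPACE * sizeof(Uchar));`, the bzero() to memset() swap preserves behaviour, but the malloc() result is still written to with no NULL check. Since the very next line zero-fills the buffer anyway, `traps = calloc(ADDRESS_SPACE, sizeof(Uchar));` would replace both lines, get the zero fill for free, and leave room for an `if (traps == NULL)` check that fails cleanly instead of dereferencing a null pointer.

Review bot: in the cmddump.c hunk, `#define _XOPEN_SOURCE` is given no value, while every other file in this patch uses `500`. On glibc an empty `_XOPEN_SOURCE` selects the older XPG4 interface set; getopt(), optarg and optind are declared either way, but for consistency with trs_imp_exp.c, trs_disk.c and trs_interrupt.c, and so the file needs no second edit if it later wants a SUSv2-only function such as strdup(), suggest `#define _XOPEN_SOURCE 500` here as well.

Review bot: the trs_xinterface.c hunk exposes strcasecmp() through `_DEFAULT_SOURCE`, which is a glibc-specific macro (recognised from glibc 2.19 onward), whereas the debug.c hunk solves the same problem portably with `#include <strings.h> /* strcasecmp() */`. Suggest using the `<strings.h>` include here too and dropping `_DEFAULT_SOURCE`, so the two files agree and the build does not depend on a glibc-only switch; with `_XOPEN_SOURCE 500` in force, `<strings.h>` still declares strcasecmp().

Review bot: in the Makefile hunk, `-std=c11` is appended to CFLAGS after `include Makefile.local`, so a local override cannot drop it; more importantly, `-std=c11` (unlike `-std=gnu11`) stops GCC from predefining the bare `linux` and `unix` macros, so any `#if linux` test in the tree would silently become false. The `#if __linux` in trs_cassette.c is safe because the double-underscore spelling is still predefined, but a quick grep for the bare spelling elsewhere is worth doing before this lands.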