scripts: add MACHO Canary check to security-check.py

This commit is contained in:
fanquake 2020-04-21 09:41:17 +08:00
parent c4c3f110eb
commit 7b99c7454c
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
2 changed files with 22 additions and 5 deletions


@ -223,6 +223,20 @@ def check_MACHO_LAZY_BINDINGS(executable) -> bool:
return False return False
return True return True
def check_MACHO_Canary(executable) -> bool:
'''
Check for use of stack canary
'''
p = subprocess.Popen([OTOOL_CMD, '-Iv', executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
(stdout, stderr) = p.communicate()
if p.returncode:
raise IOError('Error opening file')
ok = False
for line in stdout.splitlines():
if '___stack_chk_fail' in line:
ok = True
return ok
CHECKS = { CHECKS = {
'ELF': [ 'ELF': [
('PIE', check_ELF_PIE), ('PIE', check_ELF_PIE),
@ -239,7 +253,8 @@ CHECKS = {
('PIE', check_MACHO_PIE), ('PIE', check_MACHO_PIE),
('NOUNDEFS', check_MACHO_NOUNDEFS), ('NOUNDEFS', check_MACHO_NOUNDEFS),
('NX', check_MACHO_NX), ('NX', check_MACHO_NX),
('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS) ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
('Canary', check_MACHO_Canary)
] ]
} }
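Review bot: check_MACHO_Canary passes as soon as `___stack_chk_fail` appears anywhere in the `otool -Iv` output, which shows only that the stack protector was enabled for at least one function, not that every function is instrumented (the test file compiles with -fstack-protector-all, where the two coincide); the docstring should say so, e.g. `Check for use of stack canary: looks for the ___stack_chk_fail import, which does not prove every function is protected`. The stderr captured from communicate() is discarded when returncode is non-zero, so `raise IOError('Error opening file')` hides otool's own diagnostic; `raise IOError('Error opening file: ' + stderr)` would keep it. The accumulator loop can be written as `return any('___stack_chk_fail' in line for line in stdout.splitlines())`.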


@ -64,13 +64,15 @@ class TestSecurityChecks(unittest.TestCase):
cc = 'clang' cc = 'clang'
write_testcode(source) write_testcode(source)
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace', '-Wl,-allow_stack_execute']), self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
(1, executable+': failed PIE NOUNDEFS NX Canary'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
(1, executable+': failed PIE NOUNDEFS NX')) (1, executable+': failed PIE NOUNDEFS NX'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace']), self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
(1, executable+': failed PIE NOUNDEFS')) (1, executable+': failed PIE NOUNDEFS'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie']), self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
(1, executable+': failed PIE')) (1, executable+': failed PIE'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie']), self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all']),
(0, '')) (0, ''))
if __name__ == '__main__': if __name__ == '__main__':
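Review bot: Every passing case now adds `-fstack-protector-all` explicitly, but nothing in the hunk records why; presumably the tiny test program otherwise contains no function that the compiler's default protector level would instrument, so the `___stack_chk_fail` import would be absent and the new Canary check would fail. A short comment on the first of these lines, `# -fstack-protector-all forces the canary import even in this minimal test program`, would save the next maintainer from dropping the flag. The enclosing test method starts before the hunk, so whether the source written by write_testcode contains any stack buffer is not visible here.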