Last active
December 1, 2021 04:52
-
-
Save siddhesh/e7e71ed9d2f9c20d0646e49d9d19380c to your computer and use it in GitHub Desktop.
Test gcc implementation of __builtin_dynamic_object_size on Fedora package builds
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This is only intended to be used inside a scratch VM or test machine to build | |
| # Fedora packages with _FORTIFY_SOURCE=3 to compare fortification with the | |
| # current build. The script needs to be run as root since it installs packages. | |
| set -ex | |
| uid=$(id -u) | |
| if [ $uid -ne 0 ]; then | |
| echo "Run the script as root." | |
| echo "READ THE SCRIPT FIRST! I AM NOT RESPONSIBLE IF YOUR MACHINE GETS NUKED AS A RESULT OF RUNNING THIS SCRIPT AS ROOT." | |
| exit 1 | |
| fi | |
| packages="bash wpa_supplicant" | |
| gccversion="gcc-12.0-6.fc36.0.bdostest" | |
| glibcversion="glibc-2.34.9000-21.fc36.0.bdostest" | |
| rrcversion="redhat-rpm-config-205-1.fc36.0.bdostest" | |
| cat > /etc/yum.repos.d/gcc-bdostest.repo <<EOF | |
| [gcc-bdostest] | |
| name=gcc bdostest repo | |
| baseurl=https://siddhesh.fedorapeople.org/bdos-repo | |
| type=rpm | |
| enabled=1 | |
| repo_gpgcheck=0 | |
| gpgcheck=0 | |
| skip_if_unavailable=False | |
| EOF | |
| dnf install --refresh -y rpm-build make git wget python3-magic dnf-utils | |
| dnf update -y gcc gcc-c++ redhat-rpm-config glibc-devel | |
| if rpm -q $gccversion && rpm -q $glibcversion rpm -q $rrcversion; then | |
| echo "Build environment supports _FORTIFY_SOURCE=3: $gccversion, $glibcversion, $rrcversion" | |
| else | |
| echo "Build environment does not support _FORTIFY_SOURCE=3: $(rpm -q gcc glibc redhat-rpm-config)" | |
| # exit 1 | |
| fi | |
| if ! [ -e fortify-metrics ]; then | |
| git clone https://github.com/siddhesh/fortify-metrics | |
| fi | |
| rm -rf outputs && mkdir outputs | |
| for p in $packages; do | |
| # Make a clean rpmbuild for every package. This allows the script to | |
| # work on smaller vms and also eliminates any issues due to residual | |
| # packages. | |
| rm -rf rpmbuild && mkdir rpmbuild && pushd rpmbuild | |
| yumdownloader --source $p | |
| rpm -iv $p*.rpm | |
| sed -i '1i\%undefine _annotated_build' SPECS/$p.spec | |
| yum-builddep -y SPECS/$p.spec | |
| # The rawhide package, already built with _FORTIFY_SOURCE=2. | |
| yumdownloader $p | |
| mkdir instroot && pushd instroot | |
| rpm2cpio ../$p-*.x86_64.rpm | cpio -di | |
| ~/fortify-metrics/fortify-metrics.py -l -p $p . | sort > ~/outputs/$p-2.out | |
| popd | |
| # Rebuild with gcc-12 and _FORTIFY_SOURCE=3 | |
| rpmbuild -bb SPECS/$p.spec > ~/outputs/build-$p.log 2>&1 | |
| rm -rf instroot && mkdir instroot && pushd instroot | |
| rpm2cpio ../RPMS/x86_64/*.rpm | cpio -di | |
| ~/fortify-metrics/fortify-metrics.py -l -p $p . | sort > ~/outputs/$p-3.out | |
| popd | |
| python3 > ~/outputs/$p-fortified.out <<EOF | |
| cols1 = [] | |
| res = {} | |
| with open("$HOME/outputs/$p-2.out") as f1, open("$HOME/outputs/$p-3.out") as f2: | |
| cols = zip([l.strip().split(',') for l in f1], [l.strip().split(',') for l in f2]) | |
| res = [[l1[0], l1[1], l1[2], l1[3], l1[4], l2[3], l2[4]] for (l1, l2) in cols \ | |
| if int(l1[3]) != 0 or int(l1[4]) != 0 or int(l2[3]) != 0 or int(l2[4]) != 0] | |
| for r in res: | |
| print('%s, %s, %s, %s, %s, %s, %s' % (r[0], r[1], r[2], r[3], r[4], r[5], r[6])) | |
| EOF | |
| popd | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment