hardening-check: add support for detecting stack clash protected binaries

The attachment "debdiff against current version in disco to add this feature" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Updated debdiff with some minor improvements to the proposed changes to be a bit more efficient and add some more comments

Update the debdiff again to fix a possible runtime failure in a highly unlikely corner case.

Will let the foundations team decide on the importance of this but the security team is keen for this to land in 19.10 / EE to support the toolchain hardening updates so I hope this is seen as a higher priority than Wishlist.

It looks like the stack-clash detection is getting tripped up on optimization:

ubuntu@stensal-disco-server-amd64:~$ gcc -O2 -o stack-clash -fstack-clash-protection stack-clash.c
ubuntu@stensal-disco-server-amd64:~$ ./hardening-check ./stack-clash
./stack-clash:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: no, not found!
ubuntu@stensal-disco-server-amd64:~$ gcc -o stack-clash -fstack-clash-protection stack-clash.c
ubuntu@stensal-disco-server-amd64:~$ ./hardening-check ./stack-clash
./stack-clash:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: yes

The attached should is more robust to optimisation in gcc and is updated against the latest devscripts in disco

Relaxed some of the checks to find additional stack-clash-protected binaries due to more optimisation shenanigans

Subscribing Mattia Rizzolo, who co-maintains devscripts in Debian.

Could you please submit this in the form of a MR against https://salsa.debian.org/debian/devscripts ?

I would be happy to review and merge such contribution once an MR is opened there (as a first look the patch doesn't look crazy, but I would need to look deeper - I'm not familiar with that particular script).

The hardening-check script does not have a test suite, but if you could also consider contributing one (since it's perl, just add a test/t/hardening-checks.t using Test::More) it would be really awesome (not required to get this patch merged, though)

Also, I would love if you could refrain from uploading such diffs to Ubuntu, given that I'm open to get such changes in Debian directly (removing ~ubuntu-sponsors as such…)

Sure I'll see what I can do - my understanding was the process was to get it into Ubuntu first and then submit it back to Debian but am happy to go the other way round.

MR submitted in https://salsa.debian.org/debian/devscripts/merge_requests/121

Will still try and work on the tests for it in addition so expect a follow up MR later.

It's committed, will be in the next release.

This bug was fixed in the package devscripts - 2.19.6

---------------
devscripts (2.19.6) unstable; urgency=medium

  [ Christoph Berg ]
  * origtargz:
    + Support unpacking tarballs where the files are in /.

  [ Alex Murray ]
  * hardening-check:
    + Add support for detecting binaries compiled with
      -fstack-clash-protection. LP: #1820798; MR: !121
    + Add detection for -fcf-protection. MR: !127

  [ laokz ]
  * uscan:
    + Fix typo in documentation. MR: !125
    + Remove redundant, misleading string in a debug message. MR: !126

  [ Thomas Goirand ]
  * debchange:
    + Target buster-backports with --bpo. Closes: #931614

  [ Paul Wise ]
  * Devscripts::Config:
    + Improve handling (prevent code execution and errors with spaces and
      newlines) of the configuration files. MR: !124
      - Move String::ShellQuote from Recommends to Depends.

  [ Xavier Guimard ]
  * Reformat code following the changes in the new perltify 20181102. MR: !129
  * debi:
    + Replace dpkg + apt-get by "apt-get install" on .change file.
      Closes: #810294; MR: !45
  * salsa:
    + Add "join" command. Closes: #921314; MR: !108
    + Add "push" command. MR: !108
    + Update doc: completion for aliases. MR: !108
  * uscan:
    + Ignore --download-version when component is marked as "ignore". MR: !130
    + Fix download when <base> tag is relative. Closes: #932399; MR: !133

  [ Mattia Rizzolo ]
  * d/control:
    + Bump Standards-Version to 4.4.0, no changes needed.

  [ Nick Gerow ]
  * debchange:
    + Make sure to escape special characters in the maintainer name. MR: !128

  [ Simon McVittie ]
  * uscan:
    + Don't recurse into directories named .git when searching for
      Debian packages. MR: !132

  [ Unit 193 ]
  * dcmd:
    + Consider .asc files as part of the upstream orig files.
    + Also add .zst as an allowed extension for upstream orig files.

  [ Sean Whitton ]
  * git-deborig:
    + New --just-print-tag-names option. Closes: #931180; MR: !131

 -- Mattia Rizzolo <email address hidden> Sat, 20 Jul 2019 10:43:35 +0200