siddhesh · December 1, 2021 04:52
diff --git a/test-gcc-bdos.sh b/test-gcc-bdos.sh
 #!/bin/bash
 # This is only intended to be used inside a scratch VM or test machine to build
 # Fedora packages with _FORTIFY_SOURCE=3 to compare fortification with the
 # current build.  The script needs to be run as root since it installs packages.

 set -ex

 uid=$(id -u)

 if [ $uid -ne 0 ]; then
 	echo "Run the script as root."
 	echo "READ THE SCRIPT FIRST!  I AM NOT RESPONSIBLE IF YOUR MACHINE GETS NUKED AS A RESULT OF RUNNING THIS SCRIPT AS ROOT."
 	exit 1
 fi

 packages="bash wpa_supplicant"

 gccversion="gcc-12.0-6.fc36.0.bdostest"
 glibcversion="glibc-2.34.9000-21.fc36.0.bdostest"
 rrcversion="redhat-rpm-config-205-1.fc36.0.bdostest"

 cat > /etc/yum.repos.d/gcc-bdostest.repo <<EOF
 [gcc-bdostest]
 name=gcc bdostest repo
 baseurl=https://siddhesh.fedorapeople.org/bdos-repo
 type=rpm
 enabled=1
 repo_gpgcheck=0
 gpgcheck=0
 skip_if_unavailable=False
 EOF

 dnf install --refresh -y rpm-build make git wget python3-magic dnf-utils
 dnf update -y gcc gcc-c++ redhat-rpm-config glibc-devel
 if rpm -q $gccversion && rpm -q $glibcversion rpm -q $rrcversion; then
 	echo "Build environment supports _FORTIFY_SOURCE=3: $gccversion, $glibcversion, $rrcversion"
 else
 	echo "Build environment does not support _FORTIFY_SOURCE=3: $(rpm -q gcc glibc redhat-rpm-config)"
 #	exit 1
 fi

 if ! [ -e fortify-metrics ]; then
 	git clone https://github.com/siddhesh/fortify-metrics
 fi
 rm -rf outputs && mkdir outputs

 for p in $packages; do
 	# Make a clean rpmbuild for every package.  This allows the script to
 	# work on smaller vms and also eliminates any issues due to residual
 	# packages.
 	rm -rf rpmbuild && mkdir rpmbuild && pushd rpmbuild
 	yumdownloader --source $p
 	rpm -iv $p*.rpm
 	sed -i '1i\%undefine _annotated_build' SPECS/$p.spec
 	yum-builddep -y SPECS/$p.spec

 	# The rawhide package, already built with _FORTIFY_SOURCE=2.
 	yumdownloader $p
 	mkdir instroot && pushd instroot
 	rpm2cpio ../$p-*.x86_64.rpm | cpio -di
 	~/fortify-metrics/fortify-metrics.py -l -p $p . | sort > ~/outputs/$p-2.out
 	popd
 	# Rebuild with gcc-12 and _FORTIFY_SOURCE=3
 	rpmbuild -bb SPECS/$p.spec > ~/outputs/build-$p.log 2>&1
 	rm -rf instroot && mkdir instroot && pushd instroot
 	rpm2cpio ../RPMS/x86_64/*.rpm | cpio -di
 	~/fortify-metrics/fortify-metrics.py -l -p $p . | sort > ~/outputs/$p-3.out
 	popd
 	python3 > ~/outputs/$p-fortified.out <<EOF
 cols1 = []
 res = {}
 with open("$HOME/outputs/$p-2.out") as f1, open("$HOME/outputs/$p-3.out") as f2:
    cols = zip([l.strip().split(',') for l in f1], [l.strip().split(',') for l in f2])
    res = [[l1[0], l1[1], l1[2], l1[3], l1[4], l2[3], l2[4]] for (l1, l2) in cols \
 	    if int(l1[3]) != 0 or int(l1[4]) != 0 or int(l2[3]) != 0 or int(l2[4]) != 0]
    for r in res:
        print('%s, %s, %s, %s, %s, %s, %s' % (r[0], r[1], r[2], r[3], r[4], r[5], r[6]))
 EOF
 	popd
 done
	#!/bin/bash
	# This is only intended to be used inside a scratch VM or test machine to build
	# Fedora packages with _FORTIFY_SOURCE=3 to compare fortification with the
	# current build. The script needs to be run as root since it installs packages.

	set -ex

	uid=$(id -u)

	if [ $uid -ne 0 ]; then
	echo "Run the script as root."
	echo "READ THE SCRIPT FIRST! I AM NOT RESPONSIBLE IF YOUR MACHINE GETS NUKED AS A RESULT OF RUNNING THIS SCRIPT AS ROOT."
	exit 1
	fi

	packages="bash wpa_supplicant"

	gccversion="gcc-12.0-6.fc36.0.bdostest"
	glibcversion="glibc-2.34.9000-21.fc36.0.bdostest"
	rrcversion="redhat-rpm-config-205-1.fc36.0.bdostest"

	cat > /etc/yum.repos.d/gcc-bdostest.repo <<EOF
	[gcc-bdostest]
	name=gcc bdostest repo
	baseurl=https://siddhesh.fedorapeople.org/bdos-repo
	type=rpm
	enabled=1
	repo_gpgcheck=0
	gpgcheck=0
	skip_if_unavailable=False
	EOF

	dnf install --refresh -y rpm-build make git wget python3-magic dnf-utils
	dnf update -y gcc gcc-c++ redhat-rpm-config glibc-devel
	if rpm -q $gccversion && rpm -q $glibcversion rpm -q $rrcversion; then
	echo "Build environment supports _FORTIFY_SOURCE=3: $gccversion, $glibcversion, $rrcversion"
	else
	echo "Build environment does not support _FORTIFY_SOURCE=3: $(rpm -q gcc glibc redhat-rpm-config)"
	# exit 1
	fi

	if ! [ -e fortify-metrics ]; then
	git clone https://github.com/siddhesh/fortify-metrics
	fi
	rm -rf outputs && mkdir outputs

	for p in $packages; do
	# Make a clean rpmbuild for every package. This allows the script to
	# work on smaller vms and also eliminates any issues due to residual
	# packages.
	rm -rf rpmbuild && mkdir rpmbuild && pushd rpmbuild
	yumdownloader --source $p
	rpm -iv $p*.rpm
	sed -i '1i\%undefine _annotated_build' SPECS/$p.spec
	yum-builddep -y SPECS/$p.spec

	# The rawhide package, already built with _FORTIFY_SOURCE=2.
	yumdownloader $p
	mkdir instroot && pushd instroot
	rpm2cpio ../$p-*.x86_64.rpm \| cpio -di
	~/fortify-metrics/fortify-metrics.py -l -p $p . \| sort > ~/outputs/$p-2.out
	popd
	# Rebuild with gcc-12 and _FORTIFY_SOURCE=3
	rpmbuild -bb SPECS/$p.spec > ~/outputs/build-$p.log 2>&1
	rm -rf instroot && mkdir instroot && pushd instroot
	rpm2cpio ../RPMS/x86_64/*.rpm \| cpio -di
	~/fortify-metrics/fortify-metrics.py -l -p $p . \| sort > ~/outputs/$p-3.out
	popd
	python3 > ~/outputs/$p-fortified.out <<EOF
	cols1 = []
	res = {}
	with open("$HOME/outputs/$p-2.out") as f1, open("$HOME/outputs/$p-3.out") as f2:
	cols = zip([l.strip().split(',') for l in f1], [l.strip().split(',') for l in f2])
	res = [[l1[0], l1[1], l1[2], l1[3], l1[4], l2[3], l2[4]] for (l1, l2) in cols \
	if int(l1[3]) != 0 or int(l1[4]) != 0 or int(l2[3]) != 0 or int(l2[4]) != 0]
	for r in res:
	print('%s, %s, %s, %s, %s, %s, %s' % (r[0], r[1], r[2], r[3], r[4], r[5], r[6]))
	EOF
	popd
	done