[OpenWrt-Devel] openwrt/hardening: Fix CFLAGS usage for -D_FORTIFY_SOURCE

Message ID 1441639933-24172-1-git-send-email-helmut.schaa@googlemail.com
State Rejected

Commit Message

Helmut Schaa Sept. 7, 2015, 3:32 p.m. UTC
Fix the following configure error with c-ares by using CPPFLAGS for -D_FORTIFY_SOURCE.
Not sure if any other packages suffer from the same issue.

configure: using CFLAGS: -Os -pipe -march=74kc -fno-caller-saves -mno-branch-likely -g3 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro
configure: CFLAGS error: CFLAGS may only be used to specify C compiler flags, not macro definitions. Use CPPFLAGS for: -D_FORTIFY_SOURCE=1
configure: error: Can not continue. Fix errors mentioned immediately above this line.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
---
 include/hardening.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Steven Barth Sept. 7, 2015, 4:19 p.m. UTC | #1
NAK.
Not many package build systems honor CPPFLAGS so this solution is impractical,
since it effectively disables fortification for many of them.

To my knowledge c-ares is the only package enforcing this kind of behavior
so it should be fixed to work with our buildsystem instead.
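
The silent loss of fortification described in this comment can be caught by auditing the compiler command lines of a build. The script below is an added example, not part of this thread or of OpenWrt's build system; the function names and the sample log are constructed for illustration, with the define carried only in CPPFLAGS as the patch proposes.

```shell
#!/bin/sh
# Added example: find compile steps that lost -D_FORTIFY_SOURCE.

# Print the effective _FORTIFY_SOURCE level of one compiler command line.
# The last -D/-U on the line wins; "none" means the macro is not defined.
# Runs in a subshell so set -f and the variables stay local.
fortify_level() (
    set -f                      # no glob expansion while splitting words
    level=none
    for arg in $1; do
        case "$arg" in
            -D_FORTIFY_SOURCE=*) level=${arg#-D_FORTIFY_SOURCE=} ;;
            -D_FORTIFY_SOURCE)   level=1 ;;     # bare -D defines the macro as 1
            -U_FORTIFY_SOURCE)   level=none ;;
        esac
    done
    printf '%s\n' "$level"
)

# Read compiler commands on stdin and print every compile step (-c)
# whose effective level is "none". Link-only lines are skipped.
unfortified_units() {
    while IFS= read -r line; do
        case " $line " in
            *" -c "*) ;;
            *) continue ;;
        esac
        if [ "$(fortify_level "$line")" = none ]; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# Constructed sample log: one package passes CPPFLAGS to the compiler,
# the other only uses CFLAGS and so never sees the define.
CFLAGS='-Os -pipe -g3'
CPPFLAGS='-D_FORTIFY_SOURCE=1'
SAMPLE_LOG="cc $CPPFLAGS $CFLAGS -c honors_cppflags.c -o honors_cppflags.o
cc $CFLAGS -c cflags_only.c -o cflags_only.o
cc $CFLAGS -o prog honors_cppflags.o cflags_only.o"

printf '%s\n' "$SAMPLE_LOG" | unfortified_units
```
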
Stefan Peter Sept. 8, 2015, 7:03 a.m. UTC | #2
Hi
On 07.09.2015 at 17:32, Helmut Schaa wrote:
> Fix the following configure error with c-ares by using CPPFLAGS for -D_FORTIFY_SOURCE.
> Not sure if any other packages suffer from the same issue.
> 
> configure: using CFLAGS: -Os -pipe -march=74kc -fno-caller-saves -mno-branch-likely -g3 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro
> configure: CFLAGS error: CFLAGS may only be used to specify C compiler flags, not macro definitions. Use CPPFLAGS for: -D_FORTIFY_SOURCE=1
> configure: error: Can not continue. Fix errors mentioned immediately above this line.

Did you get this in the CC branch?

According to
https://github.com/openwrt/packages/pull/1464
this should be fixed in master and applying this patch on top of the CC
branch worked for me.

With kind regards

Stefan Peter
Helmut Schaa Sept. 8, 2015, 7:59 a.m. UTC | #3
On Mon, Sep 7, 2015 at 6:19 PM, Steven Barth <cyrus@openwrt.org> wrote:
> NAK.
> Not many package build systems honor CPPFLAGS so this solution is impractical,
> since it effectively disables fortification for many of them.
>
> To my knowledge c-ares is the only package enforcing this kind of behavior
> so it should be fixed to work with our buildsystem instead.

Thanks for the info. Please drop this patch then ...
Helmut
Helmut Schaa Sept. 8, 2015, 8 a.m. UTC | #4
On Tue, Sep 8, 2015 at 9:03 AM, Stefan Peter <st3fanp3t3r@gmail.com> wrote:
> Hi
> On 07.09.2015 at 17:32, Helmut Schaa wrote:
>> Fix the following configure error with c-ares by using CPPFLAGS for -D_FORTIFY_SOURCE.
>> Not sure if any other packages suffer from the same issue.
>>
>> configure: using CFLAGS: -Os -pipe -march=74kc -fno-caller-saves -mno-branch-likely -g3 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro
>> configure: CFLAGS error: CFLAGS may only be used to specify C compiler flags, not macro definitions. Use CPPFLAGS for: -D_FORTIFY_SOURCE=1
>> configure: error: Can not continue. Fix errors mentioned immediately above this line.
>
> Did you get this in the CC branch?
>
> According to
> https://github.com/openwrt/packages/pull/1464
> this should be fixed in master and applying this patch on top of the CC
> branch worked for me.

I came up with a similar patch now :) but good to know it's fixed in
master already.
Helmut
Karl Palsson Sept. 8, 2015, 3:59 p.m. UTC | #5
Helmut Schaa <helmut.schaa@googlemail.com> wrote:
> On Tue, Sep 8, 2015 at 9:03 AM, Stefan Peter <st3fanp3t3r@gmail.com>
> wrote:
> > Hi
> > On 07.09.2015 at 17:32, Helmut Schaa wrote:
> >> Fix the following configure error with c-ares by using CPPFLAGS for -D_FORTIFY_SOURCE.
> >> Not sure if any other packages suffer from the same issue.
> >>
> >> configure: using CFLAGS: -Os -pipe -march=74kc -fno-caller-saves -mno-branch-likely -g3 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro
> >> configure: CFLAGS error: CFLAGS may only be used to specify C compiler flags, not macro definitions. Use CPPFLAGS for: -D_FORTIFY_SOURCE=1
> >> configure: error: Can not continue. Fix errors mentioned immediately above this line.
> >
> > Did you get this in the CC branch?
> >
> > According to
> > https://github.com/openwrt/packages/pull/1464
> > this should be fixed in master and applying this patch on top of the CC
> > branch worked for me.
> 
> I came up with a similar patch now :) but good to know it's fixed in
> master already.
> Helmut

Also, I took it up with c-ares, they largely feel that we're "wrong" but
agreed that they could probably relax their check from an error to a
warning: http://c-ares.haxx.se/mail/c-ares-archive-2015-06/0005.shtml

However, that's "in the future"

Cheers,
Karl P


Patch

diff --git a/include/hardening.mk b/include/hardening.mk
index c277081..4de9cfc 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -27,12 +27,12 @@  ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
 endif
 ifdef CONFIG_PKG_FORTIFY_SOURCE_1
   ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
-    TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
+    TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
   endif
 endif
 ifdef CONFIG_PKG_FORTIFY_SOURCE_2
   ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
-    TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
+    TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
   endif
 endif
 ifdef CONFIG_PKG_RELRO_PARTIAL
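
Review bot: Moving `-D_FORTIFY_SOURCE=1` and `-D_FORTIFY_SOURCE=2` from `TARGET_CFLAGS` to `TARGET_CPPFLAGS` in both `ifeq` branches makes fortification depend on every package's build system passing CPPFLAGS to the compiler; a package that only consumes CFLAGS will then build without the define and without any error or warning. I would leave both `TARGET_CFLAGS +=` lines as they are and handle the c-ares configure check in that package's own Makefile, since it is the one build that rejects macro definitions in CFLAGS. A short comment above these two blocks saying why the macro is deliberately carried in CFLAGS would keep this from being "fixed" again.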