scripts: add MACHO Canary check to security-check.py

fanquake · fanquake · commit 7b99c7454cdb · 2020-04-21T11:32:01.000+08:00
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
@@ -223,6 +223,20 @@ def check_MACHO_LAZY_BINDINGS(executable) -> bool:
                 return False
     return True
 
+def check_MACHO_Canary(executable) -> bool:
+    '''
+    Check for use of stack canary
+    '''
+    p = subprocess.Popen([OTOOL_CMD, '-Iv', executable], stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, universal_newlines=True)
+    (stdout, stderr) = p.communicate()
+    if p.returncode:
+        raise IOError('Error opening file')
+    ok = False
+    for line in stdout.splitlines():
+        if '___stack_chk_fail' in line:
+            ok = True
+    return ok
+
 CHECKS = {
 'ELF': [
     ('PIE', check_ELF_PIE),
@@ -239,7 +253,8 @@ def check_MACHO_LAZY_BINDINGS(executable) -> bool:
     ('PIE', check_MACHO_PIE),
     ('NOUNDEFS', check_MACHO_NOUNDEFS),
     ('NX', check_MACHO_NX),
-    ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS)
+    ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
+    ('Canary', check_MACHO_Canary)
 ]
 }
 
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
@@ -64,13 +64,15 @@ def test_MACHO(self):
         cc = 'clang'
         write_testcode(source)
 
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace', '-Wl,-allow_stack_execute']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
+            (1, executable+': failed PIE NOUNDEFS NX Canary'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
             (1, executable+': failed PIE NOUNDEFS NX'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
             (1, executable+': failed PIE NOUNDEFS'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
             (1, executable+': failed PIE'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all']),
             (0, ''))
 
 if __name__ == '__main__':
