From 33536307de7ac300ada3ad35256d23aa9a5be0e5 Mon Sep 17 00:00:00 2001
From: LIU Hao
Date: Fri, 18 Oct 2024 09:30:14 +0800
Subject: [PATCH] gcc: Improve security

The language-specific compilers (cc1, cc1plus, lto-wrapper, etc.) are not in PATH, but in '/lib/gcc//'. When these compilers are invoked by GCC, they prefer DLLs in the working directory to those in PATH [1], which allows, for example, an untrusted source repo to create libgmp-10.dll in the working directory, which will get picked by cc1plus, resulting in arbitrary code execution.

These programs shall be linked against all dependencies statically. After this change they depend on only GCC runtime libraries.

[1] https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security

Signed-off-by: LIU Hao
---
 mingw-w64-gcc/3001-gcc-Improve-security.patch | 37 ++++++++
 mingw-w64-gcc/PKGBUILD | 86 +++---------------
 2 files changed, 51 insertions(+), 72 deletions(-)
 create mode 100644 mingw-w64-gcc/3001-gcc-Improve-security.patch

diff --git a/mingw-w64-gcc/3001-gcc-Improve-security.patch b/mingw-w64-gcc/3001-gcc-Improve-security.patch
new file mode 100644
index 0000000000000..eb5ab32bf881a
--- /dev/null
+++ b/mingw-w64-gcc/3001-gcc-Improve-security.patch
@@ -0,0 +1,37 @@
+From b778099750e91ca25795605bfa5772a746fa5de6 Mon Sep 17 00:00:00 2001
+From: LIU Hao
+Date: Thu, 17 Oct 2024 20:15:10 +0800
+Subject: [PATCH] gcc: Improve security
+
+The language-specific compilers (cc1, cc1plus, lto-wrapper, etc.) are not in
+PATH, but in '/lib/gcc//'. When these compilers are invoked
+by GCC, they prefer DLLs in the working directory to those in PATH [1], which
+allows, for example, an untrusted source repo to create libgmp-10.dll in the
+working directory, which will get picked by cc1plus, resulting in arbitrary
+code execution.
+
+These programs shall be linked against all dependencies statically.
+
+[1] https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security
+
+Signed-off-by: LIU Hao
+---
+ gcc/Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gcc/Makefile.in b/gcc/Makefile.in
+index 059cf2e8f79..5fcf719d3b4 100644
+--- a/gcc/Makefile.in
++++ b/gcc/Makefile.in
+@@ -1103,7 +1103,7 @@ ALL_CPPFLAGS = $(INCLUDES) $(CPPFLAGS)
+ ALL_COMPILERFLAGS = $(ALL_CXXFLAGS) $(PICFLAG)
+ 
+ # This is the variable to use when using $(LINKER).
+-ALL_LINKERFLAGS = $(ALL_CXXFLAGS) $(LD_PICFLAG)
++ALL_LINKERFLAGS = $(ALL_CXXFLAGS) $(LD_PICFLAG) -static
+ 
+ # Build and host support libraries.
+ 
+-- 
+2.47.0
+
diff --git a/mingw-w64-gcc/PKGBUILD b/mingw-w64-gcc/PKGBUILD
index b541ed750c1ae..8c4ab6fb78358 100644
--- a/mingw-w64-gcc/PKGBUILD
+++ b/mingw-w64-gcc/PKGBUILD
@@ -48,7 +48,7 @@ else
 _sourcedir=${_realname}-${_version}-${_snapshot}
 _url=https://gcc.gnu.org/pub/gcc/snapshots/${_version}-${_snapshot}
 fi
-pkgrel=1
+pkgrel=2
 pkgdesc="GCC for the MinGW-w64"
 arch=('any')
 mingw_arch=('mingw32' 'mingw64' 'ucrt64')
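Review bot: `-static` is appended to ALL_LINKERFLAGS unconditionally, so it reaches every link in the GCC tree that consumes that variable, not only the cc1/cc1plus/lto-wrapper class of programs the description names; if jit/Make-lang.in links libgccjit through the same variable, as it appears to, that `-shared` DLL also ends up with a private static libgcc/libstdc++ while the program loading it may be using the shared runtime, which is the one-runtime-per-process caveat the build() comment removed later in this commit described, so that artifact is worth confirming. The patched Makefile.in line carries no rationale, and it is the only place a future GCC bump will see; a comment above it such as `# -static: the host tools live outside PATH, so a dynamically linked dependency could be resolved from the working directory.` keeps the reason next to the flag. It would also help to state in the patch description how the result was verified, for example that the import tables of the installed cc1*.exe no longer list gmp/mpfr/mpc/isl/zlib/zstd DLLs, since the outer commit message's claim that they "depend on only GCC runtime libraries" does not follow from `-static` alone (plain `-static` also selects the static libgcc/libstdc++/winpthread archives).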
@@ -89,7 +89,8 @@ source=(${_url}/${_sourcedir}.tar.xz{,.sig}
 0021-PR14940-Allow-a-PCH-to-be-mapped-to-a-different-addr.patch
 0140-gcc-diagnostic-color.patch
 0200-add-m-no-align-vector-insn-option-for-i386.patch
- 2001-fix-building-rust-on-mingw-w64.patch)
+ 2001-fix-building-rust-on-mingw-w64.patch
+ 3001-gcc-Improve-security.patch)
 sha256sums=('a7b39bc69cbf9e25826c5a60ab26477001f7c08d85cec04bc0e29cabed6f3cc9'
 'SKIP'
 'bce81824fc89e5e62cca350de4c17a27e27a18a1a1ad5ca3492aec1fc5af3234'
@@ -104,7 +105,8 @@ sha256sums=('a7b39bc69cbf9e25826c5a60ab26477001f7c08d85cec04bc0e29cabed6f3cc9'
 '6c272078340a27b3f147e497115b0a6e9fc0da720a2602f12b086524522caa59'
 'e0a5b470f49a29f20215cc9f9d04c1cb9969dff6f0e546542799d3a693ef1c84'
 'c34f9e71b5a092be1987ad4c65891742c74c9eb8ef6560100e751cd31375f579'
- 'ddc1538c2b9132bce5b3b2cad2a382762d58b46b31d2ae291f6e4d963b88dfd4')
+ 'ddc1538c2b9132bce5b3b2cad2a382762d58b46b31d2ae291f6e4d963b88dfd4'
+ 'c7d21cd7f7345141087d8365870383a5c1c34099096aa7fbc9a56d76c345cab8')
 validpgpkeys=(F3691687D867B81B51CE07D9BBE43771487328A9 # bpiotrowski@archlinux.org
 86CFFCA918CF3AF47147588051E8B148A9999C34 # evangelos@foutrelis.com
 13975A70E63C361C73AE69EF6EEB81F8981C74C7 # richard.guenther@gmail.com
@@ -158,7 +160,8 @@ prepare() {
 0200-add-m-no-align-vector-insn-option-for-i386.patch
 
 apply_patch_with_msg \
- 2001-fix-building-rust-on-mingw-w64.patch
+ 2001-fix-building-rust-on-mingw-w64.patch \
+ 3001-gcc-Improve-security.patch
 
 # do not expect ${prefix}/mingw symlink - this should be superceded by
 # 0005-Windows-Don-t-ignore-native-system-header-dir.patch .. but isn't!
@@ -209,19 +212,6 @@ build() {
 # so libgomp DLL gets built despide static libdl
 export lt_cv_deplibs_check_method='pass_all'
 
- # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105507#c3
- # At least with mingw32 + dwarf-2 exceptions there can only be one libgcc in
- # process, or exceptions will no longer work. Since some of the gcc deps are
- # linked dynamically like gmp/zlib/zstd and those pull in libgcc we can't
- # allow libgcc to be linked statically. The default is "-static-libstdc++
- # -static-libgcc" for both, so we drop "-static-libgcc" here:
- # GCC 14 Update: Since we dropped 32bit Ada with GCC 14.1 and GCC doesn't use
- # exceptions elsewhere this could in theory be removed, in case it makes problems.
- _extra_config+=(
- '--with-boot-ldflags="-static-libstdc++"'
- '--with-stage1-ldflags="-static-libstdc++"'
- )
-
 # In addition adaint.c does `#include ` which pulls in msxml.h, hacky hack:
 CPPFLAGS+=" -DCOM_NO_WINDOWS_H"
 
@@ -324,15 +314,9 @@ package_gcc() {
 depends=("${MINGW_PACKAGE_PREFIX}-binutils"
 "${MINGW_PACKAGE_PREFIX}-crt"
 "${MINGW_PACKAGE_PREFIX}-headers"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-mpc"
 "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
 "${MINGW_PACKAGE_PREFIX}-windows-default-manifest"
- "${MINGW_PACKAGE_PREFIX}-winpthreads"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-winpthreads")
 provides=("${MINGW_PACKAGE_PREFIX}-${_realname}-base"
 "${MINGW_PACKAGE_PREFIX}-cc")
 conflicts=("${MINGW_PACKAGE_PREFIX}-${_realname}-base"
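Review bot: The deleted block was the only record of why `-static-libgcc` had been kept out of the host-tool link (one libgcc per process for mingw32 dwarf-2 exceptions, with dynamically linked gmp/zlib/zstd bringing in a shared copy), and the new code leaves nothing saying why that constraint is now satisfied. A one-line replacement where `_extra_config+=(` stood, for example `# Host tools are linked -static (3001-gcc-Improve-security.patch), so no shared gmp/zlib/zstd can pull a second libgcc into the process; the one-libgcc workaround is no longer needed.`, would stop the next maintainer from reintroducing `-static-libstdc++`-only boot flags. build()'s body continues outside the hunk on both sides.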
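Review bot: Dropping isl/gmp/mpfr/mpc/zlib/zstd from depends here, and in the gcc-fortran, gcc-ada, gcc-objc, gcc-rust, gcc-lto-dump and libgccjit hunks, relies entirely on `-static` having reached every host tool's link, and nothing in the PKGBUILD checks the result; a tool that a later GCC links through a different flag variable would ship importing a DLL the package no longer pulls in, and the working-directory resolution problem would quietly return for that one tool. A cheap guard is to inspect the import table of every executable installed under lib/gcc/ and fail the build on any of the removed libraries, as sketched below (the path assumes the usual MSYS2 `${pkgdir}${MINGW_PREFIX}` layout; adjust if this PKGBUILD installs elsewhere). package_gcc's body continues outside the hunk; the check belongs after the files are installed into ${pkgdir}.
```shell
  # … unchanged: depends/provides/conflicts, cd, install steps …

  # Verify the point of 3001-gcc-Improve-security.patch: none of the host tools
  # that live outside PATH may still import a library we no longer depend on.
  local exe
  for exe in "${pkgdir}${MINGW_PREFIX}"/lib/gcc/*/*/*.exe; do
    [[ -f "$exe" ]] || continue
    if objdump -p -- "$exe" | grep -Eiq 'DLL Name:.*(gmp|mpfr|mpc|isl|zlib|zstd)'; then
      printf 'error: %s still imports a dropped dependency\n' "$exe" >&2
      return 1
    fi
  done
```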
@@ -428,14 +412,7 @@ package_gcc-fortran() {
 pkgdesc="GNU Compiler Collection (Fortran) for MinGW-w64"
 depends=("${MINGW_PACKAGE_PREFIX}-${_realname}=${pkgver}-${pkgrel}"
 "${MINGW_PACKAGE_PREFIX}-${_realname}-libgfortran=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-libwinpthread"
- "${MINGW_PACKAGE_PREFIX}-mpc"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}")
 provides=("${MINGW_PACKAGE_PREFIX}-fc")
 
 cd "${srcdir}"/build-${MSYSTEM}
@@ -450,14 +427,7 @@ package_gcc-fortran() {
 package_gcc-ada() {
 pkgdesc="GNU Compiler Collection (Ada) for MinGW-w64"
 depends=("${MINGW_PACKAGE_PREFIX}-${_realname}=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-libwinpthread"
- "${MINGW_PACKAGE_PREFIX}-mpc"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}")
 
 cd "${srcdir}"/build-${MSYSTEM}
 
@@ -469,14 +439,7 @@ package_gcc-ada() {
 package_gcc-objc() {
 pkgdesc="GNU Compiler Collection (ObjC,Obj-C++) for MinGW-w64"
 depends=("${MINGW_PACKAGE_PREFIX}-${_realname}=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-libwinpthread"
- "${MINGW_PACKAGE_PREFIX}-mpc"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}")
 
 cd "${srcdir}"/build-${MSYSTEM}
 
@@ -491,14 +454,7 @@ package_gcc-objc() {
 package_gcc-rust() {
 pkgdesc="GNU Compiler Collection (Rust) for MinGW-w64"
 depends=("${MINGW_PACKAGE_PREFIX}-${_realname}=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-libwinpthread"
- "${MINGW_PACKAGE_PREFIX}-mpc"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}")
 
 cd "${srcdir}"/build-${MSYSTEM}
 
@@ -509,14 +465,7 @@ package_gcc-rust() {
 package_gcc-lto-dump() {
 pkgdesc="Dump link time optimization object files (mingw-w64)"
 depends=("${MINGW_PACKAGE_PREFIX}-${_realname}=$pkgver-$pkgrel"
- "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-libwinpthread"
- "${MINGW_PACKAGE_PREFIX}-mpc"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}")
 
 cd "${srcdir}"/build-${MSYSTEM}
 
@@ -526,14 +475,7 @@ package_gcc-lto-dump() {
 package_libgccjit() {
 pkgdesc="GNU Compiler Collection (libgccjit) for MinGW-w64"
 depends=("${MINGW_PACKAGE_PREFIX}-${_realname}=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}"
- "${MINGW_PACKAGE_PREFIX}-gmp"
- "${MINGW_PACKAGE_PREFIX}-isl"
- "${MINGW_PACKAGE_PREFIX}-libwinpthread"
- "${MINGW_PACKAGE_PREFIX}-mpc"
- "${MINGW_PACKAGE_PREFIX}-mpfr"
- "${MINGW_PACKAGE_PREFIX}-zlib"
- "${MINGW_PACKAGE_PREFIX}-zstd")
+ "${MINGW_PACKAGE_PREFIX}-${_realname}-libs=${pkgver}-${pkgrel}")
 
 cd "${srcdir}"/build-${MSYSTEM}
 