fix: fix duplicate entries
- fix duplicate entries in fortified count
- check binary to validate that it relies on glibc before comparing against glibc
- update kernel configs
- add n/a and fs_cnt_total = 0 tests
- update gitignore
slimm609 committed Apr 27, 2024
1 parent 753bc11 commit 3e35801
Showing 24 changed files with 200,784 additions and 99 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -1,3 +1,5 @@
sign-checksec.sh
checksec.crt
checksec.key
tests/binaries/output/
dist/
4 changes: 2 additions & 2 deletions Dockerfile.ubuntu
Expand Up @@ -2,9 +2,9 @@ FROM ubuntu:22.04

# Install dependencies
RUN apt-get update && apt-get -y -q upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y -q install \
bc bison flex build-essential ccache git file \
bc bison flex build-essential git file \
libncurses-dev libssl-dev u-boot-tools wget \
xz-utils vim xfce4 libxml2-utils python3 python3-pip jq \
xz-utils vim libxml2-utils python3 python3-pip jq \
gcc clang gcc-multilib && apt-get clean \
pip3 install --upgrade pip && pip3 install setuptools && \
pip3 install demjson3 && mkdir -p /zig && \
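Review bot: The `&&` chain in this RUN instruction appears broken between `apt-get clean \` and `pip3 install --upgrade pip`: because of the line continuation, `pip3 install --upgrade pip` is parsed as trailing arguments to `apt-get clean` rather than as its own command, so the pip upgrade is most likely never executed and a failure there would not stop the build. These are context lines the commit keeps, so the defect is pre-existing, but the fix is a single edit: `gcc clang gcc-multilib && apt-get clean && \`. The RUN instruction continues past the end of the hunk.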
23 changes: 17 additions & 6 deletions checksec
Expand Up @@ -823,18 +823,29 @@ filecheck() {
fi

search_libc

libc_found="false"
if ${readelf} -d "${1}" 2> /dev/null | grep 'NEEDED' | grep -q 'libc\.so'; then
libc_found="true"
fi
FS_filechk_func_libc="$(${readelf} -s "${use_dynamic}" "${FS_libc}" 2> /dev/null | sed -ne 's/.*__\(.*_chk\)@@.*/\1/p')"
FS_func_libc="${FS_filechk_func_libc//_chk/}"
FS_func="$(${readelf} -s "${use_dynamic}" "${1}" 2> /dev/null | awk '{ print $8 }' | sed -e 's/_*//' -e 's/@.*//' -e '/^$/d')"
FS_cnt_checked=$(grep -cFxf <(sort <<< "${FS_filechk_func_libc}") <(sort <<< "${FS_func}"))
FS_cnt_unchecked=$(grep -cFxf <(sort <<< "${FS_func_libc}") <(sort <<< "${FS_func}"))
FS_cnt_checked=$(grep -cFxf <(sort -u <<< "${FS_filechk_func_libc}") <(sort -u <<< "${FS_func}"))
FS_cnt_unchecked=$(grep -cFxf <(sort -u <<< "${FS_func_libc}") <(sort -u <<< "${FS_func}"))
FS_cnt_total=$((FS_cnt_unchecked + FS_cnt_checked))

if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
if [[ "${libc_found}" == "false" ]] || [[ "${FS_cnt_total}" == "0" ]]; then
echo_message "\033[32mN/A\033[m" "N/A," ' fortify_source="n/a" ' '"fortify_source":"n/a",'
else
echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
if [[ $FS_cnt_checked -eq $FS_cnt_total ]]; then
echo_message '\033[32mYes\033[m' 'Yes,' ' fortify_source="yes" ' '"fortify_source":"yes",'
else
if [[ "${FS_cnt_checked}" == "0" ]]; then
echo_message "\033[31mNo\033[m" "No," ' fortify_source="no" ' '"fortify_source":"no",'
else
echo_message "\033[33mPartial\033[m" "Partial," ' fortify_source="partial" ' '"fortify_source":"partial",'
fi
fi
fi
echo_message "\t${FS_cnt_checked}\t" "${FS_cnt_checked}", "fortified=\"${FS_cnt_checked}\" " "\"fortified\":\"${FS_cnt_checked}\","
echo_message "\t${FS_cnt_total}\t\t" "${FS_cnt_total}" "fortify-able=\"${FS_cnt_total}\"" "\"fortify-able\":\"${FS_cnt_total}\""
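Review bot: The new `libc_found` gate only inspects NEEDED entries, so a statically linked binary, which has no NEEDED entries, now takes the N/A branch even though its own symbol table (FS_func, built from `readelf -s` on the binary) may still contain the `*_chk` functions that FS_cnt_checked counts; such a binary would be reported as N/A rather than fortified. If that is intended, a comment such as `# static binaries have no NEEDED entry and are reported as N/A` above the readelf -d check would make it explicit; otherwise the outer test could become `if [[ "${libc_found}" == "false" && "${FS_cnt_checked}" -eq 0 ]] || [[ "${FS_cnt_total}" -eq 0 ]]; then`. The block also mixes string comparison (`== "0"` on the libc_found/FS_cnt_total line and the FS_cnt_checked line) with `-eq` on the FS_cnt_checked/FS_cnt_total line; since these are all counts, `-eq` throughout would be consistent. The two chained greps can be collapsed to `grep -q 'NEEDED.*libc\.so'`. filecheck() begins and ends outside the hunk.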
14 changes: 7 additions & 7 deletions kernel_configs/build_kernel_configs.sh
Expand Up @@ -19,17 +19,17 @@ build_config() {
fi
}

#build configs for 3.x up to 3.18
for i in {1..18}; do
build_config 3.x 3 "$i"
done

#build configs for 4.x up to 4.19
for i in {0..19}; do
build_config 4.x 4 "$i"
done

#build configs for 5.x up to 5.10
for i in {1..10}; do
#build configs for 5.x up to 5.15
for i in {1..15}; do
build_config 5.x 5 "$i"
done

#build configs for 6.x up to 6.8
for i in {1..8}; do
build_config 6.x 6 "$i"
done
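Review bot: The new 6.x loop starts at 1, like the 3.x and 5.x loops, while the 4.x loop starts at 0, so the 6.0 (and 3.0, 5.0) configs are never built. If skipping the .0 releases is deliberate, a comment such as `# .0 releases intentionally skipped` on the loops would make that clear; otherwise `for i in {0..8}; do` would match the 4.x convention. build_config is defined above the hunk, so whether it handles a 0 minor version cannot be confirmed from here.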
