From 8732f7b6c92f9dcf37f3ab618e9daab0c52fc781 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Mon, 24 May 2021 11:10:54 +0800
Subject: [PATCH 1/4] scripts: LIEF 0.11.5

---
 contrib/gitian-descriptors/gitian-linux.yml | 2 +-
 contrib/gitian-descriptors/gitian-osx.yml | 2 +-
 contrib/gitian-descriptors/gitian-win.yml | 2 +-
 contrib/guix/manifest.scm | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/contrib/gitian-descriptors/gitian-linux.yml b/contrib/gitian-descriptors/gitian-linux.yml
index bed3531720c..e6dce7a8c66 100644
--- a/contrib/gitian-descriptors/gitian-linux.yml
+++ b/contrib/gitian-descriptors/gitian-linux.yml
@@ -99,7 +99,7 @@ script: |
 done
 }
 
- pip3 install lief==0.11.4
+ pip3 install lief==0.11.5
 
 # Faketime for depends so intermediate results are comparable
 export PATH_orig=${PATH}
diff --git a/contrib/gitian-descriptors/gitian-osx.yml b/contrib/gitian-descriptors/gitian-osx.yml
index 1d4506e3c27..a39618adb78 100644
--- a/contrib/gitian-descriptors/gitian-osx.yml
+++ b/contrib/gitian-descriptors/gitian-osx.yml
@@ -78,7 +78,7 @@ script: |
 done
 }
 
- pip3 install lief==0.11.4
+ pip3 install lief==0.11.5
 
 # Faketime for depends so intermediate results are comparable
 export PATH_orig=${PATH}
diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml
index 03eba71366d..ffe228a032e 100644
--- a/contrib/gitian-descriptors/gitian-win.yml
+++ b/contrib/gitian-descriptors/gitian-win.yml
@@ -86,7 +86,7 @@ script: |
 done
 }
 
- pip3 install lief==0.11.4
+ pip3 install lief==0.11.5
 
 # Faketime for depends so intermediate results are comparable
 export PATH_orig=${PATH}
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index d2bc789b60c..e4950c0e283 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -205,7 +205,7 @@ chain for " target " development."))
 (define-public lief
 (package
 (name "python-lief")
- (version "0.11.4")
+ (version "0.11.5")
 (source
 (origin
 (method git-fetch)
@@ -215,7 +215,7 @@ chain for " target " development."))
 (file-name (git-file-name name version))
 (sha256
 (base32
- "0h4kcwr9z478almjqhmils8imfpflzk0r7d05g4xbkdyknn162qf"))))
+ "0qahjfg1n0x76ps2mbyljvws1l3qhkqvmxqbahps4qgywl2hbdkj"))))
 (build-system python-build-system)
 (native-inputs
 `(("cmake" ,cmake)))

From 29615aef52d7f1a29a87a29dfe4d39bf0e9867f3 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Wed, 5 May 2021 15:59:09 +0800
Subject: [PATCH 2/4] scripts: check minimum required macOS vesion is set

We use a compile flag (-mmacosx-version-min) to set the minimum required version of macOS needed to run our binaries. This adds a sanity check that the version is being set as expected.

---
 contrib/devtools/symbol-check.py | 9 ++++++++-
 contrib/devtools/test-symbol-check.py | 15 ++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index d740a945607..5fab2b32852 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -212,6 +212,12 @@ def check_MACHO_libraries(filename) -> bool:
 ok = False
 return ok
 
+def check_MACHO_min_os(filename) -> bool:
+ binary = lief.parse(filename)
+ if binary.build_version.minos == [10,14,0]:
+ return True
+ return False
+
 def check_PE_libraries(filename) -> bool:
 ok: bool = True
 binary = lief.parse(filename)
@@ -228,7 +234,8 @@ CHECKS = {
 ('LIBRARY_DEPENDENCIES', check_ELF_libraries)
 ],
 'MACHO': [
- ('DYNAMIC_LIBRARIES', check_MACHO_libraries)
+ ('DYNAMIC_LIBRARIES', check_MACHO_libraries),
+ ('MIN_OS', check_MACHO_min_os),
 ],
 'PE' : [
 ('DYNAMIC_LIBRARIES', check_PE_libraries)
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index 106dfd2c5a3..7cbe55f91db 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
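Review bot: `check_MACHO_min_os` (the `@@ -212` hunk of symbol-check.py) reads `binary.build_version.minos` without first confirming that the binary carries a build-version load command. A Mach-O produced by a toolchain that records the deployment target some other way would, depending on how LIEF reports the missing command, raise here instead of producing a clean `failed MIN_OS`. A guard such as `if not binary.has_build_version: return False` ahead of the comparison keeps this sanity check fail-closed with a readable result. `check_MACHO_sdk`, added in patch 4/4, dereferences the same field and would want the same guard.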
@@ -98,7 +98,7 @@ class TestSymbolChecks(unittest.TestCase):
 
 self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat']),
 (1, 'libexpat.1.dylib is not in ALLOWED_LIBRARIES!\n' +
- executable + ': failed DYNAMIC_LIBRARIES'))
+ executable + ': failed DYNAMIC_LIBRARIES MIN_OS'))
 
 source = 'test2.c'
 executable = 'test2'
@@ -114,6 +114,19 @@ class TestSymbolChecks(unittest.TestCase):
 ''')
 
 self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics']),
+ (1, executable + ': failed MIN_OS'))
+
+ source = 'test3.c'
+ executable = 'test3'
+ with open(source, 'w', encoding="utf8") as f:
+ f.write('''
+ int main()
+ {
+ return 0;
+ }
+ ''')
+
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-mmacosx-version-min=10.14']),
 (0, ''))
 
 def test_PE(self):

From c972345bacd0cb01371b3f00941e81dce16278e1 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Wed, 5 May 2021 16:38:04 +0800
Subject: [PATCH 3/4] scripts: check minimum required Windows version is set

We use linker flags (-Wl,--major/minor-subsystem-version) to set the minimum required version of Windows needed to run our binaries. This adds a sanity check that the version is being set as expected.

---
 contrib/devtools/symbol-check.py | 11 ++++++++++-
 contrib/devtools/test-symbol-check.py | 18 ++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 5fab2b32852..aa189003c67 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -227,6 +227,14 @@ def check_PE_libraries(filename) -> bool:
 ok = False
 return ok
 
+def check_PE_subsystem_version(filename) -> bool:
+ binary = lief.parse(filename)
+ major: int = binary.optional_header.major_subsystem_version
+ minor: int = binary.optional_header.minor_subsystem_version
+ if major == 6 and minor == 1:
+ return True
+ return False
+
 CHECKS = {
 'ELF': [
 ('IMPORTED_SYMBOLS', check_imported_symbols),
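Review bot: The new expectations in the `@@ -98` and `@@ -114` hunks of test-symbol-check.py depend on the host toolchain's default deployment target, because `test1` and `test2` are compiled without `-mmacosx-version-min`. On a machine whose compiler defaults to 10.14 the `MIN_OS` check would pass and both assertions would fail. Passing an explicit non-matching value in those two calls, for example adding `'-mmacosx-version-min=10.13'` (value chosen only for illustration), would make the failing cases deterministic. The `SDK` expectations added to the same assertions in patch 4/4 depend on the host SDK in the same way.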
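Review bot: `check_PE_subsystem_version` compares against the bare literals `6` and `1` and returns `False` without saying what it found, so a failing build reports only `failed SUBSYSTEM_VERSION`. A comment such as `# 6.1 must match the -Wl,--major/minor-subsystem-version values passed at link time` would tie the numbers to the linker flags named in the commit message. Printing the observed `major` and `minor` before returning would follow what the library checks appear to do with the offending name, at the cost of one more line in the test expectations. The body can then end with `return major == 6 and minor == 1`. The two Mach-O version checks in this series are silent in the same way.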
@@ -238,7 +246,8 @@ CHECKS = {
 ('MIN_OS', check_MACHO_min_os),
 ],
 'PE' : [
- ('DYNAMIC_LIBRARIES', check_PE_libraries)
+ ('DYNAMIC_LIBRARIES', check_PE_libraries),
+ ('SUBSYSTEM_VERSION', check_PE_subsystem_version),
 ]
 }
 
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index 7cbe55f91db..f888621619e 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -145,12 +145,26 @@ class TestSymbolChecks(unittest.TestCase):
 }
 ''')
 
- self.assertEqual(call_symbol_check(cc, source, executable, ['-lpdh']),
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-lpdh', '-Wl,--major-subsystem-version', '-Wl,6', '-Wl,--minor-subsystem-version', '-Wl,1']),
 (1, 'pdh.dll is not in ALLOWED_LIBRARIES!\n' +
 executable + ': failed DYNAMIC_LIBRARIES'))
 
 source = 'test2.c'
 executable = 'test2.exe'
+
+ with open(source, 'w', encoding="utf8") as f:
+ f.write('''
+ int main()
+ {
+ return 0;
+ }
+ ''')
+
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,--major-subsystem-version', '-Wl,9', '-Wl,--minor-subsystem-version', '-Wl,9']),
+ (1, executable + ': failed SUBSYSTEM_VERSION'))
+
+ source = 'test3.c'
+ executable = 'test3.exe'
 with open(source, 'w', encoding="utf8") as f:
 f.write('''
 #include
@@ -162,7 +176,7 @@ class TestSymbolChecks(unittest.TestCase):
 }
 ''')
 
- self.assertEqual(call_symbol_check(cc, source, executable, ['-lole32']),
+ self.assertEqual(call_symbol_check(cc, source, executable, ['-lole32', '-Wl,--major-subsystem-version', '-Wl,6', '-Wl,--minor-subsystem-version', '-Wl,1']),
 (0, ''))
 
 

From aa80b5759dfa613780a99801641519dd78bb3eca Mon Sep 17 00:00:00 2001
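Review bot: The only failing subsystem-version case added in the `@@ -145` hunk of test-symbol-check.py links `test2.exe` with 9.9, which differs from the expected 6.1 in both fields. A check that regressed to comparing only `major` (or only `minor`) would still pass this suite. A further case that differs in a single field, for instance `'-Wl,--major-subsystem-version', '-Wl,6', '-Wl,--minor-subsystem-version', '-Wl,0'` expecting `failed SUBSYSTEM_VERSION`, would pin both halves of the comparison. `test_PE` begins above this hunk, so the surrounding setup is not visible here.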
From: fanquake
Date: Sun, 9 May 2021 16:18:53 +0800
Subject: [PATCH 4/4] scripts: check macOS SDK version is set

Clangs Darwin driver should infer the SDK version used during compilation, and forward that through to the linker. Add a check that this has been done, and the expected SDK version is set. Should help prevent issues like #21771 in future.

---
 contrib/devtools/symbol-check.py | 7 +++++++
 contrib/devtools/test-symbol-check.py | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index aa189003c67..7a5a42c5d2a 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -218,6 +218,12 @@ def check_MACHO_min_os(filename) -> bool:
 return True
 return False
 
+def check_MACHO_sdk(filename) -> bool:
+ binary = lief.parse(filename)
+ if binary.build_version.sdk == [10, 15, 6]:
+ return True
+ return False
+
 def check_PE_libraries(filename) -> bool:
 ok: bool = True
 binary = lief.parse(filename)
@@ -244,6 +250,7 @@ CHECKS = {
 'MACHO': [
 ('DYNAMIC_LIBRARIES', check_MACHO_libraries),
 ('MIN_OS', check_MACHO_min_os),
+ ('SDK', check_MACHO_sdk),
 ],
 'PE' : [
 ('DYNAMIC_LIBRARIES', check_PE_libraries),
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index f888621619e..6ce2fa35603 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -98,7 +98,7 @@ class TestSymbolChecks(unittest.TestCase):
 
 self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat']),
 (1, 'libexpat.1.dylib is not in ALLOWED_LIBRARIES!\n' +
- executable + ': failed DYNAMIC_LIBRARIES MIN_OS'))
+ f'{executable}: failed DYNAMIC_LIBRARIES MIN_OS SDK'))
 
 source = 'test2.c'
 executable = 'test2'
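Review bot: The expected SDK `[10, 15, 6]` in `check_MACHO_sdk` (the `@@ -218` hunk of symbol-check.py) is an inline literal with nothing to say where the authoritative value lives. It presumably mirrors the SDK the macOS build is configured to use, so an SDK bump has to be repeated here by hand, and a missed update surfaces only as `failed SDK`. A named module-level constant with a pointer to that setting, e.g. `EXPECTED_MACHO_SDK = [10, 15, 6]  # keep in sync with the SDK used by the macOS build`, would make the coupling visible. The `minos` literal in `check_MACHO_min_os` could be treated the same way.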
@@ -114,7 +114,7 @@ class TestSymbolChecks(unittest.TestCase):
 ''')
 
 self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics']),
- (1, executable + ': failed MIN_OS'))
+ (1, f'{executable}: failed MIN_OS SDK'))
 
 source = 'test3.c'
 executable = 'test3'
@@ -127,7 +127,7 @@ class TestSymbolChecks(unittest.TestCase):
 ''')
 
 self.assertEqual(call_symbol_check(cc, source, executable, ['-mmacosx-version-min=10.14']),
- (0, ''))
+ (1, f'{executable}: failed SDK'))
 
 def test_PE(self):
 source = 'test1.c'
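Review bot: After the `@@ -127` hunk, none of the macOS assertions visible in this series expects `(0, '')`, because `test3` changes from the success case to `failed SDK`. The passing path of the Mach-O checks is therefore no longer exercised, and a change that made `check_MACHO_sdk` always return `False` would go unnoticed by these tests. If the test host cannot be expected to produce a binary with the required SDK version, a short comment above the assertion, e.g. `# no success case: the host SDK is not expected to match`, would record why. The macOS test method starts above these hunks, so any other cases it holds are not visible here.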