import annobin-10.06-1.el8

2021-10-05 14:20:00 +00:00 · 2021-10-05 14:20:00 +00:00 · a620ef6c40
commit a620ef6c40
parent b04c9c4f90
7 changed files with 111 additions and 35 deletions
--- a/.annobin.metadata
+++ b/.annobin.metadata
@ -1 +1 @@
-8f065c03bd8a5b86e99a66cfc9caa28ea362793f SOURCES/annobin-9.65.tar.xz
+3286c3d821187e9d4d9373a100f89ad49368dd50 SOURCES/annobin-10.06.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/annobin-9.65.tar.xz
+SOURCES/annobin-10.06.tar.xz
--- a/SOURCES/annobin-aarch64-branch-protection.patch
+++ b/SOURCES/annobin-aarch64-branch-protection.patch
@ -0,0 +1,18 @@
+--- annobin.orig/gcc-plugin/aarch64.annobin.cc	2021-09-29 16:46:01.346694370 +0100
+++ annobin-10.06/gcc-plugin/aarch64.annobin.cc	2021-09-29 17:01:58.087076291 +0100
+@@ -42,6 +42,7 @@ annobin_get_target_pointer_size (void)
+   return 64;
+ }
+ 
+#ifdef aarch64_branch_protection_string
+ static void
+ record_branch_protection_note (bool is_global, annobin_function_info * info)
+ {
+@@ -70,6 +71,7 @@ record_branch_protection_note (bool is_g
+   annobin_output_note (buffer, len + 1, true, "string: -mbranch-protection status",
+ 		       is_global, info);
+ }
+#endif
+ 
+ void
+ annobin_record_global_target_notes (annobin_function_info * info)
--- a/SOURCES/annobin-glibc-test-skip-lto.patch
+++ b/SOURCES/annobin-glibc-test-skip-lto.patch
@ -0,0 +1,11 @@
+--- annobin.orig/tests/glibc-notes-test	2021-09-29 16:46:01.347694363 +0100
+++ annobin-10.06/tests/glibc-notes-test	2021-09-29 16:46:42.253411494 +0100
+@@ -44,7 +44,7 @@ $GCC -pie -Wl,-z,now hello.o hello2.o he
+ 
+ # Run annocheck
+ 
+-$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps --skip-entry --skip-dynamic-tags > glibc-notes.out
+$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps --skip-entry --skip-dynamic-tags --skip-lto > glibc-notes.out
+ grep -e "PASS" glibc-notes.out
+ if [ $? != 0 ];
+ then
--- a/SOURCES/annobin-nop.patch
+++ b/SOURCES/annobin-nop.patch
@ -0,0 +1,12 @@
+diff -rup annobin.orig/gcc-plugin/annobin.cc annobin-9.72/gcc-plugin/annobin.cc
+--- annobin.orig/gcc-plugin/annobin.cc	2021-05-17 17:25:32.693441649 +0100
+++ annobin-9.72/gcc-plugin/annobin.cc	2021-05-17 17:25:50.176331776 +0100
+@@ -1722,7 +1722,7 @@ annobin_emit_start_sym_and_version_note
+ 	 Ensure that we do not have empty special text sections so that the
+ 	 annobin start symbols are never beyond the end of the sections.  */
+       if (* suffix && enable_ppc64_nops)
+-	annobin_emit_asm (".nop", "Inserted by the annobin plugin.  Disable with -fplugin-arg-annobin-no-ppc64-nops");
+	annobin_emit_asm ("nop", "Inserted by the annobin plugin.  Disable with -fplugin-arg-annobin-no-ppc64-nops");
+     }
+   else
+     fprintf (asm_out_file, "\t.equiv %s%s, .\n", annobin_output_filesym, suffix);
--- a/SOURCES/annobin-skip-stack-prot.patch
+++ b/SOURCES/annobin-skip-stack-prot.patch
@ -1,31 +0,0 @@
-diff --git a/annocheck/hardened.c b/annocheck/hardened.c
-index d41c740..83645a7 100644
--- a/annocheck/hardened.c
-+++ b/annocheck/hardened.c
-@@ -3523,8 +3523,12 @@ finish (annocheck_data * data)
- 	    case TEST_STACK_PROT:
- 	      if (per_file.current_tool == TOOL_GO)
- 		skip (data, i, SOURCE_FINAL_SCAN, "GO is stack safe");
-+	      else if (per_file.seen_tools == TOOL_GAS
-+		       || (per_file.gcc_from_comment && per_file.seen_tools == (TOOL_GAS | TOOL_GCC)))
-+		skip (data, i, SOURCE_FINAL_SCAN, "no compiled code found");
- 	      else if (is_C_compiler (per_file.seen_tools))
-		maybe (data, i, SOURCE_FINAL_SCAN, "no valid notes found regarding this test");
-+		/* The skip is necessary because some glibc code is built this way.  */
-+		skip (data, i, SOURCE_FINAL_SCAN, "no notes found regarding this feature");
- 	      else
- 		skip (data, i, SOURCE_FINAL_SCAN, "not compiled code");
- 	      break;
-diff --git a/tests/glibc-notes-test b/tests/glibc-notes-test
-index ab9e639..8496af8 100755
--- a/tests/glibc-notes-test
-+++ b/tests/glibc-notes-test
-@@ -31,7 +31,7 @@ $GCC -pie -Wl,-z,now hello.o hello2.o hello3.o -L. -lhello -o glibc-notes.exe
- 
- # Run annocheck
- 
-$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --ignore-gaps > glibc-notes.out
-+$ANNOCHECK glibc-notes.exe --skip-cf-protection --skip-property-note --skip-stack-realign --ignore-gaps > glibc-notes.out
- grep -e "PASS" glibc-notes.out
- if [ $? != 0 ];
- then
--- a/SPECS/annobin.spec
+++ b/SPECS/annobin.spec
@ -1,7 +1,7 @@

 Name:    annobin
 Summary: Annotate and examine compiled binary files
-Version: 9.65
+Version: 10.06
 Release: 1%{?dist}
 License: GPLv3+
 # ProtocolURL: https://fedoraproject.org/wiki/Toolchain/Watermark
@ -55,7 +55,9 @@ Source:  annobin-%{version}.tar.xz
 # For the latest sources use:  git clone git://sourceware.org/git/annobin.git

 # Insert patches here, if needed.
-Patch01: annobin-skip-stack-prot.patch
+Patch01: annobin-nop.patch
+Patch02: annobin-glibc-test-skip-lto.patch
+Patch03: annobin-aarch64-branch-protection.patch

 #---------------------------------------------------------------------------------

@ -278,6 +280,7 @@ make -C llvm-plugin all CXXFLAGS="%{optflags} $BUILD_FLAGS"
 # Change the following line to "make check || :" on RHEL7 or if you need to see the
 # test suite logs in order to diagnose a test failure.
 make check
+
 if [ -f tests/test-suite.log ]; then
    cat tests/test-suite.log
 fi
@ -317,6 +320,69 @@ fi
 #---------------------------------------------------------------------------------

 %changelog
+* Wed Sep 29 2021 Nick Clifton <nickc@redhat.com> - 10.06-1
+- Rebase to 10.06.  (#2002351)
+- GCC Plugin: Fix detection of running inside the LTO compiler.  (#2004917)
+- Annocheck: Do not insist on the DT_AARCH64_PAC_PLT flag being present in AArch64 binaries.
+- Annocheck: With gaps at the start/end of the .text section, check for special symbols before displaying a MAYB result.
+- Annocheck: Do not set CFLAGS/LDFLAGS when building.  Take from environment instead.
+- Annocheck: Fix exit code when tests PASS.
+- Documentation: Add node for each hardening test.
+- Documentation: Install online.
+- Annocheck: Annote FAIL and MAYB results with URL to documentation
+- Annocheck: Add --no-urls and --provide-urls options
+- Annocheck: Add --help-<tool> option.
+- Annocheck: Fix fuzzing detected failures.
+- Annocheck: Add --profile option.
+- Docs: Document --profile option and rpminspect.yaml.
+- Annocheck: Skip GO/CET checks.  Fix fuzzing detected failures.
+- LLVM Plugin: Automatically choose the correct tests to run, based upon the version of Clang installed. (#1997444)
+- Annocheck: Fix memory corruption.  (#1996963)
+- Annocheck: Fix conditionalization of AArch64's PAC+BTI detection.
+- Annocheck: Add linker generated function for ppc64le exceptions.  (#1981410)
+- LLVM Plugin: Allow checks to be selected from the command line.
+- Annocheck: Examine DW_AT_producer for -flto.    
+- Annocheck: Conditionalize detection of AArch64's PAC+BTI protection.
+- Annocheck: Add linker generated function for s390x exceptions.  (#1981410)
+- Annocheck: Generate MAYB results for gaps in notes covering the .text section.  (#1991943)
+- Annocheck: Close DWARF file descriptors once the debug info is no longer needed.  (#1981410)
+- LLVM Plugin: Update to build with Clang v13.  (Thanks to: Tom Stellard <tstellar@redhat.com>)
+- Annocheck: Fix memory corruption.  (#1988715)
+- Annocheck: Skip certain tests for kernel modules.
+- Annocheck: Detect a missing CET note.  (#1991931)
+- Annocheck: Do not report future fails for AArch64 notes.
+- Annocheck: Warn about multiple --debug-file, --debug-rpm and --debug-dir options.
+- Annocheck: Process files in command line order.  (#1988714)
+- Annocheck: Reverse AArch64 PAC+BTI check, ie fail if they are enabled.  (#1984995)
+- Annocheck: Add another test exceptions.
+- Annocheck: Add some more test exceptions.
+- Tests: Skip glibc-notes test if the assembler does not support --generate-missing-build-notes.  (#1978573)
+- Tests: Skip objcopy test if objcopy does not support --merge-notes.
+- Annocheck: Fix spelling mistake in -mstack-realign failure message.  (#1977349)
+- gcc-plugin: Do not record global versions of stack protection settings in LTO mode, if not set.  (#1958954)
+- Annocheck: Remove limit on number of input files.
+- clang/llvm plugins: Build with correct security options.
+- Annocheck: Better detection of GO compiler version.
+- Annocheck: Better support for symbolic links.
+- Annocheck: In verbose mode, report the reason for skipping specific tests.  (#1969584)
+- Annocheck: Improve detection of shared libraries.  (#1958954)
+
+* Mon May 17 2021 Nick Clifton <nickc@redhat.com> - 9.72-1
+- Rebase to 9.72.  (#1960299)
+- annocheck: Accept 0 as a valid number for gcc minor versions and release numbers.
+- gcc-plugin: Add support for ARM and RISCV targets.
+- timing: do not initialise the clock if the timing tool is disabled.
+- gcc-plugin: Replace ICE messsages with verbose messages.
+- Fix the testsuite so that it can be run in parallel.
+- Annocheck: WARN if the annobin plugin was built for a newer version of the compiler than the one on which it was run.  (#1950657)
+- Annocheck: Improve detection of missing GNU-stack support.
+- Correct a package rename (bug #1949570)
+- Require docs subpackage by the other ones because of a license
+- Build-requiring perl-interpreter is enough
+- Fix bz1949570
+- Fix anomolies reported by covscan.
+- Move documentation into a sub-package.
+
 * Wed Mar 17 2021 Nick Clifton <nickc@redhat.com> - 9.65-1
 - gcc-plugin: Use a fixed filename when running in LTO mode.