* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
@ 2014-08-20 13:06 Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths Thomas Petazzoni
                   ` (12 more replies)
  0 siblings, 13 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

Hello,

This series is a respin of the patch I sent a long time ago to improve
the external toolchain wrapper to warn/error when unsafe library or
header paths are used.

This series extends this significantly by:

 - Making sure the external toolchain wrapper logic will work even if
   Buildroot is built from /usr. To do this, we assume only
   /usr/include and /usr/local/include are unsafe header paths, and
   /usr/lib and /usr/local/lib are unsafe library paths. Other
   locations in /usr are assumed to be safe.

 - Covering the internal toolchain backend as well, by
   borrowing/adapting gcc and binutils patches from
   CodeSourcery/Yocto. The compiler and linker directly check for
   unsafe paths in -I/-L options.

 - Adding a Config.in option to control the usage of this
   mechanism. When the option is disabled, only warnings are
   emitted. When the option is enabled, any unsafe header or library
   path will make the compilation fail.

Of course, this series is not meant for 2014.08, but for 2014.11.

Feedback welcome,

Thanks!

Thomas

Thomas Petazzoni (12):
  toolchain-external: instrument wrapper to warn about unsafe paths
  binutils/2.24: add patch to warn about unsafe library paths
  binutils/2.23: add patch to warn about unsafe library paths
  binutils/2.22: add patch to warn about unsafe library paths
  binutils/arc-4.8-R3: add patch to warn about unsafe library paths
  gcc/4.9: add patch to warn about unsafe header paths
  gcc/4.8: add patch to warn about unsafe header paths
  gcc/arc-4.8-R3: add patch to warn about unsafe header paths
  gcc/4.7: add patch to warn about unsafe header paths
  gcc: enable poison system directories option
  binutils: enable poison system directories option
  Add option for paranoid unsafe path checking

 Config.in                                          |  20 ++
 package/Makefile.in                                |   4 +
 .../2.22/600-poison-system-directories.patch       | 274 ++++++++++++++++++++
 .../2.23.2/600-poison-system-directories.patch     | 279 +++++++++++++++++++++
 .../2.24/600-poison-system-directories.patch       | 279 +++++++++++++++++++++
 .../arc-4.8-R3/600-poison-system-directories.patch | 279 +++++++++++++++++++++
 package/binutils/binutils.mk                       |   1 +
 .../4.7.4/910-gcc-poison-system-directories.patch  | 207 +++++++++++++++
 .../4.8.3/910-gcc-poison-system-directories.patch  | 207 +++++++++++++++
 .../4.9.1/910-gcc-poison-system-directories.patch  | 207 +++++++++++++++
 .../910-gcc-poison-system-directories.patch        | 221 ++++++++++++++++
 package/gcc/gcc-final/gcc-final.mk                 |   1 +
 .../toolchain-external/ext-toolchain-wrapper.c     |  49 ++++
 13 files changed, 2028 insertions(+)
 create mode 100644 package/binutils/2.22/600-poison-system-directories.patch
 create mode 100644 package/binutils/2.23.2/600-poison-system-directories.patch
 create mode 100644 package/binutils/2.24/600-poison-system-directories.patch
 create mode 100644 package/binutils/arc-4.8-R3/600-poison-system-directories.patch
 create mode 100644 package/gcc/4.7.4/910-gcc-poison-system-directories.patch
 create mode 100644 package/gcc/4.8.3/910-gcc-poison-system-directories.patch
 create mode 100644 package/gcc/4.9.1/910-gcc-poison-system-directories.patch
 create mode 100644 package/gcc/arc-4.8-R3/910-gcc-poison-system-directories.patch

-- 
2.0.0
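
The path policy described in the cover letter above, as an added example that is not code from this series: it scans a compiler command line for -I/-L options in both the joined and the separated form and flags the four unsafe directories. Matching on whole path components and the names `path_is_unsafe` and `count_unsafe_args` are assumptions of this example; `BR_COMPILER_PARANOID_UNSAFE_PATH` is the variable used in the patches, and the sample command line is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe header/library directories listed in the cover letter. */
static const char *const unsafe_dirs[] = {
	"/usr/include", "/usr/local/include", "/usr/lib", "/usr/local/lib", NULL,
};

/* Return 1 if path is one of the unsafe directories or lies below one.
 * Assumption of this example: matching is per path component, so
 * /usr/libexec is not treated as /usr/lib. Paths are compared as
 * written, without resolving ".." or symlinks. */
int path_is_unsafe(const char *path)
{
	const char *const *d;
	size_t n;

	if (path == NULL)
		return 0;
	for (d = unsafe_dirs; *d != NULL; d++) {
		n = strlen(*d);
		if (strncmp(path, *d, n) == 0 &&
		    (path[n] == '\0' || path[n] == '/'))
			return 1;
	}
	return 0;
}

/* Count unsafe -I/-L paths in argv. Each hit is reported on log when
 * log is not NULL. Handles "-Idir" and "-I dir", and ignores a bare
 * -I or -L that is the last argument. */
int count_unsafe_args(int argc, char **argv, FILE *log)
{
	const char *path;
	int i, hits = 0;

	for (i = 1; i < argc; i++) {
		if (strncmp(argv[i], "-I", 2) != 0 &&
		    strncmp(argv[i], "-L", 2) != 0)
			continue;
		if (argv[i][2] != '\0')
			path = argv[i] + 2;	/* joined form: -I/dir */
		else if (i + 1 < argc)
			path = argv[++i];	/* separated form: -I /dir */
		else
			continue;		/* trailing bare option */
		if (path_is_unsafe(path)) {
			hits++;
			if (log != NULL)
				fprintf(log, "unsafe header/library path used "
					"in cross-compilation: '%s'\n", path);
		}
	}
	return hits;
}

int main(void)
{
	/* Constructed sample command line. */
	char *sample[] = {
		"cc", "-I/usr/include", "-L", "/usr/local/lib",
		"-I", "/usr/libexec/foo", "-O2", "-I",
	};
	const char *env = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
	int paranoid = (env != NULL && env[0] != '\0');
	int hits = count_unsafe_args(8, sample, stderr);

	fprintf(stderr, "%s: %d unsafe path(s)\n",
		paranoid ? "ERROR" : "WARNING", hits);
	/* Fail the build only in paranoid mode. */
	return (paranoid && hits > 0) ? 1 : 0;
}
```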


* [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-09-10 19:42   ` Yann E. MORIN
  2014-08-20 13:06 ` [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths Thomas Petazzoni
                   ` (11 subsequent siblings)
  12 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

The CodeSourcery toolchains have a very interesting feature: they warn
the user when an unsafe header or library path is used, i.e. a path
that will lead host headers or libraries to leak into the build.

This commit adds a similar functionality into our external toolchain
wrapper, so that it can be used with all external toolchains, and can
also be tuned as needed. By default, the external toolchain wrapper
now gives warnings such as:

  WARNING: unsafe header/library path used in cross-compilation: '-I /usr/foo'
  WARNING: unsafe header/library path used in cross-compilation: '-L /usr/bleh'

but the compilation continues successfully. One can then easily grep
in his build log to search for occurrences of this message.

Optionally, if BR_PARANOID_WRAPPER is defined in the environment to a
non-empty value, the external wrapper will instead error out and abort
the compilation. We could then one day imagine setting this
BR_PARANOID_WRAPPER in the autobuilders.

A similar change could be made to the internal toolchain backend
either by making it use a wrapper like the external toolchain one, or
by adding some patches to gcc, by borrowing the changes made by the
CodeSourcery people.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
Changes since v1:

 * Instead of testing if paths start with /usr, test for
   /usr/include, /usr/lib, /usr/local/include and /usr/local/lib. This
   allows supporting Buildroot builds in /usr (but of course not in
   any of those "unsafe" paths). Requested by Thomas DS.

 * Only error out if BR_PARANOID_WRAPPER has a non-empty
   value. Requested by Yann.

Remaining questions:

 * Shouldn't this be a Config.in option instead? The reasoning is that
   if we leave it as an environment variable, which gets set by the
   autobuilder script, it will not be visible in the .config file
   reported by the autobuilders. Therefore, if one simply takes the
   failed autobuilder configuration, and tries to build it while
   forgetting to pass BR_PARANOID_WRAPPER, one will get a different
   behavior. This is potentially annoying for failures inside
   configure scripts, for which the build output is hidden inside
   config.log.

 * I'm not sure about the name of the variable, maybe it should be:
   BR_COMPILER_WARN_UNSAFE_PATHS. This way, we could use the same
   variable name for the gcc patches to be used for the internal
   toolchain backend. It is also a bit more coherent in the sense that
   the user doesn't really need to know there's a wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../toolchain-external/ext-toolchain-wrapper.c     | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/toolchain/toolchain-external/ext-toolchain-wrapper.c b/toolchain/toolchain-external/ext-toolchain-wrapper.c
index 8db4ac4..16faa5c 100644
--- a/toolchain/toolchain-external/ext-toolchain-wrapper.c
+++ b/toolchain/toolchain-external/ext-toolchain-wrapper.c
@@ -70,6 +70,24 @@ static char *predef_args[] = {
 #endif
 };
 
+static void check_unsafe_path(const char *path, int paranoid)
+{
+	char **c;
+	char *unsafe_paths[] = {
+		"/usr/include", "/usr/lib", "/usr/local/include", "/usr/local/lib", NULL,
+	};
+
+	for (c = unsafe_paths; *c != NULL; c++) {
+		if (!strncmp(path, *c, strlen(*c))) {
+			fprintf(stderr, "%s: unsafe header/library path used in cross-compilation: '%s'\n",
+				paranoid ? "ERROR" : "WARNING", path);
+			if (paranoid)
+				exit(1);
+			continue;
+		}
+	}
+}
+
 int main(int argc, char **argv)
 {
 	char **args, **cur;
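
Review bot: In check_unsafe_path(), the test strncmp(path, *c, strlen(*c)) is a plain string-prefix match, so "/usr/lib" also matches "/usr/libexec/..." and "/usr/include" also matches "/usr/include-foo". If the wider match is intended, a comment should say so; otherwise also require that path[strlen(*c)] is '\0' or '/'. The `continue;` is the last statement of the loop body and can be dropped, and unsafe_paths can be static const. The message prints only the path, while the example in the commit message shows the option as well ('-I /usr/foo'); and with this list '/usr/foo' and '/usr/bleh' would no longer be reported, so the example output should be updated.
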
@@ -77,6 +95,8 @@ int main(int argc, char **argv)
 	char *progpath = argv[0];
 	char *basename;
 	char *env_debug;
+	char *paranoid_wrapper;
+	int paranoid;
 	int ret, i, count = 0, debug;
 
 	/* Calculate the relative paths */
@@ -178,6 +198,35 @@ int main(int argc, char **argv)
 	}
 #endif /* ARCH || TUNE || CPU */
 
+	paranoid_wrapper = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
+	if (paranoid_wrapper && strlen(paranoid_wrapper) > 0)
+		paranoid = 1;
+	else
+		paranoid = 0;
+
+
+	/* Check for unsafe library and header paths */
+	for (i = 1; i < argc; i++) {
+
+		/* Skip options that do not start with -I and -L */
+		if (strncmp(argv[i], "-I", 2) && strncmp(argv[i], "-L", 2))
+			continue;
+
+		/* We handle two cases: first the case where -I/-L and
+		 * the path are separated by one space and therefore
+		 * visible as two separate options, and then the case
+		 * where they are stuck together forming one single
+		 * option.
+		 */
+		if (strlen(argv[i]) == 2) {
+			if (i == argc)
+				continue;
+			check_unsafe_path(argv[i+1], paranoid);
+		} else {
+			check_unsafe_path(argv[i] + 2, paranoid);
+		}
+	}
+
 	/* append forward args */
 	memcpy(cur, &argv[1], sizeof(char *) * (argc - 1));
 	cur += argc - 1;
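
Review bot: In the separated -I/-L case, the guard `if (i == argc)` can never be true inside `for (i = 1; i < argc; i++)`, so a bare -I or -L as the last argument passes argv[argc], which is NULL, to check_unsafe_path() and on to strncmp(). The test should be `if (i + 1 == argc)`. The variable read here is BR_COMPILER_PARANOID_UNSAFE_PATH, while the commit message documents BR_PARANOID_WRAPPER; the message should name the variable the code uses. There is also a doubled blank line before the "Check for unsafe library and header paths" comment.
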
-- 
2.0.0


* [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-09-10 19:52   ` Yann E. MORIN
  2014-08-20 13:06 ` [Buildroot] [PATCH 03/12] binutils/2.23: " Thomas Petazzoni
                   ` (10 subsequent siblings)
  12 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to binutils borrowed from CodeSourcery/Yocto
that warns about unsafe library paths (i.e. /usr/lib, /usr/local/lib,
etc.). The patch was adapted to binutils 2.24, and modified to support
the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable to error out
instead of just warn when unsafe paths are used. Even though erroring
out can be chosen by passing --error-poison-system-directories, we are
not sure this option in LDFLAGS will always be passed, so having an
environment variable guarantees it will always be passed, and also
allows having an identical behavior to the external toolchain
wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../2.24/600-poison-system-directories.patch       | 279 +++++++++++++++++++++
 1 file changed, 279 insertions(+)
 create mode 100644 package/binutils/2.24/600-poison-system-directories.patch

diff --git a/package/binutils/2.24/600-poison-system-directories.patch b/package/binutils/2.24/600-poison-system-directories.patch
new file mode 100644
index 0000000..d5dcee4
--- /dev/null
+++ b/package/binutils/2.24/600-poison-system-directories.patch
@@ -0,0 +1,279 @@
+Patch adapted to binutils 2.23.2 and extended to use
+BR_COMPILER_PARANOID_UNSAFE_PATH by Thomas Petazzoni.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+
+Patch originally created by Mark Hatle, forward-ported to
+binutils 2.21 by Scott Garman.
+
+purpose:  warn for uses of system directories when cross linking
+
+Code Merged from Sourcery G++ binutils 2.19 - 4.4-277
+
+2008-07-02  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * ld.h (args_type): Add error_poison_system_directories.
+    * ld.texinfo (--error-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.error_poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.error_poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_ERROR_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --error-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-06-13  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * config.in: Regenerate.
+    * ld.h (args_type): Add poison_system_directories.
+    * ld.texinfo (--no-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_NO_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --no-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-04-20  Joseph Myers  <joseph@codesourcery.com>
+
+    Merge from Sourcery G++ binutils 2.17:
+
+    2007-03-20  Joseph Myers  <joseph@codesourcery.com>
+    Based on patch by Mark Hatle <mark.hatle@windriver.com>.
+    ld/
+    * configure.in (--enable-poison-system-directories): New option.
+    * configure, config.in: Regenerate.
+    * ldfile.c (ldfile_add_library_path): If
+    ENABLE_POISON_SYSTEM_DIRECTORIES defined, warn for use of /lib,
+    /usr/lib, /usr/local/lib or /usr/X11R6/lib.
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
+Index: b/ld/config.in
+===================================================================
+--- a/ld/config.in
++++ b/ld/config.in
+@@ -11,6 +11,9 @@
+    language is requested. */
+ #undef ENABLE_NLS
+ 
++/* Define to warn for use of native system library directories */
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++
+ /* Additional extension a shared object might have. */
+ #undef EXTRA_SHLIB_EXTENSION
+ 
+Index: b/ld/configure
+===================================================================
+--- a/ld/configure
++++ b/ld/configure
+@@ -774,6 +774,7 @@
+ enable_targets
+ enable_64_bit_bfd
+ with_sysroot
++enable_poison_system_directories
+ enable_gold
+ enable_got
+ enable_werror
+@@ -1429,6 +1430,8 @@
+ 			  (and sometimes confusing) to the casual installer
+   --enable-targets        alternative target configurations
+   --enable-64-bit-bfd     64-bit support (on hosts with narrower word sizes)
++  --enable-poison-system-directories
++                          warn for use of native system library directories
+   --enable-gold[=ARG]     build gold [ARG={default,yes,no}]
+   --enable-got=<type>     GOT handling scheme (target, single, negative,
+                           multigot)
+@@ -4339,7 +4342,18 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
+ 
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
+ 
+ # Check whether --enable-got was given.
+ if test "${enable_got+set}" = set; then :
+Index: b/ld/configure.in
+===================================================================
+--- a/ld/configure.in
++++ b/ld/configure.in
+@@ -87,6 +87,16 @@
+ AC_SUBST(TARGET_SYSTEM_ROOT)
+ AC_SUBST(TARGET_SYSTEM_ROOT_DEFINE)
+ 
++AC_ARG_ENABLE([poison-system-directories],
++         AS_HELP_STRING([--enable-poison-system-directories],
++                [warn for use of native system library directories]),,
++         [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++       [1],
++       [Define to warn for use of native system library directories])
++fi
++
+ dnl Use --enable-gold to decide if this linker should be the default.
+ dnl "install_as_default" is set to false if gold is the default linker.
+ dnl "installed_linker" is the installed BFD linker name.
+Index: b/ld/ldfile.c
+===================================================================
+--- a/ld/ldfile.c
++++ b/ld/ldfile.c
+@@ -116,6 +116,23 @@
+     new_dirs->name = concat (ld_sysroot, name + 1, (const char *) NULL);
+   else
+     new_dirs->name = xstrdup (name);
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (command_line.poison_system_directories
++  && ((!strncmp (name, "/lib", 4))
++      || (!strncmp (name, "/usr/lib", 8))
++      || (!strncmp (name, "/usr/local/lib", 14))
++      || (!strncmp (name, "/usr/X11R6/lib", 14))))
++   {
++     if (command_line.error_poison_system_directories)
++       einfo (_("%X%P: error: library search path \"%s\" is unsafe for "
++            "cross-compilation\n"), name);
++     else
++       einfo (_("%P: warning: library search path \"%s\" is unsafe for "
++            "cross-compilation\n"), name);
++   }
++#endif
++
+ }
+ 
+ /* Try to open a BFD for a lang_input_statement.  */
+Index: b/ld/ld.h
+===================================================================
+--- a/ld/ld.h
++++ b/ld/ld.h
+@@ -180,6 +180,14 @@
+   /* If TRUE we'll just print the default output on stdout.  */
+   bfd_boolean print_output_format;
+ 
++  /* If TRUE (the default) warn for uses of system directories when
++     cross linking.  */
++  bfd_boolean poison_system_directories;
++
++  /* If TRUE (default FALSE) give an error for uses of system
++     directories when cross linking instead of a warning.  */
++  bfd_boolean error_poison_system_directories;
++
+   /* Big or little endian as set on command line.  */
+   enum endian_enum endian;
+ 
+Index: b/ld/ldmain.c
+===================================================================
+--- a/ld/ldmain.c
++++ b/ld/ldmain.c
+@@ -266,6 +266,8 @@
+   command_line.warn_mismatch = TRUE;
+   command_line.warn_search_mismatch = TRUE;
+   command_line.check_section_addresses = -1;
++  command_line.poison_system_directories = TRUE;
++  command_line.error_poison_system_directories = FALSE;
+ 
+   /* We initialize DEMANGLING based on the environment variable
+      COLLECT_NO_DEMANGLE.  The gcc collect2 program will demangle the
+Index: b/ld/ld.texinfo
+===================================================================
+--- a/ld/ld.texinfo
++++ b/ld/ld.texinfo
+@@ -2175,6 +2175,18 @@
+ 
+ Passing @code{none} for @var{style} disables the setting from any
+ @code{--build-id} options earlier on the command line.
++
++ at kindex --no-poison-system-directories
++ at item --no-poison-system-directories
++Do not warn for @option{-L} options using system directories such as
++ at file{/usr/lib} when cross linking.  This option is intended for use
++in chroot environments when such directories contain the correct
++libraries for the target system rather than the host.
++
++ at kindex --error-poison-system-directories
++ at item --error-poison-system-directories
++Give an error instead of a warning for @option{-L} options using
++system directories when cross linking.
+ @end table
+ 
+ @c man end
+Index: b/ld/lexsup.c
+===================================================================
+--- a/ld/lexsup.c
++++ b/ld/lexsup.c
+@@ -507,6 +507,14 @@
+     OPTION_IGNORE_UNRESOLVED_SYMBOL},
+     '\0', N_("SYMBOL"),
+     N_("Unresolved SYMBOL will not cause an error or warning"), TWO_DASHES },
++  { {"no-poison-system-directories", no_argument, NULL,
++     OPTION_NO_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Do not warn for -L options using system directories"),
++    TWO_DASHES },
++  { {"error-poison-system-directories", no_argument, NULL,
++    +     OPTION_ERROR_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Give an error for -L options using system directories"),
++    TWO_DASHES },
+ };
+ 
+ #define OPTION_COUNT ARRAY_SIZE (ld_options)
+@@ -519,6 +527,7 @@
+   int ingroup = 0;
+   char *default_dirlist = NULL;
+   char *shortopts;
++  char *temp;
+   struct option *longopts;
+   struct option *really_longopts;
+   int last_optind;
+@@ -1442,9 +1451,21 @@
+               einfo (_("%P%X: --hash-size needs a numeric argument\n"));
+           }
+           break;
++
++   case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
++     command_line.poison_system_directories = FALSE;
++     break;
++
++   case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
++     command_line.error_poison_system_directories = TRUE;
++     break;
+ 	}
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    command_line.error_poison_system_directories = TRUE;
++
+   while (ingroup)
+     {
+       lang_leave_group ();
+Index: b/ld/ldlex.h
+===================================================================
+--- a/ld/ldlex.h
++++ b/ld/ldlex.h
+@@ -138,6 +138,8 @@
+   OPTION_DEFAULT_SCRIPT,
+   OPTION_PRINT_OUTPUT_FORMAT,
+   OPTION_IGNORE_UNRESOLVED_SYMBOL,
++  OPTION_NO_POISON_SYSTEM_DIRECTORIES,
++  OPTION_ERROR_POISON_SYSTEM_DIRECTORIES,
+ };
+ 
+ /* The initial parser states.  */
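
Review bot: In the lexsup.c part of the embedded patch, the "error-poison-system-directories" entry has a stray `+` in front of OPTION_ERROR_POISON_SYSTEM_DIRECTORIES (the 2.23.2 copy of this patch in 03/12 does not have it); it looks like a rebase leftover and should be removed. The description at the top of the file still says "Patch adapted to binutils 2.23.2" although the file is added under 2.24/ and the commit message says it was adapted to 2.24. The BR_COMPILER_PARANOID_UNSAFE_PATH check added to parse_args is not mentioned in the ld.texinfo text, so a user reading the ld documentation has no way to learn why warnings became errors.
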
-- 
2.0.0


* [Buildroot] [PATCH 03/12] binutils/2.23: add patch to warn about unsafe library paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 04/12] binutils/2.22: " Thomas Petazzoni
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to binutils borrowed from CodeSourcery/Yocto
that warns about unsafe library paths (i.e. /usr/lib, /usr/local/lib,
etc.). The patch was adapted to binutils 2.23, and modified to support
the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable to error out
instead of just warn when unsafe paths are used. Even though erroring
out can be chosen by passing --error-poison-system-directories, we are
not sure this option in LDFLAGS will always be passed, so having an
environment variable guarantees it will always be passed, and also
allows having an identical behavior to the external toolchain
wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../2.23.2/600-poison-system-directories.patch     | 279 +++++++++++++++++++++
 1 file changed, 279 insertions(+)
 create mode 100644 package/binutils/2.23.2/600-poison-system-directories.patch

diff --git a/package/binutils/2.23.2/600-poison-system-directories.patch b/package/binutils/2.23.2/600-poison-system-directories.patch
new file mode 100644
index 0000000..f67b378
--- /dev/null
+++ b/package/binutils/2.23.2/600-poison-system-directories.patch
@@ -0,0 +1,279 @@
+Patch adapted to binutils 2.23.2 and extended to use
+BR_COMPILER_PARANOID_UNSAFE_PATH by Thomas Petazzoni.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+
+Patch originally created by Mark Hatle, forward-ported to
+binutils 2.21 by Scott Garman.
+
+purpose:  warn for uses of system directories when cross linking
+
+Code Merged from Sourcery G++ binutils 2.19 - 4.4-277
+
+2008-07-02  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * ld.h (args_type): Add error_poison_system_directories.
+    * ld.texinfo (--error-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.error_poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.error_poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_ERROR_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --error-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-06-13  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * config.in: Regenerate.
+    * ld.h (args_type): Add poison_system_directories.
+    * ld.texinfo (--no-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_NO_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --no-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-04-20  Joseph Myers  <joseph@codesourcery.com>
+
+    Merge from Sourcery G++ binutils 2.17:
+
+    2007-03-20  Joseph Myers  <joseph@codesourcery.com>
+    Based on patch by Mark Hatle <mark.hatle@windriver.com>.
+    ld/
+    * configure.in (--enable-poison-system-directories): New option.
+    * configure, config.in: Regenerate.
+    * ldfile.c (ldfile_add_library_path): If
+    ENABLE_POISON_SYSTEM_DIRECTORIES defined, warn for use of /lib,
+    /usr/lib, /usr/local/lib or /usr/X11R6/lib.
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
+Index: b/ld/config.in
+===================================================================
+--- a/ld/config.in
++++ b/ld/config.in
+@@ -11,6 +11,9 @@
+    language is requested. */
+ #undef ENABLE_NLS
+ 
++/* Define to warn for use of native system library directories */
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++
+ /* Additional extension a shared object might have. */
+ #undef EXTRA_SHLIB_EXTENSION
+ 
+Index: b/ld/configure
+===================================================================
+--- a/ld/configure
++++ b/ld/configure
+@@ -773,6 +773,7 @@
+ enable_targets
+ enable_64_bit_bfd
+ with_sysroot
++enable_poison_system_directories
+ enable_gold
+ enable_got
+ enable_werror
+@@ -1428,6 +1429,8 @@
+ 			  (and sometimes confusing) to the casual installer
+   --enable-targets        alternative target configurations
+   --enable-64-bit-bfd     64-bit support (on hosts with narrower word sizes)
++  --enable-poison-system-directories
++                          warn for use of native system library directories
+   --enable-gold[=ARG]     build gold [ARG={default,yes,no}]
+   --enable-got=<type>     GOT handling scheme (target, single, negative,
+                           multigot)
+@@ -4338,7 +4341,18 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
+ 
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
+ 
+ # Check whether --enable-got was given.
+ if test "${enable_got+set}" = set; then :
+Index: b/ld/configure.in
+===================================================================
+--- a/ld/configure.in
++++ b/ld/configure.in
+@@ -70,6 +70,16 @@
+ AC_SUBST(TARGET_SYSTEM_ROOT)
+ AC_SUBST(TARGET_SYSTEM_ROOT_DEFINE)
+ 
++AC_ARG_ENABLE([poison-system-directories],
++         AS_HELP_STRING([--enable-poison-system-directories],
++                [warn for use of native system library directories]),,
++         [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++       [1],
++       [Define to warn for use of native system library directories])
++fi
++
+ dnl Use --enable-gold to decide if this linker should be the default.
+ dnl "install_as_default" is set to false if gold is the default linker.
+ dnl "installed_linker" is the installed BFD linker name.
+Index: b/ld/ldfile.c
+===================================================================
+--- a/ld/ldfile.c
++++ b/ld/ldfile.c
+@@ -116,6 +116,23 @@
+     new_dirs->name = concat (ld_sysroot, name + 1, (const char *) NULL);
+   else
+     new_dirs->name = xstrdup (name);
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (command_line.poison_system_directories
++  && ((!strncmp (name, "/lib", 4))
++      || (!strncmp (name, "/usr/lib", 8))
++      || (!strncmp (name, "/usr/local/lib", 14))
++      || (!strncmp (name, "/usr/X11R6/lib", 14))))
++   {
++     if (command_line.error_poison_system_directories)
++       einfo (_("%X%P: error: library search path \"%s\" is unsafe for "
++            "cross-compilation\n"), name);
++     else
++       einfo (_("%P: warning: library search path \"%s\" is unsafe for "
++            "cross-compilation\n"), name);
++   }
++#endif
++
+ }
+ 
+ /* Try to open a BFD for a lang_input_statement.  */
+Index: b/ld/ld.h
+===================================================================
+--- a/ld/ld.h
++++ b/ld/ld.h
+@@ -203,6 +203,14 @@
+   /* If TRUE we'll just print the default output on stdout.  */
+   bfd_boolean print_output_format;
+ 
++  /* If TRUE (the default) warn for uses of system directories when
++     cross linking.  */
++  bfd_boolean poison_system_directories;
++
++  /* If TRUE (default FALSE) give an error for uses of system
++     directories when cross linking instead of a warning.  */
++  bfd_boolean error_poison_system_directories;
++
+   /* Big or little endian as set on command line.  */
+   enum endian_enum endian;
+ 
+Index: b/ld/ldmain.c
+===================================================================
+--- a/ld/ldmain.c
++++ b/ld/ldmain.c
+@@ -265,6 +265,8 @@
+   command_line.warn_search_mismatch = TRUE;
+   command_line.check_section_addresses = -1;
+   command_line.disable_target_specific_optimizations = -1;
++  command_line.poison_system_directories = TRUE;
++  command_line.error_poison_system_directories = FALSE;
+ 
+   /* We initialize DEMANGLING based on the environment variable
+      COLLECT_NO_DEMANGLE.  The gcc collect2 program will demangle the
+Index: b/ld/ld.texinfo
+===================================================================
+--- a/ld/ld.texinfo
++++ b/ld/ld.texinfo
+@@ -2154,6 +2154,18 @@
+ 
+ Passing @code{none} for @var{style} disables the setting from any
+ @code{--build-id} options earlier on the command line.
++
++ at kindex --no-poison-system-directories
++ at item --no-poison-system-directories
++Do not warn for @option{-L} options using system directories such as
++ at file{/usr/lib} when cross linking.  This option is intended for use
++in chroot environments when such directories contain the correct
++libraries for the target system rather than the host.
++
++ at kindex --error-poison-system-directories
++ at item --error-poison-system-directories
++Give an error instead of a warning for @option{-L} options using
++system directories when cross linking.
+ @end table
+ 
+ @c man end
+Index: b/ld/lexsup.c
+===================================================================
+--- a/ld/lexsup.c
++++ b/ld/lexsup.c
+@@ -498,6 +498,14 @@
+     TWO_DASHES },
+   { {"wrap", required_argument, NULL, OPTION_WRAP},
+     '\0', N_("SYMBOL"), N_("Use wrapper functions for SYMBOL"), TWO_DASHES },
++  { {"no-poison-system-directories", no_argument, NULL,
++     OPTION_NO_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Do not warn for -L options using system directories"),
++    TWO_DASHES },
++  { {"error-poison-system-directories", no_argument, NULL,
++     OPTION_ERROR_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Give an error for -L options using system directories"),
++    TWO_DASHES },
+ };
+ 
+ #define OPTION_COUNT ARRAY_SIZE (ld_options)
+@@ -510,6 +518,7 @@
+   int ingroup = 0;
+   char *default_dirlist = NULL;
+   char *shortopts;
++  char *temp;
+   struct option *longopts;
+   struct option *really_longopts;
+   int last_optind;
+@@ -1427,9 +1436,21 @@
+               einfo (_("%P%X: --hash-size needs a numeric argument\n"));
+           }
+           break;
++
++   case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
++     command_line.poison_system_directories = FALSE;
++     break;
++
++   case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
++     command_line.error_poison_system_directories = TRUE;
++     break;
+ 	}
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    command_line.error_poison_system_directories = TRUE;
++
+   while (ingroup)
+     {
+       lang_leave_group ();
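Review bot: the BR_COMPILER_PARANOID_UNSAFE_PATH check after the option loop only sets error_poison_system_directories, so a --no-poison-system-directories that arrives through a package's LDFLAGS still clears poison_system_directories in the case above and wins over the environment variable. If the path check is gated on poison_system_directories first (as the ldfile.c hunks of the 2.22 and arc-4.8-R3 variants of this patch are), paranoid mode is silently off for that link. Since the commit message gives guaranteed enforcement as the reason for the variable, consider forcing poison_system_directories back to TRUE here as well, or state in the patch header that --no-poison-system-directories takes precedence.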
+Index: b/ld/ldlex.h
+===================================================================
+--- a/ld/ldlex.h
++++ b/ld/ldlex.h
+@@ -136,6 +136,8 @@
+ #endif /* ENABLE_PLUGINS */
+   OPTION_DEFAULT_SCRIPT,
+   OPTION_PRINT_OUTPUT_FORMAT,
++  OPTION_NO_POISON_SYSTEM_DIRECTORIES,
++  OPTION_ERROR_POISON_SYSTEM_DIRECTORIES,
+ };
+ 
+ /* The initial parser states.  */
-- 
2.0.0


* [Buildroot] [PATCH 04/12] binutils/2.22: add patch to warn about unsafe library paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (2 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 03/12] binutils/2.23: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 05/12] binutils/arc-4.8-R3: " Thomas Petazzoni
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to binutils borrowed from CodeSourcery/Yocto
that warns about unsafe library paths (i.e. /usr/lib, /usr/local/lib,
etc.). The patch was adapted to binutils 2.22, and modified to support
the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable to error out
instead of just warn when unsafe paths are used. Even though erroring
out can be chosen by passing --error-poison-system-directories, we are
not sure this option in LDFLAGS will always be passed, so having an
environment variable guarantees it will always be passed, and also
allows having behavior identical to the external toolchain
wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../2.22/600-poison-system-directories.patch       | 274 +++++++++++++++++++++
 1 file changed, 274 insertions(+)
 create mode 100644 package/binutils/2.22/600-poison-system-directories.patch

diff --git a/package/binutils/2.22/600-poison-system-directories.patch b/package/binutils/2.22/600-poison-system-directories.patch
new file mode 100644
index 0000000..5426bb0
--- /dev/null
+++ b/package/binutils/2.22/600-poison-system-directories.patch
@@ -0,0 +1,274 @@
+Patch adapted to binutils 2.23.2 and extended to use
+BR_COMPILER_PARANOID_UNSAFE_PATH by Thomas Petazzoni.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+
+Patch originally created by Mark Hatle, forward-ported to
+binutils 2.21 by Scott Garman.
+
+purpose:  warn for uses of system directories when cross linking
+
+Code Merged from Sourcery G++ binutils 2.19 - 4.4-277
+
+2008-07-02  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * ld.h (args_type): Add error_poison_system_directories.
+    * ld.texinfo (--error-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.error_poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.error_poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_ERROR_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --error-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-06-13  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * config.in: Regenerate.
+    * ld.h (args_type): Add poison_system_directories.
+    * ld.texinfo (--no-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_NO_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --no-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-04-20  Joseph Myers  <joseph@codesourcery.com>
+
+    Merge from Sourcery G++ binutils 2.17:
+
+    2007-03-20  Joseph Myers  <joseph@codesourcery.com>
+    Based on patch by Mark Hatle <mark.hatle@windriver.com>.
+    ld/
+    * configure.in (--enable-poison-system-directories): New option.
+    * configure, config.in: Regenerate.
+    * ldfile.c (ldfile_add_library_path): If
+    ENABLE_POISON_SYSTEM_DIRECTORIES defined, warn for use of /lib,
+    /usr/lib, /usr/local/lib or /usr/X11R6/lib.
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
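Review bot: the first line of this patch header says "adapted to binutils 2.23.2", but the file is added under package/binutils/2.22/ and the commit message says it was adapted to binutils 2.22. It looks copied from the 2.23 variant and should name the version it actually applies to.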
+Index: b/ld/config.in
+===================================================================
+--- a/ld/config.in
++++ b/ld/config.in
+@@ -4,6 +4,9 @@
+    language is requested. */
+ #undef ENABLE_NLS
+ 
++/* Define to warn for use of native system library directories */
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++
+ /* Additional extension a shared object might have. */
+ #undef EXTRA_SHLIB_EXTENSION
+ 
+Index: b/ld/configure
+===================================================================
+--- a/ld/configure
++++ b/ld/configure
+@@ -773,6 +773,7 @@
+ enable_targets
+ enable_64_bit_bfd
+ with_sysroot
++enable_poison_system_directories
+ enable_gold
+ enable_got
+ enable_werror
+@@ -1427,6 +1428,8 @@
+ 			  (and sometimes confusing) to the casual installer
+   --enable-targets        alternative target configurations
+   --enable-64-bit-bfd     64-bit support (on hosts with narrower word sizes)
++  --enable-poison-system-directories
++                          warn for use of native system library directories
+   --enable-gold[=ARG]     build gold [ARG={default,yes,no}]
+   --enable-got=<type>     GOT handling scheme (target, single, negative,
+                           multigot)
+@@ -4336,7 +4339,18 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
+ 
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
+ 
+ # Check whether --enable-got was given.
+ if test "${enable_got+set}" = set; then :
+Index: b/ld/configure.in
+===================================================================
+--- a/ld/configure.in
++++ b/ld/configure.in
+@@ -70,6 +70,16 @@
+ AC_SUBST(TARGET_SYSTEM_ROOT)
+ AC_SUBST(TARGET_SYSTEM_ROOT_DEFINE)
+ 
++AC_ARG_ENABLE([poison-system-directories],
++         AS_HELP_STRING([--enable-poison-system-directories],
++                [warn for use of native system library directories]),,
++         [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++       [1],
++       [Define to warn for use of native system library directories])
++fi
++
+ dnl Use --enable-gold to decide if this linker should be the default.
+ dnl "install_as_default" is set to false if gold is the default linker.
+ dnl "installed_linker" is the installed BFD linker name.
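Review bot: the AC_ARG_ENABLE default here is enable_poison_system_directories=no, so ENABLE_POISON_SYSTEM_DIRECTORIES stays undefined and the ldfile.c check is compiled out unless ld is configured with --enable-poison-system-directories. This commit only adds the patch file (1 file changed), so nothing visible here passes that option. Please point to the patch in the series that adds it to the binutils configure options, or fold it in, so this commit does not read as enabling a check that is not built.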
+Index: b/ld/ldfile.c
+===================================================================
+--- a/ld/ldfile.c
++++ b/ld/ldfile.c
+@@ -126,6 +126,22 @@
+       new_dirs->name = xstrdup (name);
+       new_dirs->sysrooted = is_sysrooted_pathname (name, FALSE);
+     }
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (command_line.poison_system_directories
++      && ((!strncmp (name, "/lib", 4))
++	  || (!strncmp (name, "/usr/lib", 8))
++	  || (!strncmp (name, "/usr/local/lib", 14))
++	  || (!strncmp (name, "/usr/X11R6/lib", 14))))
++    {
++      if (command_line.error_poison_system_directories)
++	einfo (_("%X%P: error: library search path \"%s\" is unsafe for "
++		 "cross-compilation\n"), name);
++      else
++	einfo (_("%P: warning: library search path \"%s\" is unsafe for "
++		 "cross-compilation\n"), name);
++    }
++#endif
+ }
+ 
+ /* Try to open a BFD for a lang_input_statement.  */
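Review bot: the strncmp() calls in the added block are prefix matches on the raw string, so "/lib" with length 4 also matches any path that merely begins with those characters, such as /libexec/... or a project directory like /library/..., and "/usr/lib" also catches /usr/lib64 and /usr/libexec. That may be intended for lib64, but it contradicts the cover letter, which lists only /usr/lib and /usr/local/lib as unsafe library paths and treats other locations under /usr as safe; the wrapper and ld would also disagree on /lib and /usr/X11R6/lib. Suggest matching whole path components (the prefix followed by '/' or end of string) and aligning the directory list with the wrapper, or documenting the difference in the patch header.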
+Index: b/ld/ld.h
+===================================================================
+--- a/ld/ld.h
++++ b/ld/ld.h
+@@ -203,6 +203,14 @@
+   /* If TRUE we'll just print the default output on stdout.  */
+   bfd_boolean print_output_format;
+ 
++  /* If TRUE (the default) warn for uses of system directories when
++     cross linking.  */
++  bfd_boolean poison_system_directories;
++
++  /* If TRUE (default FALSE) give an error for uses of system
++     directories when cross linking instead of a warning.  */
++  bfd_boolean error_poison_system_directories;
++
+   /* Big or little endian as set on command line.  */
+   enum endian_enum endian;
+ 
+Index: b/ld/ldmain.c
+===================================================================
+--- a/ld/ldmain.c
++++ b/ld/ldmain.c
+@@ -259,6 +259,8 @@
+   command_line.warn_search_mismatch = TRUE;
+   command_line.check_section_addresses = -1;
+   command_line.disable_target_specific_optimizations = -1;
++  command_line.poison_system_directories = TRUE;
++  command_line.error_poison_system_directories = FALSE;
+ 
+   /* We initialize DEMANGLING based on the environment variable
+      COLLECT_NO_DEMANGLE.  The gcc collect2 program will demangle the
+Index: b/ld/ld.texinfo
+===================================================================
+--- a/ld/ld.texinfo
++++ b/ld/ld.texinfo
+@@ -2147,6 +2147,18 @@
+ 
+ Passing @code{none} for @var{style} disables the setting from any
+ @code{--build-id} options earlier on the command line.
++
++ at kindex --no-poison-system-directories
++ at item --no-poison-system-directories
++Do not warn for @option{-L} options using system directories such as
++ at file{/usr/lib} when cross linking.  This option is intended for use
++in chroot environments when such directories contain the correct
++libraries for the target system rather than the host.
++
++ at kindex --error-poison-system-directories
++ at item --error-poison-system-directories
++Give an error instead of a warning for @option{-L} options using
++system directories when cross linking.
+ @end table
+ 
+ @c man end
+Index: b/ld/lexsup.c
+===================================================================
+--- a/ld/lexsup.c
++++ b/ld/lexsup.c
+@@ -176,6 +176,8 @@
+ #endif /* ENABLE_PLUGINS */
+   OPTION_DEFAULT_SCRIPT,
+   OPTION_PRINT_OUTPUT_FORMAT,
++  OPTION_NO_POISON_SYSTEM_DIRECTORIES,
++  OPTION_ERROR_POISON_SYSTEM_DIRECTORIES,
+ };
+ 
+ /* The long options.  This structure is used for both the option
+@@ -612,6 +614,14 @@
+     TWO_DASHES },
+   { {"wrap", required_argument, NULL, OPTION_WRAP},
+     '\0', N_("SYMBOL"), N_("Use wrapper functions for SYMBOL"), TWO_DASHES },
++  { {"no-poison-system-directories", no_argument, NULL,
++     OPTION_NO_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Do not warn for -L options using system directories"),
++    TWO_DASHES },
++  { {"error-poison-system-directories", no_argument, NULL,
++     OPTION_ERROR_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Give an error for -L options using system directories"),
++    TWO_DASHES },
+ };
+ 
+ #define OPTION_COUNT ARRAY_SIZE (ld_options)
+@@ -624,6 +634,7 @@
+   int ingroup = 0;
+   char *default_dirlist = NULL;
+   char *shortopts;
++  char *temp;
+   struct option *longopts;
+   struct option *really_longopts;
+   int last_optind;
+@@ -1541,9 +1552,21 @@
+               einfo (_("%P%X: --hash-size needs a numeric argument\n"));
+           }
+           break;
++
++   case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
++     command_line.poison_system_directories = FALSE;
++     break;
++
++   case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
++     command_line.error_poison_system_directories = TRUE;
++     break;
+ 	}
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    command_line.error_poison_system_directories = TRUE;
++
+   while (ingroup)
+     {
+       lang_leave_group ();
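Review bot: the getenv() check is placed after the option-parsing loop, while the error/warning decision is taken inside ldfile_add_library_path() at the moment a search path is added. If -L options are handled in that same loop and add their path as they are parsed, every command-line -L has already been checked with error_poison_system_directories still FALSE by the time the variable is read, and only a warning is emitted. Please confirm the ordering, and if that is the case move the BR_COMPILER_PARANOID_UNSAFE_PATH lookup before the loop (or next to the defaults set in ldmain.c) so it applies to all -L options.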
-- 
2.0.0


* [Buildroot] [PATCH 05/12] binutils/arc-4.8-R3: add patch to warn about unsafe library paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (3 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 04/12] binutils/2.22: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths Thomas Petazzoni
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to binutils borrowed from CodeSourcery/Yocto
that warns about unsafe library paths (i.e. /usr/lib, /usr/local/lib,
etc.). The patch was adapted to binutils arc-4.8-R3, and modified to
support the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable to
error out instead of just warn when unsafe paths are used. Even though
erroring out can be chosen by passing
--error-poison-system-directories, we are not sure this option in
LDFLAGS will always be passed, so having an environment variable
guarantees it will always be passed, and also allows having
behavior identical to the external toolchain wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../arc-4.8-R3/600-poison-system-directories.patch | 279 +++++++++++++++++++++
 1 file changed, 279 insertions(+)
 create mode 100644 package/binutils/arc-4.8-R3/600-poison-system-directories.patch

diff --git a/package/binutils/arc-4.8-R3/600-poison-system-directories.patch b/package/binutils/arc-4.8-R3/600-poison-system-directories.patch
new file mode 100644
index 0000000..38f6f9c
--- /dev/null
+++ b/package/binutils/arc-4.8-R3/600-poison-system-directories.patch
@@ -0,0 +1,279 @@
+Patch adapted to binutils arc-4.8-R3 and extended to use
+BR_COMPILER_PARANOID_UNSAFE_PATH by Thomas Petazzoni.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+
+Patch originally created by Mark Hatle, forward-ported to
+binutils 2.21 by Scott Garman.
+
+purpose:  warn for uses of system directories when cross linking
+
+Code Merged from Sourcery G++ binutils 2.19 - 4.4-277
+
+2008-07-02  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * ld.h (args_type): Add error_poison_system_directories.
+    * ld.texinfo (--error-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.error_poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.error_poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_ERROR_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --error-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-06-13  Joseph Myers  <joseph@codesourcery.com>
+
+    ld/
+    * config.in: Regenerate.
+    * ld.h (args_type): Add poison_system_directories.
+    * ld.texinfo (--no-poison-system-directories): Document.
+    * ldfile.c (ldfile_add_library_path): Check
+    command_line.poison_system_directories.
+    * ldmain.c (main): Initialize
+    command_line.poison_system_directories.
+    * lexsup.c (enum option_values): Add
+    OPTION_NO_POISON_SYSTEM_DIRECTORIES.
+    (ld_options): Add --no-poison-system-directories.
+    (parse_args): Handle new option.
+
+2007-04-20  Joseph Myers  <joseph@codesourcery.com>
+
+    Merge from Sourcery G++ binutils 2.17:
+
+    2007-03-20  Joseph Myers  <joseph@codesourcery.com>
+    Based on patch by Mark Hatle <mark.hatle@windriver.com>.
+    ld/
+    * configure.in (--enable-poison-system-directories): New option.
+    * configure, config.in: Regenerate.
+    * ldfile.c (ldfile_add_library_path): If
+    ENABLE_POISON_SYSTEM_DIRECTORIES defined, warn for use of /lib,
+    /usr/lib, /usr/local/lib or /usr/X11R6/lib.
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
+Index: b/ld/config.in
+===================================================================
+--- a/ld/config.in
++++ b/ld/config.in
+@@ -11,6 +11,9 @@
+    language is requested. */
+ #undef ENABLE_NLS
+ 
++/* Define to warn for use of native system library directories */
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++
+ /* Additional extension a shared object might have. */
+ #undef EXTRA_SHLIB_EXTENSION
+ 
+Index: b/ld/configure
+===================================================================
+--- a/ld/configure
++++ b/ld/configure
+@@ -773,6 +773,7 @@
+ enable_targets
+ enable_64_bit_bfd
+ with_sysroot
++enable_poison_system_directories
+ enable_gold
+ enable_got
+ enable_werror
+@@ -1428,6 +1429,8 @@
+ 			  (and sometimes confusing) to the casual installer
+   --enable-targets        alternative target configurations
+   --enable-64-bit-bfd     64-bit support (on hosts with narrower word sizes)
++  --enable-poison-system-directories
++                          warn for use of native system library directories
+   --enable-gold[=ARG]     build gold [ARG={default,yes,no}]
+   --enable-got=<type>     GOT handling scheme (target, single, negative,
+                           multigot)
+@@ -4338,7 +4341,18 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
+ 
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
+ 
+ # Check whether --enable-got was given.
+ if test "${enable_got+set}" = set; then :
+Index: b/ld/configure.in
+===================================================================
+--- a/ld/configure.in
++++ b/ld/configure.in
+@@ -70,6 +70,16 @@
+ AC_SUBST(TARGET_SYSTEM_ROOT)
+ AC_SUBST(TARGET_SYSTEM_ROOT_DEFINE)
+ 
++AC_ARG_ENABLE([poison-system-directories],
++         AS_HELP_STRING([--enable-poison-system-directories],
++                [warn for use of native system library directories]),,
++         [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++       [1],
++       [Define to warn for use of native system library directories])
++fi
++
+ dnl Use --enable-gold to decide if this linker should be the default.
+ dnl "install_as_default" is set to false if gold is the default linker.
+ dnl "installed_linker" is the installed BFD linker name.
+Index: b/ld/ldfile.c
+===================================================================
+--- a/ld/ldfile.c
++++ b/ld/ldfile.c
+@@ -116,6 +116,23 @@
+     new_dirs->name = concat (ld_sysroot, name + 1, (const char *) NULL);
+   else
+     new_dirs->name = xstrdup (name);
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (command_line.poison_system_directories
++  && ((!strncmp (name, "/lib", 4))
++      || (!strncmp (name, "/usr/lib", 8))
++      || (!strncmp (name, "/usr/local/lib", 14))
++      || (!strncmp (name, "/usr/X11R6/lib", 14))))
++   {
++     if (command_line.error_poison_system_directories)
++       einfo (_("%X%P: error: library search path \"%s\" is unsafe for "
++            "cross-compilation\n"), name);
++     else
++       einfo (_("%P: warning: library search path \"%s\" is unsafe for "
++            "cross-compilation\n"), name);
++   }
++#endif
++
+ }
+ 
+ /* Try to open a BFD for a lang_input_statement.  */
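Review bot: the comparison in the added block runs on name exactly as it was given, so equivalent spellings such as //usr/lib, /usr/./lib or a relative path that resolves into /usr/lib are not flagged. If the goal is to catch host library leakage reliably, compare against a canonicalized path rather than the raw argument. Style: the block also adds an empty line before the closing brace of the function and is indented differently from the same block in the 2.22 variant; keeping the variants identical makes later rebases easier.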
+Index: b/ld/ld.h
+===================================================================
+--- a/ld/ld.h
++++ b/ld/ld.h
+@@ -203,6 +203,14 @@
+   /* If TRUE we'll just print the default output on stdout.  */
+   bfd_boolean print_output_format;
+ 
++  /* If TRUE (the default) warn for uses of system directories when
++     cross linking.  */
++  bfd_boolean poison_system_directories;
++
++  /* If TRUE (default FALSE) give an error for uses of system
++     directories when cross linking instead of a warning.  */
++  bfd_boolean error_poison_system_directories;
++
+   /* Big or little endian as set on command line.  */
+   enum endian_enum endian;
+ 
+Index: b/ld/ldmain.c
+===================================================================
+--- a/ld/ldmain.c
++++ b/ld/ldmain.c
+@@ -265,6 +265,8 @@
+   command_line.warn_search_mismatch = TRUE;
+   command_line.check_section_addresses = -1;
+   command_line.disable_target_specific_optimizations = -1;
++  command_line.poison_system_directories = TRUE;
++  command_line.error_poison_system_directories = FALSE;
+ 
+   /* We initialize DEMANGLING based on the environment variable
+      COLLECT_NO_DEMANGLE.  The gcc collect2 program will demangle the
+Index: b/ld/ld.texinfo
+===================================================================
+--- a/ld/ld.texinfo
++++ b/ld/ld.texinfo
+@@ -2156,6 +2156,18 @@
+ 
+ Passing @code{none} for @var{style} disables the setting from any
+ @code{--build-id} options earlier on the command line.
++
++ at kindex --no-poison-system-directories
++ at item --no-poison-system-directories
++Do not warn for @option{-L} options using system directories such as
++ at file{/usr/lib} when cross linking.  This option is intended for use
++in chroot environments when such directories contain the correct
++libraries for the target system rather than the host.
++
++ at kindex --error-poison-system-directories
++ at item --error-poison-system-directories
++Give an error instead of a warning for @option{-L} options using
++system directories when cross linking.
+ @end table
+ 
+ @c man end
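Review bot: missing documentation: the two @item entries describe the command-line options only. The BR_COMPILER_PARANOID_UNSAFE_PATH override added in lexsup.c, and the fact that the whole check exists only when ld was configured with --enable-poison-system-directories, are not mentioned anywhere in ld.texinfo. Since the variable turns the warning into an error, a short paragraph under --error-poison-system-directories naming it would help whoever has to debug a failing link.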
+Index: b/ld/lexsup.c
+===================================================================
+--- a/ld/lexsup.c
++++ b/ld/lexsup.c
+@@ -498,6 +498,14 @@
+     TWO_DASHES },
+   { {"wrap", required_argument, NULL, OPTION_WRAP},
+     '\0', N_("SYMBOL"), N_("Use wrapper functions for SYMBOL"), TWO_DASHES },
++  { {"no-poison-system-directories", no_argument, NULL,
++     OPTION_NO_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Do not warn for -L options using system directories"),
++    TWO_DASHES },
++  { {"error-poison-system-directories", no_argument, NULL,
++     OPTION_ERROR_POISON_SYSTEM_DIRECTORIES},
++    '\0', NULL, N_("Give an error for -L options using system directories"),
++    TWO_DASHES },
+ };
+ 
+ #define OPTION_COUNT ARRAY_SIZE (ld_options)
+@@ -510,6 +518,7 @@
+   int ingroup = 0;
+   char *default_dirlist = NULL;
+   char *shortopts;
++  char *temp;
+   struct option *longopts;
+   struct option *really_longopts;
+   int last_optind;
+@@ -1427,9 +1436,21 @@
+               einfo (_("%P%X: --hash-size needs a numeric argument\n"));
+           }
+           break;
++
++   case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
++     command_line.poison_system_directories = FALSE;
++     break;
++
++   case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
++     command_line.error_poison_system_directories = TRUE;
++     break;
+ 	}
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    command_line.error_poison_system_directories = TRUE;
++
+   while (ingroup)
+     {
+       lang_leave_group ();
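Review bot: style in the added lines: getenv("...") and strlen(temp) are written without the space before the parenthesis that the surrounding code uses (einfo (_(...)), lang_leave_group ()), and the two new case labels sit at three spaces while the neighbouring break; is indented much deeper. The name temp (declared in the previous hunk) says nothing about its content and could be a const char *; testing temp[0] != '\0' would also avoid the strlen() call. None of this changes behaviour, but it keeps the hunk consistent with the rest of the file.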
+Index: b/ld/ldlex.h
+===================================================================
+--- a/ld/ldlex.h
++++ b/ld/ldlex.h
+@@ -136,6 +136,8 @@
+ #endif /* ENABLE_PLUGINS */
+   OPTION_DEFAULT_SCRIPT,
+   OPTION_PRINT_OUTPUT_FORMAT,
++  OPTION_NO_POISON_SYSTEM_DIRECTORIES,
++  OPTION_ERROR_POISON_SYSTEM_DIRECTORIES,
+ };
+ 
+ /* The initial parser states.  */
-- 
2.0.0


* [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (4 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 05/12] binutils/arc-4.8-R3: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-09-10 20:08   ` Yann E. MORIN
  2014-08-20 13:06 ` [Buildroot] [PATCH 07/12] gcc/4.8: " Thomas Petazzoni
                   ` (6 subsequent siblings)
  12 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to gcc borrowed from CodeSourcery/Yocto that
warns about unsafe include paths (i.e. /usr/include,
/usr/local/include, etc.). The patch was adapted to gcc 4.9.1, and
modified to support the BR_COMPILER_PARANOID_UNSAFE_PATH environment
variable to error out instead of just warn when unsafe paths are
used. Even though erroring out can be chosen by passing
-Werror=poison-system-directories, we are not sure this option in
CFLAGS will always be passed, so having an environment variable
guarantees it will always be passed, and also allows having
behavior identical to the external toolchain wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../4.9.1/910-gcc-poison-system-directories.patch  | 207 +++++++++++++++++++++
 1 file changed, 207 insertions(+)
 create mode 100644 package/gcc/4.9.1/910-gcc-poison-system-directories.patch

diff --git a/package/gcc/4.9.1/910-gcc-poison-system-directories.patch b/package/gcc/4.9.1/910-gcc-poison-system-directories.patch
new file mode 100644
index 0000000..377ddf5
--- /dev/null
+++ b/package/gcc/4.9.1/910-gcc-poison-system-directories.patch
@@ -0,0 +1,207 @@
+From 160397ef3c3331099af028f1b8d3e085b07d88ad Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 29 Mar 2013 08:59:00 +0400
+Subject: [PATCH 16/35] gcc: poison-system-directories
+
+Adapted to Buildroot and gcc 4.9.1 by Thomas Petazzoni, especially the
+addition of the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+---
+ gcc/Makefile.in     |    2 +-
+ gcc/common.opt      |    4 ++++
+ gcc/config.in       |    6 ++++++
+ gcc/configure       |   20 ++++++++++++++++++--
+ gcc/configure.ac    |   10 ++++++++++
+ gcc/doc/invoke.texi |    9 +++++++++
+ gcc/gcc.c           |    2 ++
+ gcc/incpath.c       |   19 +++++++++++++++++++
+ 8 files changed, 69 insertions(+), 3 deletions(-)
+
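Review bot: the diffstat kept in this patch header no longer matches the content: it lists gcc/Makefile.in (2 +-) although the patch has no Makefile.in hunk, and gcc/gcc.c with 2 added lines although the two gcc.c hunks below add 8. It was presumably carried over from the original patch; either regenerate it or drop it so the header does not describe a different change.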
+Index: b/gcc/common.opt
+===================================================================
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -603,6 +603,10 @@
+ Common Var(pedantic) Warning
+ Issue warnings needed for strict compliance to the standard
+ 
++Wpoison-system-directories
++Common Var(flag_poison_system_directories) Init(1) Warning
++Warn for -I and -L options using system directories if cross compiling
++
+ Wshadow
+ Common Var(warn_shadow) Warning
+ Warn when one local variable shadows another
+Index: b/gcc/config.in
+===================================================================
+--- a/gcc/config.in
++++ b/gcc/config.in
+@@ -138,6 +138,12 @@
+ #endif
+ 
+ 
++/* Define to warn for use of native system header directories */
++#ifndef USED_FOR_TARGET
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++#endif
++
++
+ /* Define if you want all operations on RTL (the basic data structure of the
+    optimizer and back end) to be checked for dynamic type safety at runtime.
+    This is quite expensive. */
+Index: b/gcc/configure
+===================================================================
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -928,6 +928,7 @@
+ enable_maintainer_mode
+ enable_link_mutex
+ enable_version_specific_runtime_libs
++enable_poison_system_directories
+ enable_plugin
+ enable_host_shared
+ enable_libquadmath_support
+@@ -1648,6 +1649,8 @@
+   --enable-version-specific-runtime-libs
+                           specify that runtime libraries should be installed
+                           in a compiler-specific directory
++  --enable-poison-system-directories
++                          warn for use of native system header directories
+   --enable-plugin         enable plugin support
+   --enable-host-shared    build host code as shared libraries
+   --disable-libquadmath-support
+@@ -27737,6 +27740,19 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
++
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
++
+ # Substitute configuration variables
+ 
+ 
+Index: b/gcc/configure.ac
+===================================================================
+--- a/gcc/configure.ac
++++ b/gcc/configure.ac
+@@ -5388,6 +5388,16 @@
+                 [specify that runtime libraries should be
+                  installed in a compiler-specific directory])])
+ 
++AC_ARG_ENABLE([poison-system-directories],
++             AS_HELP_STRING([--enable-poison-system-directories],
++                            [warn for use of native system header directories]),,
++             [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++           [1],
++           [Define to warn for use of native system header directories])
++fi
++
+ # Substitute configuration variables
+ AC_SUBST(subdirs)
+ AC_SUBST(srcdir)
+Index: b/gcc/doc/invoke.texi
+===================================================================
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -260,6 +260,7 @@
+ -Woverlength-strings  -Wpacked  -Wpacked-bitfield-compat  -Wpadded @gol
+ -Wparentheses  -Wpedantic-ms-format -Wno-pedantic-ms-format @gol
+ -Wpointer-arith  -Wno-pointer-to-int-cast @gol
++-Wno-poison-system-directories @gol
+ -Wredundant-decls  -Wno-return-local-addr @gol
+ -Wreturn-type  -Wsequence-point  -Wshadow @gol
+ -Wsign-compare  -Wsign-conversion -Wfloat-conversion @gol
+@@ -4208,6 +4209,14 @@
+  for most targets, it is made up of code and thus requires the stack
+  to be made executable in order for the program to work properly.
+ 
++ at item -Wno-poison-system-directories
++ at opindex Wno-poison-system-directories
++Do not warn for @option{-I} or @option{-L} options using system
++directories such as @file{/usr/include} when cross compiling.  This
++option is intended for use in chroot environments when such
++directories contain the correct headers and libraries for the target
++system rather than the host.
++
+ @item -Wfloat-equal
+ @opindex Wfloat-equal
+ @opindex Wno-float-equal
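Review bot: missing documentation: only -Wno-poison-system-directories is documented in this hunk. The gcc.c change maps -Werror=poison-system-directories to the linker's --error-poison-system-directories and adds the BR_COMPILER_PARANOID_UNSAFE_PATH override, yet neither appears in invoke.texi. The text should also say that the warning is on by default (Init(1) in common.opt) and present only when gcc is configured with --enable-poison-system-directories.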
+Index: b/gcc/gcc.c
+===================================================================
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -764,6 +764,8 @@
+    "%{fuse-ld=*:-fuse-ld=%*}\
+     %X %{o*} %{e*} %{N} %{n} %{r}\
+     %{s} %{t} %{u*} %{z} %{Z} %{!nostdlib:%{!nostartfiles:%S}} " VTABLE_VERIFICATION_SPEC " \
++    %{Wno-poison-system-directories:--no-poison-system-directories}\
++    %{Werror=poison-system-directories:--error-poison-system-directories}\
+     %{static:} %{L*} %(mfwrap) %(link_libgcc) " SANITIZER_EARLY_SPEC " %o\
+     %{fopenmp|ftree-parallelize-loops=*:%:include(libgomp.spec)%(link_gomp)}\
+     %{fcilkplus:%:include(libcilkrts.spec)%(link_cilkrts)}\
+@@ -4028,6 +4030,12 @@
+       gcc_assert (!compare_debug_opt);
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    {
++      save_switch("-Werror=poison-system-directories", 0, NULL, false, true);
++    }
++
+   /* Set up the search paths.  We add directories that we expect to
+      contain GNU Toolchain components before directories specified by
+      the machine description so that we will find GNU components (like
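
Review bot: The test `temp && strlen(temp) > 0` treats any non-empty value as a request for errors, so BR_COMPILER_PARANOID_UNSAFE_PATH=0 or =n also injects -Werror=poison-system-directories. Either compare against the one value Buildroot exports, or add a comment stating that only the presence of a non-empty value matters.
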
+Index: b/gcc/incpath.c
+===================================================================
+--- a/gcc/incpath.c
++++ b/gcc/incpath.c
+@@ -28,6 +28,7 @@
+ #include "intl.h"
+ #include "incpath.h"
+ #include "cppdefault.h"
++#include "diagnostic-core.h"
+ 
+ /* Microsoft Windows does not natively support inodes.
+    VMS has non-numeric inodes.  */
+@@ -382,6 +383,24 @@
+ 	}
+       fprintf (stderr, _("End of search list.\n"));
+     }
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (flag_poison_system_directories)
++    {
++       struct cpp_dir *p;
++
++       for (p = heads[QUOTE]; p; p = p->next)
++         {
++          if ((!strncmp (p->name, "/usr/include", 12))
++              || (!strncmp (p->name, "/usr/local/include", 18))
++              || (!strncmp (p->name, "/usr/X11R6/include", 18)))
++            warning (OPT_Wpoison_system_directories,
++                     "include location \"%s\" is unsafe for "
++                     "cross-compilation",
++                     p->name);
++         }
++    }
++#endif
+ }
+ 
+ /* Use given -I paths for #include "..." but not #include <...>, and
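
Review bot: The three strncmp() calls in the loop are prefix matches with hand-counted lengths (12, 18, 18) and no check that the match ends on a path component boundary. A directory whose name merely begins with /usr/include, for example /usr/includes, is flagged, while a spelling such as /usr//include is not, unless p->name has been normalized before this point. Suggest deriving the length from the literal and requiring the next character to be '/' or the end of the string.
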
-- 
2.0.0


* [Buildroot] [PATCH 07/12] gcc/4.8: add patch to warn about unsafe header paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (5 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 08/12] gcc/arc-4.8-R3: " Thomas Petazzoni
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to gcc borrowed from CodeSourcery/Yocto that
warns about unsafe include paths (i.e. /usr/include,
/usr/local/include, etc.). The patch was adapted to gcc 4.8.3, and
modified to support the BR_COMPILER_PARANOID_UNSAFE_PATH environment
variable to error out instead of just warning when unsafe paths are
used. Even though erroring out can be chosen by passing
-Werror=poison-system-directories, we are not sure this option in
CFLAGS will always be passed, so having an environment variable
guarantees it will always be passed, and also allows having
behavior identical to that of the external toolchain wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../4.8.3/910-gcc-poison-system-directories.patch  | 207 +++++++++++++++++++++
 1 file changed, 207 insertions(+)
 create mode 100644 package/gcc/4.8.3/910-gcc-poison-system-directories.patch

diff --git a/package/gcc/4.8.3/910-gcc-poison-system-directories.patch b/package/gcc/4.8.3/910-gcc-poison-system-directories.patch
new file mode 100644
index 0000000..88b2c4e
--- /dev/null
+++ b/package/gcc/4.8.3/910-gcc-poison-system-directories.patch
@@ -0,0 +1,207 @@
+From 160397ef3c3331099af028f1b8d3e085b07d88ad Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 29 Mar 2013 08:59:00 +0400
+Subject: [PATCH 16/35] gcc: poison-system-directories
+
+Adapted to Buildroot and gcc 4.8.3 by Thomas Petazzoni, especially the
+addition of the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+---
+ gcc/Makefile.in     |    2 +-
+ gcc/common.opt      |    4 ++++
+ gcc/config.in       |    6 ++++++
+ gcc/configure       |   20 ++++++++++++++++++--
+ gcc/configure.ac    |   10 ++++++++++
+ gcc/doc/invoke.texi |    9 +++++++++
+ gcc/gcc.c           |    2 ++
+ gcc/incpath.c       |   19 +++++++++++++++++++
+ 8 files changed, 69 insertions(+), 3 deletions(-)
+
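
Review bot: The diffstat above no longer describes this file: it lists gcc/Makefile.in, for which there is no hunk below, counts 2 added lines for gcc/gcc.c where the two gcc.c hunks add 8, and reports 3 deletions where no hunk removes a line. Regenerate it or drop it so that it cannot mislead someone rebasing the patch.
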
+Index: b/gcc/common.opt
+===================================================================
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -595,6 +595,10 @@
+ Common Var(pedantic) Warning
+ Issue warnings needed for strict compliance to the standard
+ 
++Wpoison-system-directories
++Common Var(flag_poison_system_directories) Init(1) Warning
++Warn for -I and -L options using system directories if cross compiling
++
+ Wshadow
+ Common Var(warn_shadow) Warning
+ Warn when one local variable shadows another
+Index: b/gcc/config.in
+===================================================================
+--- a/gcc/config.in
++++ b/gcc/config.in
+@@ -138,6 +138,12 @@
+ #endif
+ 
+ 
++/* Define to warn for use of native system header directories */
++#ifndef USED_FOR_TARGET
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++#endif
++
++
+ /* Define if you want all operations on RTL (the basic data structure of the
+    optimizer and back end) to be checked for dynamic type safety at runtime.
+    This is quite expensive. */
+Index: b/gcc/configure
+===================================================================
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -917,6 +917,7 @@
+ with_system_zlib
+ enable_maintainer_mode
+ enable_version_specific_runtime_libs
++enable_poison_system_directories
+ enable_plugin
+ enable_libquadmath_support
+ with_linker_hash_style
+@@ -1630,6 +1631,8 @@
+   --enable-version-specific-runtime-libs
+                           specify that runtime libraries should be installed
+                           in a compiler-specific directory
++  --enable-poison-system-directories
++                          warn for use of native system header directories
+   --enable-plugin         enable plugin support
+   --disable-libquadmath-support
+                           disable libquadmath support for Fortran
+@@ -27195,6 +27198,19 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
++
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
++
+ # Substitute configuration variables
+ 
+ 
+Index: b/gcc/configure.ac
+===================================================================
+--- a/gcc/configure.ac
++++ b/gcc/configure.ac
+@@ -5101,6 +5101,16 @@
+                 [specify that runtime libraries should be
+                  installed in a compiler-specific directory])])
+ 
++AC_ARG_ENABLE([poison-system-directories],
++             AS_HELP_STRING([--enable-poison-system-directories],
++                            [warn for use of native system header directories]),,
++             [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++           [1],
++           [Define to warn for use of native system header directories])
++fi
++
+ # Substitute configuration variables
+ AC_SUBST(subdirs)
+ AC_SUBST(srcdir)
+Index: b/gcc/doc/invoke.texi
+===================================================================
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -258,6 +258,7 @@
+ -Woverlength-strings  -Wpacked  -Wpacked-bitfield-compat  -Wpadded @gol
+ -Wparentheses  -Wpedantic-ms-format -Wno-pedantic-ms-format @gol
+ -Wpointer-arith  -Wno-pointer-to-int-cast @gol
++-Wno-poison-system-directories @gol
+ -Wredundant-decls  -Wno-return-local-addr @gol
+ -Wreturn-type  -Wsequence-point  -Wshadow @gol
+ -Wsign-compare  -Wsign-conversion  -Wsizeof-pointer-memaccess @gol
+@@ -4020,6 +4021,14 @@
+  for most targets, it is made up of code and thus requires the stack
+  to be made executable in order for the program to work properly.
+ 
++ at item -Wno-poison-system-directories
++ at opindex Wno-poison-system-directories
++Do not warn for @option{-I} or @option{-L} options using system
++directories such as @file{/usr/include} when cross compiling.  This
++option is intended for use in chroot environments when such
++directories contain the correct headers and libraries for the target
++system rather than the host.
++
+ @item -Wfloat-equal
+ @opindex Wfloat-equal
+ @opindex Wno-float-equal
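
Review bot: This entry documents only the -Wno- form. The gcc.c hunks in this same patch also rely on -Werror=poison-system-directories and on the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable, and neither is described here or in a code comment. Add a sentence for both so that a build failing on this diagnostic can be traced back to the switch that caused it.
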
+Index: b/gcc/gcc.c
+===================================================================
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -741,6 +741,8 @@
+    "%{fuse-ld=*:-fuse-ld=%*}\
+     %X %{o*} %{e*} %{N} %{n} %{r}\
+     %{s} %{t} %{u*} %{z} %{Z} %{!nostdlib:%{!nostartfiles:%S}}\
++    %{Wno-poison-system-directories:--no-poison-system-directories}\
++    %{Werror=poison-system-directories:--error-poison-system-directories}\
+     %{static:} %{L*} %(mfwrap) %(link_libgcc) " SANITIZER_EARLY_SPEC " %o\
+     %{fopenmp|ftree-parallelize-loops=*:%:include(libgomp.spec)%(link_gomp)}\
+     %{fgnu-tm:%:include(libitm.spec)%(link_itm)}\
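
Review bot: The second added spec line matches only the literal switch -Werror=poison-system-directories, so a plain -Werror does not forward --error-poison-system-directories and the linker side is left at its default. Also, when -Wno-poison-system-directories is on the command line while the environment variable is set, both --no-poison-system-directories and --error-poison-system-directories are forwarded and the outcome depends on how the linker orders them; a comment stating the intended precedence would help.
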
+@@ -3991,6 +3993,12 @@
+       gcc_assert (!compare_debug_opt);
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    {
++      save_switch("-Werror=poison-system-directories", 0, NULL, false, true);
++    }
++
+   /* Set up the search paths.  We add directories that we expect to
+      contain GNU Toolchain components before directories specified by
+      the machine description so that we will find GNU components (like
+Index: b/gcc/incpath.c
+===================================================================
+--- a/gcc/incpath.c
++++ b/gcc/incpath.c
+@@ -28,6 +28,7 @@
+ #include "intl.h"
+ #include "incpath.h"
+ #include "cppdefault.h"
++#include "diagnostic-core.h"
+ 
+ /* Microsoft Windows does not natively support inodes.
+    VMS has non-numeric inodes.  */
+@@ -382,6 +383,24 @@
+ 	}
+       fprintf (stderr, _("End of search list.\n"));
+     }
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (flag_poison_system_directories)
++    {
++       struct cpp_dir *p;
++
++       for (p = heads[QUOTE]; p; p = p->next)
++         {
++          if ((!strncmp (p->name, "/usr/include", 12))
++              || (!strncmp (p->name, "/usr/local/include", 18))
++              || (!strncmp (p->name, "/usr/X11R6/include", 18)))
++            warning (OPT_Wpoison_system_directories,
++                     "include location \"%s\" is unsafe for "
++                     "cross-compilation",
++                     p->name);
++         }
++    }
++#endif
+ }
+ 
+ /* Use given -I paths for #include "..." but not #include <...>, and
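
Review bot: Nothing in the added block tests whether this is a cross compiler, although the option help in common.opt and the invoke.texi text both say the warning applies when cross compiling; the check is gated only on ENABLE_POISON_SYSTEM_DIRECTORIES and flag_poison_system_directories. Add a comment that correctness relies on --enable-poison-system-directories being passed only to cross builds. The loop also starts at heads[QUOTE] alone; if the assumption is that the other chains are already joined onto it at this point, a comment saying so would save the next reader from checking.
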
-- 
2.0.0


* [Buildroot] [PATCH 08/12] gcc/arc-4.8-R3: add patch to warn about unsafe header paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (6 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 07/12] gcc/4.8: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 09/12] gcc/4.7: " Thomas Petazzoni
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to gcc borrowed from CodeSourcery/Yocto that
warns about unsafe include paths (i.e. /usr/include,
/usr/local/include, etc.). The patch was adapted to gcc arc-4.8-R3,
and modified to support the BR_COMPILER_PARANOID_UNSAFE_PATH
environment variable to error out instead of just warning when unsafe
paths are used. Even though erroring out can be chosen by passing
-Werror=poison-system-directories, we are not sure this option in
CFLAGS will always be passed, so having an environment variable
guarantees it will always be passed, and also allows having
behavior identical to that of the external toolchain wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../910-gcc-poison-system-directories.patch        | 221 +++++++++++++++++++++
 1 file changed, 221 insertions(+)
 create mode 100644 package/gcc/arc-4.8-R3/910-gcc-poison-system-directories.patch

diff --git a/package/gcc/arc-4.8-R3/910-gcc-poison-system-directories.patch b/package/gcc/arc-4.8-R3/910-gcc-poison-system-directories.patch
new file mode 100644
index 0000000..67b3799
--- /dev/null
+++ b/package/gcc/arc-4.8-R3/910-gcc-poison-system-directories.patch
@@ -0,0 +1,221 @@
+From 160397ef3c3331099af028f1b8d3e085b07d88ad Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 29 Mar 2013 08:59:00 +0400
+Subject: [PATCH 16/35] gcc: poison-system-directories
+
+Adapted to Buildroot and gcc arc-4.8-R3 by Thomas Petazzoni,
+especially the addition of the BR_COMPILER_PARANOID_UNSAFE_PATH
+environment variable.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+---
+ gcc/Makefile.in     |    2 +-
+ gcc/common.opt      |    4 ++++
+ gcc/config.in       |    6 ++++++
+ gcc/configure       |   20 ++++++++++++++++++--
+ gcc/configure.ac    |   10 ++++++++++
+ gcc/doc/invoke.texi |    9 +++++++++
+ gcc/gcc.c           |    2 ++
+ gcc/incpath.c       |   19 +++++++++++++++++++
+ 8 files changed, 69 insertions(+), 3 deletions(-)
+
+Index: b/gcc/common.opt
+===================================================================
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -595,6 +595,10 @@
+ Common Var(pedantic) Warning
+ Issue warnings needed for strict compliance to the standard
+ 
++Wpoison-system-directories
++Common Var(flag_poison_system_directories) Init(1) Warning
++Warn for -I and -L options using system directories if cross compiling
++
+ Wshadow
+ Common Var(warn_shadow) Warning
+ Warn when one local variable shadows another
+Index: b/gcc/config.in
+===================================================================
+--- a/gcc/config.in
++++ b/gcc/config.in
+@@ -138,6 +138,12 @@
+ #endif
+ 
+ 
++/* Define to warn for use of native system header directories */
++#ifndef USED_FOR_TARGET
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++#endif
++
++
+ /* Define if you want all operations on RTL (the basic data structure of the
+    optimizer and back end) to be checked for dynamic type safety at runtime.
+    This is quite expensive. */
+Index: b/gcc/configure
+===================================================================
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -917,6 +917,7 @@
+ with_system_zlib
+ enable_maintainer_mode
+ enable_version_specific_runtime_libs
++enable_poison_system_directories
+ enable_plugin
+ enable_libquadmath_support
+ with_linker_hash_style
+@@ -1630,6 +1631,8 @@
+   --enable-version-specific-runtime-libs
+                           specify that runtime libraries should be installed
+                           in a compiler-specific directory
++  --enable-poison-system-directories
++                          warn for use of native system header directories
+   --enable-plugin         enable plugin support
+   --disable-libquadmath-support
+                           disable libquadmath support for Fortran
+@@ -27103,6 +27106,19 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
++
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
++
+ # Substitute configuration variables
+ 
+ 
+Index: b/gcc/configure.ac
+===================================================================
+--- a/gcc/configure.ac
++++ b/gcc/configure.ac
+@@ -5063,6 +5063,16 @@
+                 [specify that runtime libraries should be
+                  installed in a compiler-specific directory])])
+ 
++AC_ARG_ENABLE([poison-system-directories],
++             AS_HELP_STRING([--enable-poison-system-directories],
++                            [warn for use of native system header directories]),,
++             [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++           [1],
++           [Define to warn for use of native system header directories])
++fi
++
+ # Substitute configuration variables
+ AC_SUBST(subdirs)
+ AC_SUBST(srcdir)
+Index: b/gcc/doc/invoke.texi
+===================================================================
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -258,6 +258,7 @@
+ -Woverlength-strings  -Wpacked  -Wpacked-bitfield-compat  -Wpadded @gol
+ -Wparentheses  -Wpedantic-ms-format -Wno-pedantic-ms-format @gol
+ -Wpointer-arith  -Wno-pointer-to-int-cast @gol
++-Wno-poison-system-directories @gol
+ -Wredundant-decls  -Wno-return-local-addr @gol
+ -Wreturn-type  -Wsequence-point  -Wshadow @gol
+ -Wsign-compare  -Wsign-conversion  -Wsizeof-pointer-memaccess @gol
+@@ -4025,6 +4026,14 @@
+  for most targets, it is made up of code and thus requires the stack
+  to be made executable in order for the program to work properly.
+ 
++ at item -Wno-poison-system-directories
++ at opindex Wno-poison-system-directories
++Do not warn for @option{-I} or @option{-L} options using system
++directories such as @file{/usr/include} when cross compiling.  This
++option is intended for use in chroot environments when such
++directories contain the correct headers and libraries for the target
++system rather than the host.
++
+ @item -Wfloat-equal
+ @opindex Wfloat-equal
+ @opindex Wno-float-equal
+Index: b/gcc/gcc.c
+===================================================================
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -740,6 +740,8 @@
+    "%{fuse-ld=*:-fuse-ld=%*}\
+     %X %{o*} %{e*} %{N} %{n} %{r}\
+     %{s} %{t} %{u*} %{z} %{Z} %{!nostdlib:%{!nostartfiles:%S}}\
++    %{Wno-poison-system-directories:--no-poison-system-directories}\
++    %{Werror=poison-system-directories:--error-poison-system-directories}\
+     %{static:} %{L*} %(mfwrap) %(link_libgcc) " SANITIZER_EARLY_SPEC " %o\
+     %{fopenmp|ftree-parallelize-loops=*:%:include(libgomp.spec)%(link_gomp)}\
+     %{fgnu-tm:%:include(libitm.spec)%(link_itm)}\
+@@ -3990,6 +3992,12 @@
+       gcc_assert (!compare_debug_opt);
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    {
++      save_switch("-Werror=poison-system-directories", 0, NULL, false, true);
++    }
++
+   /* Set up the search paths.  We add directories that we expect to
+      contain GNU Toolchain components before directories specified by
+      the machine description so that we will find GNU components (like
+Index: b/gcc/incpath.c
+===================================================================
+--- a/gcc/incpath.c
++++ b/gcc/incpath.c
+@@ -28,6 +28,7 @@
+ #include "intl.h"
+ #include "incpath.h"
+ #include "cppdefault.h"
++#include "diagnostic-core.h"
+ 
+ /* Microsoft Windows does not natively support inodes.
+    VMS has non-numeric inodes.  */
+@@ -382,6 +383,24 @@
+ 	}
+       fprintf (stderr, _("End of search list.\n"));
+     }
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (flag_poison_system_directories)
++    {
++       struct cpp_dir *p;
++
++       for (p = heads[QUOTE]; p; p = p->next)
++         {
++          if ((!strncmp (p->name, "/usr/include", 12))
++              || (!strncmp (p->name, "/usr/local/include", 18))
++              || (!strncmp (p->name, "/usr/X11R6/include", 18)))
++            warning (OPT_Wpoison_system_directories,
++                     "include location \"%s\" is unsafe for "
++                     "cross-compilation",
++                     p->name);
++         }
++    }
++#endif
+ }
+ 
+ /* Use given -I paths for #include "..." but not #include <...>, and
+Index: b/gcc/config/arc/arc.h
+===================================================================
+--- a/gcc/config/arc/arc.h
++++ b/gcc/config/arc/arc.h
+@@ -205,6 +205,8 @@
+ %{!fsyntax-only:%{!c:%{!M:%{!MM:%{!E:%{!S:\
+     %(linker) %l " LINK_PIE_SPEC "%X %{o*} %{A} %{d} %{e*} %{m} %{N} %{n} %{r}\
+     %{s} %{t} %{u*} %{x} %{z} %{Z} %{!A:%{!nostdlib:%{!nostartfiles:%S}}}\
++    %{Wno-poison-system-directories:--no-poison-system-directories}\
++    %{Werror=poison-system-directories:--error-poison-system-directories}\
+     %{static:} %{L*} %(mfwrap) %(link_libgcc) %o\
+     %{fopenmp:%:include(libgomp.spec)%(link_gomp)} %(mflib)\
+     %{fprofile-arcs|fprofile-generate|coverage:-lgcov}\
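
Review bot: gcc/config/arc/arc.h is modified by this hunk but does not appear in the diffstat at the top of the patch file, which still lists 8 files. The two spec lines are also a copy of the ones added to gcc/gcc.c above, so a comment in one place pointing at the other would help keep them in sync when either is changed.
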
-- 
2.0.0


* [Buildroot] [PATCH 09/12] gcc/4.7: add patch to warn about unsafe header paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (7 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 08/12] gcc/arc-4.8-R3: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-08-20 13:06 ` [Buildroot] [PATCH 10/12] gcc: enable poison system directories option Thomas Petazzoni
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a patch to gcc borrowed from CodeSourcery/Yocto that
warns about unsafe include paths (i.e. /usr/include,
/usr/local/include, etc.). The patch was adapted to gcc 4.7.4, and
modified to support the BR_COMPILER_PARANOID_UNSAFE_PATH environment
variable to error out instead of just warning when unsafe paths are
used. Even though erroring out can be chosen by passing
-Werror=poison-system-directories, we are not sure this option in
CFLAGS will always be passed, so having an environment variable
guarantees it will always be passed, and also allows having
behavior identical to that of the external toolchain wrapper.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 .../4.7.4/910-gcc-poison-system-directories.patch  | 207 +++++++++++++++++++++
 1 file changed, 207 insertions(+)
 create mode 100644 package/gcc/4.7.4/910-gcc-poison-system-directories.patch

diff --git a/package/gcc/4.7.4/910-gcc-poison-system-directories.patch b/package/gcc/4.7.4/910-gcc-poison-system-directories.patch
new file mode 100644
index 0000000..bc2d5c6
--- /dev/null
+++ b/package/gcc/4.7.4/910-gcc-poison-system-directories.patch
@@ -0,0 +1,207 @@
+From 160397ef3c3331099af028f1b8d3e085b07d88ad Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 29 Mar 2013 08:59:00 +0400
+Subject: [PATCH 16/35] gcc: poison-system-directories
+
+Adapted to Buildroot and gcc 4.7.4 by Thomas Petazzoni, especially the
+addition of the BR_COMPILER_PARANOID_UNSAFE_PATH environment variable.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Upstream-Status: Inappropriate [distribution: codesourcery]
+---
+ gcc/Makefile.in     |    2 +-
+ gcc/common.opt      |    4 ++++
+ gcc/config.in       |    6 ++++++
+ gcc/configure       |   20 ++++++++++++++++++--
+ gcc/configure.ac    |   10 ++++++++++
+ gcc/doc/invoke.texi |    9 +++++++++
+ gcc/gcc.c           |    2 ++
+ gcc/incpath.c       |   19 +++++++++++++++++++
+ 8 files changed, 69 insertions(+), 3 deletions(-)
+
+Index: b/gcc/common.opt
+===================================================================
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -585,6 +585,10 @@
+ Common Var(warn_padded) Warning
+ Warn when padding is required to align structure members
+ 
++Wpoison-system-directories
++Common Var(flag_poison_system_directories) Init(1) Warning
++Warn for -I and -L options using system directories if cross compiling
++
+ Wshadow
+ Common Var(warn_shadow) Warning
+ Warn when one local variable shadows another
+Index: b/gcc/config.in
+===================================================================
+--- a/gcc/config.in
++++ b/gcc/config.in
+@@ -144,6 +144,12 @@
+ #endif
+ 
+ 
++/* Define to warn for use of native system header directories */
++#ifndef USED_FOR_TARGET
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++#endif
++
++
+ /* Define if you want all operations on RTL (the basic data structure of the
+    optimizer and back end) to be checked for dynamic type safety at runtime.
+    This is quite expensive. */
+Index: b/gcc/configure
+===================================================================
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -918,6 +918,7 @@
+ with_system_zlib
+ enable_maintainer_mode
+ enable_version_specific_runtime_libs
++enable_poison_system_directories
+ enable_plugin
+ enable_libquadmath_support
+ with_linker_hash_style
+@@ -1632,6 +1633,8 @@
+   --enable-version-specific-runtime-libs
+                           specify that runtime libraries should be installed
+                           in a compiler-specific directory
++  --enable-poison-system-directories
++                          warn for use of native system header directories
+   --enable-plugin         enable plugin support
+   --disable-libquadmath-support
+                           disable libquadmath support for Fortran
+@@ -27186,6 +27189,19 @@
+ fi
+ 
+ 
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++  enableval=$enable_poison_system_directories;
++else
++  enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" = "xyes"; then
++
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++
++fi
++
+ # Substitute configuration variables
+ 
+ 
+Index: b/gcc/configure.ac
+===================================================================
+--- a/gcc/configure.ac
++++ b/gcc/configure.ac
+@@ -5037,6 +5037,16 @@
+                 [specify that runtime libraries should be
+                  installed in a compiler-specific directory])])
+ 
++AC_ARG_ENABLE([poison-system-directories],
++             AS_HELP_STRING([--enable-poison-system-directories],
++                            [warn for use of native system header directories]),,
++             [enable_poison_system_directories=no])
++if test "x${enable_poison_system_directories}" = "xyes"; then
++  AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++           [1],
++           [Define to warn for use of native system header directories])
++fi
++
+ # Substitute configuration variables
+ AC_SUBST(subdirs)
+ AC_SUBST(srcdir)
+Index: b/gcc/doc/invoke.texi
+===================================================================
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -260,6 +260,7 @@
+ -Woverlength-strings  -Wpacked  -Wpacked-bitfield-compat  -Wpadded @gol
+ -Wparentheses  -Wpedantic-ms-format -Wno-pedantic-ms-format @gol
+ -Wpointer-arith  -Wno-pointer-to-int-cast @gol
++-Wno-poison-system-directories @gol
+ -Wredundant-decls @gol
+ -Wreturn-type  -Wsequence-point  -Wshadow @gol
+ -Wsign-compare  -Wsign-conversion  -Wstack-protector @gol
+@@ -3880,6 +3881,14 @@
+  for most targets, it is made up of code and thus requires the stack
+  to be made executable in order for the program to work properly.
+ 
++ at item -Wno-poison-system-directories
++ at opindex Wno-poison-system-directories
++Do not warn for @option{-I} or @option{-L} options using system
++directories such as @file{/usr/include} when cross compiling.  This
++option is intended for use in chroot environments when such
++directories contain the correct headers and libraries for the target
++system rather than the host.
++
+ @item -Wfloat-equal
+ @opindex Wfloat-equal
+ @opindex Wno-float-equal
+Index: b/gcc/gcc.c
+===================================================================
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -674,6 +674,8 @@
+     %{flto} %{flto=*} %l " LINK_PIE_SPEC \
+    "%X %{o*} %{e*} %{N} %{n} %{r}\
+     %{s} %{t} %{u*} %{z} %{Z} %{!nostdlib:%{!nostartfiles:%S}}\
++    %{Wno-poison-system-directories:--no-poison-system-directories}\
++    %{Werror=poison-system-directories:--error-poison-system-directories}\
+     %{static:} %{L*} %(mfwrap) %(link_libgcc) %o\
+     %{fopenmp|ftree-parallelize-loops=*:%:include(libgomp.spec)%(link_gomp)}\
+     %{fgnu-tm:%:include(libitm.spec)%(link_itm)}\
+@@ -3907,6 +3909,12 @@
+       gcc_assert (!compare_debug_opt);
+     }
+ 
++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
++  if (temp && strlen(temp) > 0)
++    {
++      save_switch("-Werror=poison-system-directories", 0, NULL, false);
++    }
++
+   /* Set up the search paths.  We add directories that we expect to
+      contain GNU Toolchain components before directories specified by
+      the machine description so that we will find GNU components (like
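
Review bot: save_switch() is called with four arguments here, where the 4.8.3, arc-4.8-R3 and 4.9 versions of this patch pass five (`..., false, true`). If that follows the function's signature in gcc 4.7.4, say so in the "Adapted to Buildroot and gcc 4.7.4" paragraph of the patch header, since the difference is easy to mistake for a copy error.
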
+Index: b/gcc/incpath.c
+===================================================================
+--- a/gcc/incpath.c
++++ b/gcc/incpath.c
+@@ -30,6 +30,7 @@
+ #include "intl.h"
+ #include "incpath.h"
+ #include "cppdefault.h"
++#include "diagnostic-core.h"
+ 
+ /* Microsoft Windows does not natively support inodes.
+    VMS has non-numeric inodes.  */
+@@ -373,6 +374,24 @@
+ 	}
+       fprintf (stderr, _("End of search list.\n"));
+     }
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++  if (flag_poison_system_directories)
++    {
++       struct cpp_dir *p;
++
++       for (p = heads[QUOTE]; p; p = p->next)
++         {
++          if ((!strncmp (p->name, "/usr/include", 12))
++              || (!strncmp (p->name, "/usr/local/include", 18))
++              || (!strncmp (p->name, "/usr/X11R6/include", 18)))
++            warning (OPT_Wpoison_system_directories,
++                     "include location \"%s\" is unsafe for "
++                     "cross-compilation",
++                     p->name);
++         }
++    }
++#endif
+ }
+ 
+ /* Use given -I paths for #include "..." but not #include <...>, and
-- 
2.0.0


* [Buildroot] [PATCH 10/12] gcc: enable poison system directories option
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (8 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 09/12] gcc/4.7: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-09-10 20:09   ` Yann E. MORIN
  2014-08-20 13:06 ` [Buildroot] [PATCH 11/12] binutils: " Thomas Petazzoni
                   ` (2 subsequent siblings)
  12 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit enables the poison system directories option, which is now
available thanks to the gcc patches that have been added.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 package/gcc/gcc-final/gcc-final.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/gcc/gcc-final/gcc-final.mk b/package/gcc/gcc-final/gcc-final.mk
index 44b9561..b697e61 100644
--- a/package/gcc/gcc-final/gcc-final.mk
+++ b/package/gcc/gcc-final/gcc-final.mk
@@ -52,6 +52,7 @@ HOST_GCC_FINAL_CONF_OPT = \
 	$(HOST_GCC_COMMON_CONF_OPT) \
 	--enable-languages=$(GCC_FINAL_CROSS_LANGUAGES) \
 	$(DISABLE_LARGEFILE) \
+	--enable-poison-system-directories \
 	--with-build-time-tools=$(HOST_DIR)/usr/$(GNU_TARGET_NAME)/bin
 
 # Disable shared libs like libstdc++ if we do static since it confuses linking
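
Review bot: --enable-poison-system-directories is added to HOST_GCC_FINAL_CONF_OPT unconditionally, but the configure option only exists in gcc trees that carry 910-gcc-poison-system-directories.patch. If any selectable gcc version is left without that patch, the check would be absent there with no indication in the build; either confirm the series covers every version or make the flag conditional. The commit message could also state that this makes the warning active by default, since common.opt declares the option with Init(1).
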
-- 
2.0.0


* [Buildroot] [PATCH 11/12] binutils: enable poison system directories option
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (9 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 10/12] gcc: enable poison system directories option Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-09-10 20:09   ` Yann E. MORIN
  2014-08-20 13:06 ` [Buildroot] [PATCH 12/12] Add option for paranoid unsafe path checking Thomas Petazzoni
  2014-08-21 20:30 ` [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Romain Naour
  12 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit enables the poison system directories option, which is now
available thanks to the binutils patches that have been added.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 package/binutils/binutils.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/binutils/binutils.mk b/package/binutils/binutils.mk
index 4888eeb..ecbd40d 100644
--- a/package/binutils/binutils.mk
+++ b/package/binutils/binutils.mk
@@ -72,6 +72,7 @@ HOST_BINUTILS_CONF_OPT = --disable-multilib --disable-werror \
 			--target=$(GNU_TARGET_NAME) \
 			--disable-shared --enable-static \
 			--with-sysroot=$(STAGING_DIR) \
+			--enable-poison-system-directories \
 			$(BINUTILS_DISABLE_GDB_CONF_OPT) \
 			$(BINUTILS_EXTRA_CONFIG_OPTIONS)
 
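Review bot: the new --enable-poison-system-directories line is placed before $(BINUTILS_EXTRA_CONFIG_OPTIONS), so an extra option supplied there can switch the check off again, since the later configure option wins. If that override is intended, say so in the commit message; if it is not, move the flag after the extra options.
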
-- 
2.0.0

^ permalink raw reply related	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 12/12] Add option for paranoid unsafe path checking
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (10 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 11/12] binutils: " Thomas Petazzoni
@ 2014-08-20 13:06 ` Thomas Petazzoni
  2014-09-10 20:12   ` Yann E. MORIN
  2014-08-21 20:30 ` [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Romain Naour
  12 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-20 13:06 UTC (permalink / raw)
  To: buildroot

This commit adds a Config.in option to the "Build options" submenu to
enable paranoid checking of unsafe paths. This mechanism is added as
an option so that when we'll enable it in the autobuilders, people
trying to reproduce the build failures will be able to do so by just
downloading the configuration file. If instead we were leaving this
feature as an environment variable, everyone would have to remember to
pass this environment variable to reproduce build issues. And certain
build issues triggered by paranoid unsafe path checking may not be
visible in the build output, for example when they happen during the
execution of configure scripts.

Since this option is fairly advanced, a new submenu inside "Build
options" is created, for Advanced options.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 Config.in           | 20 ++++++++++++++++++++
 package/Makefile.in |  4 ++++
 2 files changed, 24 insertions(+)

diff --git a/Config.in b/Config.in
index 14ff55b..3f41b93 100644
--- a/Config.in
+++ b/Config.in
@@ -574,6 +574,26 @@ config BR2_GLOBAL_PATCH_DIR
 	  Otherwise, if the directory <global-patch-dir>/<packagename> exists,
 	  then all *.patch files in the directory will be applied.
 
+menu "Advanced"
+
+config BR2_COMPILER_PARANOID_UNSAFE_PATH
+	bool "paranoid check of library/header paths"
+	help
+	  By default, when this option is disabled, when the Buildroot
+	  cross-compiler will encounter an unsafe library or header
+	  path (such as /usr/include, or /usr/lib), the compiler will
+	  display a warning.
+
+	  By enabling this option, this warning is turned into an
+	  error, which will completely abort the build when such
+	  unsafe paths are encountered.
+
+	  Note that this mechanism is available for both the internal
+	  toolchain (through gcc and binutils patches) and external
+	  toolchain backends (through the external toolchain wrapper).
+
+endmenu
+
 endmenu
 
 source "toolchain/Config.in"
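
Review bot: the help text of BR2_COMPILER_PARANOID_UNSAFE_PATH names /usr/include and /usr/lib only as examples and never says which options are inspected, so a user cannot tell what a build with this option has actually been checked for. Give the full list of directories treated as unsafe and state that the check applies to -I and -L paths. The opening sentence ("By default, when this option is disabled, when the Buildroot cross-compiler will encounter ...") would also read better as "When this option is disabled, the Buildroot cross-compiler only displays a warning when it encounters ...".
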
diff --git a/package/Makefile.in b/package/Makefile.in
index 7d9943c..b9ca7b0 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -385,6 +385,10 @@ else
 SHARED_STATIC_LIBS_OPTS = --enable-static --enable-shared
 endif
 
+ifeq ($(BR2_COMPILER_PARANOID_UNSAFE_PATH),y)
+export BR_COMPILER_PARANOID_UNSAFE_PATH=enabled
+endif
+
 include package/pkg-download.mk
 include package/pkg-autotools.mk
 include package/pkg-cmake.mk
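
Review bot: the ifeq block exports BR_COMPILER_PARANOID_UNSAFE_PATH when the option is y but has no else branch, so a value already present in the caller's environment still reaches the compiler and linker when the option is disabled. That undoes the reproducibility argument made in the commit message, because two builds from the same configuration file can then behave differently. Add an else branch containing "unexport BR_COMPILER_PARANOID_UNSAFE_PATH".
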
-- 
2.0.0

^ permalink raw reply related	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
  2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
                   ` (11 preceding siblings ...)
  2014-08-20 13:06 ` [Buildroot] [PATCH 12/12] Add option for paranoid unsafe path checking Thomas Petazzoni
@ 2014-08-21 20:30 ` Romain Naour
  2014-08-21 21:33   ` Thomas Petazzoni
  12 siblings, 1 reply; 30+ messages in thread
From: Romain Naour @ 2014-08-21 20:30 UTC (permalink / raw)
  To: buildroot

Hi Thomas,

On 20/08/2014 15:06, Thomas Petazzoni wrote:
> Hello,
> 
> This series is a respin of the patch I sent a long time ago to improve
> the external toolchain wrapper to warn/error when unsafe library or
> header paths are used.
> 
> This series extend this significantly by:
> 
>  - Making sure the external toolchain wrapper logic will work even if
>    Buildroot is built from /usr. To do this, we assume only
>    /usr/include and /usr/local/include are unsafe header paths, and
>    /usr/lib and /usr/local/lib are unsafe library paths. Other
>    locations in /usr are assumed to be safe.
> 
>  - Covering the internal toolchain backend as well, by
>    borrowing/adapting gcc and binutils patches from
>    CodeSourcery/Yocto. The compiler and linker directly check for
>    unsafe paths in -I/-L options.
> 
>  - Adding a Config.in option to control the usage of this
>    mechanism. When the option is disabled, only warnings are
>    emitted. When the option is enabled, any unsafe header or library
>    path will make the compilation fail.
> 
> Of course, this series is not meant for 2014.08, but for 2014.11.
> 
> Feedback welcome,
> 

First of all, thanks for your work on this topic!

I'm using this series during investigations on build errors reported by
autobuilders.

I discovered four packages that use unsafe paths:
tmux, ipset, aircrack-ng (-I/usr/local/include)
iprutils (-I/usr/include/ncurses)

Do you know why the upstream status of the gcc patch is "Inappropriate"?
Is there a way for this patch to get merged into mainline gcc?
My colleague Adrien asked me about that.

Also, BR_COMPILER_PARANOID_UNSAFE_PATH needs to be renamed to
BR2_COMPILER_PARANOID_UNSAFE_PATH to follow the naming scheme ?

Best regards,
Romain

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
  2014-08-21 20:30 ` [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Romain Naour
@ 2014-08-21 21:33   ` Thomas Petazzoni
  2014-08-22 16:30     ` Yann E. MORIN
  0 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-08-21 21:33 UTC (permalink / raw)
  To: buildroot

Dear Romain Naour,

On Thu, 21 Aug 2014 22:30:29 +0200, Romain Naour wrote:

> First of all, thanks for your work on this topic !
> 
> I'm using this series during investigations on build errors reported by
> autobuilders.
> 
> I discovered four packages that use unsafe paths:
> tmux, ipset, aircrack-ng (-I/usr/local/include)
> iprutils (-I/usr/include/ncurses)

Great!

> Do you know why the upstream status of the gcc patch is "Inappropriate"?
> Is there a way for this patch to get merged into mainline gcc?
> My colleague Adrien asked me about that.

I *believe* because they hardcode which paths are assumed to be
"invalid", i.e. /usr/include, /usr/local/include, etc. But it's probably
possible to implement a solution where those paths would be passed as
options at compile time and/or run time.

> Also, BR_COMPILER_PARANOID_UNSAFE_PATH needs to be renamed to
> BR2_COMPILER_PARANOID_UNSAFE_PATH to follow the naming scheme ?

No: BR2_* variables are Config.in options. Environment variables are
BR_*.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
  2014-08-21 21:33   ` Thomas Petazzoni
@ 2014-08-22 16:30     ` Yann E. MORIN
  2014-08-22 19:29       ` Thomas De Schampheleire
  0 siblings, 1 reply; 30+ messages in thread
From: Yann E. MORIN @ 2014-08-22 16:30 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-08-21 23:33 +0200, Thomas Petazzoni spake thusly:
> On Thu, 21 Aug 2014 22:30:29 +0200, Romain Naour wrote:
> > Also, BR_COMPILER_PARANOID_UNSAFE_PATH needs to be renamed to
> > BR2_COMPILER_PARANOID_UNSAFE_PATH to follow the naming scheme ?
> 
> No: BR2_* variables are Config.in options. Environment variables are
> BR_*.

Earlier this year in Brussels, we said we were to use BR2_ everywhere :
    http://elinux.org/Buildroot:DeveloperDaysFOSDEM2014

So Romain is right, that the environment variable should be renamed.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
  2014-08-22 16:30     ` Yann E. MORIN
@ 2014-08-22 19:29       ` Thomas De Schampheleire
  2014-08-24 11:22         ` Yann E. MORIN
  0 siblings, 1 reply; 30+ messages in thread
From: Thomas De Schampheleire @ 2014-08-22 19:29 UTC (permalink / raw)
  To: buildroot

"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>Thomas, All,
>
>On 2014-08-21 23:33 +0200, Thomas Petazzoni spake thusly:
>> On Thu, 21 Aug 2014 22:30:29 +0200, Romain Naour wrote:
>> > Also, BR_COMPILER_PARANOID_UNSAFE_PATH needs to be renamed to
>> > BR2_COMPILER_PARANOID_UNSAFE_PATH to follow the naming scheme ?
>> 
>> No: BR2_* variables are Config.in options. Environment variables are
>> BR_*.
>
>Earlier this year in Brussels, we said we were to use BR2_ everywhere :
>    http://elinux.org/Buildroot:DeveloperDaysFOSDEM2014

Hmm, that is written in the conclusion, but this is very different
than what is in the 'proposed rules'.
Was it really the final outcome to use BR2 for all types of variable?
I thought we wanted to make a distinction between config variables
and others...

Best regards,
Thomas

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
  2014-08-22 19:29       ` Thomas De Schampheleire
@ 2014-08-24 11:22         ` Yann E. MORIN
  2014-08-26 20:14           ` Arnout Vandecappelle
  0 siblings, 1 reply; 30+ messages in thread
From: Yann E. MORIN @ 2014-08-24 11:22 UTC (permalink / raw)
  To: buildroot

Thomas?, All,

On 2014-08-22 21:29 +0200, Thomas De Schampheleire spake thusly:
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> >Thomas, All,
> >
> >On 2014-08-21 23:33 +0200, Thomas Petazzoni spake thusly:
> >> On Thu, 21 Aug 2014 22:30:29 +0200, Romain Naour wrote:
> >> > Also, BR_COMPILER_PARANOID_UNSAFE_PATH needs to be renamed to
> >> > BR2_COMPILER_PARANOID_UNSAFE_PATH to follow the naming scheme ?
> >> 
> >> No: BR2_* variables are Config.in options. Environment variables are
> >> BR_*.
> >
> >Earlier this year in Brussels, we said we were to use BR2_ everywhere :
> >    http://elinux.org/Buildroot:DeveloperDaysFOSDEM2014
> 
> Hmm, that is written in the conclusion, but this is very
>  different than what is in the 'proposed rules'.
> Was it really the final outcome to use BR2 for all types
>  of variable? I thought we wanted to make a
>  distinction between config variables and others...

Yes, I was a bit surprised by the conclusion, too.
From what I remember, I thought we decided for:
  - user-facing variables: prefix with BR2_
  - internal variables: prefix with BR_

IIRC, we already have a few changesets implementing those rules.

For example:
    35c666e toolchain/wrapper: rename BR_DEBUG_WRAPPER

(I could not find another reverse such change, unfortunately...)

Regards,
Yann E. MORIN.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths
  2014-08-24 11:22         ` Yann E. MORIN
@ 2014-08-26 20:14           ` Arnout Vandecappelle
  0 siblings, 0 replies; 30+ messages in thread
From: Arnout Vandecappelle @ 2014-08-26 20:14 UTC (permalink / raw)
  To: buildroot

 [/me is back from too long holidays, facing 2000 BR mails :-)]

On 08/24/14 13:22, Yann E. MORIN wrote:
> Thomas?, All,
> 
> On 2014-08-22 21:29 +0200, Thomas De Schampheleire spake thusly:
>> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
>>> Thomas, All,
>>>
>>> On 2014-08-21 23:33 +0200, Thomas Petazzoni spake thusly:
>>>> On Thu, 21 Aug 2014 22:30:29 +0200, Romain Naour wrote:
>>>>> Also, BR_COMPILER_PARANOID_UNSAFE_PATH needs to be renamed to
>>>>> BR2_COMPILER_PARANOID_UNSAFE_PATH to follow the naming scheme ?
>>>>
>>>> No: BR2_* variables are Config.in options. Environment variables are
>>>> BR_*.
>>>
>>> Earlier this year in Brussels, we said we were to use BR2_ everywhere :
>>>    http://elinux.org/Buildroot:DeveloperDaysFOSDEM2014
>>
>> Hmm, that is written in the conclusion, but this is very
>>  different than what is in the 'proposed rules'.
>> Was it really the final outcome to use BR2 for all types
>>  of variable? I thought we wanted to make a
>>  distinction between config variables and others...
> 
> Yes, I was a bit surprised by the conclusion, too.
> From what I remember, I thought we decided for:
>   - user-facing variables: prefix with BR2_
>   - internal variables: prefix with BR_
> 
> IIRC, we already have a few changesets implementing those rules.
> 
> For example:
>     35c666e toolchain/wrapper: rename BR_DEBUG_WRAPPER
> 
> (I could not find another reverse such change, unfortunately...)

 Blame the reporter.

 The conclusion was:

* BR2_ for all Kconfig variables;
* BR2_ for user-facing environment variables;
* BR_ for internal environment variables.


 Other such changes:

4113b3c infra: replace BUILDROOT_CONFIG with BR2_CONFIG
6768021 infra: replace BUILDROOT_DL_DIR with BR2_DL_DIR.


 Regards,
 Arnout

> 
> Regards,
> Yann E. MORIN.
> 


-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths
  2014-08-20 13:06 ` [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths Thomas Petazzoni
@ 2014-09-10 19:42   ` Yann E. MORIN
  2014-09-10 20:18     ` Thomas Petazzoni
  0 siblings, 1 reply; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 19:42 UTC (permalink / raw)
  To: buildroot

Thomas, All,

At long last, here is a preliminary review of this series...

On 2014-08-20 15:06 +0200, Thomas Petazzoni spake thusly:
[--SNIP--]
> diff --git a/toolchain/toolchain-external/ext-toolchain-wrapper.c b/toolchain/toolchain-external/ext-toolchain-wrapper.c
> index 8db4ac4..16faa5c 100644
> --- a/toolchain/toolchain-external/ext-toolchain-wrapper.c
> +++ b/toolchain/toolchain-external/ext-toolchain-wrapper.c
> @@ -70,6 +70,24 @@ static char *predef_args[] = {
>  #endif
>  };
>  
> +static void check_unsafe_path(const char *path, int paranoid)
> +{
> +	char **c;
> +	char *unsafe_paths[] = {
> +		"/usr/include", "/usr/lib", "/usr/local/include", "/usr/local/lib", NULL,

Make it a global variable, or at least a static one.

> +	};
> +
> +	for (c = unsafe_paths; *c != NULL; c++) {
> +		if (!strncmp(path, *c, strlen(*c))) {
> +			fprintf(stderr, "%s: unsafe header/library path used in cross-compilation: '%s'\n",
> +				paranoid ? "ERROR" : "WARNING", path);

It could be nice to also print the name of the executable that is
running, something like:

    fprintf(stderr,"%s: %s: unsafe....'%s'\n",
            program_invocation_short_name,
            paranoid ? "ERROR" : "WARNING", path);

program_invocation_short_name is a glibcism, so it would only work on
glibc, or uClibc with the option enabled. Also requires:
    #define _GNU_SOURCE
    #include <errno.h>
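
Review bot: the strncmp(path, *c, strlen(*c)) test in check_unsafe_path() is a plain prefix comparison, so it also fires on sibling directories such as /usr/libexec or /usr/lib64, and it does not recognise the same directories when they are spelled //usr/include or /usr/./include. Require the character after the matched prefix to be '\0' or '/', or say in a comment that sibling directories are deliberately covered; recognising the alternative spellings needs the path normalised before the comparison.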

> @@ -178,6 +198,35 @@ int main(int argc, char **argv)
>  	}
>  #endif /* ARCH || TUNE || CPU */
>  
> +	paranoid_wrapper = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> +	if (paranoid_wrapper && strlen(paranoid_wrapper) > 0)
> +		paranoid = 1;
> +	else
> +		paranoid = 0;
> +
> +
> +	/* Check for unsafe library and header paths */
> +	for (i = 1; i < argc; i++) {
> +
> +		/* Skip options that do not start with -I and -L */
> +		if (strncmp(argv[i], "-I", 2) && strncmp(argv[i], "-L", 2))
> +			continue;
> +
> +		/* We handle two cases: first the case where -I/-L and
> +		 * the path are separated by one space and therefore
> +		 * visible as two separate options, and then the case
> +		 * where they are stuck together forming one single
> +		 * option.
> +		 */
> +		if (strlen(argv[i]) == 2) {

argv[*] are passed by the user, so better not trust them. What about:

    if (argv[i][2]!='\0') {
        ...;
    }

Regards,
Yann E. MORIN.

> +			if (i == argc)
> +				continue;

'i' can not be == argc, because 'i' is an array index, and argc is the
number of entries in the array. If you want to test whether that's the
last argument, you should do:

    if (i+1 == argc) { ...; }

or:
    i++;
    if (i == argc) { ...; }

I think the second option is better, since that way you also skip
re-testing that argv in the next loop.

Also, I'd use break instead of continue, since the loop is finished
anyway.

Regards,
Yann E. MORIN.

> +			check_unsafe_path(argv[i+1], paranoid);
> +		} else {
> +			check_unsafe_path(argv[i] + 2, paranoid);
> +		}
> +	}
> +
>  	/* append forward args */
>  	memcpy(cur, &argv[1], sizeof(char *) * (argc - 1));
>  	cur += argc - 1;
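
Review bot: the loop skips every argument that does not start with -I or -L, so header directories passed through -isystem, -idirafter or -iquote are never checked and the wrapper stays silent for them; extend the option test to those spellings. In the two-argument branch, i == argc can never be true inside the loop, so a trailing -I or -L hands argv[argc], which is NULL, to check_unsafe_path() and on to strncmp(); test i + 1 == argc before the call.
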
> -- 
> 2.0.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 30+ messages in thread
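
The argument scan discussed in this review, written out as an added example (it is not Buildroot's wrapper and not code posted in the thread): both the joined and the separate -I/-L forms are handled, a trailing -I or -L ends the scan, and unsafe directories are matched on a path-component boundary. The function names are hypothetical, and the boundary match is this example's assumption; the patch under review uses a plain prefix comparison.

```c
/* Added illustration; not the Buildroot wrapper. Function names are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same four directories as the wrapper patch under review. */
static const char *const unsafe_paths[] = {
	"/usr/include", "/usr/lib", "/usr/local/include", "/usr/local/lib", NULL,
};

/* Return 1 if path is one of the unsafe directories or lies below one.
 * Unlike a bare strncmp() prefix test, the match must end on a path
 * component boundary, so "/usr/libexec" is not taken for "/usr/lib". */
static int is_unsafe_path(const char *path)
{
	const char *const *c;

	if (path == NULL)
		return 0;
	for (c = unsafe_paths; *c != NULL; c++) {
		size_t n = strlen(*c);

		if (strncmp(path, *c, n) == 0 && (path[n] == '\0' || path[n] == '/'))
			return 1;
	}
	return 0;
}

/* Paranoid mode: variable set and non-empty, as in the patch. */
static int paranoid_enabled(void)
{
	const char *v = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");

	return v != NULL && v[0] != '\0';
}

/* Scan argv for -I/-L in both "-Idir" and "-I dir" forms.
 * Returns the number of unsafe paths found. */
static int count_unsafe_args(int argc, char **argv, int paranoid)
{
	int i, hits = 0;

	for (i = 1; i < argc; i++) {
		const char *path;

		/* Skip options that do not start with -I or -L */
		if (strncmp(argv[i], "-I", 2) && strncmp(argv[i], "-L", 2))
			continue;
		if (argv[i][2] != '\0') {
			path = argv[i] + 2;      /* joined form */
		} else {
			if (++i == argc)         /* option is last: no path */
				break;
			path = argv[i];          /* separate form, now consumed */
		}
		if (is_unsafe_path(path)) {
			fprintf(stderr, "%s: unsafe header/library path used in cross-compilation: '%s'\n",
				paranoid ? "ERROR" : "WARNING", path);
			hits++;
		}
	}
	return hits;
}

int main(int argc, char **argv)
{
	int paranoid = paranoid_enabled();
	int hits = count_unsafe_args(argc, argv, paranoid);

	/* In paranoid mode any hit fails the invocation. */
	return (paranoid && hits > 0) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```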

* [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths
  2014-08-20 13:06 ` [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths Thomas Petazzoni
@ 2014-09-10 19:52   ` Yann E. MORIN
  2014-09-10 20:19     ` Thomas Petazzoni
  0 siblings, 1 reply; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 19:52 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-08-20 15:06 +0200, Thomas Petazzoni spake thusly:
[--SNIP--]
> +Index: b/ld/lexsup.c
> +===================================================================
> +--- a/ld/lexsup.c
> ++++ b/ld/lexsup.c
[--SNIP--]
> +@@ -519,6 +527,7 @@
> +   int ingroup = 0;
> +   char *default_dirlist = NULL;
> +   char *shortopts;
> ++  char *temp;

Well, let's give it a better name, please:  char *BR_paranoid_env;

;-)

Regards,
Yann E. MORIN.

> +   struct option *longopts;
> +   struct option *really_longopts;
> +   int last_optind;
> +@@ -1442,9 +1451,21 @@
> +               einfo (_("%P%X: --hash-size needs a numeric argument\n"));
> +           }
> +           break;
> ++
> ++   case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
> ++     command_line.poison_system_directories = FALSE;
> ++     break;
> ++
> ++   case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
> ++     command_line.error_poison_system_directories = TRUE;
> ++     break;
> + 	}
> +     }
> + 
> ++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> ++  if (temp && strlen(temp) > 0)

    if (BR_paranoid_env && BR_paranoid_env[0])

Regards,
Yann E. MORIN.

> ++    command_line.error_poison_system_directories = TRUE;
> ++
> +   while (ingroup)
> +     {
> +       lang_leave_group ();
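
Review bot: the getenv("BR_COMPILER_PARANOID_UNSAFE_PATH") block after the option loop treats any non-empty value as enabled, so a value of 0 or no also turns the warnings into errors. Document that only an unset or empty variable leaves the check at warning level, and keep this Buildroot-specific lookup in a separate patch on top of the borrowed one so the imported part stays easy to refresh.
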
> +Index: b/ld/ldlex.h
> +===================================================================
> +--- a/ld/ldlex.h
> ++++ b/ld/ldlex.h
> +@@ -138,6 +138,8 @@
> +   OPTION_DEFAULT_SCRIPT,
> +   OPTION_PRINT_OUTPUT_FORMAT,
> +   OPTION_IGNORE_UNRESOLVED_SYMBOL,
> ++  OPTION_NO_POISON_SYSTEM_DIRECTORIES,
> ++  OPTION_ERROR_POISON_SYSTEM_DIRECTORIES,
> + };
> + 
> + /* The initial parser states.  */
> -- 
> 2.0.0

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths
  2014-08-20 13:06 ` [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths Thomas Petazzoni
@ 2014-09-10 20:08   ` Yann E. MORIN
  2014-09-10 20:24     ` Thomas Petazzoni
  0 siblings, 1 reply; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 20:08 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-08-20 15:06 +0200, Thomas Petazzoni spake thusly:
> +Index: b/gcc/gcc.c
> +===================================================================
> +--- a/gcc/gcc.c
> ++++ b/gcc/gcc.c
[--SNIP--]
> +@@ -4028,6 +4030,12 @@
> +       gcc_assert (!compare_debug_opt);
> +     }
> + 
> ++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> ++  if (temp && strlen(temp) > 0)
> ++    {
> ++      save_switch("-Werror=poison-system-directories", 0, NULL, false, true);

Here you set the --error-poison-system-directories for the linker...

> ++    }
> ++
> +   /* Set up the search paths.  We add directories that we expect to
> +      contain GNU Toolchain components before directories specified by
> +      the machine description so that we will find GNU components (like
> +Index: b/gcc/incpath.c
> +===================================================================
> +--- a/gcc/incpath.c
> ++++ b/gcc/incpath.c
> +@@ -28,6 +28,7 @@
> + #include "intl.h"
> + #include "incpath.h"
> + #include "cppdefault.h"
> ++#include "diagnostic-core.h"
> + 
> + /* Microsoft Windows does not natively support inodes.
> +    VMS has non-numeric inodes.  */
> +@@ -382,6 +383,24 @@
> + 	}
> +       fprintf (stderr, _("End of search list.\n"));
> +     }
> ++
> ++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
> ++  if (flag_poison_system_directories)
> ++    {
> ++       struct cpp_dir *p;
> ++
> ++       for (p = heads[QUOTE]; p; p = p->next)
> ++         {
> ++          if ((!strncmp (p->name, "/usr/include", 12))
> ++              || (!strncmp (p->name, "/usr/local/include", 18))
> ++              || (!strncmp (p->name, "/usr/X11R6/include", 18)))
> ++            warning (OPT_Wpoison_system_directories,
> ++                     "include location \"%s\" is unsafe for "
> ++                     "cross-compilation",
> ++                     p->name);

But you do not handle include paths. We should error out if
BR_COMPILER_PARANOID_UNSAFE_PATH is set and non-empty, no?

BTW, I commented only one version of each component, and the comments
apply to the other versions, of course.

Regards,
Yann E. MORIN.

> ++         }
> ++    }
> ++#endif
> + }
> + 
> + /* Use given -I paths for #include "..." but not #include <...>, and
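
Review bot: the three strncmp() calls in the incpath.c hunk hardcode the lengths 12, 18 and 18 beside the string literals, and the list (/usr/include, /usr/local/include, /usr/X11R6/include) is not the one used by the external toolchain wrapper, whose header entries have no /usr/X11R6/include. Derive each length from its literal, for example with a small table and strlen(), and align the directory list across the wrapper, gcc and binutils so that both toolchain backends flag the same paths.
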
> -- 
> 2.0.0

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 11/12] binutils: enable poison system directories option
  2014-08-20 13:06 ` [Buildroot] [PATCH 11/12] binutils: " Thomas Petazzoni
@ 2014-09-10 20:09   ` Yann E. MORIN
  0 siblings, 0 replies; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 20:09 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-08-20 15:06 +0200, Thomas Petazzoni spake thusly:
> This commit enables the poison system directories option, which is now
> available thanks to the binutils patches that have been added.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

When the previous patches have been fixed:

Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  package/binutils/binutils.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/binutils/binutils.mk b/package/binutils/binutils.mk
> index 4888eeb..ecbd40d 100644
> --- a/package/binutils/binutils.mk
> +++ b/package/binutils/binutils.mk
> @@ -72,6 +72,7 @@ HOST_BINUTILS_CONF_OPT = --disable-multilib --disable-werror \
>  			--target=$(GNU_TARGET_NAME) \
>  			--disable-shared --enable-static \
>  			--with-sysroot=$(STAGING_DIR) \
> +			--enable-poison-system-directories \
>  			$(BINUTILS_DISABLE_GDB_CONF_OPT) \
>  			$(BINUTILS_EXTRA_CONFIG_OPTIONS)
>  
> -- 
> 2.0.0

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 10/12] gcc: enable poison system directories option
  2014-08-20 13:06 ` [Buildroot] [PATCH 10/12] gcc: enable poison system directories option Thomas Petazzoni
@ 2014-09-10 20:09   ` Yann E. MORIN
  0 siblings, 0 replies; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 20:09 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-08-20 15:06 +0200, Thomas Petazzoni spake thusly:
> This commit enables the poison system directories option, which is now
> available thanks to the gcc patches that have been added.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

When the previous patches have been fixed:

Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  package/gcc/gcc-final/gcc-final.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/gcc/gcc-final/gcc-final.mk b/package/gcc/gcc-final/gcc-final.mk
> index 44b9561..b697e61 100644
> --- a/package/gcc/gcc-final/gcc-final.mk
> +++ b/package/gcc/gcc-final/gcc-final.mk
> @@ -52,6 +52,7 @@ HOST_GCC_FINAL_CONF_OPT = \
>  	$(HOST_GCC_COMMON_CONF_OPT) \
>  	--enable-languages=$(GCC_FINAL_CROSS_LANGUAGES) \
>  	$(DISABLE_LARGEFILE) \
> +	--enable-poison-system-directories \
>  	--with-build-time-tools=$(HOST_DIR)/usr/$(GNU_TARGET_NAME)/bin
>  
>  # Disable shared libs like libstdc++ if we do static since it confuses linking
> -- 
> 2.0.0

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 12/12] Add option for paranoid unsafe path checking
  2014-08-20 13:06 ` [Buildroot] [PATCH 12/12] Add option for paranoid unsafe path checking Thomas Petazzoni
@ 2014-09-10 20:12   ` Yann E. MORIN
  0 siblings, 0 replies; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 20:12 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-08-20 15:06 +0200, Thomas Petazzoni spake thusly:
> This commit adds a Config.in option to the "Build options" submenu to
> enable paranoid checking of unsafe paths. This mechanism is added as
> an option so that when we'll enable it in the autobuilders, people
> trying to reproduce the build failures will be able to do so by just
> downloading the configuration file. If instead we were leaving this
> feature as an environment variable, everyone would have to remember to
> pass this environment variable to reproduce build issues. And certain
> build issues triggered by paranoid unsafe path checking may not be
> visible in the build output, for example when they happen during the
> execution of configure scripts.
> 
> Since this option is fairly advanced, a new submenu inside "Build
> options" is created, for Advanced options.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

When previous patches have been fixed:

Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  Config.in           | 20 ++++++++++++++++++++
>  package/Makefile.in |  4 ++++
>  2 files changed, 24 insertions(+)
> 
> diff --git a/Config.in b/Config.in
> index 14ff55b..3f41b93 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -574,6 +574,26 @@ config BR2_GLOBAL_PATCH_DIR
>  	  Otherwise, if the directory <global-patch-dir>/<packagename> exists,
>  	  then all *.patch files in the directory will be applied.
>  
> +menu "Advanced"
> +
> +config BR2_COMPILER_PARANOID_UNSAFE_PATH
> +	bool "paranoid check of library/header paths"
> +	help
> +	  By default, when this option is disabled, when the Buildroot
> +	  cross-compiler will encounter an unsafe library or header
> +	  path (such as /usr/include, or /usr/lib), the compiler will
> +	  display a warning.
> +
> +	  By enabling this option, this warning is turned into an
> +	  error, which will completely abort the build when such
> +	  unsafe paths are encountered.
> +
> +	  Note that this mechanism is available for both the internal
> +	  toolchain (through gcc and binutils patches) and external
> +	  toolchain backends (through the external toolchain wrapper).
> +
> +endmenu
> +
>  endmenu
>  
>  source "toolchain/Config.in"
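Review bot: the help text of BR2_COMPILER_PARANOID_UNSAFE_PATH says only that "the compiler will display a warning", while its own last paragraph states that binutils is patched as well, so the linker should be named next to the compiler. The first sentence also stacks two "when" clauses ("By default, when this option is disabled, when the Buildroot cross-compiler will encounter"). Suggested wording: "By default, when the Buildroot cross-compiler or linker encounters an unsafe library or header path (such as /usr/include or /usr/lib), a warning is displayed."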
> diff --git a/package/Makefile.in b/package/Makefile.in
> index 7d9943c..b9ca7b0 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -385,6 +385,10 @@ else
>  SHARED_STATIC_LIBS_OPTS = --enable-static --enable-shared
>  endif
>  
> +ifeq ($(BR2_COMPILER_PARANOID_UNSAFE_PATH),y)
> +export BR_COMPILER_PARANOID_UNSAFE_PATH=enabled
> +endif
> +
>  include package/pkg-download.mk
>  include package/pkg-autotools.mk
>  include package/pkg-cmake.mk
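Review bot: the ifeq block has no else branch, so when the option is disabled a BR_COMPILER_PARANOID_UNSAFE_PATH that is already set in the caller's environment is still inherited by the compiler, linker and wrapper, and the build outcome then depends on more than the configuration file, which is the reproducibility problem the commit message sets out to avoid. Suggest adding "else" followed by "unexport BR_COMPILER_PARANOID_UNSAFE_PATH" before the endif. A one-line comment that the consumers only test for set and non-empty, so the value "enabled" is arbitrary, would also help.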
> -- 
> 2.0.0
> 


^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths
  2014-09-10 19:42   ` Yann E. MORIN
@ 2014-09-10 20:18     ` Thomas Petazzoni
  2014-09-10 20:23       ` Yann E. MORIN
  0 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-09-10 20:18 UTC (permalink / raw)
  To: buildroot

Yann,

On Wed, 10 Sep 2014 21:42:39 +0200, Yann E. MORIN wrote:

> At long last, here is a preliminary review of this series...

Thanks a lot for looking into this!

> > +static void check_unsafe_path(const char *path, int paranoid)
> > +{
> > +	char **c;
> > +	char *unsafe_paths[] = {
> > +		"/usr/include", "/usr/lib", "/usr/local/include", "/usr/local/lib", NULL,
> 
> Make it a global variable, or at least a static one.

Right.

> > +	};
> > +
> > +	for (c = unsafe_paths; *c != NULL; c++) {
> > +		if (!strncmp(path, *c, strlen(*c))) {
> > +			fprintf(stderr, "%s: unsafe header/library path used in cross-compilation: '%s'\n",
> > +				paranoid ? "ERROR" : "WARNING", path);
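Review bot: the strncmp() over strlen(*c) in the for loop is a plain prefix match, so it also reports paths such as /usr/libexec/... or /usr/include-foo, and it compares the argument as written, so /usr/./lib or //usr/include are not reported. If the prefix behaviour is intended, say so in a comment; otherwise also require path[strlen(*c)] to be '/' or '\0', and document that paths are not normalized before the comparison.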
> 
> It could be nice to also print the name of the executable that is
> running, something like:
> 
>     fprintf(stderr,"%s: %s: unsafe....'%s'\n",
>             program_invocation_short_name,
>             paranoid ? "ERROR" : "WARNING", path);
> 
> program_invocation_short_name is a glibcism, so it would only work on
> glibc, or uClibc with the option enabled. Also requires:
>     #define _GNU_SOURCE
>     #include <errno.h>

Right, ok.

> > +		/* We handle two cases: first the case where -I/-L and
> > +		 * the path are separated by one space and therefore
> > +		 * visible as two separate options, and then the case
> > +		 * where they are stuck together forming one single
> > +		 * option.
> > +		 */
> > +		if (strlen(argv[i]) == 2) {
> 
> argv[*] are passed by the user, so better not trust them. What about:
> 
>     if (argv[i][2]!='\0') {
>         ...;
>     }

This makes an assumption on the length of argv[i], which is even worse,
IMO. I don't see why strlen(argv[i]) would be unsafe, actually.

> > +			if (i == argc)
> > +				continue;
> 
> 'i' can not be == argc, because 'i' is an array index, and argc is the
> number of entries in the array. If you want to test whether that's the
> last argument, you should do:
> 
>     if (i+1 == argc) { ...; }
> 
> or:
>     i++;
>     if (i == argc) { ...; }
> 
> I think the second option is better, since that way you also skip
> re-testing that argv in the next loop.
> 
> Also, I'd use break instead of continue, since the loop is finished
> anyway.

Right, good point.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths
  2014-09-10 19:52   ` Yann E. MORIN
@ 2014-09-10 20:19     ` Thomas Petazzoni
  0 siblings, 0 replies; 30+ messages in thread
From: Thomas Petazzoni @ 2014-09-10 20:19 UTC (permalink / raw)
  To: buildroot

Dear Yann E. MORIN,

On Wed, 10 Sep 2014 21:52:04 +0200, Yann E. MORIN wrote:

> > ++  char *temp;
> 
> Well, let's give it a better name, please:  char *BR_paranoid_env;

[...]

> > ++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> > ++  if (temp && strlen(temp) > 0)
> 
>     if (BR_paranoid_env && BR_paranoid_env[0])

Ok, makes sense.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths
  2014-09-10 20:18     ` Thomas Petazzoni
@ 2014-09-10 20:23       ` Yann E. MORIN
  0 siblings, 0 replies; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 20:23 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-09-10 22:18 +0200, Thomas Petazzoni spake thusly:
[--SNIP--]
> > > +		/* We handle two cases: first the case where -I/-L and
> > > +		 * the path are separated by one space and therefore
> > > +		 * visible as two separate options, and then the case
> > > +		 * where they are stuck together forming one single
> > > +		 * option.
> > > +		 */
> > > +		if (strlen(argv[i]) == 2) {
> > 
> > argv[*] are passed by the user, so better not trust them. What about:
> > 
> >     if (argv[i][2]!='\0') {
> >         ...;
> >     }
> 
> This makes an assumption on the length of argv[i], which is even worse,
> IMO. I don't see why strlen(argv[i]) would be unsafe, actually.

Well, you know it is at least 3-char long, because it is at least either
"-I" or "-L" so argv[i][2] is valid.

And it can be an overly-long string passed by the user, so let's be
prepared for the worst.

And it is much faster than calling strlen, which is a costly function.

Regards,
Yann E. MORIN.


^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths
  2014-09-10 20:08   ` Yann E. MORIN
@ 2014-09-10 20:24     ` Thomas Petazzoni
  2014-09-10 22:10       ` Yann E. MORIN
  0 siblings, 1 reply; 30+ messages in thread
From: Thomas Petazzoni @ 2014-09-10 20:24 UTC (permalink / raw)
  To: buildroot

Dear Yann E. MORIN,

On Wed, 10 Sep 2014 22:08:25 +0200, Yann E. MORIN wrote:

> > ++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> > ++  if (temp && strlen(temp) > 0)
> > ++    {
> > ++      save_switch("-Werror=poison-system-directories", 0, NULL, false, true);
> 
> > Here you set the --error-poison-system-directories for the linker...

No, that's not what's happening here. What's happening here is that if
BR_COMPILER_PARANOID_UNSAFE_PATH is set and non-empty, then we add
-Werror=poison-system-directories to the gcc options. This makes gcc
behave as if -Werror=poison-system-directories was passed on the
command line.

The idea is that it's hard for Buildroot to guarantee that
-Werror=poison-system-directories in the CFLAGS will *always* be passed
by all packages to the build of all files. So having an environment
variable that forces gcc to add this option by itself makes sure all
files will be compiled with this behavior.


> > ++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
> > ++  if (flag_poison_system_directories)
> > ++    {
> > ++       struct cpp_dir *p;
> > ++
> > ++       for (p = heads[QUOTE]; p; p = p->next)
> > ++         {
> > ++          if ((!strncmp (p->name, "/usr/include", 12))
> > ++              || (!strncmp (p->name, "/usr/local/include", 18))
> > ++              || (!strncmp (p->name, "/usr/X11R6/include", 18)))
> > ++            warning (OPT_Wpoison_system_directories,
> > ++                     "include location \"%s\" is unsafe for "
> > ++                     "cross-compilation",
> > ++                     p->name);
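Review bot: the three strncmp() calls hard-code the lengths 12 and 18 and include /usr/X11R6/include, which is absent from the unsafe_paths table of the wrapper in patch 01/12, so the two backends disagree on what counts as unsafe. Suggest deriving the lengths from the strings (sizeof("...") - 1 or a small table with strlen) and either aligning the list with the wrapper or stating why gcc checks one more directory.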
> 
> But you do not handle include paths.

What? We're precisely handling include paths here.

> We should error out if BR_COMPILER_PARANOID_UNSAFE_PATH is set and
> non-empty, no?

See above, that's exactly what is happening. By default
(BR_COMPILER_PARANOID_UNSAFE_PATH is unset or empty), only warnings are
generated. If BR_COMPILER_PARANOID_UNSAFE_PATH is set and non-empty,
then it will be an error.

You should probably test this, and you'll notice that the warning()
function above actually *errors* out if the OPT_W<foo> warning passed
as first argument has -Werror=<foo> in the command line.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths
  2014-09-10 20:24     ` Thomas Petazzoni
@ 2014-09-10 22:10       ` Yann E. MORIN
  0 siblings, 0 replies; 30+ messages in thread
From: Yann E. MORIN @ 2014-09-10 22:10 UTC (permalink / raw)
  To: buildroot

Thomas, All,

On 2014-09-10 22:24 +0200, Thomas Petazzoni spake thusly:
> Dear Yann E. MORIN,
> 
> On Wed, 10 Sep 2014 22:08:25 +0200, Yann E. MORIN wrote:
> 
> > > ++  temp = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> > > ++  if (temp && strlen(temp) > 0)
> > > ++    {
> > > ++      save_switch("-Werror=poison-system-directories", 0, NULL, false, true);
> > 
> > > Here you set the --error-poison-system-directories for the linker...
> 
> No, that's not what's happening here. What's happening here is that if
> BR_COMPILER_PARANOID_UNSAFE_PATH is set and non-empty, then we add
> -Werror=poison-system-directories to the gcc options. This makes gcc
> behave as if -Werror=poison-system-directories was passed on the
> command line.

Ah, I see now. OK. We tell gcc to treat that warning as an error.
Of course. :-)

Forget my comment.

Regards,
Yann E. MORIN.


^ permalink raw reply	[flat|nested] 30+ messages in thread

end of thread, other threads:[~2014-09-10 22:10 UTC | newest]

Thread overview: 30+ messages
2014-08-20 13:06 [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 01/12] toolchain-external: instrument wrapper to warn about unsafe paths Thomas Petazzoni
2014-09-10 19:42   ` Yann E. MORIN
2014-09-10 20:18     ` Thomas Petazzoni
2014-09-10 20:23       ` Yann E. MORIN
2014-08-20 13:06 ` [Buildroot] [PATCH 02/12] binutils/2.24: add patch to warn about unsafe library paths Thomas Petazzoni
2014-09-10 19:52   ` Yann E. MORIN
2014-09-10 20:19     ` Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 03/12] binutils/2.23: " Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 04/12] binutils/2.22: " Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 05/12] binutils/arc-4.8-R3: " Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 06/12] gcc/4.9: add patch to warn about unsafe header paths Thomas Petazzoni
2014-09-10 20:08   ` Yann E. MORIN
2014-09-10 20:24     ` Thomas Petazzoni
2014-09-10 22:10       ` Yann E. MORIN
2014-08-20 13:06 ` [Buildroot] [PATCH 07/12] gcc/4.8: " Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 08/12] gcc/arc-4.8-R3: " Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 09/12] gcc/4.7: " Thomas Petazzoni
2014-08-20 13:06 ` [Buildroot] [PATCH 10/12] gcc: enable poison system directories option Thomas Petazzoni
2014-09-10 20:09   ` Yann E. MORIN
2014-08-20 13:06 ` [Buildroot] [PATCH 11/12] binutils: " Thomas Petazzoni
2014-09-10 20:09   ` Yann E. MORIN
2014-08-20 13:06 ` [Buildroot] [PATCH 12/12] Add option for paranoid unsafe path checking Thomas Petazzoni
2014-09-10 20:12   ` Yann E. MORIN
2014-08-21 20:30 ` [Buildroot] [PATCH 00/12] toolchain: warn for unsafe library/header paths Romain Naour
2014-08-21 21:33   ` Thomas Petazzoni
2014-08-22 16:30     ` Yann E. MORIN
2014-08-22 19:29       ` Thomas De Schampheleire
2014-08-24 11:22         ` Yann E. MORIN
2014-08-26 20:14           ` Arnout Vandecappelle
