Patrick Georgi submitted this change.

Approvals:
  build bot (Jenkins): Verified
  Paul Menzel: Looks good to me, approved
  Angel Pons: Looks good to me, approved

crossgcc: Fix libcpp to address -Wformat-security

On some systems where the system compiler enables `-Wformat-security
-Werror=format-security` options by default, building libcpp fails
because the code passes a variable directly as a format string.

This change addresses this problem by patching the affected code.

Tested with the default compiler of Nixpkgs unstable, GCC 9.3.0 with the
options described above enabled by default.

Signed-off-by: Masanori Ogino <mogino@acm.org>
Change-Id: Ibf3c9e79ce10cd400c9f7ea40dd6de1ab81b50e2
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45311
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
---
A util/crossgcc/patches/gcc-8.3.0_libcpp.patch
1 file changed, 56 insertions(+), 0 deletions(-)

diff --git a/util/crossgcc/patches/gcc-8.3.0_libcpp.patch b/util/crossgcc/patches/gcc-8.3.0_libcpp.patch
new file mode 100644
index 0000000..124637e
--- /dev/null
+++ b/util/crossgcc/patches/gcc-8.3.0_libcpp.patch
@@ -0,0 +1,56 @@
+GCC with `-Wformat-security -Werror=format-security` hardening options enabled
+by default rejects some codes in libcpp. This patch fixes them.
+
+--- gcc-8.3.0/libcpp/expr.c.bak 2020-09-11 15:44:45.770000000 +0900
++++ gcc-8.3.0/libcpp/expr.c 2020-09-11 15:46:22.370000000 +0900
+@@ -794,10 +794,10 @@
+
+ if (CPP_OPTION (pfile, c99))
+ cpp_warning_with_line (pfile, CPP_W_LONG_LONG, virtual_location,
+- 0, message);
++ 0, "%s", message);
+ else
+ cpp_pedwarning_with_line (pfile, CPP_W_LONG_LONG,
+- virtual_location, 0, message);
++ virtual_location, 0, "%s", message);
+ }
+
+ result |= CPP_N_INTEGER;
+--- gcc-8.3.0/libcpp/macro.c.bak 2020-09-11 16:01:42.550000000 +0900
++++ gcc-8.3.0/libcpp/macro.c 2020-09-11 16:03:47.850000000 +0900
+@@ -160,7 +160,7 @@
+ if (m_state == 2 && token->type == CPP_PASTE)
+ {
+ cpp_error_at (m_pfile, CPP_DL_ERROR, token->src_loc,
+- vaopt_paste_error);
++ "%s", vaopt_paste_error);
+ return ERROR;
+ }
+ /* Advance states before further considering this token, in
+@@ -189,7 +189,7 @@
+ if (was_paste)
+ {
+ cpp_error_at (m_pfile, CPP_DL_ERROR, token->src_loc,
+- vaopt_paste_error);
++ "%s", vaopt_paste_error);
+ return ERROR;
+ }
+
+@@ -3361,7 +3361,7 @@
+ function-like macros, but not at the end. */
+ if (following_paste_op)
+ {
+- cpp_error (pfile, CPP_DL_ERROR, paste_op_error_msg);
++ cpp_error (pfile, CPP_DL_ERROR, "%s", paste_op_error_msg);
+ return false;
+ }
+ break;
+@@ -3374,7 +3374,7 @@
+ function-like macros, but not at the beginning. */
+ if (macro->count == 1)
+ {
+- cpp_error (pfile, CPP_DL_ERROR, paste_op_error_msg);
++ cpp_error (pfile, CPP_DL_ERROR, "%s", paste_op_error_msg);
+ return false;
+ }
+
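
Review bot: The two-line description at the top of the new gcc-8.3.0_libcpp.patch does not say which files it touches or whether the fix already exists upstream, which makes it hard to know when the patch can be dropped from util/crossgcc/patches. Suggest naming libcpp/expr.c and libcpp/macro.c there and stating the upstream status; "some codes" should also read "some code". The inner `---`/`+++` headers carry `.bak` suffixes and local timestamps (for example `gcc-8.3.0/libcpp/expr.c.bak 2020-09-11 15:44:45.770000000 +0900`), and regenerating the patch with clean paths would keep that noise out of the tree. The code change itself is consistent across all six call sites (two in expr.c, four in macro.c): each passes a literal "%s" in the format position and moves `message`, `vaopt_paste_error` or `paste_op_error_msg` to the argument list, so those strings are printed verbatim instead of being parsed for conversion specifiers.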

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ibf3c9e79ce10cd400c9f7ea40dd6de1ab81b50e2
Gerrit-Change-Number: 45311
Gerrit-PatchSet: 4
Gerrit-Owner: Masanori Ogino <mogino@acm.org>
Gerrit-Reviewer: Angel Pons <th3fanbus@gmail.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: Paul Menzel <paulepanter@users.sourceforge.net>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-MessageType: merged