Merge #243211: treewide: disable fortify3 flag on packages

...into staging-next
2023-07-13 10:09:54 +02:00 · 2023-07-13 10:09:54 +02:00 · b77e88f15c
parent c77a0a323a 8275047a79
commit b77e88f15c
13 changed files with 55 additions and 3 deletions
--- a/pkgs/applications/audio/alsa-scarlett-gui/default.nix
+++ b/pkgs/applications/audio/alsa-scarlett-gui/default.nix
@ -25,6 +25,9 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ pkg-config wrapGAppsHook4 ];
  buildInputs = [ gtk4 alsa-lib ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    description = "GUI for alsa controls presented by Focusrite Scarlett Gen 2/3 Mixer Driver";
    homepage = "https://github.com/geoffreybennett/alsa-scarlett-gui";
--- a/pkgs/applications/emulators/retroarch/cores.nix
+++ b/pkgs/applications/emulators/retroarch/cores.nix
@ -722,6 +722,10 @@ in
      # remove ccache
      substituteInPlace CMakeLists.txt --replace "ccache" ""
    '';
+
+    # causes redefinition of _FORTIFY_SOURCE
+    hardeningDisable = [ "fortify3" ];
+
    postBuild = "cd /build/source/build/pcsx2";
    meta = {
      description = "Port of PCSX2 to libretro";
--- a/pkgs/applications/graphics/foxotron/default.nix
+++ b/pkgs/applications/graphics/foxotron/default.nix
@ -51,6 +51,9 @@ stdenv.mkDerivation rec {
    "-Wno-error=array-bounds"
  ];

+  # error: writing 1 byte into a region of size 0
+  hardeningDisable = [ "fortify3" ];
+
  installPhase = ''
    runHook preInstall

--- a/pkgs/applications/science/chemistry/ergoscf/default.nix
+++ b/pkgs/applications/science/chemistry/ergoscf/default.nix
@ -28,6 +28,12 @@ stdenv.mkDerivation rec {

  OMP_NUM_THREADS = 2; # required for check phase

+  # With "fortify3", there are test failures, such as:
+  # Testing cnof CAMB3LYP/6-31G using FMM
+  # *** buffer overflow detected ***: terminated
+  # ./test_fmm_camb3lyp.sh: line 81: 1061289 Aborted                 (core dumped) ./ergo <<EOINPUT > /dev/null
+  hardeningDisable = [ "fortify3" ];
+
  doCheck = true;

  meta = with lib; {
--- a/pkgs/applications/terminal-emulators/kitty/default.nix
+++ b/pkgs/applications/terminal-emulators/kitty/default.nix
@ -99,8 +99,13 @@ buildPythonApplication rec {
    ./disable-test_ssh_bootstrap_with_different_launchers.patch
  ];

-  # Causes build failure due to warning
-  hardeningDisable = lib.optional stdenv.cc.isClang "strictoverflow";
+  hardeningDisable = [
+    # causes redefinition of _FORTIFY_SOURCE
+    "fortify3"
+  ] ++ lib.optionals stdenv.cc.isClang [
+    # Causes build failure due to warning
+    "strictoverflow"
+  ];

  CGO_ENABLED = 0;
  GOFLAGS = "-trimpath";
--- a/pkgs/development/libraries/libffi/3.3.nix
+++ b/pkgs/development/libraries/libffi/3.3.nix
@ -29,6 +29,9 @@ stdenv.mkDerivation rec {
    "--disable-exec-static-tramp"
  ];

+  # with fortify3, tests fail for some reason
+  hardeningDisable = [ "fortify3" ];
+
  preCheck = ''
    # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
--- a/pkgs/development/libraries/libxlsxwriter/default.nix
+++ b/pkgs/development/libraries/libxlsxwriter/default.nix
@ -31,6 +31,9 @@ stdenv.mkDerivation rec {
    "USE_SYSTEM_MINIZIP=1"
  ];

+  # TEST 428/429 worksheet:worksheet_table15 *** buffer overflow detected ***: terminated
+  hardeningDisable = [ "fortify3" ];
+
  doCheck = true;

  checkTarget = "test";
--- a/pkgs/development/tools/analysis/sparse/default.nix
+++ b/pkgs/development/tools/analysis/sparse/default.nix
@ -22,6 +22,14 @@ in stdenv.mkDerivation rec {
  doCheck = true;
  buildFlags = [ "GCC_BASE:=${GCC_BASE}" ];

+  # Test failures with "fortify3" on, such as:
+  # +*** buffer overflow detected ***: terminated
+  # +Aborted (core dumped)
+  # error: Actual exit value does not match the expected one.
+  # error: expected 0, got 134.
+  # error: FAIL: test 'bool-float.c' failed
+  hardeningDisable = [ "fortify3" ];
+
  passthru.tests = {
    simple-execution = callPackage ./tests.nix { };
  };
--- a/pkgs/games/cdogs-sdl/default.nix
+++ b/pkgs/games/cdogs-sdl/default.nix
@ -50,6 +50,9 @@ stdenv.mkDerivation rec {
    protobuf
  ];

+  # inlining failed in call to 'tinydir_open': --param max-inline-insns-single limit reached
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    homepage = "https://cxong.github.io/cdogs-sdl";
    description = "Open source classic overhead run-and-gun game";
--- a/pkgs/os-specific/linux/mmc-utils/default.nix
+++ b/pkgs/os-specific/linux/mmc-utils/default.nix
@ -12,6 +12,9 @@ stdenv.mkDerivation {

  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "prefix=$(out)" ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  postInstall = ''
    mkdir -p $out/share/man/man1
    cp man/mmc.1 $out/share/man/man1/
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@ -59,7 +59,10 @@ stdenv.mkDerivation rec {
    protobuf
  ];

-  hardeningDisable = lib.optionals debug [
+  hardeningDisable = [
+    # causes redefinition of _FORTIFY_SOURCE
+    "fortify3"
+  ] ++ lib.optionals debug [
    "fortify"
  ];

--- a/pkgs/os-specific/linux/x86info/default.nix
+++ b/pkgs/os-specific/linux/x86info/default.nix
@ -26,6 +26,9 @@ stdenv.mkDerivation rec {
    pciutils
  ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  postBuild = ''
    patchShebangs lsmsr/createheader.py
    make -C lsmsr
--- a/pkgs/tools/networking/tgt/default.nix
+++ b/pkgs/tools/networking/tgt/default.nix
@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
    "-Wno-error=maybe-uninitialized"
  ];

+  hardeningDisable = lib.optionals stdenv.isAarch64 [
+    # error: 'read' writing 1 byte into a region of size 0 overflows the destination
+    "fortify3"
+  ];
+
  installFlags = [
    "sysconfdir=${placeholder "out"}/etc"
  ];