From 018359b0b91c3b2ab2d6c0ecd3aa6450d4a4b121 Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 20:05:11 -0700
Subject: [PATCH 01/13] alsa-scarlett-gui: disable fortify3 hardening flag
---
 pkgs/applications/audio/alsa-scarlett-gui/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/applications/audio/alsa-scarlett-gui/default.nix b/pkgs/applications/audio/alsa-scarlett-gui/default.nix
index 6433bdbe3d0..80db9e85d3d 100644
--- a/pkgs/applications/audio/alsa-scarlett-gui/default.nix
+++ b/pkgs/applications/audio/alsa-scarlett-gui/default.nix
@@ -25,6 +25,9 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ pkg-config wrapGAppsHook4 ]; buildInputs = [ gtk4 alsa-lib ]; + # causes redefinition of _FORTIFY_SOURCE + hardeningDisable = [ "fortify3" ]; + meta = with lib; { description = "GUI for alsa controls presented by Focusrite Scarlett Gen 2/3 Mixer Driver"; homepage = "https://github.com/geoffreybennett/alsa-scarlett-gui";
From 233164d393cfe0ad886a43e683faf7f34c3029a9 Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 20:09:48 -0700
Subject: [PATCH 02/13] cdogs-sdl: disable fortify3 hardening flag
---
 pkgs/games/cdogs-sdl/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/games/cdogs-sdl/default.nix b/pkgs/games/cdogs-sdl/default.nix
index 89321b9c96f..3db387990eb 100644
--- a/pkgs/games/cdogs-sdl/default.nix
+++ b/pkgs/games/cdogs-sdl/default.nix
@@ -50,6 +50,9 @@ stdenv.mkDerivation rec {
 protobuf ]; + # inlining failed in call to 'tinydir_open': --param max-inline-insns-single limit reached + hardeningDisable = [ "fortify3" ]; + meta = with lib; { homepage = "https://cxong.github.io/cdogs-sdl"; description = "Open source classic overhead run-and-gun game";
From f3466e8ec1ec02d1fc7b9294783231feaee9896c Mon Sep 17 00:00:00 2001
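Review bot: The comment `# causes redefinition of _FORTIFY_SOURCE` records the symptom but leaves the package's own `_FORTIFY_SOURCE` define in place, so the same collision returns the next time the wrapper's level changes, and it does not say which checks are kept. The warning presumably fires because the package build defines `_FORTIFY_SOURCE` itself with a value that no longer matches the wrapper's; stripping that define from the package's Makefile/flags (for example with `substituteInPlace`, as the libretro hunk in this series already does for ccache) would keep the level-3 checks instead of giving them up. At minimum the comment should state the trade-off, e.g. `# build defines _FORTIFY_SOURCE itself; drop fortify3 so the wrapper's level does not clash (plain fortify presumably stays on)`. The kitty, libretro.pcsx2, mmc-utils, sgx-psw and x86info hunks in this series carry the same one-line comment and need the same treatment; sgx-psw in particular is privileged platform software and deserves an upstream reference for the downgrade.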
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 20:26:51 -0700
Subject: [PATCH 03/13] foxotron: disable fortify3 hardening flag
---
 pkgs/applications/graphics/foxotron/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/applications/graphics/foxotron/default.nix b/pkgs/applications/graphics/foxotron/default.nix
index b16025e8829..c2eaac0f563 100644
--- a/pkgs/applications/graphics/foxotron/default.nix
+++ b/pkgs/applications/graphics/foxotron/default.nix
@@ -51,6 +51,9 @@ stdenv.mkDerivation rec {
 "-Wno-error=array-bounds" ]; + # error: writing 1 byte into a region of size 0 + hardeningDisable = [ "fortify3" ]; + installPhase = '' runHook preInstall
From be0667a60bcf6076d8926186b9cf7b695c3c4269 Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 20:38:24 -0700
Subject: [PATCH 04/13] kitty: disable fortify3 hardening flag
---
 pkgs/applications/terminal-emulators/kitty/default.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/terminal-emulators/kitty/default.nix b/pkgs/applications/terminal-emulators/kitty/default.nix
index ea7fc0e3e71..ab68f720933 100644
--- a/pkgs/applications/terminal-emulators/kitty/default.nix
+++ b/pkgs/applications/terminal-emulators/kitty/default.nix
@@ -94,8 +94,13 @@ buildPythonApplication rec {
 ./disable-test_ssh_bootstrap_with_different_launchers.patch ]; - # Causes build failure due to warning - hardeningDisable = lib.optional stdenv.cc.isClang "strictoverflow"; + hardeningDisable = [ + # causes redefinition of _FORTIFY_SOURCE + "fortify3" + ] ++ lib.optionals stdenv.cc.isClang [ + # Causes build failure due to warning + "strictoverflow" + ]; CGO_ENABLED = 0; GOFLAGS = "-trimpath";
From 8f096fa0077faa1252480e813ff824b76815cded Mon Sep 17 00:00:00 2001
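Review bot: The quoted diagnostic `error: writing 1 byte into a region of size 0` is a compile-time warning promoted to an error, not a runtime fortify abort, so disabling `fortify3` for the whole package trades away the level-3 runtime checks to silence one call site. The flag list just above already demotes a diagnostic with `"-Wno-error=array-bounds"`; adding `"-Wno-error=stringop-overflow"` beside it (the warning family this message most likely belongs to) would keep fortification and only stop the build from failing on the warning. The comment should also name the file or function the diagnostic points at so the workaround can be re-checked when upstream fixes it. The tgt hunk later in this series (`'read' writing 1 byte into a region of size 0 overflows the destination`, aarch64 only, next to its existing `"-Wno-error=maybe-uninitialized"`) has the same shape and the same alternative.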
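Review bot: Point of style in the rewritten `hardeningDisable` list: the two comments inside it use different capitalisation (`# causes redefinition of _FORTIFY_SOURCE` vs `# Causes build failure due to warning`), so one of them should be changed to match the other. The switch from `lib.optional … "strictoverflow"` to `lib.optionals … [ "strictoverflow" ]` is behaviour-preserving and is fine.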
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 20:44:59 -0700
Subject: [PATCH 05/13] libxlsxwriter: disable fortify3 hardening flag
---
 pkgs/development/libraries/libxlsxwriter/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/development/libraries/libxlsxwriter/default.nix b/pkgs/development/libraries/libxlsxwriter/default.nix
index 5d9b50e7251..3716090a30d 100644
--- a/pkgs/development/libraries/libxlsxwriter/default.nix
+++ b/pkgs/development/libraries/libxlsxwriter/default.nix
@@ -31,6 +31,9 @@ stdenv.mkDerivation rec {
 "USE_SYSTEM_MINIZIP=1" ]; + # TEST 428/429 worksheet:worksheet_table15 *** buffer overflow detected ***: terminated + hardeningDisable = [ "fortify3" ]; + doCheck = true; checkTarget = "test";
From b704e2a42354e6d099a8bcce7449d75b77fe793c Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 21:03:30 -0700
Subject: [PATCH 06/13] libffi_3_3: disable fortify3 hardening flag
---
 pkgs/development/libraries/libffi/3.3.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/development/libraries/libffi/3.3.nix b/pkgs/development/libraries/libffi/3.3.nix
index b6837c6523f..294717d1fb1 100644
--- a/pkgs/development/libraries/libffi/3.3.nix
+++ b/pkgs/development/libraries/libffi/3.3.nix
@@ -29,6 +29,9 @@ stdenv.mkDerivation rec {
 "--disable-exec-static-tramp" ]; + # with fortify3, tests fail for some reason + hardeningDisable = [ "fortify3" ]; + preCheck = '' # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE. NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
From b3fce87bc51273f3a3cbf9a6695ca403bbdf446c Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 21:32:09 -0700
Subject: [PATCH 07/13] ergoscf: disable fortify3 hardening flag
---
 pkgs/applications/science/chemistry/ergoscf/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)
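Review bot: `*** buffer overflow detected ***: terminated` in the quoted test output is the fortified libc aborting because a write exceeded the object size it tracks; at level 3 that size can be tracked for dynamically sized buffers (via `__builtin_dynamic_object_size`), which level 2 cannot see. Disabling `fortify3` therefore does not remove the out-of-bounds write that `worksheet_table15` triggers, it only stops the test suite from noticing it, and the write stays in the shipped library where level-2 checks are silent. The comment should say so and carry an upstream reference so the line can be dropped once the bug is fixed, e.g. `# TODO: re-enable fortify3 once upstream fixes the overflow hit by worksheet_table15 (<upstream issue URL>)`; if the abort is believed to be a false positive, the comment should say that instead. The ergoscf and sparse hunks in this series show the same abort message in their test logs and need the same treatment.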
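Review bot: The new `hardeningDisable` line and the existing `preCheck` below it address the same problem in two places, and the `preCheck` substitution is the likelier root cause of the `tests fail for some reason` comment: `''${NIX_HARDENING_ENABLE/fortify/}` replaces only the first match of `fortify`, so if `fortify3` is also present in that variable it survives (or is mangled) and the `-O0` tests are still built with `_FORTIFY_SOURCE` set. Stripping both tokens in `preCheck` — `NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE//fortify3/}` followed by `NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE//fortify/}` — would keep level-3 fortification for the library itself and only drop it for the test build, which is what the existing comment already intends. Either way the comment should record the observed failure rather than `for some reason`. `preCheck` continues past the end of the hunk.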
diff --git a/pkgs/applications/science/chemistry/ergoscf/default.nix b/pkgs/applications/science/chemistry/ergoscf/default.nix
index b7d61848134..a2ea5b90153 100644
--- a/pkgs/applications/science/chemistry/ergoscf/default.nix
+++ b/pkgs/applications/science/chemistry/ergoscf/default.nix
@@ -28,6 +28,12 @@ stdenv.mkDerivation rec {
 OMP_NUM_THREADS = 2; # required for check phase + # With "fortify3", there are test failures, such as: + # Testing cnof CAMB3LYP/6-31G using FMM + # *** buffer overflow detected ***: terminated + # ./test_fmm_camb3lyp.sh: line 81: 1061289 Aborted (core dumped) ./ergo < /dev/null + hardeningDisable = [ "fortify3" ]; + doCheck = true; meta = with lib; {
From 209ba9b911630debe231dadbc936391e8de13c3d Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:24:50 -0700
Subject: [PATCH 08/13] libretro.pcsx2: disable fortify3 hardening flag
---
 pkgs/applications/emulators/retroarch/cores.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkgs/applications/emulators/retroarch/cores.nix b/pkgs/applications/emulators/retroarch/cores.nix
index 8da558bfbeb..63e03bc00ad 100644
--- a/pkgs/applications/emulators/retroarch/cores.nix
+++ b/pkgs/applications/emulators/retroarch/cores.nix
@@ -722,6 +722,10 @@ in
 # remove ccache substituteInPlace CMakeLists.txt --replace "ccache" "" ''; + + # causes redefinition of _FORTIFY_SOURCE + hardeningDisable = [ "fortify3" ]; + postBuild = "cd /build/source/build/pcsx2"; meta = { description = "Port of PCSX2 to libretro";
From 2052c2d56f1a31f05fc32a0880bc0f640f364893 Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:27:28 -0700
Subject: [PATCH 09/13] mmc-utils: disable fortify3 hardening flag
---
 pkgs/os-specific/linux/mmc-utils/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/os-specific/linux/mmc-utils/default.nix b/pkgs/os-specific/linux/mmc-utils/default.nix
index fb1763a735d..9580301eae9 100644
--- a/pkgs/os-specific/linux/mmc-utils/default.nix
+++ b/pkgs/os-specific/linux/mmc-utils/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation {
 makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "prefix=$(out)" ]; + # causes redefinition of _FORTIFY_SOURCE + hardeningDisable = [ "fortify3" ]; + postInstall = '' mkdir -p $out/share/man/man1 cp man/mmc.1 $out/share/man/man1/
From b14fcda6c0c53d8f8557d175bd6a2d19f63b8a20 Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:35:45 -0700
Subject: [PATCH 10/13] sgx-psw: disable fortify3 hardening flag
---
 pkgs/os-specific/linux/sgx/psw/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index 4a5e50d9c6a..fa4a7be01cf 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -59,7 +59,10 @@ stdenv.mkDerivation rec {
 protobuf ]; - hardeningDisable = lib.optionals debug [ + hardeningDisable = [ + # causes redefinition of _FORTIFY_SOURCE + "fortify3" + ] ++ lib.optionals debug [ "fortify" ];
From cf84ebf3719c701c5760b0dfe51f0b4b597abcad Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:39:02 -0700
Subject: [PATCH 11/13] sparse: disable fortify3 hardening flag
---
 pkgs/development/tools/analysis/sparse/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/pkgs/development/tools/analysis/sparse/default.nix b/pkgs/development/tools/analysis/sparse/default.nix
index 7842954cde6..497d571cf14 100644
--- a/pkgs/development/tools/analysis/sparse/default.nix
+++ b/pkgs/development/tools/analysis/sparse/default.nix
@@ -22,6 +22,14 @@ in stdenv.mkDerivation rec {
 doCheck = true; buildFlags = [ "GCC_BASE:=${GCC_BASE}" ]; + # Test failures with "fortify3" on, such as: + # +*** buffer overflow detected ***: terminated + # +Aborted (core dumped) + # error: Actual exit value does not match the expected one. + # error: expected 0, got 134. + # error: FAIL: test 'bool-float.c' failed + hardeningDisable = [ "fortify3" ]; + passthru.tests = { simple-execution = callPackage ./tests.nix { }; };
From 91b10b224b3b36789cb3e9ad4df8d113fec30d3f Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:43:00 -0700
Subject: [PATCH 12/13] tgt: disable fortify3 hardening flag on aarch64
---
 pkgs/tools/networking/tgt/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/tools/networking/tgt/default.nix b/pkgs/tools/networking/tgt/default.nix
index 8de6a67faed..0b4e75879ca 100644
--- a/pkgs/tools/networking/tgt/default.nix
+++ b/pkgs/tools/networking/tgt/default.nix
@@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
 "-Wno-error=maybe-uninitialized" ]; + hardeningDisable = lib.optionals stdenv.isAarch64 [ + # error: 'read' writing 1 byte into a region of size 0 overflows the destination + "fortify3" + ]; + installFlags = [ "sysconfdir=${placeholder "out"}/etc" ];
From 8275047a7963d7e01cac9c37063b253f02accf95 Mon Sep 17 00:00:00 2001
From: Theodore Ni <3806110+tjni@users.noreply.github.com>
Date: Wed, 12 Jul 2023 22:45:30 -0700
Subject: [PATCH 13/13] x86info: disable fortify3 hardening flag
---
 pkgs/os-specific/linux/x86info/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/os-specific/linux/x86info/default.nix b/pkgs/os-specific/linux/x86info/default.nix
index db5b040da3a..f330fbbe6c7 100644
--- a/pkgs/os-specific/linux/x86info/default.nix
+++ b/pkgs/os-specific/linux/x86info/default.nix
@@ -26,6 +26,9 @@ stdenv.mkDerivation rec {
 pciutils ]; + # causes redefinition of _FORTIFY_SOURCE + hardeningDisable = [ "fortify3" ]; + postBuild = '' patchShebangs lsmsr/createheader.py make -C lsmsr