Merge #243211: treewide: disable fortify3 flag on packages

...into staging-next
2023-07-13 10:09:54 +02:00 · 2023-07-13 10:09:54 +02:00 · b77e88f15c
parent c77a0a323a 8275047a79
commit b77e88f15c
13 changed files with 55 additions and 3 deletions
--- a/pkgs/applications/audio/alsa-scarlett-gui/default.nix
+++ b/pkgs/applications/audio/alsa-scarlett-gui/default.nix
@ -25,6 +25,9 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ pkg-config wrapGAppsHook4 ];
  buildInputs = [ gtk4 alsa-lib ];
  # causes redefinition of _FORTIFY_SOURCE
  hardeningDisable = [ "fortify3" ];
  meta = with lib; {
    description = "GUI for alsa controls presented by Focusrite Scarlett Gen 2/3 Mixer Driver";
    homepage = "https://github.com/geoffreybennett/alsa-scarlett-gui";
--- a/pkgs/applications/emulators/retroarch/cores.nix
+++ b/pkgs/applications/emulators/retroarch/cores.nix
@ -722,6 +722,10 @@ in
      # remove ccache
      substituteInPlace CMakeLists.txt --replace "ccache" ""
    '';
    # causes redefinition of _FORTIFY_SOURCE
    hardeningDisable = [ "fortify3" ];
    postBuild = "cd /build/source/build/pcsx2";
    meta = {
      description = "Port of PCSX2 to libretro";
--- a/pkgs/applications/graphics/foxotron/default.nix
+++ b/pkgs/applications/graphics/foxotron/default.nix
@ -51,6 +51,9 @@ stdenv.mkDerivation rec {
    "-Wno-error=array-bounds"
  ];
  # error: writing 1 byte into a region of size 0
  hardeningDisable = [ "fortify3" ];
  installPhase = ''
    runHook preInstall
--- a/pkgs/applications/science/chemistry/ergoscf/default.nix
+++ b/pkgs/applications/science/chemistry/ergoscf/default.nix
@ -28,6 +28,12 @@ stdenv.mkDerivation rec {
  OMP_NUM_THREADS = 2; # required for check phase
  # With "fortify3", there are test failures, such as:
  # Testing cnof CAMB3LYP/6-31G using FMM
  # *** buffer overflow detected ***: terminated
  # ./test_fmm_camb3lyp.sh: line 81: 1061289 Aborted                 (core dumped) ./ergo <<EOINPUT > /dev/null
  hardeningDisable = [ "fortify3" ];
  doCheck = true;
  meta = with lib; {
--- a/pkgs/applications/terminal-emulators/kitty/default.nix
+++ b/pkgs/applications/terminal-emulators/kitty/default.nix
@ -99,8 +99,13 @@ buildPythonApplication rec {
    ./disable-test_ssh_bootstrap_with_different_launchers.patch
  ];
-  # Causes build failure due to warning
+  hardeningDisable = [
-  hardeningDisable = lib.optional stdenv.cc.isClang "strictoverflow";
+    # causes redefinition of _FORTIFY_SOURCE
    "fortify3"
  ] ++ lib.optionals stdenv.cc.isClang [
    # Causes build failure due to warning
    "strictoverflow"
  ];
  CGO_ENABLED = 0;
  GOFLAGS = "-trimpath";
--- a/pkgs/development/libraries/libffi/3.3.nix
+++ b/pkgs/development/libraries/libffi/3.3.nix
@ -29,6 +29,9 @@ stdenv.mkDerivation rec {
    "--disable-exec-static-tramp"
  ];
  # with fortify3, tests fail for some reason
  hardeningDisable = [ "fortify3" ];
  preCheck = ''
    # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
--- a/pkgs/development/libraries/libxlsxwriter/default.nix
+++ b/pkgs/development/libraries/libxlsxwriter/default.nix
@ -31,6 +31,9 @@ stdenv.mkDerivation rec {
    "USE_SYSTEM_MINIZIP=1"
  ];
  # TEST 428/429 worksheet:worksheet_table15 *** buffer overflow detected ***: terminated
  hardeningDisable = [ "fortify3" ];
  doCheck = true;
  checkTarget = "test";
--- a/pkgs/development/tools/analysis/sparse/default.nix
+++ b/pkgs/development/tools/analysis/sparse/default.nix
@ -22,6 +22,14 @@ in stdenv.mkDerivation rec {
  doCheck = true;
  buildFlags = [ "GCC_BASE:=${GCC_BASE}" ];
  # Test failures with "fortify3" on, such as:
  # +*** buffer overflow detected ***: terminated
  # +Aborted (core dumped)
  # error: Actual exit value does not match the expected one.
  # error: expected 0, got 134.
  # error: FAIL: test 'bool-float.c' failed
  hardeningDisable = [ "fortify3" ];
  passthru.tests = {
    simple-execution = callPackage ./tests.nix { };
  };
--- a/pkgs/games/cdogs-sdl/default.nix
+++ b/pkgs/games/cdogs-sdl/default.nix
@ -50,6 +50,9 @@ stdenv.mkDerivation rec {
    protobuf
  ];
  # inlining failed in call to 'tinydir_open': --param max-inline-insns-single limit reached
  hardeningDisable = [ "fortify3" ];
  meta = with lib; {
    homepage = "https://cxong.github.io/cdogs-sdl";
    description = "Open source classic overhead run-and-gun game";
--- a/pkgs/os-specific/linux/mmc-utils/default.nix
+++ b/pkgs/os-specific/linux/mmc-utils/default.nix
@ -12,6 +12,9 @@ stdenv.mkDerivation {
  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "prefix=$(out)" ];
  # causes redefinition of _FORTIFY_SOURCE
  hardeningDisable = [ "fortify3" ];
  postInstall = ''
    mkdir -p $out/share/man/man1
    cp man/mmc.1 $out/share/man/man1/
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@ -59,7 +59,10 @@ stdenv.mkDerivation rec {
    protobuf
  ];
-  hardeningDisable = lib.optionals debug [
+  hardeningDisable = [
    # causes redefinition of _FORTIFY_SOURCE
    "fortify3"
  ] ++ lib.optionals debug [
    "fortify"
  ];
--- a/pkgs/os-specific/linux/x86info/default.nix
+++ b/pkgs/os-specific/linux/x86info/default.nix
@ -26,6 +26,9 @@ stdenv.mkDerivation rec {
    pciutils
  ];
  # causes redefinition of _FORTIFY_SOURCE
  hardeningDisable = [ "fortify3" ];
  postBuild = ''
    patchShebangs lsmsr/createheader.py
    make -C lsmsr
--- a/pkgs/tools/networking/tgt/default.nix
+++ b/pkgs/tools/networking/tgt/default.nix
@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
    "-Wno-error=maybe-uninitialized"
  ];
  hardeningDisable = lib.optionals stdenv.isAarch64 [
    # error: 'read' writing 1 byte into a region of size 0 overflows the destination
    "fortify3"
  ];
  installFlags = [
    "sysconfdir=${placeholder "out"}/etc"
  ];