[hardening-discuss] Bug#688522: hardening-includes: hardening-check - please consider invoking readelf fewer times
Niels Thykier
niels at thykier.net
Sun Sep 23 13:25:36 UTC 2012
Package: hardening-includes
Version: 2.2
Severity: wishlist
Hi,
Currently hardening-check invokes readelf 3 times per ELF file. It is
my understanding that forking is significantly more expensive on
kFreeBSD-based platforms. Please consider reducing it to at most once
per file.
It is possible to reduce the number of readelf calls even more by
using (e.g.) xargs, though it is hardly trivial. If you need
inspiration for this case, consider looking at
collection/object-dump{,-helper} in Lintian.
Below is the sample ad-hoc patch I used for testing. It seems to work OK,
but it has not been tested a lot and has a couple of "style" issues... :)
~Niels
$ diff -u /usr/bin/hardening-check hardening-check-forkless
--- /usr/bin/hardening-check 2012-06-14 16:41:46.000000000 +0000
+++ hardening-check-forkless 2012-09-23 13:00:09.000000000 +0000
@@ -200,14 +200,15 @@
return $1 || "";
}
-sub find_functions($$) {
- my ($file, $undefined) = @_;
+sub find_functions($$;$) {
+ my ($file, $undefined, $relocs) = @_;
my (%funcs);
# Catch "NOTYPE" for object archives.
my $func_regex = " (I?FUNC|NOTYPE) ";
- my $relocs = output("readelf", "-sW", $file);
+ $relocs = output("readelf", "-sW", $file)
+ unless defined $relocs;
for my $line (split("\n", $relocs)) {
next if ($line !~ /$func_regex/);
next if ($undefined && $line !~ /$func_regex.* UND /);
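Review bot: The new optional third argument of find_functions is undocumented and keeps the name $relocs, but the caller in the next hunk passes the entire `readelf -lsdW` report through it, so the `for my $line (split("\n", $relocs))` loop now applies $func_regex to program-header and dynamic-section lines as well as symbol-table lines. Please add a comment stating that the argument is pre-fetched readelf output that must include the `-s` symbol table, give it a name that says so, and restrict the loop to the symbol-table part of the report so a non-symbol line can never be counted as a function. Note also that `unless defined $relocs` treats an empty string as valid input and skips the fallback readelf call; that is safe only because the caller bails out when the report has zero length, which is worth stating in the comment.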
@@ -247,17 +248,18 @@
@tags = ();
# Get program headers.
- my $PROG_REPORT=output("readelf", "-lW", $file);
+ my $PROG_REPORT=output("readelf", "-lsdW", $file);
if (length($PROG_REPORT) == 0) {
$overall = 1;
next;
}
# Get ELF headers.
- my $DYN_REPORT=output("readelf", "-dW", $file);
+# my $DYN_REPORT=output("readelf", "-dW", $file);
+ my $DYN_REPORT=$PROG_REPORT;
# Get list of all symbols needing external resolution.
- my $functions = find_functions($file, 1);
+ my $functions = find_functions($file, 1, $PROG_REPORT);
# PIE
# First, verify this is an executable, not a library. This seems to be
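Review bot: With `my $DYN_REPORT=$PROG_REPORT;` both variables hold the combined `-l`, `-s` and `-d` output, so every later match against either variable is no longer scoped to the section it was written for, and the `-s` portion consists of symbol names taken from the file being checked. A pattern meant for the program headers or the dynamic section could then be satisfied by a symbol-table line and report a hardening feature that is not present. I would split the single report into three strings at the section boundaries and keep $PROG_REPORT, $DYN_REPORT and the symbol text separate, so the one-fork goal is kept without widening what each check sees. Separately, the commented-out `# my $DYN_REPORT=output("readelf", "-dW", $file);` line should be dropped rather than left in, and the "# Get program headers." and "# Get ELF headers." comments no longer describe what the code does.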