From 658ab4b45b317948bd93c796c544baa7a1bcb068 Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Sun, 30 Jul 2023 12:25:02 +0100
Subject: [PATCH] cc-wrapper: add fortify flags after invocation args, not
 before

this splits hardeningCFlags into hardeningCFlagsAfter and
hardeningCFlagsBefore (where most flags still remain) to allow
us to *append* `-D_FORTIFY_SOURCE=` values to the command-line,
forcing our choice of fortify level and avoiding potential
redefinition warnings/errors through use of `-U_FORTIFY_SOURCE`
---
 .../build-support/cc-wrapper/add-hardening.sh | 27 +++++++++++--------
 pkgs/build-support/cc-wrapper/cc-wrapper.sh   |  4 +--
 2 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 7f5cd4cf4af3..8d02b4e5124d 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,4 +1,5 @@
-declare -a hardeningCFlags=()
+declare -a hardeningCFlagsAfter=()
+declare -a hardeningCFlagsBefore=()
 
 declare -A hardeningEnableMap=()
 
@@ -48,15 +49,19 @@ for flag in "${!hardeningEnableMap[@]}"; do
     fortify | fortify3)
       # Use -U_FORTIFY_SOURCE to avoid warnings on toolchains that explicitly
       # set -D_FORTIFY_SOURCE=0 (like 'clang -fsanitize=address').
-      hardeningCFlags+=('-O2' '-U_FORTIFY_SOURCE')
+      hardeningCFlagsBefore+=('-O2' '-U_FORTIFY_SOURCE')
+      # Unset any _FORTIFY_SOURCE values the command-line may have set before
+      # enforcing our own value, avoiding (potentially fatal) redefinition
+      # warnings
+      hardeningCFlagsAfter+=('-U_FORTIFY_SOURCE')
       case $flag in
         fortify)
           if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify >&2; fi
-          hardeningCFlags+=('-D_FORTIFY_SOURCE=2')
+          hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=2')
         ;;
         fortify3)
           if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling fortify3 >&2; fi
-          hardeningCFlags+=('-D_FORTIFY_SOURCE=3')
+          hardeningCFlagsAfter+=('-D_FORTIFY_SOURCE=3')
         ;;
         *)
           # Ignore unsupported.
@@ -65,20 +70,20 @@ for flag in "${!hardeningEnableMap[@]}"; do
       ;;
     stackprotector)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
-      hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
+      hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
       ;;
     pie)
       # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
-      hardeningCFlags=('-fPIE' "${hardeningCFlags[@]}")
+      hardeningCFlagsBefore=('-fPIE' "${hardeningCFlagsBefore[@]}")
       if [[ ! (" ${params[*]} " =~ " -shared " || " ${params[*]} " =~ " -static ") ]]; then
         if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling LDFlags -pie >&2; fi
-        hardeningCFlags=('-pie' "${hardeningCFlags[@]}")
+        hardeningCFlagsBefore=('-pie' "${hardeningCFlagsBefore[@]}")
       fi
       ;;
     pic)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pic >&2; fi
-      hardeningCFlags+=('-fPIC')
+      hardeningCFlagsBefore+=('-fPIC')
       ;;
     strictoverflow)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi
@@ -89,14 +94,14 @@ for flag in "${!hardeningEnableMap[@]}"; do
         #
         # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315
         #
-        hardeningCFlags+=('-fwrapv')
+        hardeningCFlagsBefore+=('-fwrapv')
       else
-        hardeningCFlags+=('-fno-strict-overflow')
+        hardeningCFlagsBefore+=('-fno-strict-overflow')
       fi
       ;;
     format)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
-      hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+      hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
       ;;
     *)
       # Ignore unsupported. Checked in Nix that at least *some*
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 244a0bb6623b..9dcd29c64431 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -171,8 +171,8 @@ fi
 source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE_@suffixSalt@)
-extraBefore=(${hardeningCFlags[@]+"${hardeningCFlags[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 
 if [ "$dontLink" != 1 ]; then