- (djm) [configure.ac aclocal.m4] More tests to detect fallout from

   platform hardening options: include some long long int arithmatic
   to detect missing support functions for -ftrapv in libgcc and
   equivalents, actually test linking when -ftrapv is supplied and
   set either both -pie/-fPIE or neither. feedback and ok dtucker@

diff --git a/ChangeLog b/ChangeLog
index bbe112e68633ee46e8c101f022474e39d12d5c75..b4a81f996b604358ecc5e4a8f5f4013a09ef000a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
    hack surprises us by providing a setproctitle in libc; ok dtucker
  - (djm) [configure.ac] Unless specifically requested, only attempt
    to build Position Independent Executables on gcc >= 4.x; ok dtucker
+ - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
+   platform hardening options: include some long long int arithmatic
+   to detect missing support functions for -ftrapv in libgcc and
+   equivalents, actually test linking when -ftrapv is supplied and
+   set either both -pie/-fPIE or neither. feedback and ok dtucker@
 
 20140121
  - (dtucker) [configure.ac] Make PIE a configure-time option which defaults

diff --git a/aclocal.m4 b/aclocal.m4
index 195a87636899e2f7027c7f2003e2e38bc865da42..1640683e1d1d7c447e163183cbadb666019401ae 100644 (file)
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $
+dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -21,7 +21,45 @@ int main(int argc, char **argv) {
        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
        float l = i * 2.1;
        double m = l / 0.5;
-       printf("%d %d %d %f %f\n", i, j, k, l, m);
+       long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+       printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+       exit(0);
+}
+       ]])],
+               [
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+               AC_MSG_RESULT([no])
+               CFLAGS="$saved_CFLAGS"
+else
+               AC_MSG_RESULT([yes])
+                CFLAGS="$saved_CFLAGS $_define_flag"
+fi],
+               [ AC_MSG_RESULT([no])
+                 CFLAGS="$saved_CFLAGS" ]
+       )
+}])
+
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+       AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
+       saved_CFLAGS="$CFLAGS"
+       CFLAGS="$CFLAGS $WERROR $1"
+       _define_flag="$2"
+       test "x$_define_flag" = "x" && _define_flag="$1"
+       AC_LINK_IFELSE([AC_LANG_SOURCE([[
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+       /* Some math to catch -ftrapv problems in the toolchain */
+       int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+       float l = i * 2.1;
+       double m = l / 0.5;
+       long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+       printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
        exit(0);
 }
        ]])],
@@ -57,7 +95,8 @@ int main(int argc, char **argv) {
        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
        float l = i * 2.1;
        double m = l / 0.5;
-       printf("%d %d %d %f %f\n", i, j, k, l, m);
+       long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+       printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
        exit(0);
 }
                ]])],

diff --git a/configure.ac b/configure.ac
index b738f4e60d52195aa3b9aa5ae8958a7a2b814aae..12d62e294bc14e98e14f0638a1fe380b604ea6d8 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $
+# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.557 $)
+AC_REVISION($Revision: 1.558 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -164,10 +164,15 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
        OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
        OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
     if test "x$use_toolchain_hardening" = "x1"; then
-       OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
        OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
        OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
        OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
+       # NB. -ftrapv expects certain support functions to be present in
+       # the compiler library (libgcc or similar) to detect integer operations
+       # that can overflow. We must check that the result of enabling it
+       # actually links. The test program compiled/linked includes a number
+       # of integer operations that should exercise this.
+       OSSH_CHECK_CFLAG_LINK([-ftrapv])
     fi
        AC_MSG_CHECKING([gcc version])
        GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
@@ -1594,8 +1599,20 @@ if test "x$use_pie" == "xauto"; then
 )
 fi
 if test "x$use_pie" != "xno"; then
+       SAVED_CFLAGS="$CFLAGS"
+       SAVED_LDFLAGS="$LDFLAGS"
        OSSH_CHECK_CFLAG_COMPILE([-fPIE])
        OSSH_CHECK_LDFLAG_LINK([-pie])
+       # We use both -fPIE and -pie or neither.
+       AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
+       if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
+          echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
+               AC_MSG_RESULT([yes])
+       else
+               AC_MSG_RESULT([no])
+               CFLAGS="$SAVED_CFLAGS"
+               LDFLAGS="$SAVED_LDFLAGS"
+       fi
 fi
 
 dnl    Checks for library functions. Please keep in alphabetical order