From: Darren Tucker Date: Wed, 29 Sep 2021 00:53:55 +0000 (+1000) Subject: Add new compiler hardening flags. X-Git-Tag: V_8_9_P1~269 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=39f2111b1d5f00206446257377dcce58cc72369f;p=thirdparty%2Fopenssh-portable.git Add new compiler hardening flags. Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of compiler hardening flags that configure checks for. These are supported by clang and gcc, and make ROP gadgets less useful and mitigate stack-based infoleaks respectively. ok djm@ --- diff --git a/configure.ac b/configure.ac index 413913a7c..821a75ba1 100644 --- a/configure.ac +++ b/configure.ac @@ -190,6 +190,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then # actually links. The test program compiled/linked includes a number # of integer operations that should exercise this. OSSH_CHECK_CFLAG_LINK([-ftrapv]) + OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all]) + OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero]) fi AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
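Review bot: The two added lines after `OSSH_CHECK_CFLAG_LINK([-ftrapv])` probe the new flags with `OSSH_CHECK_CFLAG_COMPILE` only, so configure confirms that the compiler accepts `-fzero-call-used-regs=all` and `-ftrivial-auto-var-init=zero` but not that a program built with them links and runs. The comment directly above explains why `-ftrapv` gets a link check. Both new flags also change generated code, so either use `OSSH_CHECK_CFLAG_LINK` for them or add a comment saying why a compile-only probe is enough. The additions are also undocumented in configure.ac itself: a short comment stating what each flag is for (the commit message gives the reasons: less useful ROP gadgets, and mitigation of stack-based infoleaks) and why the `=all` and `=zero` variants were chosen would help whoever later has to narrow or disable them on a platform where they misbehave.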