From: Mike Frysinger Date: Mon, 19 Oct 2015 17:07:28 +0000 (-0400) Subject: use -fstack-protector-strong when available X-Git-Tag: glibc-2.23~295 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ab674ebff5e60c62b126d0ac2e774e581916afe;p=thirdparty%2Fglibc.git use -fstack-protector-strong when available With gcc-4.9, a new -fstack-protector-strong flag is available that is between -fstack-protector (pretty weak) and -fstack-protector-all (pretty strong) that provides good trade-offs between overhead but still providing good coverage. Update the places in glibc that use ssp to use this flag when it's available. This also kills off the indirection of hardcoding the flag name in the Makefiles and adding it based on a have-ssp boolean. Instead, the build always expands the $(stack-protector) variable to the best ssp setting. This makes the build logic a bit simpler and allows people to easily set to a diff flag like: make stack-protector=-fstack-protector-all --- diff --git a/ChangeLog b/ChangeLog index 007f6c9d7e5..cc2e93934ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2015-10-19 Mike Frysinger + + * config.make.in (have-ssp): Delete. + (stack-protector): New variable. + * configure.ac: Delete libc_cv_ssp export. Add libc_cv_ssp_strong + cache test for -fstack-protector-strong. Export stack_protector to + the best ssp flag. + * configure: Regenerated. + * login/Makefile (pt_chown-cflags): Always add $(stack-protector). + * nscd/Makefile (CFLAGS-nscd): Likewise. + * resolv/Makefile (CFLAGS-libresolv): Likewise. + 2015-10-16 H.J. Lu [BZ #19122] diff --git a/config.make.in b/config.make.in index 7f561eb3333..a7919227385 100644 --- a/config.make.in +++ b/config.make.in 
@@ -56,7 +56,7 @@ old-glibc-headers = @old_glibc_headers@ unwind-find-fde = @libc_cv_gcc_unwind_find_fde@ have-forced-unwind = @libc_cv_forced_unwind@ have-fpie = @libc_cv_fpie@ -have-ssp = @libc_cv_ssp@ +stack-protector = @stack_protector@ have-selinux = @have_selinux@ have-libaudit = @have_libaudit@ have-libcap = @have_libcap@ diff --git a/configure b/configure index 3285213cb74..bd4cabdfe87 100755 --- a/configure +++ b/configure @@ -621,7 +621,7 @@ LIBGD libc_cv_cc_loop_to_function libc_cv_cc_submachine libc_cv_cc_nofma -libc_cv_ssp +stack_protector fno_unit_at_a_time libc_cv_output_format libc_cv_hashstyle @@ -6050,6 +6050,33 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp" >&5 $as_echo "$libc_cv_ssp" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5 +$as_echo_n "checking for -fstack-protector-strong... " >&6; } +if ${libc_cv_ssp_strong+:} false; then : + $as_echo_n "(cached) " >&6 +else + if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 + (eval $ac_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then : + libc_cv_ssp_strong=yes +else + libc_cv_ssp_strong=no +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5 +$as_echo "$libc_cv_ssp_strong" >&6; } + +stack_protector= +if test "$libc_cv_ssp_strong" = "yes"; then + stack_protector="-fstack-protector-strong" +elif test "$libc_cv_ssp" = "yes"; then + stack_protector="-fstack-protector" +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc puts quotes around section names" >&5 $as_echo_n "checking whether cc puts quotes around section names... " >&6; } diff --git a/configure.ac b/configure.ac index eba7a15f11d..e6cab9c5bda 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1503,7 +1503,20 @@ LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector], [libc_cv_ssp=yes], [libc_cv_ssp=no]) ]) -AC_SUBST(libc_cv_ssp) + +AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl +LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong], + [libc_cv_ssp_strong=yes], + [libc_cv_ssp_strong=no]) +]) + +stack_protector= +if test "$libc_cv_ssp_strong" = "yes"; then + stack_protector="-fstack-protector-strong" +elif test "$libc_cv_ssp" = "yes"; then + stack_protector="-fstack-protector" +fi +AC_SUBST(stack_protector) AC_CACHE_CHECK(whether cc puts quotes around section names, libc_cv_have_section_quotes, diff --git a/login/Makefile b/login/Makefile index 0f4bb22557d..0634f87cf5c 100644 --- a/login/Makefile +++ b/login/Makefile @@ -58,9 +58,7 @@ CFLAGS-getpt.c = -fexceptions ifeq (yesyes,$(have-fpie)$(build-shared)) pt_chown-cflags += $(pie-ccflag) endif -ifeq (yes,$(have-ssp)) -pt_chown-cflags += -fstack-protector -endif +pt_chown-cflags += $(stack-protector) ifeq (yes,$(have-libcap)) libcap = -lcap endif diff --git a/nscd/Makefile b/nscd/Makefile index ede941d1b2a..e1a1aa92fc6 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -84,9 +84,7 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2 ifeq (yesyes,$(have-fpie)$(build-shared)) CFLAGS-nscd += $(pie-ccflag) endif -ifeq (yes,$(have-ssp)) -CFLAGS-nscd += -fstack-protector -endif +CFLAGS-nscd += $(stack-protector) ifeq (yesyes,$(have-fpie)$(build-shared)) LDFLAGS-nscd = -Wl,-z,now diff --git a/resolv/Makefile b/resolv/Makefile index 1dcb75f7c7e..add74875c6c 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -90,9 +90,7 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \ -Dgetnetbyname=res_getnetbyname \ -Dgetnetbyaddr=res_getnetbyaddr -ifeq (yes,$(have-ssp)) -CFLAGS-libresolv += -fstack-protector -endif +CFLAGS-libresolv += $(stack-protector) CFLAGS-res_hconf.c = -fexceptions # The BIND code elicits some harmless warnings.
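Review bot: When neither probe succeeds, `stack_protector` stays empty and configure reports nothing about it, so the three Makefiles touched by this commit would build pt_chown, nscd and libresolv with no stack protector at all. The two `checking for ...` results are logged separately, but the flag that was finally selected is never printed. I would add, just before `AC_SUBST(stack_protector)`, `if test -z "$stack_protector"; then AC_MSG_WARN([compiler supports no -fstack-protector variant; pt_chown, nscd and libresolv will be built without it]); fi`. That way a hardening regression after a toolchain change shows up in the configure output instead of only in the compile lines.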
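Review bot: Nothing at `pt_chown-cflags += $(stack-protector)` says where the variable comes from or that it may expand to nothing, and the same holds for `CFLAGS-nscd` in nscd/Makefile and `CFLAGS-libresolv` in resolv/Makefile. With the `ifeq` guard gone, the value is appended verbatim, so a command-line override like the one in the commit message reaches the compiler without going through the configure probe. An override of `make stack-protector=` drops the protection from all three components without any message. A comment above each line would make this visible to the next reader, for example `# $(stack-protector) comes from configure via config.make: the strongest supported -fstack-protector variant, possibly empty.`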