hardening: Enable i386 FORTIFY_SOURCE on Clang 16+
authorKees Cook <kees@kernel.org>
Sat, 8 Mar 2025 04:29:26 +0000 (20:29 -0800)
committerKees Cook <kees@kernel.org>
Sat, 8 Mar 2025 17:16:42 +0000 (09:16 -0800)
The i386 regparm bug exposed with FORTIFY_SOURCE with Clang was fixed
in Clang 16[1].

Link: https://github.com/llvm/llvm-project/commit/c167c0a4dcdb998affb2756ce76903a12f7d8ca5
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20250308042929.1753543-2-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
arch/x86/Makefile
security/Kconfig.hardening

index 4c136bcaff861d45dbc005e1c6eda79091445501..3ba7e185924e7f6a8245ccb9fa67a2b88a242a34 100644 (file)
@@ -137,7 +137,7 @@ ifeq ($(CONFIG_X86_32),y)
         include $(srctree)/arch/x86/Makefile_32.cpu
         KBUILD_CFLAGS += $(cflags-y)
 
-    ifeq ($(CONFIG_CC_IS_CLANG),y)
+    ifneq ($(call clang-min-version, 160000),y)
         # https://github.com/llvm/llvm-project/issues/53645
         KBUILD_CFLAGS += -ffreestanding
     endif
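Review bot: The new `ifneq ($(call clang-min-version, 160000),y)` no longer tests for Clang at all, so every compiler for which `clang-min-version` does not yield `y` takes this branch. Assuming the helper (defined outside this hunk) expands to nothing under GCC, i386 GCC builds now receive `-ffreestanding`, which the removed `ifeq ($(CONFIG_CC_IS_CLANG),y)` never gave them. That flag changes how the compiler treats the str/mem builtins, so it is not a neutral side effect in a hardening change. Keeping the compiler check in the condition would limit the workaround to Clang older than 16, for example `ifeq ($(CONFIG_CC_IS_CLANG)$(call clang-min-version, 160000),y)`, which matches only when the first part expands to `y` and the second to nothing. The enclosing `ifeq ($(CONFIG_X86_32),y)` block starts and ends outside the hunk.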
index 23ffb0d7c84551acd060a991436c4de5ddc76256..c17366ce8224ef3bea7465eecf9fdd145cb27fd8 100644 (file)
@@ -286,7 +286,7 @@ config FORTIFY_SOURCE
        bool "Harden common str/mem functions against buffer overflows"
        depends on ARCH_HAS_FORTIFY_SOURCE
        # https://github.com/llvm/llvm-project/issues/53645
-       depends on !CC_IS_CLANG || !X86_32
+       depends on !X86_32 || !CC_IS_CLANG || CLANG_VERSION >= 160000
        help
          Detect overflows of buffers in common string and memory functions
          where the compiler can determine and validate the buffer sizes.
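Review bot: The comment above the changed `depends on` is still only a bare issue URL, which no longer tells a reader why the dependency is version-gated. Using the commit message's own description, it could read `# i386 regparm bug with FORTIFY_SOURCE, fixed in Clang 16: https://github.com/llvm/llvm-project/issues/53645`. The threshold `160000` is also repeated in the `-ffreestanding` condition in arch/x86/Makefile, so the two need to change together. Because an unmet `depends on` drops the option without any error, i386 builds with older Clang should confirm `CONFIG_FORTIFY_SOURCE=y` in the generated config rather than assume it. The `help` text continues outside the hunk.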