# define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
# define GRUB_PLATFORM "@GRUB_PLATFORM@"
+# define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@
+
# define RE_ENABLE_I18N 1
# define _GNU_SOURCE 1
AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
fi
TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
+
+ if test -r /dev/urandom; then
+ # Generate the 8 byte stack protector canary at build time if /dev/urandom
+ # is able to be read. The first byte should be NUL to filter out string
+ # buffer overflow attacks.
+ GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
+ else
+ # Some hosts may not have a urandom, e.g. Windows, so use statically
+ # generated random bytes
+ GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
+ fi
+
+ if test x"$target_m32" = x1 ; then
+ # Make sure that the canary default value is 24-bits by only using the
+ # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
+ # to filter out string buffer overflow attacks.
+ GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
+ fi
+
+ AC_SUBST([GRUB_STACK_PROTECTOR_INIT])
fi
CFLAGS="$TARGET_CFLAGS"
static grub_efi_uint8_t stack_chk_guard_buf[32];
/* Initialize canary in case there is no RNG protocol. */
-grub_addr_t __stack_chk_guard = (grub_addr_t) 0x00f2b7e2f193b25c;
+grub_addr_t __stack_chk_guard = (grub_addr_t) GRUB_STACK_PROTECTOR_INIT;
void __attribute__ ((noreturn))
__stack_chk_fail (void)
projects / thirdparty / grub.git / commitdiff
