authorMike Frysinger <vapier@gentoo.org>2015-10-19 13:07:28 -0400
committerMike Frysinger <vapier@gentoo.org>2015-10-19 15:36:48 -0400
commit6ab674ebff5e60c62b126d0ac2e774e581916afe (patch)
tree72e72448b982e3715630f091e3be4612244f6589
parentcf6d542db3dfe26402b6adaa740a578b54767f65 (diff)
use -fstack-protector-strong when available
With gcc-4.9, a new -fstack-protector-strong flag is available that sits
between -fstack-protector (pretty weak) and -fstack-protector-all (pretty
strong) and provides a good trade-off between overhead and coverage.
Update the places in glibc that use ssp to use this flag when it's
available.

This also kills off the indirection of hardcoding the flag name in the
Makefiles and adding it based on a have-ssp boolean.  Instead, the build
always expands the $(stack-protector) variable to the best ssp setting.
This makes the build logic a bit simpler and allows people to easily set
to a diff flag like:
	make stack-protector=-fstack-protector-all
-rw-r--r--ChangeLog12
-rw-r--r--config.make.in2
-rwxr-xr-xconfigure29
-rw-r--r--configure.ac15
-rw-r--r--login/Makefile4
-rw-r--r--nscd/Makefile4
-rw-r--r--resolv/Makefile4
7 files changed, 58 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index 007f6c9d7e..cc2e93934b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2015-10-19  Mike Frysinger  <vapier@gentoo.org>
+
+	* config.make.in (have-ssp): Delete.
+	(stack-protector): New variable.
+	* configure.ac: Delete libc_cv_ssp export.  Add libc_cv_ssp_strong
+	cache test for -fstack-protector-strong.  Export stack_protector to
+	the best ssp flag.
+	* configure: Regenerated.
+	* login/Makefile (pt_chown-cflags): Always add $(stack-protector).
+	* nscd/Makefile (CFLAGS-nscd): Likewise.
+	* resolv/Makefile (CFLAGS-libresolv): Likewise.
+
 2015-10-16  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #19122]
diff --git a/config.make.in b/config.make.in
index 7f561eb333..a791922738 100644
--- a/config.make.in
+++ b/config.make.in
@@ -56,7 +56,7 @@ old-glibc-headers = @old_glibc_headers@
 unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
 have-forced-unwind = @libc_cv_forced_unwind@
 have-fpie = @libc_cv_fpie@
-have-ssp = @libc_cv_ssp@
+stack-protector = @stack_protector@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
 have-libcap = @have_libcap@
diff --git a/configure b/configure
index 3285213cb7..bd4cabdfe8 100755
--- a/configure
+++ b/configure
@@ -621,7 +621,7 @@ LIBGD
 libc_cv_cc_loop_to_function
 libc_cv_cc_submachine
 libc_cv_cc_nofma
-libc_cv_ssp
+stack_protector
 fno_unit_at_a_time
 libc_cv_output_format
 libc_cv_hashstyle
@@ -6050,6 +6050,33 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp" >&5
 $as_echo "$libc_cv_ssp" >&6; }
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5
+$as_echo_n "checking for -fstack-protector-strong... " >&6; }
+if ${libc_cv_ssp_strong+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+  libc_cv_ssp_strong=yes
+else
+  libc_cv_ssp_strong=no
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5
+$as_echo "$libc_cv_ssp_strong" >&6; }
+
+stack_protector=
+if test "$libc_cv_ssp_strong" = "yes"; then
+  stack_protector="-fstack-protector-strong"
+elif test "$libc_cv_ssp" = "yes"; then
+  stack_protector="-fstack-protector"
+fi
+
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc puts quotes around section names" >&5
 $as_echo_n "checking whether cc puts quotes around section names... " >&6; }
diff --git a/configure.ac b/configure.ac
index eba7a15f11..e6cab9c5bd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1503,7 +1503,20 @@ LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
 		   [libc_cv_ssp=yes],
 		   [libc_cv_ssp=no])
 ])
-AC_SUBST(libc_cv_ssp)
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+stack_protector=
+if test "$libc_cv_ssp_strong" = "yes"; then
+  stack_protector="-fstack-protector-strong"
+elif test "$libc_cv_ssp" = "yes"; then
+  stack_protector="-fstack-protector"
+fi
+AC_SUBST(stack_protector)
 
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,
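Review bot: When neither probe succeeds, `stack_protector` stays empty and configure reports nothing beyond the two `checking for ... no` lines, so a toolchain without ssp support yields a build whose hardening is silently absent. Because the Makefiles in this commit now add `$(stack-protector)` unconditionally, this block is the only place where that outcome can be surfaced. An `else` branch with `AC_MSG_WARN([no stack protector flag supported; ssp-hardened programs will be built without it])` before the `fi` would make it visible in the configure output. A one-line comment above `stack_protector=` stating the precedence (strong, then plain, else empty) would also help the next reader.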
diff --git a/login/Makefile b/login/Makefile
index 0f4bb22557..0634f87cf5 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -58,9 +58,7 @@ CFLAGS-getpt.c = -fexceptions
 ifeq (yesyes,$(have-fpie)$(build-shared))
 pt_chown-cflags += $(pie-ccflag)
 endif
-ifeq (yes,$(have-ssp))
-pt_chown-cflags += -fstack-protector
-endif
+pt_chown-cflags += $(stack-protector)
 ifeq (yes,$(have-libcap))
 libcap = -lcap
 endif
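Review bot: With the `ifeq (yes,$(have-ssp))` guard gone, `pt_chown-cflags += $(stack-protector)` expands to nothing when the variable is empty or undefined, and the Makefile no longer distinguishes that from a deliberate choice. The variable is defined only through config.make, so a stale config.make generated before this change would presumably leave these objects without any ssp flag until configure is re-run. A comment above the line such as `# $(stack-protector) is set by configure via config.make; empty means no ssp flag is supported` would document the contract. The same applies to `CFLAGS-nscd` in nscd/Makefile and `CFLAGS-libresolv` in resolv/Makefile.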
diff --git a/nscd/Makefile b/nscd/Makefile
index ede941d1b2..e1a1aa92fc 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -84,9 +84,7 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
 ifeq (yesyes,$(have-fpie)$(build-shared))
 CFLAGS-nscd += $(pie-ccflag)
 endif
-ifeq (yes,$(have-ssp))
-CFLAGS-nscd += -fstack-protector
-endif
+CFLAGS-nscd += $(stack-protector)
 
 ifeq (yesyes,$(have-fpie)$(build-shared))
 LDFLAGS-nscd = -Wl,-z,now
diff --git a/resolv/Makefile b/resolv/Makefile
index 1dcb75f7c7..add74875c6 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -90,9 +90,7 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \
 	    -Dgetnetbyname=res_getnetbyname \
 	    -Dgetnetbyaddr=res_getnetbyaddr
 
-ifeq (yes,$(have-ssp))
-CFLAGS-libresolv += -fstack-protector
-endif
+CFLAGS-libresolv += $(stack-protector)
 CFLAGS-res_hconf.c = -fexceptions
 
 # The BIND code elicits some harmless warnings.