
use -fstack-protector-strong when available

Message ID 1445276533-17166-1-git-send-email-vapier@gentoo.org
State Committed
Delegated to: Mike Frysinger

Commit Message

Mike Frysinger Oct. 19, 2015, 5:42 p.m. UTC
With gcc-4.9, a new -fstack-protector-strong flag is available that sits
between -fstack-protector (pretty weak) and -fstack-protector-all (pretty
strong), offering a good trade-off between overhead and coverage.  Update
the places in glibc that use ssp to use this flag when it's available.

This also kills off the indirection of hardcoding the flag name in the
Makefiles and adding it based on a have-ssp boolean.  Instead, the build
always expands the $(stack-protector) variable to the best ssp setting.
This makes the build logic a bit simpler and allows people to easily set
to a diff flag like:
	make stack-protector=-fstack-protector-all

2015-10-19  Mike Frysinger  <vapier@gentoo.org>

	* config.make.in (have-ssp): Delete.
	(stack-protector): New variable.
	* configure.ac: Delete libc_cv_ssp export.  Add libc_cv_ssp_strong
	cache test for -fstack-protector-strong.  Export stack_protector to
	the best ssp flag.
	* configure: Regenerated.
	* login/Makefile (pt_chown-cflags): Always add $(stack-protector).
	* nscd/Makefile (CFLAGS-nscd): Likewise.
	* resolv/Makefile (CFLAGS-libresolv): Likewise.
---
 config.make.in  |  2 +-
 configure       | 29 ++++++++++++++++++++++++++++-
 configure.ac    | 15 ++++++++++++++-
 login/Makefile  |  4 +---
 nscd/Makefile   |  4 +---
 resolv/Makefile |  4 +---
 6 files changed, 46 insertions(+), 12 deletions(-)

Comments

Roland McGrath Oct. 19, 2015, 6:35 p.m. UTC | #1
Looks fine, assuming you tested it (which you didn't mention).
Mike Frysinger Oct. 19, 2015, 7:36 p.m. UTC | #2
On 19 Oct 2015 11:35, Roland McGrath wrote:
> Looks fine, assuming you tested it (which you didn't mention).

i verified the build uses -fstack-protector-strong on these files,
and that resolv/ and inet/ and nscd/ pass their tests still.
-mike

Patch

diff --git a/config.make.in b/config.make.in
index 7f561eb..a791922 100644
--- a/config.make.in
+++ b/config.make.in
@@ -56,7 +56,7 @@  old-glibc-headers = @old_glibc_headers@
 unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
 have-forced-unwind = @libc_cv_forced_unwind@
 have-fpie = @libc_cv_fpie@
-have-ssp = @libc_cv_ssp@
+stack-protector = @stack_protector@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
 have-libcap = @have_libcap@
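Review bot: The new `stack-protector` line carries no comment saying that the variable can expand to nothing, which happens when configure finds neither ssp flag. With the `ifeq (yes,$(have-ssp))` guards removed in login/Makefile, nscd/Makefile and resolv/Makefile, an empty value means pt_chown, nscd and libresolv are compiled without a stack protector and without any message at build time. I would add two comment lines above the assignment: `# Best stack protector flag found by configure; empty if none is supported.` and `# Override with: make stack-protector=<flag>`.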
diff --git a/configure b/configure
index a97ed8c..c53c5a8 100755
--- a/configure
+++ b/configure
@@ -621,7 +621,7 @@  LIBGD
 libc_cv_cc_loop_to_function
 libc_cv_cc_submachine
 libc_cv_cc_nofma
-libc_cv_ssp
+stack_protector
 fno_unit_at_a_time
 libc_cv_output_format
 libc_cv_hashstyle
@@ -6051,6 +6051,33 @@  fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp" >&5
 $as_echo "$libc_cv_ssp" >&6; }
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5
+$as_echo_n "checking for -fstack-protector-strong... " >&6; }
+if ${libc_cv_ssp_strong+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+  libc_cv_ssp_strong=yes
+else
+  libc_cv_ssp_strong=no
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5
+$as_echo "$libc_cv_ssp_strong" >&6; }
+
+stack_protector=
+if test "$libc_cv_ssp_strong" = "yes"; then
+  stack_protector="-fstack-protector-strong"
+elif test "$libc_cv_ssp" = "yes"; then
+  stack_protector="-fstack-protector"
+fi
+
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc puts quotes around section names" >&5
 $as_echo_n "checking whether cc puts quotes around section names... " >&6; }
diff --git a/configure.ac b/configure.ac
index 63f5f92..ab3bcb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1503,7 +1503,20 @@  LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
 		   [libc_cv_ssp=yes],
 		   [libc_cv_ssp=no])
 ])
-AC_SUBST(libc_cv_ssp)
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+stack_protector=
+if test "$libc_cv_ssp_strong" = "yes"; then
+  stack_protector="-fstack-protector-strong"
+elif test "$libc_cv_ssp" = "yes"; then
+  stack_protector="-fstack-protector"
+fi
+AC_SUBST(stack_protector)
 
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,
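Review bot: The selection block starting at `stack_protector=` downgrades silently: if the -fstack-protector-strong probe fails, the build falls back to -fstack-protector or to no flag at all, and the only trace is the two separate "checking for" results. Both probes also run with `-Werror` on top of the user's `$CFLAGS $CPPFLAGS`, so a "no" may come from an unrelated warning rather than from missing compiler support; that is inferred from the probe arguments, not demonstrated here. Reporting the final choice once would make a weakened build visible in the configure output, for example `AC_MSG_NOTICE([stack protector flag: ${stack_protector:-none}])` placed just before `AC_SUBST(stack_protector)`. The hunk begins inside the preceding AC_CACHE_CHECK and ends inside the next one, so neither is fully visible.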
diff --git a/login/Makefile b/login/Makefile
index 0f4bb22..0634f87 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -58,9 +58,7 @@  CFLAGS-getpt.c = -fexceptions
 ifeq (yesyes,$(have-fpie)$(build-shared))
 pt_chown-cflags += $(pie-ccflag)
 endif
-ifeq (yes,$(have-ssp))
-pt_chown-cflags += -fstack-protector
-endif
+pt_chown-cflags += $(stack-protector)
 ifeq (yes,$(have-libcap))
 libcap = -lcap
 endif
diff --git a/nscd/Makefile b/nscd/Makefile
index ede941d..e1a1aa9 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -84,9 +84,7 @@  CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
 ifeq (yesyes,$(have-fpie)$(build-shared))
 CFLAGS-nscd += $(pie-ccflag)
 endif
-ifeq (yes,$(have-ssp))
-CFLAGS-nscd += -fstack-protector
-endif
+CFLAGS-nscd += $(stack-protector)
 
 ifeq (yesyes,$(have-fpie)$(build-shared))
 LDFLAGS-nscd = -Wl,-z,now
diff --git a/resolv/Makefile b/resolv/Makefile
index 1dcb75f..add7487 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -90,9 +90,7 @@  CPPFLAGS += -Dgethostbyname=res_gethostbyname \
 	    -Dgetnetbyname=res_getnetbyname \
 	    -Dgetnetbyaddr=res_getnetbyaddr
 
-ifeq (yes,$(have-ssp))
-CFLAGS-libresolv += -fstack-protector
-endif
+CFLAGS-libresolv += $(stack-protector)
 CFLAGS-res_hconf.c = -fexceptions
 
 # The BIND code elicits some harmless warnings.