mirror of
git://sourceware.org/git/glibc.git
synced 2025-04-12 14:21:18 +08:00
use -fstack-protector-strong when available
With gcc-4.9, a new -fstack-protector-strong flag is available that is between -fstack-protector (pretty weak) and -fstack-protector-all (pretty strong) that provides good trade-offs between overhead but still providing good coverage. Update the places in glibc that use ssp to use this flag when it's available. This also kills off the indirection of hardcoding the flag name in the Makefiles and adding it based on a have-ssp boolean. Instead, the build always expands the $(stack-protector) variable to the best ssp setting. This makes the build logic a bit simpler and allows people to easily set to a diff flag like: make stack-protector=-fstack-protector-all
This commit is contained in:
Mike Frysinger
parent
cf6d542db3
commit
6ab674ebff
12
ChangeLog
12
ChangeLog
@ -1,3 +1,15 @@
|
||||
2015-10-19 Mike Frysinger <vapier@gentoo.org>
|
||||
|
||||
* config.make.in (have-ssp): Delete.
|
||||
(stack-protector): New variable.
|
||||
* configure.ac: Delete libc_cv_ssp export. Add libc_cv_ssp_strong
|
||||
cache test for -fstack-protector-strong. Export stack_protector to
|
||||
the best ssp flag.
|
||||
* configure: Regenerated.
|
||||
* login/Makefile (pt_chown-cflags): Always add $(stack-protector).
|
||||
* nscd/Makefile (CFLAGS-nscd): Likewise.
|
||||
* resolv/Makefile (CFLAGS-libresolv): Likewise.
|
||||
|
||||
2015-10-16 H.J. Lu <hongjiu.lu@intel.com>
|
||||
|
||||
[BZ #19122]
|
||||
|
||||
@ -56,7 +56,7 @@ old-glibc-headers = @old_glibc_headers@
|
||||
unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
|
||||
have-forced-unwind = @libc_cv_forced_unwind@
|
||||
have-fpie = @libc_cv_fpie@
|
||||
have-ssp = @libc_cv_ssp@
|
||||
stack-protector = @stack_protector@
|
||||
have-selinux = @have_selinux@
|
||||
have-libaudit = @have_libaudit@
|
||||
have-libcap = @have_libcap@
|
||||
|
||||
29
configure
vendored
29
configure
vendored
@ -621,7 +621,7 @@ LIBGD
|
||||
libc_cv_cc_loop_to_function
|
||||
libc_cv_cc_submachine
|
||||
libc_cv_cc_nofma
|
||||
libc_cv_ssp
|
||||
stack_protector
|
||||
fno_unit_at_a_time
|
||||
libc_cv_output_format
|
||||
libc_cv_hashstyle
|
||||
@ -6050,6 +6050,33 @@ fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp" >&5
|
||||
$as_echo "$libc_cv_ssp" >&6; }
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5
|
||||
$as_echo_n "checking for -fstack-protector-strong... " >&6; }
|
||||
if ${libc_cv_ssp_strong+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null'
|
||||
{ { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
|
||||
(eval $ac_try) 2>&5
|
||||
ac_status=$?
|
||||
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
|
||||
test $ac_status = 0; }; }; then :
|
||||
libc_cv_ssp_strong=yes
|
||||
else
|
||||
libc_cv_ssp_strong=no
|
||||
fi
|
||||
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5
|
||||
$as_echo "$libc_cv_ssp_strong" >&6; }
|
||||
|
||||
stack_protector=
|
||||
if test "$libc_cv_ssp_strong" = "yes"; then
|
||||
stack_protector="-fstack-protector-strong"
|
||||
elif test "$libc_cv_ssp" = "yes"; then
|
||||
stack_protector="-fstack-protector"
|
||||
fi
|
||||
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc puts quotes around section names" >&5
|
||||
$as_echo_n "checking whether cc puts quotes around section names... " >&6; }
|
||||
|
||||
15
configure.ac
15
configure.ac
@ -1503,7 +1503,20 @@ LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
|
||||
[libc_cv_ssp=yes],
|
||||
[libc_cv_ssp=no])
|
||||
])
|
||||
AC_SUBST(libc_cv_ssp)
|
||||
|
||||
AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
|
||||
LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
|
||||
[libc_cv_ssp_strong=yes],
|
||||
[libc_cv_ssp_strong=no])
|
||||
])
|
||||
|
||||
stack_protector=
|
||||
if test "$libc_cv_ssp_strong" = "yes"; then
|
||||
stack_protector="-fstack-protector-strong"
|
||||
elif test "$libc_cv_ssp" = "yes"; then
|
||||
stack_protector="-fstack-protector"
|
||||
fi
|
||||
AC_SUBST(stack_protector)
|
||||
|
||||
AC_CACHE_CHECK(whether cc puts quotes around section names,
|
||||
libc_cv_have_section_quotes,
|
||||
|
||||
@ -58,9 +58,7 @@ CFLAGS-getpt.c = -fexceptions
|
||||
ifeq (yesyes,$(have-fpie)$(build-shared))
|
||||
pt_chown-cflags += $(pie-ccflag)
|
||||
endif
|
||||
ifeq (yes,$(have-ssp))
|
||||
pt_chown-cflags += -fstack-protector
|
||||
endif
|
||||
pt_chown-cflags += $(stack-protector)
|
||||
ifeq (yes,$(have-libcap))
|
||||
libcap = -lcap
|
||||
endif
|
||||
|
||||
@ -84,9 +84,7 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
|
||||
ifeq (yesyes,$(have-fpie)$(build-shared))
|
||||
CFLAGS-nscd += $(pie-ccflag)
|
||||
endif
|
||||
ifeq (yes,$(have-ssp))
|
||||
CFLAGS-nscd += -fstack-protector
|
||||
endif
|
||||
CFLAGS-nscd += $(stack-protector)
|
||||
|
||||
ifeq (yesyes,$(have-fpie)$(build-shared))
|
||||
LDFLAGS-nscd = -Wl,-z,now
|
||||
|
||||
@ -90,9 +90,7 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \
|
||||
-Dgetnetbyname=res_getnetbyname \
|
||||
-Dgetnetbyaddr=res_getnetbyaddr
|
||||
|
||||
ifeq (yes,$(have-ssp))
|
||||
CFLAGS-libresolv += -fstack-protector
|
||||
endif
|
||||
CFLAGS-libresolv += $(stack-protector)
|
||||
CFLAGS-res_hconf.c = -fexceptions
|
||||
|
||||
# The BIND code elicits some harmless warnings.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user