| Comprehensive stack protector support was added to upstream glibc with |
| this commit: |
| |
| commit cecbc7967f0bcac718b6f8f8942b58403c0e917c |
| Author: Nick Alcock <nick.alcock@oracle.com> |
| Date: Mon Dec 26 10:09:10 2016 +0100 |
| |
| Enable -fstack-protector=* when requested by configure [BZ #7065] |
| |
| It is a superset of the functionality in this patch. |
| |
| diff -urN glibc-2.17-c758a686/config.make.in glibc-2.17-c758a686/config.make.in |
| |
| |
| @@ -62,6 +62,7 @@ |
| have-as-vis3 = @libc_cv_sparc_as_vis3@ |
| gnu89-inline-CFLAGS = @gnu89_inline@ |
| have-ssp = @libc_cv_ssp@ |
| +have-ssp-strong = @libc_cv_ssp_strong@ |
| have-selinux = @have_selinux@ |
| have-libaudit = @have_libaudit@ |
| have-libcap = @have_libcap@ |
| diff -urN glibc-2.17-c758a686/configure glibc-2.17-c758a686/configure |
| |
| |
| @@ -610,6 +610,7 @@ |
| libc_cv_cc_submachine |
| exceptions |
| gnu89_inline |
| +libc_cv_ssp_strong |
| libc_cv_ssp |
| fno_unit_at_a_time |
| libc_cv_output_format |
| @@ -6758,6 +6759,27 @@ |
| $as_echo "$libc_cv_ssp" >&6; } |
| |
| |
| +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5 |
| +$as_echo_n "checking for -fstack-protector-strong... " >&6; } |
| +if ${libc_cv_ssp_strong+:} false; then : |
| + $as_echo_n "(cached) " >&6 |
| +else |
| + if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null' |
| + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 |
| + (eval $ac_try) 2>&5 |
| + ac_status=$? |
| + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 |
| + test $ac_status = 0; }; }; then : |
| + libc_cv_ssp_strong=yes |
| +else |
| + libc_cv_ssp_strong=no |
| +fi |
| + |
| +fi |
| +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5 |
| +$as_echo "$libc_cv_ssp_strong" >&6; } |
| + |
| + |
| { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fgnu89-inline" >&5 |
| $as_echo_n "checking for -fgnu89-inline... " >&6; } |
| if ${libc_cv_gnu89_inline+:} false; then : |
| diff -urN glibc-2.17-c758a686/configure.in glibc-2.17-c758a686/configure.in |
| |
| |
| @@ -1682,6 +1682,13 @@ |
| ]) |
| AC_SUBST(libc_cv_ssp) |
| |
| +AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl |
| +LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong], |
| + [libc_cv_ssp_strong=yes], |
| + [libc_cv_ssp_strong=no]) |
| +]) |
| +AC_SUBST(libc_cv_ssp_strong) |
| + |
| AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl |
| cat > conftest.c <<EOF |
| int foo; |
| diff -urN glibc-2.17-c758a686/login/Makefile glibc-2.17-c758a686/login/Makefile |
| |
| |
| @@ -60,6 +60,9 @@ |
| ifeq (yes,$(have-ssp)) |
| pt_chown-cflags += -fstack-protector |
| endif |
| +ifeq (yes,$(have-ssp-strong)) |
| +pt_chown-cflags += -fstack-protector-strong |
| +endif |
| ifeq (yes,$(have-libcap)) |
| libcap = -lcap |
| endif |
| diff -urN glibc-2.17-c758a686/nscd/Makefile glibc-2.17-c758a686/nscd/Makefile |
| |
| |
| @@ -87,6 +87,9 @@ |
| ifeq (yes,$(have-ssp)) |
| CFLAGS-nonlib += -fstack-protector |
| endif |
| +ifeq (yes,$(have-ssp-strong)) |
| +CFLAGS-nonlib += -fstack-protector-strong |
| +endif |
| |
| ifeq (yesyes,$(have-fpie)$(build-shared)) |
| LDFLAGS-nscd = -Wl,-z,now |
| diff -urN glibc-2.17-c758a686/resolv/Makefile glibc-2.17-c758a686/resolv/Makefile |
| |
| |
| @@ -79,6 +79,10 @@ |
| ifeq (yes,$(have-ssp)) |
| CFLAGS-libresolv += -fstack-protector |
| endif |
| +ifeq (yes,$(have-ssp-strong)) |
| +CFLAGS-libresolv += -fstack-protector-strong |
| +endif |
| + |
| CFLAGS-res_hconf.c = -fexceptions |
| |
| # The BIND code elicits some harmless warnings. |