Comprehensive stack protector support was added to upstream glibc with
this commit:
commit cecbc7967f0bcac718b6f8f8942b58403c0e917c
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Mon Dec 26 10:09:10 2016 +0100
Enable -fstack-protector=* when requested by configure [BZ #7065]
It is a superset of the functionality in this patch.
diff -urN glibc-2.17-c758a686/config.make.in glibc-2.17-c758a686/config.make.in
--- glibc-2.17-c758a686/config.make.in 2014-02-27 10:33:11.466763885 -0500
+++ glibc-2.17-c758a686/config.make.in 2014-02-27 10:36:44.481320149 -0500
@@ -62,6 +62,7 @@
have-as-vis3 = @libc_cv_sparc_as_vis3@
gnu89-inline-CFLAGS = @gnu89_inline@
have-ssp = @libc_cv_ssp@
+have-ssp-strong = @libc_cv_ssp_strong@
have-selinux = @have_selinux@
have-libaudit = @have_libaudit@
have-libcap = @have_libcap@
diff -urN glibc-2.17-c758a686/configure glibc-2.17-c758a686/configure
--- glibc-2.17-c758a686/configure 2014-02-27 10:33:11.561763687 -0500
+++ glibc-2.17-c758a686/configure 2014-02-27 10:32:28.885852593 -0500
@@ -610,6 +610,7 @@
libc_cv_cc_submachine
exceptions
gnu89_inline
+libc_cv_ssp_strong
libc_cv_ssp
fno_unit_at_a_time
libc_cv_output_format
@@ -6758,6 +6759,27 @@
$as_echo "$libc_cv_ssp" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5
+$as_echo_n "checking for -fstack-protector-strong... " >&6; }
+if ${libc_cv_ssp_strong+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null'
+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; }; then :
+ libc_cv_ssp_strong=yes
+else
+ libc_cv_ssp_strong=no
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5
+$as_echo "$libc_cv_ssp_strong" >&6; }
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fgnu89-inline" >&5
$as_echo_n "checking for -fgnu89-inline... " >&6; }
if ${libc_cv_gnu89_inline+:} false; then :
diff -urN glibc-2.17-c758a686/configure.in glibc-2.17-c758a686/configure.in
--- glibc-2.17-c758a686/configure.in 2014-02-27 10:33:11.469763878 -0500
+++ glibc-2.17-c758a686/configure.in 2014-02-27 10:32:09.171893663 -0500
@@ -1682,6 +1682,13 @@
])
AC_SUBST(libc_cv_ssp)
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+ [libc_cv_ssp_strong=yes],
+ [libc_cv_ssp_strong=no])
+])
+AC_SUBST(libc_cv_ssp_strong)
+
AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl
cat > conftest.c <<EOF
int foo;
diff -urN glibc-2.17-c758a686/login/Makefile glibc-2.17-c758a686/login/Makefile
--- glibc-2.17-c758a686/login/Makefile 2014-02-27 10:33:11.325764178 -0500
+++ glibc-2.17-c758a686/login/Makefile 2014-02-27 10:35:30.785473661 -0500
@@ -60,6 +60,9 @@
ifeq (yes,$(have-ssp))
pt_chown-cflags += -fstack-protector
endif
+ifeq (yes,$(have-ssp-strong))
+pt_chown-cflags += -fstack-protector-strong
+endif
ifeq (yes,$(have-libcap))
libcap = -lcap
endif
diff -urN glibc-2.17-c758a686/nscd/Makefile glibc-2.17-c758a686/nscd/Makefile
--- glibc-2.17-c758a686/nscd/Makefile 2012-12-24 22:02:13.000000000 -0500
+++ glibc-2.17-c758a686/nscd/Makefile 2014-02-27 10:36:00.017412769 -0500
@@ -87,6 +87,9 @@
ifeq (yes,$(have-ssp))
CFLAGS-nonlib += -fstack-protector
endif
+ifeq (yes,$(have-ssp-strong))
+CFLAGS-nonlib += -fstack-protector-strong
+endif
ifeq (yesyes,$(have-fpie)$(build-shared))
LDFLAGS-nscd = -Wl,-z,now
diff -urN glibc-2.17-c758a686/resolv/Makefile glibc-2.17-c758a686/resolv/Makefile
--- glibc-2.17-c758a686/resolv/Makefile 2012-12-24 22:02:13.000000000 -0500
+++ glibc-2.17-c758a686/resolv/Makefile 2014-02-27 10:36:29.449351461 -0500
@@ -79,6 +79,10 @@
ifeq (yes,$(have-ssp))
CFLAGS-libresolv += -fstack-protector
endif
+ifeq (yes,$(have-ssp-strong))
+CFLAGS-libresolv += -fstack-protector-strong
+endif
+
CFLAGS-res_hconf.c = -fexceptions
# The BIND code elicits some harmless warnings.