Blob Blame History Raw
Comprehensive stack protector support was added to upstream glibc with
this commit:

commit cecbc7967f0bcac718b6f8f8942b58403c0e917c
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Dec 26 10:09:10 2016 +0100

    Enable -fstack-protector=* when requested by configure [BZ #7065]

It is a superset of the functionality in this patch.

diff -urN glibc-2.17-c758a686/config.make.in glibc-2.17-c758a686/config.make.in
--- glibc-2.17-c758a686/config.make.in	2014-02-27 10:33:11.466763885 -0500
+++ glibc-2.17-c758a686/config.make.in	2014-02-27 10:36:44.481320149 -0500
@@ -62,6 +62,7 @@
 have-as-vis3 = @libc_cv_sparc_as_vis3@
 gnu89-inline-CFLAGS = @gnu89_inline@
 have-ssp = @libc_cv_ssp@
+have-ssp-strong = @libc_cv_ssp_strong@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
 have-libcap = @have_libcap@
diff -urN glibc-2.17-c758a686/configure glibc-2.17-c758a686/configure
--- glibc-2.17-c758a686/configure	2014-02-27 10:33:11.561763687 -0500
+++ glibc-2.17-c758a686/configure	2014-02-27 10:32:28.885852593 -0500
@@ -610,6 +610,7 @@
 libc_cv_cc_submachine
 exceptions
 gnu89_inline
+libc_cv_ssp_strong
 libc_cv_ssp
 fno_unit_at_a_time
 libc_cv_output_format
@@ -6758,6 +6759,27 @@
 $as_echo "$libc_cv_ssp" >&6; }
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5
+$as_echo_n "checking for -fstack-protector-strong... " >&6; }
+if ${libc_cv_ssp_strong+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+  libc_cv_ssp_strong=yes
+else
+  libc_cv_ssp_strong=no
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5
+$as_echo "$libc_cv_ssp_strong" >&6; }
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fgnu89-inline" >&5
 $as_echo_n "checking for -fgnu89-inline... " >&6; }
 if ${libc_cv_gnu89_inline+:} false; then :
diff -urN glibc-2.17-c758a686/configure.in glibc-2.17-c758a686/configure.in
--- glibc-2.17-c758a686/configure.in	2014-02-27 10:33:11.469763878 -0500
+++ glibc-2.17-c758a686/configure.in	2014-02-27 10:32:09.171893663 -0500
@@ -1682,6 +1682,13 @@
 ])
 AC_SUBST(libc_cv_ssp)
 
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+AC_SUBST(libc_cv_ssp_strong)
+
 AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl
 cat > conftest.c <<EOF
 int foo;
diff -urN glibc-2.17-c758a686/login/Makefile glibc-2.17-c758a686/login/Makefile
--- glibc-2.17-c758a686/login/Makefile	2014-02-27 10:33:11.325764178 -0500
+++ glibc-2.17-c758a686/login/Makefile	2014-02-27 10:35:30.785473661 -0500
@@ -60,6 +60,9 @@
 ifeq (yes,$(have-ssp))
 pt_chown-cflags += -fstack-protector
 endif
+ifeq (yes,$(have-ssp-strong))
+pt_chown-cflags += -fstack-protector-strong
+endif
 ifeq (yes,$(have-libcap))
 libcap = -lcap
 endif
diff -urN glibc-2.17-c758a686/nscd/Makefile glibc-2.17-c758a686/nscd/Makefile
--- glibc-2.17-c758a686/nscd/Makefile	2012-12-24 22:02:13.000000000 -0500
+++ glibc-2.17-c758a686/nscd/Makefile	2014-02-27 10:36:00.017412769 -0500
@@ -87,6 +87,9 @@
 ifeq (yes,$(have-ssp))
 CFLAGS-nonlib += -fstack-protector
 endif
+ifeq (yes,$(have-ssp-strong))
+CFLAGS-nonlib += -fstack-protector-strong
+endif
 
 ifeq (yesyes,$(have-fpie)$(build-shared))
 LDFLAGS-nscd = -Wl,-z,now
diff -urN glibc-2.17-c758a686/resolv/Makefile glibc-2.17-c758a686/resolv/Makefile
--- glibc-2.17-c758a686/resolv/Makefile	2012-12-24 22:02:13.000000000 -0500
+++ glibc-2.17-c758a686/resolv/Makefile	2014-02-27 10:36:29.449351461 -0500
@@ -79,6 +79,10 @@
 ifeq (yes,$(have-ssp))
 CFLAGS-libresolv += -fstack-protector
 endif
+ifeq (yes,$(have-ssp-strong))
+CFLAGS-libresolv += -fstack-protector-strong
+endif
+
 CFLAGS-res_hconf.c = -fexceptions
 
 # The BIND code elicits some harmless warnings.