From: Todd C. Miller Date: Tue, 15 Jan 2013 20:38:11 +0000 (-0500) Subject: Use -fstack-protector-all in preference to -fstack-protector where X-Git-Tag: SUDO_1_7_10p4~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3598608a631a261bc556bb9c56d10b8f436141a3;p=sudo Use -fstack-protector-all in preference to -fstack-protector where supported and restrict the test to GNU compatible compilers. --HG-- branch : 1.7 --- diff --git a/configure b/configure index f323c302a..af72a29bf 100755 --- a/configure +++ b/configure @@ -20029,7 +20029,84 @@ fi if test "$enable_hardening" != "no"; then ac_c_werror_flag=yes - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 + if test -n "$GCC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-all" >&5 +$as_echo_n "checking whether C compiler accepts -fstack-protector-all... " >&6; } +if ${ax_cv_check_cflags___fstack_protector_all+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-protector-all" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fstack_protector_all=yes +else + ax_cv_check_cflags___fstack_protector_all=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_all" >&5 +$as_echo "$ax_cv_check_cflags___fstack_protector_all" >&6; } +if test x"$ax_cv_check_cflags___fstack_protector_all" = xyes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector-all" >&5 +$as_echo_n "checking whether the linker accepts -fstack-protector-all... " >&6; } +if ${ax_cv_check_ldflags___fstack_protector_all+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fstack-protector-all" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___fstack_protector_all=yes +else + ax_cv_check_ldflags___fstack_protector_all=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector_all" >&5 +$as_echo "$ax_cv_check_ldflags___fstack_protector_all" >&6; } +if test x"$ax_cv_check_ldflags___fstack_protector_all" = xyes; then : + + SSP_CFLAGS="-fstack-protector-all" + SSP_LDFLAGS="-fstack-protector-all" + +else + : +fi + + +else + : +fi + + if test -z "$SSP_CFLAGS"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 $as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } if ${ax_cv_check_cflags___fstack_protector+:} false; then : $as_echo_n "(cached) " >&6 @@ -20060,7 +20137,7 @@ fi $as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 $as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } if ${ax_cv_check_ldflags___fstack_protector+:} false; then : $as_echo_n "(cached) " >&6 @@ -20092,8 +20169,8 @@ fi $as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : - SSP_CFLAGS="-fstack-protector" - SSP_LDFLAGS="-fstack-protector" + SSP_CFLAGS="-fstack-protector" + SSP_LDFLAGS="-fstack-protector" else : @@ -20104,6 +20181,8 @@ else : fi + fi + fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 $as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then : diff --git a/configure.in b/configure.in index aa382ce7b..5da6ac6b8 100644 --- a/configure.in +++ b/configure.in @@ -3045,12 +3045,22 @@ dnl into fatal errors (and there is no way to undo that) dnl if test "$enable_hardening" != "no"; then AC_LANG_WERROR - AX_CHECK_COMPILE_FLAG([-fstack-protector], [ - AX_CHECK_LINK_FLAG([-fstack-protector], [ - SSP_CFLAGS="-fstack-protector" - SSP_LDFLAGS="-fstack-protector" + if test -n "$GCC"; then + AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [ + AX_CHECK_LINK_FLAG([-fstack-protector-all], [ + SSP_CFLAGS="-fstack-protector-all" + SSP_LDFLAGS="-fstack-protector-all" + ]) ]) - ]) + if test -z "$SSP_CFLAGS"; then + AX_CHECK_COMPILE_FLAG([-fstack-protector], [ + AX_CHECK_LINK_FLAG([-fstack-protector], [ + SSP_CFLAGS="-fstack-protector" + SSP_LDFLAGS="-fstack-protector" + ]) + ]) + fi + fi AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"]) fi