From: Todd C. Miller Date: Wed, 23 May 2012 21:13:36 +0000 (-0400) Subject: When checking for -fstack-protector, treat warnings as fatal errors. X-Git-Tag: SUDO_1_7_10~80 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59160440a9f6dd2618568ae793d01f87933ba5d1;p=sudo When checking for -fstack-protector, treat warnings as fatal errors. --HG-- branch : 1.7 --- diff --git a/configure b/configure index 745a3be58..fccd06234 100755 --- a/configure +++ b/configure @@ -611,6 +611,7 @@ ac_includes_default="\ # include #endif" +ac_c_werror_flag= ac_subst_vars='LTLIBOBJS KRB5CONFIG LIBOBJS 
@@ -14540,115 +14541,6 @@ $as_echo "#define volatile /**/" >>confdefs.h fi -if test "$enable_hardening" != "no"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 -$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } -if ${ax_cv_check_cflags___fstack_protector+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fstack-protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___fstack_protector=yes -else - ax_cv_check_cflags___fstack_protector=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5 -$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } -if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : - CFLAGS="${CFLAGS} -fstack-protector" -else - : -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 -$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } -if ${ax_cv_check_ldflags___fstack_protector+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -fstack-protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___fstack_protector=yes -else - ax_cv_check_ldflags___fstack_protector=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5 -$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } -if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : - LDFLAGS="${LDFLAGS} -fstack-protector" -else - : -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 -$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } -if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -Wl,-z,relro" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___Wl__z_relro=yes -else - ax_cv_check_ldflags___Wl__z_relro=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5 -$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; } -if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then : - LDFLAGS="${LDFLAGS} -Wl,-z,relro" -else - : -fi - -fi for ac_prog in 'bison -y' byacc do 
@@ -19940,6 +19832,120 @@ done fi +if test "$enable_hardening" != "no"; then + +ac_c_werror_flag=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 +$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } +if ${ax_cv_check_cflags___fstack_protector+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fstack_protector=yes +else + ax_cv_check_cflags___fstack_protector=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5 +$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } +if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : + + CFLAGS="${CFLAGS} -fstack-protector" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 +$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } +if ${ax_cv_check_ldflags___fstack_protector+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___fstack_protector=yes +else + ax_cv_check_ldflags___fstack_protector=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5 +$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } +if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : + LDFLAGS="${LDFLAGS} -fstack-protector" +else + : +fi + + +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 +$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } +if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,-z,relro" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl__z_relro=yes +else + ax_cv_check_ldflags___Wl__z_relro=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5 +$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; } +if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then : + LDFLAGS="${LDFLAGS} -Wl,-z,relro" +else + : +fi + +fi + case "$with_passwd" in yes|maybe) AUTH_OBJS="$AUTH_OBJS getspwuid.o passwd.o" diff --git a/configure.in b/configure.in index 0a2eba92b..83b55040b 100644 --- a/configure.in +++ b/configure.in 
@@ -1898,14 +1898,6 @@ dnl AC_PROG_GCC_TRADITIONAL AC_C_CONST AC_C_VOLATILE -dnl -dnl Check for -fstack-protector and -z relro support -dnl -if test "$enable_hardening" != "no"; then - AX_CHECK_COMPILE_FLAG([-fstack-protector], [CFLAGS="${CFLAGS} -fstack-protector"]) - AX_CHECK_LINK_FLAG([-fstack-protector], [LDFLAGS="${LDFLAGS} -fstack-protector"]) - AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"]) -fi dnl dnl Program checks @@ -2984,6 +2976,20 @@ if test "${with_iologdir-yes}" != "no"; then ]) fi +dnl +dnl Check for -fstack-protector and -z relro support +dnl This must be towards the end as it turns warnings +dnl into fatal errors (and there is no way to undo that) +dnl +if test "$enable_hardening" != "no"; then + AC_LANG_WERROR + AX_CHECK_COMPILE_FLAG([-fstack-protector], [ + CFLAGS="${CFLAGS} -fstack-protector" + AX_CHECK_LINK_FLAG([-fstack-protector], [LDFLAGS="${LDFLAGS} -fstack-protector"]) + ]) + AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"]) +fi + dnl dnl Use passwd auth module? dnl
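Review bot: In the relocated hardening block, `CFLAGS="${CFLAGS} -fstack-protector"` runs before the nested `AX_CHECK_LINK_FLAG([-fstack-protector], ...)`, and nothing removes the flag again if that link check fails, so `CFLAGS` can carry `-fstack-protector` while `LDFLAGS` does not. On a toolchain where the compiler accepts the option but the stack-protector runtime cannot be linked, this would presumably surface as an unresolved `__stack_chk_fail` at build time instead of a clean configure-time fallback. Consider saving the value first (`sudo_save_CFLAGS="$CFLAGS"`, a name constructed for this note) and passing `[CFLAGS="$sudo_save_CFLAGS"]` as the ACTION-FAILURE argument of the link check. Both failure paths are also silent apart from the "checking ... no" line, so an `AC_MSG_WARN` there would make it visible that a build with hardening not disabled ends up without the canary.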