From: Todd C. Miller Date: Thu, 29 Oct 2015 16:51:09 +0000 (-0600) Subject: Better configure test for -fstack-protector. Some gcc installations X-Git-Tag: SUDO_1_8_15^2~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bdcb83be92f012d2d9d635cd0ba77e8ffebaded6;p=sudo Better configure test for -fstack-protector. Some gcc installations may be missing the ssp library even though the compiler supports it. --- diff --git a/configure b/configure index 1f6ecc5cb..462364db9 100755 --- a/configure +++ b/configure @@ -23916,236 +23916,94 @@ fi fi if test "$enable_hardening" != "no"; then - if test -n "$GCC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 -$as_echo_n "checking whether C compiler accepts -fstack-protector-strong... " >&6; } -if ${ax_cv_check_cflags___fstack_protector_strong+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5 +$as_echo_n "checking for compiler stack protector support... " >&6; } +if ${sudo_cv_var_stack_protector+:} false; then : $as_echo_n "(cached) " >&6 else - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fstack-protector-strong" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + sudo_cv_var_stack_protector=no + _CFLAGS="$CFLAGS" + _LDFLAGS="$LDFLAGS" + CFLAGS="-fstack-protector-strong" + LDFLAGS="-fstack-protector-strong" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ + $ac_includes_default int main () { - +char buf[1024]; buf[1023] = '\0'; ; return 0; } -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___fstack_protector_strong=yes -else - ax_cv_check_cflags___fstack_protector_strong=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 -$as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } -if test x"$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector-strong" >&5 -$as_echo_n "checking whether the linker accepts -fstack-protector-strong... " >&6; } -if ${ax_cv_check_ldflags___fstack_protector_strong+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -fstack-protector-strong" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - ; - return 0; -} _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___fstack_protector_strong=yes -else - ax_cv_check_ldflags___fstack_protector_strong=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector_strong" >&5 -$as_echo "$ax_cv_check_ldflags___fstack_protector_strong" >&6; } -if test x"$ax_cv_check_ldflags___fstack_protector_strong" = xyes; then : - - SSP_CFLAGS="-fstack-protector-strong" - SSP_LDFLAGS="-Wc,-fstack-protector-strong" - -else - : -fi - +if ac_fn_c_try_compile "$LINENO"; then : -else - : -fi + sudo_cv_var_stack_protector="-fstack-protector-strong" - if test -z "$SSP_CFLAGS"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-all" >&5 -$as_echo_n "checking whether C compiler accepts -fstack-protector-all... " >&6; } -if ${ax_cv_check_cflags___fstack_protector_all+:} false; then : - $as_echo_n "(cached) " >&6 else - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fstack-protector-all" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + CFLAGS="-fstack-protector-all" + LDFLAGS="-fstack-protector-all" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ + $ac_includes_default int main () { - +char buf[1024]; buf[1023] = '\0'; ; return 0; } -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___fstack_protector_all=yes -else - ax_cv_check_cflags___fstack_protector_all=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_all" >&5 -$as_echo "$ax_cv_check_cflags___fstack_protector_all" >&6; } -if test x"$ax_cv_check_cflags___fstack_protector_all" = xyes; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector-all" >&5 -$as_echo_n "checking whether the linker accepts -fstack-protector-all... " >&6; } -if ${ax_cv_check_ldflags___fstack_protector_all+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -fstack-protector-all" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - ; - return 0; -} _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___fstack_protector_all=yes -else - ax_cv_check_ldflags___fstack_protector_all=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector_all" >&5 -$as_echo "$ax_cv_check_ldflags___fstack_protector_all" >&6; } -if test x"$ax_cv_check_ldflags___fstack_protector_all" = xyes; then : - - SSP_CFLAGS="-fstack-protector-all" - SSP_LDFLAGS="-Wc,-fstack-protector-all" - -else - : -fi - +if ac_fn_c_try_compile "$LINENO"; then : -else - : -fi + sudo_cv_var_stack_protector="-fstack-protector-all" - if test -z "$SSP_CFLAGS"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 -$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } -if ${ax_cv_check_cflags___fstack_protector+:} false; then : - $as_echo_n "(cached) " >&6 else - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fstack-protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + CFLAGS="-fstack-protector" + LDFLAGS="-fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ + $ac_includes_default int main () { - +char buf[1024]; buf[1023] = '\0'; ; return 0; } + _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___fstack_protector=yes -else - ax_cv_check_cflags___fstack_protector=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5 -$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } -if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 -$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } -if ${ax_cv_check_ldflags___fstack_protector+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -fstack-protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ + sudo_cv_var_stack_protector="-fstack-protector" - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___fstack_protector=yes -else - ax_cv_check_ldflags___fstack_protector=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5 -$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } -if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - SSP_CFLAGS="-fstack-protector" - SSP_LDFLAGS="-Wc,-fstack-protector" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -else - : fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS="$_CFLAGS" + LDFLAGS="$_LDFLAGS" -else - : fi - - fi - fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_stack_protector" >&5 +$as_echo "$sudo_cv_var_stack_protector" >&6; } + if test X"$sudo_cv_var_stack_protector" != X"no"; then + SSP_CFLAGS="$sudo_cv_var_stack_protector" + SSP_LDFLAGS="-Wc,$sudo_cv_var_stack_protector" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 $as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } diff --git a/configure.ac b/configure.ac index 7cbff15e0..edeaa2c0e 100644 --- a/configure.ac +++ b/configure.ac @@ -3978,29 +3978,45 @@ dnl Check for -fstack-protector and -z relro support dnl This test relies on AC_LANG_WERROR dnl if test "$enable_hardening" != "no"; then - if test -n "$GCC"; then - AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [ - AX_CHECK_LINK_FLAG([-fstack-protector-strong], [ - SSP_CFLAGS="-fstack-protector-strong" - SSP_LDFLAGS="-Wc,-fstack-protector-strong" - ]) - ]) - if test -z "$SSP_CFLAGS"; then - AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [ - AX_CHECK_LINK_FLAG([-fstack-protector-all], [ - SSP_CFLAGS="-fstack-protector-all" - SSP_LDFLAGS="-Wc,-fstack-protector-all" + AC_CACHE_CHECK([for compiler stack protector support], + [sudo_cv_var_stack_protector], + [ + sudo_cv_var_stack_protector=no + _CFLAGS="$CFLAGS" + _LDFLAGS="$LDFLAGS" + CFLAGS="-fstack-protector-strong" + LDFLAGS="-fstack-protector-strong" + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[char buf[1024]; buf[1023] = '\0';]]) + ], [ + sudo_cv_var_stack_protector="-fstack-protector-strong" + ], [ + CFLAGS="-fstack-protector-all" + LDFLAGS="-fstack-protector-all" + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[char buf[1024]; buf[1023] = '\0';]]) + ], [ + sudo_cv_var_stack_protector="-fstack-protector-all" + ], [ + CFLAGS="-fstack-protector" + LDFLAGS="-fstack-protector" + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[char buf[1024]; buf[1023] = '\0';]]) + ], [ + sudo_cv_var_stack_protector="-fstack-protector" + ], []) ]) ]) - if test -z "$SSP_CFLAGS"; then - AX_CHECK_COMPILE_FLAG([-fstack-protector], [ - AX_CHECK_LINK_FLAG([-fstack-protector], [ - SSP_CFLAGS="-fstack-protector" - SSP_LDFLAGS="-Wc,-fstack-protector" - ]) - ]) - fi - fi + CFLAGS="$_CFLAGS" + LDFLAGS="$_LDFLAGS" + ] + ) + if test X"$sudo_cv_var_stack_protector" != X"no"; then + SSP_CFLAGS="$sudo_cv_var_stack_protector" + SSP_LDFLAGS="-Wc,$sudo_cv_var_stack_protector" fi AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"]) fi