From 448f7f25f2033a14f45071f226acbde98f6c0a84 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Fri, 30 Oct 2015 08:49:22 -0600
Subject: [PATCH] When checking for stack protector support we need to actually
 link the test program.

---
 configure    | 46 ++++++++++++++++++++++++++++------------------
 configure.ac | 43 ++++++++++++++++++++++++-------------------
 2 files changed, 52 insertions(+), 37 deletions(-)

diff --git a/configure b/configure
index b8b22e514..6a27b2f63 100755
--- a/configure
+++ b/configure
@@ -23922,11 +23922,17 @@ if ${sudo_cv_var_stack_protector+:} false; then :
   $as_echo_n "(cached) " >&6
 else
 
-	    sudo_cv_var_stack_protector=no
+	    # Avoid using CFLAGS since the compiler might optimize away our
+	    # test.  We don't want LIBS to interfere with the test but keep
+	    # LDFLAGS as it may have an rpath needed to find the ssp lib.
 	    _CFLAGS="$CFLAGS"
 	    _LDFLAGS="$LDFLAGS"
-	    CFLAGS="-fstack-protector-strong"
-	    LDFLAGS="$_LDFLAGS -fstack-protector-strong"
+	    _LIBS="$LIBS"
+	    LIBS=
+
+	    sudo_cv_var_stack_protector="-fstack-protector-strong"
+	    CFLAGS="$sudo_cv_var_stack_protector"
+	    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
 	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -23940,14 +23946,13 @@ char buf[1024]; buf[1023] = '\0';
 }
 
 _ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-		sudo_cv_var_stack_protector="-fstack-protector-strong"
+if ac_fn_c_try_link "$LINENO"; then :
 
 else
 
-		CFLAGS="-fstack-protector-all"
-		LDFLAGS="$_LDFLAGS -fstack-protector-all"
+		sudo_cv_var_stack_protector="-fstack-protector-all"
+		CFLAGS="$sudo_cv_var_stack_protector"
+		LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
 		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -23961,14 +23966,13 @@ char buf[1024]; buf[1023] = '\0';
 }
 
 _ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-		    sudo_cv_var_stack_protector="-fstack-protector-all"
+if ac_fn_c_try_link "$LINENO"; then :
 
 else
 
-		    CFLAGS="-fstack-protector"
-		    LDFLAGS="$_LDFLAGS -fstack-protector"
+		    sudo_cv_var_stack_protector="-fstack-protector"
+		    CFLAGS="$sudo_cv_var_stack_protector"
+		    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
 		    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -23982,20 +23986,26 @@ char buf[1024]; buf[1023] = '\0';
 }
 
 _ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
+if ac_fn_c_try_link "$LINENO"; then :
+
+else
 
-			sudo_cv_var_stack_protector="-fstack-protector"
+			sudo_cv_var_stack_protector=no
 
 fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
 fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
 fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 	    CFLAGS="$_CFLAGS"
 	    LDFLAGS="$_LDFLAGS"
+	    LIBS="$_LIBS"
 
 
 fi
diff --git a/configure.ac b/configure.ac
index 958b57243..97253eed1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3981,37 +3981,42 @@ if test "$enable_hardening" != "no"; then
     AC_CACHE_CHECK([for compiler stack protector support],
 	[sudo_cv_var_stack_protector],
 	[
-	    sudo_cv_var_stack_protector=no
+	    # Avoid using CFLAGS since the compiler might optimize away our
+	    # test.  We don't want LIBS to interfere with the test but keep
+	    # LDFLAGS as it may have an rpath needed to find the ssp lib.
 	    _CFLAGS="$CFLAGS"
 	    _LDFLAGS="$LDFLAGS"
-	    CFLAGS="-fstack-protector-strong"
-	    LDFLAGS="$_LDFLAGS -fstack-protector-strong"
-	    AC_COMPILE_IFELSE([
+	    _LIBS="$LIBS"
+	    LIBS=
+
+	    sudo_cv_var_stack_protector="-fstack-protector-strong"
+	    CFLAGS="$sudo_cv_var_stack_protector"
+	    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+	    AC_LINK_IFELSE([
 		AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
 		[[char buf[1024]; buf[1023] = '\0';]])
-	    ], [
-		sudo_cv_var_stack_protector="-fstack-protector-strong"
-	    ], [
-		CFLAGS="-fstack-protector-all"
-		LDFLAGS="$_LDFLAGS -fstack-protector-all"
-		AC_COMPILE_IFELSE([
+	    ], [], [
+		sudo_cv_var_stack_protector="-fstack-protector-all"
+		CFLAGS="$sudo_cv_var_stack_protector"
+		LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+		AC_LINK_IFELSE([
 		    AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
 		    [[char buf[1024]; buf[1023] = '\0';]])
-		], [
-		    sudo_cv_var_stack_protector="-fstack-protector-all"
-		], [
-		    CFLAGS="-fstack-protector"
-		    LDFLAGS="$_LDFLAGS -fstack-protector"
-		    AC_COMPILE_IFELSE([
+		], [], [
+		    sudo_cv_var_stack_protector="-fstack-protector"
+		    CFLAGS="$sudo_cv_var_stack_protector"
+		    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+		    AC_LINK_IFELSE([
 			AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
 			[[char buf[1024]; buf[1023] = '\0';]])
-		    ], [
-			sudo_cv_var_stack_protector="-fstack-protector"
-		    ], [])
+		    ], [], [
+			sudo_cv_var_stack_protector=no
+		    ])
 		])
 	    ])
 	    CFLAGS="$_CFLAGS"
 	    LDFLAGS="$_LDFLAGS"
+	    LIBS="$_LIBS"
 	]
     )
     if test X"$sudo_cv_var_stack_protector" != X"no"; then
-- 
2.40.0