From 7720a7fc89ebb88b7e70b417b930891ffa65524b Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 24 May 2012 11:03:10 -0400 Subject: [PATCH] When checking for -fstack-protector, treat warnings as fatal errors. --- configure | 226 ++++++++++++++++++++++++++------------------------- configure.in | 24 ++++-- 2 files changed, 133 insertions(+), 117 deletions(-) diff --git a/configure b/configure index c95a6824c..1d70bbde7 100755 --- a/configure +++ b/configure @@ -612,6 +612,7 @@ ac_includes_default="\ # include #endif" +ac_c_werror_flag= ac_subst_vars='LTLIBOBJS KRB5CONFIG LIBOBJS 
@@ -14645,115 +14646,6 @@ $as_echo "$sudo_cv_var_gcc_static_libgcc" >&6; } LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc" fi fi -if test "$enable_hardening" != "no"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 -$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } -if ${ax_cv_check_cflags___fstack_protector+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fstack-protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___fstack_protector=yes -else - ax_cv_check_cflags___fstack_protector=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5 -$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } -if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : - CFLAGS="${CFLAGS} -fstack-protector" -else - : -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 -$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } -if ${ax_cv_check_ldflags___fstack_protector+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -fstack-protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___fstack_protector=yes -else - ax_cv_check_ldflags___fstack_protector=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5 -$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } -if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : - LDFLAGS="${LDFLAGS} -fstack-protector" -else - : -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 -$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } -if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$LDFLAGS - LDFLAGS="$LDFLAGS -Wl,-z,relro" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ax_cv_check_ldflags___Wl__z_relro=yes -else - ax_cv_check_ldflags___Wl__z_relro=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5 -$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; } -if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then : - LDFLAGS="${LDFLAGS} -Wl,-z,relro" -else - : -fi - -fi for ac_prog in 'bison -y' byacc do 
@@ -20167,6 +20059,122 @@ EOF $as_echo "$iolog_dir" >&6; } +if test "$enable_hardening" != "no"; then + +ac_c_werror_flag=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 +$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } +if ${ax_cv_check_cflags___fstack_protector+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fstack_protector=yes +else + ax_cv_check_cflags___fstack_protector=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5 +$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } +if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 +$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } +if ${ax_cv_check_ldflags___fstack_protector+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___fstack_protector=yes +else + ax_cv_check_ldflags___fstack_protector=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5 +$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } +if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : + + CFLAGS="${CFLAGS} -fstack-protector" + LDFLAGS="${LDFLAGS} -fstack-protector" + +else + : +fi + + +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 +$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } +if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,-z,relro" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl__z_relro=yes +else + ax_cv_check_ldflags___Wl__z_relro=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5 +$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; } +if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then : + LDFLAGS="${LDFLAGS} -Wl,-z,relro" +else + : +fi + +fi + case "$with_passwd" in yes|maybe) AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo" diff --git a/configure.in b/configure.in index e93cfa5e7..c3ec5dafb 100644 --- a/configure.in +++ b/configure.in 
@@ -1977,14 +1977,6 @@ if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc" fi fi -dnl -dnl Check for -fstack-protector and -z relro support -dnl -if test "$enable_hardening" != "no"; then - AX_CHECK_COMPILE_FLAG([-fstack-protector], [CFLAGS="${CFLAGS} -fstack-protector"]) - AX_CHECK_LINK_FLAG([-fstack-protector], [LDFLAGS="${LDFLAGS} -fstack-protector"]) - AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"]) -fi dnl dnl Program checks @@ -3161,6 +3153,22 @@ SUDO_LOGFILE SUDO_TIMEDIR SUDO_IO_LOGDIR +dnl +dnl Check for -fstack-protector and -z relro support +dnl This must be towards the end as it turns warnings +dnl into fatal errors (and there is no way to undo that) +dnl +if test "$enable_hardening" != "no"; then + AC_LANG_WERROR + AX_CHECK_COMPILE_FLAG([-fstack-protector], [ + AX_CHECK_LINK_FLAG([-fstack-protector], [ + CFLAGS="${CFLAGS} -fstack-protector" + LDFLAGS="${LDFLAGS} -fstack-protector" + ]) + ]) + AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"]) +fi + dnl dnl Use passwd auth module? dnl -- 2.40.0
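Review bot: The link probe for `-fstack-protector` in the second configure.in hunk can succeed without exercising the protector, because the default test program (visible in the regenerated configure as an empty `main ()`) has no local array, so the compiler may emit no guard and no reference to its runtime support. A toolchain that accepts the flag but lacks that runtime would then pass configure and fail only when real code is linked. Linking a body that uses a buffer, for example `AC_LANG_PROGRAM([[]], [[char buf[1024]; buf[1023] = '\0';]])` through `AC_LINK_IFELSE` (or through the macro's INPUT argument, if the bundled AX_CHECK_LINK_FLAG has one), would make the check meaningful. Separately, when either probe fails the flags are dropped silently; for a setuid program, an `AC_MSG_WARN([-fstack-protector not supported, building without it])` in the failure branch would make the lost hardening visible in the configure output.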