diff --git a/configure b/configure index 30945055b..bede9869b 100755 --- a/configure +++ b/configure @@ -31317,7 +31317,7 @@ then : fi -if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then +if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -static-libgcc" >&5 printf %s "checking whether C compiler accepts -static-libgcc... " >&6; } if test ${ax_cv_check_cflags___static_libgcc+y} @@ -32930,7 +32930,7 @@ printf "%s\n" "$sudo_cv_use_fortify_source" >&6; } CPPFLAGS="$O_CPPFLAGS" fi - if test "$enable_ssp" != "no"; then + if test -n "$GCC" -a "$enable_ssp" != "no"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5 printf %s "checking for compiler stack protector support... " >&6; } if test ${sudo_cv_var_stack_protector+y} 
@@ -33048,19 +33048,20 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; } # machine-specific code does not support it. We use a test program # with a large stack allocation to try to cause the compiler to # insert the stack clash protection code, or fail if not supported. - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5 + if test -n "$GCC"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5 printf %s "checking whether C compiler supports -fstack-clash-protection... " >&6; } if test ${sudo_cv_check_cflags___fstack_clash_protection+y} then : printf %s "(cached) " >&6 else case e in #( e) - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fstack-clash-protection" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fstack-clash-protection" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; } + int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; } _ACEOF if ac_fn_c_try_compile "$LINENO" 
@@ -33071,15 +33072,15 @@ else case e in #( esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS="$_CFLAGS" + CFLAGS="$_CFLAGS" - ;; + ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_check_cflags___fstack_clash_protection" >&5 printf "%s\n" "$sudo_cv_check_cflags___fstack_clash_protection" >&6; } - if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5 + if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5 printf %s "checking whether the linker accepts -fstack-clash-protection... " >&6; } if test ${ax_cv_check_ldflags___fstack_clash_protection+y} then : @@ -33190,10 +33191,10 @@ else case e in #( esac fi - fi + fi - # Check for control-flow transfer instrumentation (Intel CET). - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5 + # Check for control-flow transfer instrumentation (Intel CET). + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5 printf %s "checking whether C compiler accepts -fcf-protection... " >&6; } if test ${ax_cv_check_cflags___fcf_protection+y} then : @@ -33229,7 +33230,7 @@ printf "%s\n" "$ax_cv_check_cflags___fcf_protection" >&6; } if test "x$ax_cv_check_cflags___fcf_protection" = xyes then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5 printf %s "checking whether the linker accepts -fcf-protection... " >&6; } if test ${ax_cv_check_ldflags___fcf_protection+y} then : 
@@ -33346,6 +33347,7 @@ else case e in #( esac fi + fi # Linker-specific hardening flags. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 diff --git a/configure.ac b/configure.ac index 41702cf93..05023fbf5 100644 --- a/configure.ac +++ b/configure.ac @@ -4024,7 +4024,7 @@ dnl If compiler supports the -static-libgcc flag use it unless we have dnl GNU ld (which can avoid linking in libgcc when it is not needed). dnl This test relies on AC_LANG_WERROR dnl -if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then +if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes"; then AX_CHECK_COMPILE_FLAG([-static-libgcc], [AX_APPEND_FLAG([-Wc,-static-libgcc], [LT_LDFLAGS])]) fi diff --git a/m4/hardening.m4 b/m4/hardening.m4 index c5195e435..fb1e22555 100644 --- a/m4/hardening.m4 +++ b/m4/hardening.m4 @@ -30,7 +30,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [ dnl dnl The following tests rely on AC_LANG_WERROR. dnl - if test "$enable_ssp" != "no"; then + if test -n "$GCC" -a "$enable_ssp" != "no"; then AC_CACHE_CHECK([for compiler stack protector support], [sudo_cv_var_stack_protector], [ 
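Review bot: The condition kept in configure.ac still joins its tests with `-a`, which POSIX marks obsolescent and the Autoconf manual advises against, because `test` with more than four arguments has unspecified parsing. Since the line is being edited anyway, `if test -n "$GCC" && test "$lt_cv_prog_gnu_ld" != "yes"; then` is the portable form. The same applies to the guard this commit adds in m4/hardening.m4, `test -n "$GCC" -a "$enable_ssp" != "no"`. There `$enable_ssp` presumably comes from a configure option, which makes it the operand most likely to be mis-parsed.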
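Review bot: With the added `-n "$GCC"` term in the first m4/hardening.m4 hunk, the stack protector probe is skipped without any message when configure does not detect a GCC-compatible compiler. The second hunk of this file does the same for -fstack-clash-protection and -fcf-protection. A build that asked for hardening (for example an explicit `--enable-ssp`, if that is the option behind `$enable_ssp`) would then finish configure with none of these flags and nothing in the output to show it. Consider reporting the case when `$GCC` is empty, e.g. `AC_MSG_WARN([compiler hardening flags not checked: compiler is not GCC-compatible])`, or failing with `AC_MSG_ERROR` when `$enable_ssp` is `yes`. The body of this `if` continues outside the hunk, so a diagnostic further down cannot be ruled out.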
@@ -86,32 +86,34 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [ # machine-specific code does not support it. We use a test program # with a large stack allocation to try to cause the compiler to # insert the stack clash protection code, or fail if not supported. - AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection], - [sudo_cv_check_cflags___fstack_clash_protection], - [ - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fstack-clash-protection" - AC_COMPILE_IFELSE([ - AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }]]) - ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no]) - CFLAGS="$_CFLAGS" - ] - ) - if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then - AX_CHECK_LINK_FLAG([-fstack-clash-protection], [ - AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS]) - AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS]) + if test -n "$GCC"; then + AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection], + [sudo_cv_check_cflags___fstack_clash_protection], + [ + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fstack-clash-protection" + AC_COMPILE_IFELSE([ + AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }]]) + ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no]) + CFLAGS="$_CFLAGS" + ] + ) + if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then + AX_CHECK_LINK_FLAG([-fstack-clash-protection], [ + AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS]) + AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS]) + ]) + fi + + # Check for control-flow transfer instrumentation (Intel CET). 
+ AX_CHECK_COMPILE_FLAG([-fcf-protection], [ + AX_CHECK_LINK_FLAG([-fcf-protection], [ + AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS]) + AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS]) + ]) ]) fi - # Check for control-flow transfer instrumentation (Intel CET). - AX_CHECK_COMPILE_FLAG([-fcf-protection], [ - AX_CHECK_LINK_FLAG([-fcf-protection], [ - AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS]) - AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS]) - ]) - ]) - # Linker-specific hardening flags. AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [HARDENING_LDFLAGS])]) AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [HARDENING_LDFLAGS])])
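Review bot: The new `if test -n "$GCC"; then` guard has no comment saying why the -fstack-clash-protection and -fcf-protection probes are limited to GCC-compatible compilers. The existing comment above it only describes the stack clash test program. A line such as `# Only probe these flags when configure detected a GCC-compatible compiler.` directly above the guard would record the intent, and the reason itself, which is not visible in this diff, is worth adding to it. Marking the closing `fi` with `# GCC` would also help, because it now sits far from its opening line and directly before the linker checks, which remain unguarded.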