From c0630a36c8a5afc9efed823a166b71fe6b8becc6 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 31 Aug 2021 09:57:11 -0600
Subject: [PATCH] Add checks for -fstack-clash-protection and -Wl,-z,noexecstack
We use -Wc,-fstack-clash-protection as the linker flag to prevent libtool from removing it from the link line.
---
configure | 177 +++++++++++++++++++++++++++++++++++++++++++++++++++
configure.ac | 5 ++
2 files changed, 182 insertions(+)
diff --git a/configure b/configure
index 49b443824..b254cc6bf 100755
--- a/configure
+++ b/configure
@@ -30463,6 +30463,112 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; } fi fi if test "$enable_hardening" != "no"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5 +printf %s "checking whether the linker accepts -fstack-clash-protection... " >&6; } +if test ${ax_cv_check_ldflags___fstack_clash_protection+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fstack-clash-protection" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ax_cv_check_ldflags___fstack_clash_protection=yes +else $as_nop + ax_cv_check_ldflags___fstack_clash_protection=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_clash_protection" >&5 +printf "%s\n" "$ax_cv_check_ldflags___fstack_clash_protection" >&6; } +if test x"$ax_cv_check_ldflags___fstack_clash_protection" = xyes +then : + + +if test ${SSP_CFLAGS+y} +then : + + case " $SSP_CFLAGS " in #( + *" -fstack-clash-protection "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_CFLAGS already contains -fstack-clash-protection"; } >&5 + (: SSP_CFLAGS already contains -fstack-clash-protection) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append SSP_CFLAGS " -fstack-clash-protection" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_CFLAGS=\"\$SSP_CFLAGS\""; } >&5 + (: SSP_CFLAGS="$SSP_CFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + SSP_CFLAGS=-fstack-clash-protection + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_CFLAGS=\"\$SSP_CFLAGS\""; } >&5 + (: SSP_CFLAGS="$SSP_CFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + +if test ${SSP_LDFLAGS+y} +then : + + case " $SSP_LDFLAGS " in #( + *" -Wc,-fstack-clash-protection "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_LDFLAGS already contains -Wc,-fstack-clash-protection"; } >&5 + (: SSP_LDFLAGS already contains -Wc,-fstack-clash-protection) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append SSP_LDFLAGS " -Wc,-fstack-clash-protection" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_LDFLAGS=\"\$SSP_LDFLAGS\""; } >&5 + (: SSP_LDFLAGS="$SSP_LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + SSP_LDFLAGS=-Wc,-fstack-clash-protection + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_LDFLAGS=\"\$SSP_LDFLAGS\""; } >&5 + (: SSP_LDFLAGS="$SSP_LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + +else $as_nop + : +fi + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 printf %s "checking whether the linker accepts -Wl,-z,relro... " >&6; } if test ${ax_cv_check_ldflags___Wl__z_relro+y} 
@@ -30530,6 +30636,77 @@ else $as_nop fi +else $as_nop + : +fi + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,noexecstack" >&5 +printf %s "checking whether the linker accepts -Wl,-z,noexecstack... " >&6; } +if test ${ax_cv_check_ldflags___Wl__z_noexecstack+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,-z,noexecstack" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ax_cv_check_ldflags___Wl__z_noexecstack=yes +else $as_nop + ax_cv_check_ldflags___Wl__z_noexecstack=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_noexecstack" >&5 +printf "%s\n" "$ax_cv_check_ldflags___Wl__z_noexecstack" >&6; } +if test x"$ax_cv_check_ldflags___Wl__z_noexecstack" = xyes +then : + +if test ${LDFLAGS+y} +then : + + case " $LDFLAGS " in #( + *" -Wl,-z,noexecstack "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,noexecstack"; } >&5 + (: LDFLAGS already contains -Wl,-z,noexecstack) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LDFLAGS " -Wl,-z,noexecstack" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 + (: LDFLAGS="$LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LDFLAGS=-Wl,-z,noexecstack + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 + (: LDFLAGS="$LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + +fi + else $as_nop : fi diff --git a/configure.ac b/configure.ac index 5d9801423..daf06431e 100644 --- a/configure.ac +++ b/configure.ac @@ -4660,7 +4660,12 @@ if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then fi fi if test "$enable_hardening" != "no"; then + AX_CHECK_LINK_FLAG([-fstack-clash-protection], [ + AX_APPEND_FLAG([-fstack-clash-protection], [SSP_CFLAGS]) + AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [SSP_LDFLAGS]) + ]) AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])]) + AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [LDFLAGS])]) fi dnl
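Review bot: Both checks added to the `enable_hardening` block in configure.ac treat a successful link of an empty `main` as proof that the flag is honoured, but a compiler driver or linker that only warns about an option it ignores would still link the test program, so configure could report the hardening as present when it is not applied. For `-fstack-clash-protection` the probe is a link test while the flag that does the work lands in `SSP_CFLAGS`; a compile-time probe with warnings made fatal would match what is being asserted, for example `AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [...], [], [-Werror])` with the same two `AX_APPEND_FLAG` calls as the action. The same caveat applies to the `-Wl,-z,noexecstack` check, where the linker rather than the compiler would have to be told to fail on warnings; whether any toolchain sudo supports behaves this way is not visible here and should be confirmed on a clang build. A `dnl` comment above the first check recording why `SSP_LDFLAGS` gets the `-Wc,` form (the libtool reason given in the commit message) would stop it from being simplified away later.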