From c5f983c643ec87f078b8a13fd35a718655d19b10 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 29 Sep 2021 15:50:57 -0600 Subject: [PATCH] Add "-fcf-protection" to SSP_CFLAGS and SSP_LDFLAGS if supported. Can be disabled via --disable-hardening.
---
configure | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 4 ++ 2 files changed, 110 insertions(+)
diff --git a/configure b/configure
index 33947f00e..affcac363 100755
--- a/configure
+++ b/configure
@@ -30972,6 +30972,112 @@ else $as_nop fi +else $as_nop + : +fi + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5 +printf %s "checking whether the linker accepts -fcf-protection... " >&6; } +if test ${ax_cv_check_ldflags___fcf_protection+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fcf-protection" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ax_cv_check_ldflags___fcf_protection=yes +else $as_nop + ax_cv_check_ldflags___fcf_protection=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fcf_protection" >&5 +printf "%s\n" "$ax_cv_check_ldflags___fcf_protection" >&6; } +if test x"$ax_cv_check_ldflags___fcf_protection" = xyes +then : + + +if test ${SSP_CFLAGS+y} +then : + + case " $SSP_CFLAGS " in #( + *" -fcf-protection "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_CFLAGS already contains -fcf-protection"; } >&5 + (: SSP_CFLAGS already contains -fcf-protection) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append SSP_CFLAGS " -fcf-protection" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_CFLAGS=\"\$SSP_CFLAGS\""; } >&5 + (: SSP_CFLAGS="$SSP_CFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + SSP_CFLAGS=-fcf-protection + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_CFLAGS=\"\$SSP_CFLAGS\""; } >&5 + (: SSP_CFLAGS="$SSP_CFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + +fi + + +if test ${SSP_LDFLAGS+y} +then : + + case " $SSP_LDFLAGS " in #( + *" -Wc,-fcf-protection "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_LDFLAGS already contains -Wc,-fcf-protection"; } >&5 + (: SSP_LDFLAGS already contains -Wc,-fcf-protection) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append SSP_LDFLAGS " -Wc,-fcf-protection" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_LDFLAGS=\"\$SSP_LDFLAGS\""; } >&5 + (: SSP_LDFLAGS="$SSP_LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + SSP_LDFLAGS=-Wc,-fcf-protection + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : SSP_LDFLAGS=\"\$SSP_LDFLAGS\""; } >&5 + (: SSP_LDFLAGS="$SSP_LDFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + else $as_nop : fi diff --git a/configure.ac b/configure.ac index b9722ed37..ab58dbe30 100644 --- a/configure.ac +++ b/configure.ac @@ -4707,6 +4707,10 @@ if test "$enable_hardening" != "no"; then AX_APPEND_FLAG([-fstack-clash-protection], [SSP_CFLAGS]) AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [SSP_LDFLAGS]) ]) + AX_CHECK_LINK_FLAG([-fcf-protection], [ + AX_APPEND_FLAG([-fcf-protection], [SSP_CFLAGS]) + AX_APPEND_FLAG([-Wc,-fcf-protection], [SSP_LDFLAGS]) + ]) AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])]) AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [LDFLAGS])]) AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [LDFLAGS])])
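Review bot: The probe in `AX_CHECK_LINK_FLAG([-fcf-protection], ...)` only shows that the toolchain accepts the option; it does not show that the installed binaries end up marked CET-compatible, and nothing in the new lines documents that limit. The linker keeps the IBT/SHSTK property only when every input object carries it, so a single object or static library built without the flag silently drops the protection, and enforcement at run time still depends on CPU and kernel support. I would add a comment above the check, for example `dnl -fcf-protection: x86 CET (IBT/shadow stack) markers; effective only if every linked object carries them`, and confirm the result on a built binary with `readelf -n`. As with the neighbouring stack-clash check, no `-Werror` is passed as the macro's extra-flags argument, so a compiler that only warns about the option would presumably still pass the probe. The enclosing `if test "$enable_hardening" != "no"` block starts and ends outside the hunk.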