This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch fw/stack-protector created. glibc-2.23-548-g82f2eb6
- From: fw at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 28 Jul 2016 17:05:23 -0000
- Subject: GNU C Library master sources branch fw/stack-protector created. glibc-2.23-548-g82f2eb6
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, fw/stack-protector has been created
at 82f2eb623ce1d9bd0a4d2c45d9d47688e71ed383 (commit)
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=82f2eb623ce1d9bd0a4d2c45d9d47688e71ed383
commit 82f2eb623ce1d9bd0a4d2c45d9d47688e71ed383
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:16 2016 +0100
Enable -fstack-protector=* when requested by configure.
This finally turns on all the machinery added in previous commits.
v3: Wrap long lines.
v5: Shuffle to the end.
* Makeconfig (+stack-protector): New variable.
(+cflags): Use it.
diff --git a/Makeconfig b/Makeconfig
index 901e253..d1f4c85 100644
--- a/Makeconfig
+++ b/Makeconfig
@@ -762,6 +762,11 @@ endif
# disable any optimization that assume default rounding mode.
+math-flags = -frounding-math
+# We might want to compile with some stack-protection flag.
+ifneq ($(stack-protector),)
++stack-protector=$(stack-protector)
+endif
+
# This is the program that generates makefile dependencies from C source files.
# The -MP flag tells GCC >= 3.2 (which we now require) to produce dummy
# targets for headers so that removed headers don't break the build.
@@ -821,7 +826,8 @@ ifeq "$(strip $(+cflags))" ""
+cflags := $(default_cflags)
endif # $(+cflags) == ""
-+cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags)
++cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+math-flags) \
+ $(+stack-protector)
+gcc-nowarn := -w
# Don't duplicate options if we inherited variables from the parent.
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=11533a025509becc37503eab765e8e769e882283
commit 11533a025509becc37503eab765e8e769e882283
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:15 2016 +0100
Do not stack-protect sigreturn stubs.
These are called from the kernel with the stack at a carefully-
chosen location so that the stack frame can be restored: they must not
move the stack pointer lest garbage be restored into the registers.
We explicitly inhibit protection for SPARC and for signal/sigreturn.c:
other arches either define their sigreturn stubs in .S files, or (i386,
x86_64, mips) use macros expanding to top-level asm blocks and explicit
labels in the text section to mock up a "function" without telling the
compiler that one is there at all.
v2: New.
v3: Use $(no-stack-protector).
v4: Use inhibit_stack_protector.
v7: Add sigreturn.c.
* signal/Makefile (CFLAGS-sigreturn.c): Use
$(no-stack-protector).
* sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c:
(__rt_sigreturn_stub): Use inhibit_stack_protector.
* sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
(__rt_sigreturn_stub): Likewise.
(__sigreturn_stub): Likewise.
diff --git a/signal/Makefile b/signal/Makefile
index 9d29ff4..ccd6f51 100644
--- a/signal/Makefile
+++ b/signal/Makefile
@@ -48,3 +48,5 @@ CFLAGS-sigsuspend.c = -fexceptions -fasynchronous-unwind-tables
CFLAGS-sigtimedwait.c = -fexceptions -fasynchronous-unwind-tables
CFLAGS-sigwait.c = -fexceptions -fasynchronous-unwind-tables
CFLAGS-sigwaitinfo.c = -fexceptions -fasynchronous-unwind-tables
+
+CFLAGS-sigreturn.c = $(no-stack-protector)
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c b/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
index 5aa3c35..b75142f 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
+++ b/sysdeps/unix/sysv/linux/sparc/sparc32/sigaction.c
@@ -65,7 +65,9 @@ libc_hidden_def (__libc_sigaction)
#include <nptl/sigaction.c>
-static void
+static
+inhibit_stack_protector
+void
__rt_sigreturn_stub (void)
{
__asm__ ("mov %0, %%g1\n\t"
@@ -74,7 +76,9 @@ __rt_sigreturn_stub (void)
: "i" (__NR_rt_sigreturn));
}
-static void
+static
+inhibit_stack_protector
+void
__sigreturn_stub (void)
{
__asm__ ("mov %0, %%g1\n\t"
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c b/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c
index 50c444c..058c011 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c
+++ b/sysdeps/unix/sysv/linux/sparc/sparc64/sigaction.c
@@ -66,7 +66,9 @@ libc_hidden_def (__libc_sigaction)
#include <nptl/sigaction.c>
-static void
+static
+inhibit_stack_protector
+void
__rt_sigreturn_stub (void)
{
__asm__ ("mov %0, %%g1\n\t"
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=14b3c413f1b1dd1bfc0bae45fc042a4de56b85af
commit 14b3c413f1b1dd1bfc0bae45fc042a4de56b85af
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:14 2016 +0100
Drop explicit stack-protection of pieces of the system.
This is probably a bad idea: maybe we want to stack-protect some parts
of the system even when ! --enable-stack-protector. I can easily adjust
the patch to do that (though it'll mean introducing a new variable
analogous to $(stack-protector) but not controlled by the configure
flag.)
But if we wanted to value consistency over security, and use the same
stack-protection configure flag to control everything, this is how we'd
do it!
("Always include at least one patch with something obviously wrong with
it.")
* login/Makefile (pt_chown-cflags): Remove.
* nscd/Makefile (CFLAGS-nscd): Likewise.
* resolv/Makefile (CFLAGS-libresolv): Likewise.
diff --git a/login/Makefile b/login/Makefile
index 9ff36d6..1a6161c 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -58,7 +58,6 @@ CFLAGS-getpt.c = -fexceptions
ifeq (yesyes,$(have-fpie)$(build-shared))
pt_chown-cflags += $(pie-ccflag)
endif
-pt_chown-cflags += $(stack-protector)
ifeq (yes,$(have-libcap))
libcap = -lcap
endif
diff --git a/nscd/Makefile b/nscd/Makefile
index 50bad32..bfd72d5 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -84,7 +84,6 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
ifeq (yesyes,$(have-fpie)$(build-shared))
CFLAGS-nscd += $(pie-ccflag)
endif
-CFLAGS-nscd += $(stack-protector)
ifeq (yesyes,$(have-fpie)$(build-shared))
LDFLAGS-nscd = -Wl,-z,now
diff --git a/resolv/Makefile b/resolv/Makefile
index 8be41d3..0395b1a 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -90,7 +90,6 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \
-Dgetnetbyname=res_getnetbyname \
-Dgetnetbyaddr=res_getnetbyaddr
-CFLAGS-libresolv += $(stack-protector)
CFLAGS-res_hconf.c = -fexceptions
# The BIND code elicits some harmless warnings.
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=72bb1d426913236e2059e0001afcd75782ef8ff6
commit 72bb1d426913236e2059e0001afcd75782ef8ff6
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:13 2016 +0100
Link various tests with -fno-stack-protector.
These tests do not link with libc, so cannot see __stack_chk_fail().
v3: Use $(no-stack-protector).
* elf/Makefile (CFLAGS-filtmod1.c): Use $(no-stack-protector) for
non-libc-linking testcase.
(CFLAGS-filtmod2.c): Likewise.
* stdlib/Makefile (CFLAGS-tst-putenvmod.c): Likewise.
* sysdeps/x86_64/Makefile (CFLAGS-tst-quad1pie.c): Likewise.
(CFLAGS-tst-quad2pie.c): Likewise.
diff --git a/elf/Makefile b/elf/Makefile
index a742ed5..71674ef 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -754,6 +754,10 @@ $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so
$< -Wl,-F,$(objpfx)filtmod2.so
$(objpfx)filter: $(objpfx)filtmod1.so
+# These do not link against libc.
+CFLAGS-filtmod1.c = $(no-stack-protector)
+CFLAGS-filtmod2.c = $(no-stack-protector)
+
$(objpfx)unload: $(libdl)
$(objpfx)unload.out: $(objpfx)unloadmod.so
diff --git a/stdlib/Makefile b/stdlib/Makefile
index fc6f23d..b6477c4 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -177,6 +177,9 @@ LDFLAGS-tst-putenv = $(no-as-needed)
$(objpfx)tst-putenvmod.so: $(objpfx)tst-putenvmod.os $(link-libc-deps)
$(build-module)
+# This is not only not in libc, it's not even linked with it.
+CFLAGS-tst-putenvmod.c += $(no-stack-protector)
+
libof-tst-putenvmod = extramodules
$(objpfx)bug-getcontext: $(libm)
diff --git a/sysdeps/x86_64/Makefile b/sysdeps/x86_64/Makefile
index 6d99284..fbe138f 100644
--- a/sysdeps/x86_64/Makefile
+++ b/sysdeps/x86_64/Makefile
@@ -46,6 +46,9 @@ tests-pie += $(quad-pie-test)
test-extras += tst-quadmod1pie tst-quadmod2pie
extra-test-objs += tst-quadmod1pie.o tst-quadmod2pie.o
+CFLAGS-tst-quad1pie.c = $(no-stack-protector)
+CFLAGS-tst-quad2pie.c = $(no-stack-protector)
+
$(objpfx)tst-quad1pie: $(objpfx)tst-quadmod1pie.o
$(objpfx)tst-quad2pie: $(objpfx)tst-quadmod2pie.o
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f738b8f9e2c63772979e26e491ecf055bff28c50
commit f738b8f9e2c63772979e26e491ecf055bff28c50
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Tue Jun 7 12:06:12 2016 +0100
De-PLTize __stack_chk_fail internal calls within libc.so.
We use the same assembler-macro trick we use to de-PLTize
compiler-generated libcalls to memcpy and memset to redirect
__stack_chk_fail to __stack_chk_fail_local.
v5: New.
v6: Only do it within the shared library: with __stack_chk_fail_local
in libc_pic.a now we don't need to worry about calls from inside
other routines in libc_nonshared.a any more.
* sysdeps/generic/symbol-hacks.h (__stack_chk_fail): Add internal
alias.
diff --git a/sysdeps/generic/symbol-hacks.h b/sysdeps/generic/symbol-hacks.h
index ce576c9..fd3d2de 100644
--- a/sysdeps/generic/symbol-hacks.h
+++ b/sysdeps/generic/symbol-hacks.h
@@ -5,3 +5,9 @@ asm ("memmove = __GI_memmove");
asm ("memset = __GI_memset");
asm ("memcpy = __GI_memcpy");
#endif
+
+/* -fstack-protector generates calls to __stack_chk_fail, which need
+ similar adjustments to avoid going through the PLT. */
+#if !defined __ASSEMBLER__ && IS_IN (libc) && defined SHARED
+asm ("__stack_chk_fail = __stack_chk_fail_local");
+#endif
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4f2b01de3ab88daefdc239a3c25640153b88283d
commit 4f2b01de3ab88daefdc239a3c25640153b88283d
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:11 2016 +0100
Add stack_chk_fail_local to libc.so.
This is required by the next commit, which routes all
__stack_chk_fail() calls in libc.so via this function to avoid
the PLT. It has be duplicated in libc.so and libc_nonshared.a
because its entire reason for existence is to be hidden and avoid
the PLT, so the copy in libc.so is not visible from elsewhere.
Also stop all the variants of __stack_chk_fail from being stack-
protected: this makes no sense and risks recursion.
v5: Better explanation. Add no-stack-protection of
__stack_chk_fail_local etc.
v6: Rework as suggested by Andreas: make a shared-only version of
stack_chk_fail_local.c rather than linking libc_nonshared into
libc.
* debug/libc-stack_chk_fail_local.c: New file.
* debug/Makefile (routines): Add it.
(shared-only-routines): Likewise.
(CFLAGS-stack_chk_fail.c): Use $(no-stack-protector).
(CFLAGS-stack_chk_fail_local.c): Likewise.
(CFLAGS-libc-stack_chk_fail_local.c): Likewise.
diff --git a/debug/Makefile b/debug/Makefile
index 6b5f31e..27da081 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -48,9 +48,21 @@ routines = backtrace backtracesyms backtracesymsfd noophooks \
vdprintf_chk obprintf_chk \
longjmp_chk ____longjmp_chk \
fdelt_chk poll_chk ppoll_chk \
- stack_chk_fail fortify_fail \
+ stack_chk_fail fortify_fail libc-stack_chk_fail_local \
$(static-only-routines)
+
+# stack_chk_fail_local must be non-PIC, thus static-only, but we also
+# want an identical thunk hidden in libc.so to avoid going via the PLT.
+
static-only-routines := warning-nop stack_chk_fail_local
+shared-only-routines += libc-stack_chk_fail_local
+
+# Building the stack-protector failure routines with stack protection
+# makes no sense.
+
+CFLAGS-stack_chk_fail.c = $(no-stack-protector)
+CFLAGS-stack_chk_fail_local.c = $(no-stack-protector)
+CFLAGS-libc-stack_chk_fail_local.c = $(no-stack-protector)
CFLAGS-backtrace.c = -fno-omit-frame-pointer
CFLAGS-sprintf_chk.c = $(libio-mtsafe)
diff --git a/debug/libc-stack_chk_fail_local.c b/debug/libc-stack_chk_fail_local.c
new file mode 100644
index 0000000..73da970
--- /dev/null
+++ b/debug/libc-stack_chk_fail_local.c
@@ -0,0 +1,3 @@
+/* This goes into the shared libc. */
+
+#include <stack_chk_fail_local.c>
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=085d48cdc5494e642cc7016649a75ab200a03781
commit 085d48cdc5494e642cc7016649a75ab200a03781
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:10 2016 +0100
Work even with compilers hacked to enable -fstack-protector by default.
With all the machinery we just added, we can easily arrange to work even
when the compiler passes in -fstack-protector automatically: all the
necessary bits of glibc are always compiled with -fno-stack-protector
now.
So tear out the check in configure, and add appropriate calls to
-fno-stack-protector in tests that need them (largely those that use
-nostdlib), since we don't yet have a __stack_chk_fail() that those
tests can rely upon. (GCC often provides one, but we cannot rely on
this, especially not when bootstrapping.)
v2: No longer pass in -lssp to anything.
v5: Remove accidentally duplicated $(no_ssp)s.
v6: Small revisions following Mike Frysinger's review.
* configure.ac: Add check for unsupported stack-protection level.
(libc_cv_predef_stack_protector): Remove.
(no_ssp): New variable.
(libc_cv_ld_gnu_indirect_function): Use it.
(libc_cv_asm_set_directive): Likewise.
(libc_cv_protected_data): Likewise.
(libc_cv_z_combreloc): Likewise.
(libc_cv_hashstyle): Likewise.
(libc_cv_has_glob_dat): Likewise.
(libc_cv_output_format): Likewise.
(libc_cv_ehdr_start): Likewise.
* aclocal.m4 (LIBC_TRY_LINK_STATIC): Likewise.
(LIBC_LINKER_FEATURE): Likewise.
(LIBC_COMPILER_BUILTIN_INLINED): Likewise.
diff --git a/aclocal.m4 b/aclocal.m4
index 3d64f77..6902155 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -141,7 +141,7 @@ int _start (void) { return 0; }
int __start (void) { return 0; }
$1
EOF
-AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -o conftest
+AS_IF([AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -o conftest
conftest.c -static -nostartfiles -nostdlib
1>&AS_MESSAGE_LOG_FD])],
[$2], [$3])
@@ -226,7 +226,7 @@ if test x"$gnu_ld" = x"yes"; then
cat > conftest.c <<EOF
int _start (void) { return 42; }
EOF
- if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
$2 -nostdlib -nostartfiles
-fPIC -shared -o conftest.so conftest.c
1>&AS_MESSAGE_LOG_FD])
@@ -268,7 +268,7 @@ libc_compiler_builtin_inlined=no
cat > conftest.c <<EOF
int _start (void) { $2 return 0; }
EOF
-if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if ! AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
$3 -nostdlib -nostartfiles
-S conftest.c -o - | fgrep "$1"
1>&AS_MESSAGE_LOG_FD])
diff --git a/configure.ac b/configure.ac
index 6ab2ed2..70bfdfd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -656,6 +656,18 @@ AC_SUBST(libc_cv_ssp)
AC_SUBST(stack_protector)
AC_SUBST(no_stack_protector)
+if test -n "$stack_protector"; then
+ dnl Don't run configure tests with stack-protection on, to avoid problems with
+ dnl bootstrapping.
+ no_ssp=-fno-stack-protector
+else
+ no_ssp=
+
+ if test "$enable_stack_protector" != no; then
+ AC_MSG_ERROR([--enable-stack-protector=$enable_stack_protector specified, but specified level of stack protection is not supported by the compiler.])
+ fi
+fi
+
# For the multi-arch option we need support in the assembler & linker.
AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
libc_cv_ld_gnu_indirect_function, [dnl
@@ -675,7 +687,7 @@ __start:
EOF
libc_cv_ld_gnu_indirect_function=no
if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
- -nostartfiles -nostdlib \
+ -nostartfiles -nostdlib $no_ssp \
-o conftest conftest.S 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
# Do a link to see if the backend supports IFUNC relocs.
$READELF -r conftest 1>&AS_MESSAGE_LOG_FD
@@ -1144,7 +1156,7 @@ extern int glibc_conftest_frobozz;
void _start() { glibc_conftest_frobozz = 1; }
EOF
if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
- -nostartfiles -nostdlib \
+ -nostartfiles -nostdlib $no_ssp \
-o conftest conftest.s conftest1.c 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
libc_cv_asm_set_directive=yes
else
@@ -1161,12 +1173,12 @@ AC_CACHE_CHECK(linker support for protected data symbol,
int bar __attribute__ ((visibility ("protected"))) = 1;
EOF
libc_cv_protected_data=no
- if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles -fPIC -shared conftest.c -o conftest.so); then
+ if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles $no_ssp -fPIC -shared conftest.c -o conftest.so); then
cat > conftest.c <<EOF
extern int bar;
int main (void) { return bar; }
EOF
- if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles conftest.c -o conftest conftest.so); then
+ if AC_TRY_COMMAND(${CC-cc} -nostdlib -nostartfiles $no_ssp conftest.c -o conftest conftest.so); then
libc_cv_protected_data=yes
fi
fi
@@ -1288,7 +1300,7 @@ extern int mumble;
int foo (void) { return bar (mumble); }
EOF
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
- -fPIC -shared -o conftest.so conftest.c
+ -fPIC -shared $no_ssp -o conftest.so conftest.c
-nostdlib -nostartfiles
-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
then
@@ -1326,7 +1338,7 @@ AC_CACHE_CHECK(for --hash-style option,
cat > conftest.c <<EOF
int _start (void) { return 42; }
EOF
-if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
-fPIC -shared -o conftest.so conftest.c
-Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
then
@@ -1398,7 +1410,7 @@ int foo (void) { return mumble; }
EOF
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
-fPIC -shared -o conftest.so conftest.c
- -nostdlib -nostartfiles
+ -nostdlib -nostartfiles $no_ssp
1>&AS_MESSAGE_LOG_FD])
then
dnl look for GLOB_DAT relocation.
@@ -1415,7 +1427,7 @@ AC_SUBST(libc_cv_has_glob_dat)
AC_CACHE_CHECK(linker output format, libc_cv_output_format, [dnl
if libc_cv_output_format=`
-${CC-cc} -nostartfiles -nostdlib -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
+${CC-cc} -nostartfiles -nostdlib $no_ssp -Wl,--print-output-format 2>&AS_MESSAGE_LOG_FD`
then
:
else
@@ -1614,46 +1626,6 @@ if test $libc_cv_predef_fortify_source = yes; then
fi
AC_SUBST(CPPUNDEFS)
-dnl Check for silly hacked compilers inserting -fstack-protector.
-dnl This breaks badly for the early startup code we compile, since
-dnl the compiled code can refer to a magic machine-dependent location
-dnl for the canary value before we have sufficient setup for that to
-dnl work. It's also questionable to build all of libc with this flag
-dnl even when you're doing that for most applications you build, since
-dnl libc's code is so heavily-used and performance-sensitive. If we
-dnl ever really want to make that work, it should be enabled explicitly
-dnl in the libc build, not inherited from implicit compiler settings.
-AC_CACHE_CHECK([whether $CC implicitly enables -fstack-protector],
- libc_cv_predef_stack_protector, [
-AC_TRY_COMPILE([extern void foobar (char *);],
- [char large_array[2048]; foobar (large_array);], [
-libc_undefs=`$NM -u conftest.o |
- LC_ALL=C $AWK '$1 == "U" { print $2 | "sort -u"; next } { exit(1) }' \
- 2>&AS_MESSAGE_LOG_FD` || {
- AC_MSG_ERROR([confusing output from $NM -u])
-}
-echo >&AS_MESSAGE_LOG_FD "libc_undefs='$libc_undefs'"
-# On some architectures, there are architecture-specific undefined
-# symbols (resolved by the linker), so filter out unknown symbols.
-# This will fail to produce the correct result if the compiler
-# defaults to -fstack-protector but this produces an undefined symbol
-# other than __stack_chk_fail. However, compilers like that have not
-# been encountered in practice.
-libc_undefs=`echo "$libc_undefs" | egrep '^(foobar|__stack_chk_fail)$'`
-case "$libc_undefs" in
-foobar) libc_cv_predef_stack_protector=no ;;
-'__stack_chk_fail
-foobar') libc_cv_predef_stack_protector=yes ;;
-*) AC_MSG_ERROR([unexpected symbols in test: $libc_undefs]) ;;
-esac],
- [AC_MSG_ERROR([test compilation failed])])
-])
-libc_extra_cflags=
-if test $libc_cv_predef_stack_protector = yes; then
- libc_extra_cflags="$libc_extra_cflags -fno-stack-protector"
-fi
-libc_extra_cppflags=
-
# Some linkers on some architectures support __ehdr_start but with
# bugs. Make sure usage of it does not create relocations in the
# output (as the linker should resolve them all for us).
@@ -1663,7 +1635,7 @@ old_CFLAGS="$CFLAGS"
old_LDFLAGS="$LDFLAGS"
old_LIBS="$LIBS"
CFLAGS="$CFLAGS -fPIC"
-LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared"
+LDFLAGS="$LDFLAGS -nostdlib -nostartfiles -shared $no_ssp"
LIBS=
AC_LINK_IFELSE([AC_LANG_SOURCE([
typedef struct {
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=10bb23d6cd48055ba4974119bc1cf87f4d8063e5
commit 10bb23d6cd48055ba4974119bc1cf87f4d8063e5
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:09 2016 +0100
Prevent the rtld mapfile computation from dragging in __stack_chk_fail*.
The previous commit prevented rtld itself from being built with
-fstack-protector, but this is not quite enough. We identify which
objects belong in rtld via a test link and analysis of the resulting
mapfile. That link is necessarily done against objects that are
stack-protected, so drags in __stack_chk_fail_local, __stack_chk_fail,
and all the libc and libio code they use.
To stop this happening, use --defsym in the test librtld.map-production
link to force the linker to predefine these two symbols (to 0, but it
could be to anything). (In a real link, this would of course be
catastrophic, but these object files are never used for anything else.)
v2: New.
v6: Dummy out stack_chk_fail_local too.
* elf/Makefile (dummy-stack-chk-fail): New.
($(objpfx)librtld.map): Use it.
diff --git a/elf/Makefile b/elf/Makefile
index cd06b60..a742ed5 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -351,9 +351,20 @@ $(objpfx)dl-allobjs.os: $(all-rtld-routines:%=$(objpfx)%.os)
# are compiled with special flags, and puts these modules into rtld-libc.a
# for us. Then we do the real link using rtld-libc.a instead of libc_pic.a.
+# If the compiler can do SSP, build the mapfile with dummy __stack_chk_fail
+# and __stack_chk_fail_local symbols defined, to prevent the real things
+# being dragged into rtld even though rtld is never built with stack-protection.
+
+ifeq ($(have-ssp),yes)
+dummy-stack-chk-fail := -Wl,--defsym='__stack_chk_fail=0' \
+ -Wl,--defsym='__stack_chk_fail_local=0'
+else
+dummy-stack-chk-fail :=
+endif
+
$(objpfx)librtld.map: $(objpfx)dl-allobjs.os $(common-objpfx)libc_pic.a
@-rm -f $@T
- $(reloc-link) -o $@.o '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T
+ $(reloc-link) -o $@.o $(dummy-stack-chk-fail) '-Wl,-(' $^ -lgcc '-Wl,-)' -Wl,-Map,$@T
rm -f $@.o
mv -f $@T $@
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=0718bc3e5680502076efaba7fe3000d8d896c52f
commit 0718bc3e5680502076efaba7fe3000d8d896c52f
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:08 2016 +0100
Compile the entire dynamic linker with -fno-stack-protector.
Also compile corresponding routines in the static libc.a with the same
flag.
v3: Use $(no-stack-protector).
Introduce $(elide-stack-protector) and use it to reduce redundancy.
Bring all the elisions together textually.
* elf/Makefile (elide-stack-protector): New.
(CFLAGS-.os): Use it, eliding $(all-rtld-routines).
(CFLAGS-.oX): Likewise, eliding $(elide-routines.os).
(rtld-CFLAGS): Likewise.
diff --git a/elf/Makefile b/elf/Makefile
index 210dde9..cd06b60 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -50,6 +50,19 @@ CFLAGS-dl-runtime.c = -fexceptions -fasynchronous-unwind-tables
CFLAGS-dl-lookup.c = -fexceptions -fasynchronous-unwind-tables
CFLAGS-dl-iterate-phdr.c = $(uses-callbacks)
+# Compile rtld itself without stack protection.
+# Also compile all routines in the static library that are elided from
+# the shared libc because they are in ld.so the same way.
+
+define elide-stack-protector
+$(if $(filter $(@F),$(patsubst %,%$(1),$(2))), $(no-stack-protector))
+endef
+
+CFLAGS-.o += $(call elide-stack-protector,.o,$(elide-routines.os))
+CFLAGS-.op += $(call elide-stack-protector,.op,$(elide-routines.os))
+CFLAGS-.og += $(call elide-stack-protector,.og,$(elide-routines.os))
+CFLAGS-.os += $(call elide-stack-protector,.os,$(all-rtld-routines))
+
ifeq ($(unwind-find-fde),yes)
routines += unwind-dw2-fde-glibc
shared-only-routines += unwind-dw2-fde-glibc
diff --git a/elf/rtld-Rules b/elf/rtld-Rules
index c1bb506..aff4e3e 100644
--- a/elf/rtld-Rules
+++ b/elf/rtld-Rules
@@ -144,4 +144,6 @@ cpp-srcs-left := $(rtld-modules:%.os=%)
lib := rtld
include $(patsubst %,$(..)cppflags-iterator.mk,$(cpp-srcs-left))
+rtld-CFLAGS := $(no-stack-protector)
+
endif
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=dcb6b662b71117834db8732bd46649557f554a58
commit dcb6b662b71117834db8732bd46649557f554a58
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:06 2016 +0100
Mark all machinery needed in early static-link init as -fno-stack-protector.
The startup code in csu/, brk() and sbrk(), and the
__pthread_initialize_tcb_internal() function we just introduced are
needed very early in initialization of a statically-linked program,
before the stack guard is initialized. Mark all of these as
-fno-stack-protector.
We also finally introduce @libc_cv_ssp@ and @no_stack_protector@, both
substituted by the configury changes made earlier, to detect the case
when -fno-stack-protector is supported by the compiler, and
unconditionally pass it in when this is the case, whether or not
--enable-stack-protector is passed to configure. (This means that
it'll even work when the compiler's been hacked to pass
-fstack-protector by default, unless the hackage is so broken that
it does so in a way that is impossible to override.)
(At one point we marked __libc_fatal() as non-stack-protected too,
but this was pointless: all it did was call other routines which *are*
stack-protected. The earliest __libc_fatal() call is in the
DL_SYSDEP_OSCHECK hook on some platforms, when statically linking:
this is fine, since it is after TLS and stack-canary initialization.
I have tested invocation of programs statically and dynamically
linked against this glibc on older kernels on x86 and ARM, and they
still "work", i.e. fail with the appropriate message.)
v2: No longer mark memcpy() as -fno-stack-protector.
v3: Use $(no-stack-protector).
v4: Use inhibit_stack_protector rather than de-protecting all of nptl-init.c.
v5: Don't stack-protect brk() and sbrk() in the shared library.
v7: Add comment in misc/Makefile. Commit message tweak.
* config.make.in (have-ssp): New.
(no-stack-protector): New.
* csu/Makefile (CFLAGS-.o): Use it.
(CFLAGS-.og): Likewise.
(CFLAGS-.op): Likewise.
(CFLAGS-.os): Likewise.
* misc/Makefile (CFLAGS-sbrk.o): Likewise.
(CFLAGS-sbrk.op): Likewise.
(CFLAGS-sbrk.og): Likewise.
(CFLAGS-brk.o): Likewise.
(CFLAGS-brk.op): Likewise.
(CFLAGS-brk.og): Likewise.
* nptl/nptl-init.c [!SHARED] (__pthread_initialize_tcb_internal):
Likewise.
diff --git a/config.make.in b/config.make.in
index 95c6f36..6c15d19 100644
--- a/config.make.in
+++ b/config.make.in
@@ -56,7 +56,9 @@ with-fp = @with_fp@
enable-timezone-tools = @enable_timezone_tools@
unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
have-fpie = @libc_cv_fpie@
+have-ssp = @libc_cv_ssp@
stack-protector = @stack_protector@
+no-stack-protector = @no_stack_protector@
have-selinux = @have_selinux@
have-libaudit = @have_libaudit@
have-libcap = @have_libcap@
diff --git a/csu/Makefile b/csu/Makefile
index 31e8bb9..22afe67 100644
--- a/csu/Makefile
+++ b/csu/Makefile
@@ -45,6 +45,11 @@ before-compile += $(objpfx)version-info.h
tests := tst-empty tst-atomic tst-atomic-long
tests-static := tst-empty
+CFLAGS-.o += $(no-stack-protector)
+CFLAGS-.og += $(no-stack-protector)
+CFLAGS-.op += $(no-stack-protector)
+CFLAGS-.os += $(no-stack-protector)
+
ifeq (yes,$(build-shared))
extra-objs += S$(start-installed-name) gmon-start.os
ifneq ($(start-installed-name),$(static-start-installed-name))
diff --git a/misc/Makefile b/misc/Makefile
index 56e20ce..9d413c4 100644
--- a/misc/Makefile
+++ b/misc/Makefile
@@ -104,6 +104,15 @@ CFLAGS-getusershell.c = -fexceptions
CFLAGS-err.c = -fexceptions
CFLAGS-tst-tsearch.c = $(stack-align-test-flags)
+# Called during static library initialization, so turn stack-protection
+# off for non-shared builds.
+CFLAGS-sbrk.o = $(no-stack-protector)
+CFLAGS-sbrk.op = $(no-stack-protector)
+CFLAGS-sbrk.og = $(no-stack-protector)
+CFLAGS-brk.o = $(no-stack-protector)
+CFLAGS-brk.op = $(no-stack-protector)
+CFLAGS-brk.og = $(no-stack-protector)
+
include ../Rules
$(objpfx)libg.a: $(dep-dummy-lib); $(make-dummy-lib)
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
index a4626be..2775d14 100644
--- a/nptl/nptl-init.c
+++ b/nptl/nptl-init.c
@@ -298,6 +298,7 @@ static bool __nptl_initial_report_events __attribute_used__;
#ifndef SHARED
void
+inhibit_stack_protector
__pthread_initialize_tcb_internal (void)
{
/* Unlike in the dynamically linked case the dynamic linker has not
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d23b1cd0cf47428831e451eb7fda5434982b0675
commit d23b1cd0cf47428831e451eb7fda5434982b0675
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Jul 4 12:25:57 2016 +0200
Define inhibit_stack_protector
diff --git a/config.h.in b/config.h.in
index da50564..74e6ed3 100644
--- a/config.h.in
+++ b/config.h.in
@@ -48,6 +48,10 @@
/* Define if compiler accepts -ftree-loop-distribute-patterns. */
#undef HAVE_CC_INHIBIT_LOOP_TO_LIBCALL
+/* Define if compiler accepts -fno-stack-protector in an
+ __attribute__((__optimize__)). */
+#undef HAVE_CC_NO_STACK_PROTECTOR
+
/* The level of stack protection in use for glibc as a whole. */
#undef STACK_PROTECTOR_LEVEL
diff --git a/configure.ac b/configure.ac
index ae46cf9..6ab2ed2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -639,6 +639,7 @@ stack_protector=
no_stack_protector=
if test "$libc_cv_ssp" = yes; then
no_stack_protector="-fno-stack-protector"
+ AC_DEFINE(HAVE_CC_NO_STACK_PROTECTOR)
fi
if test "$enable_stack_protector" = yes && test "$libc_cv_ssp" = yes; then
diff --git a/include/libc-symbols.h b/include/libc-symbols.h
index 4548e09..a61a839 100644
--- a/include/libc-symbols.h
+++ b/include/libc-symbols.h
@@ -314,6 +314,16 @@ for linking")
#define attribute_relro __attribute__ ((section (".data.rel.ro")))
+
+/* Used to disable stack protection in sensitive places, like early
+ static TLS init. */
+#ifdef HAVE_CC_NO_STACK_PROTECTOR
+# define inhibit_stack_protector \
+ __attribute__ ((__optimize__ ("-fno-stack-protector")))
+#else
+# define inhibit_stack_protector
+#endif
+
/* The following macros are used for PLT bypassing within libc.so
(and if needed other libraries similarly).
First of all, you need to have the function prototyped somewhere,
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=1a410af4d0c0b57ca0eff9546cf18539ebfce8af
commit 1a410af4d0c0b57ca0eff9546cf18539ebfce8af
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:04 2016 +0100
Initialize the stack guard earlier when linking statically.
The address of the stack canary is stored in a per-thread variable,
which means that we must ensure that the TLS area is intialized before
calling any -fstack-protector'ed functions. For dynamically linked
applications, we ensure this (in a later patch) by disabling
-fstack-protector for the whole dynamic linker, but for static
applications the AT_ENTRY address is called directly by the kernel, so
we must deal with the problem differently.
So split out the part of pthread initialization that sets up the TCB
(and, more generally, the TLS area) into a separate function (twice --
there is one implementation in libpthread.a, and another outside it for
programs that do not link with libpthread), then call it at
initialization time. Call that, and move the stack guard initialization
above the DL_SYSDEP_OSCHECK hook, which if set will probably call
functions which are stack-protected (it does on Linux and NaCL too).
We also move apply_irel() up, so that we can still safely call functions
that require ifuncs while in __pthread_initialize_tcb_internal()
(though if stack-protection is enabled we still have to avoid calling
functions that are not stack-protected at this stage).
v2: describe why we don't move apply_irel() up, and the consequences.
v6: We can safely move apply_irel() up now.
* nptl/nptl-init.c (__pthread_initialize_tcb_internal): New
function, split out from...
(__pthread_initialize_minimal_internal): ... here.
* csu/libc-start.c (LIBC_START_MAIN): Call it. Move stack canary
and apply_irel() initialization up.
diff --git a/csu/libc-start.c b/csu/libc-start.c
index f4aa01a..c0a8b7a 100644
--- a/csu/libc-start.c
+++ b/csu/libc-start.c
@@ -33,6 +33,7 @@ extern int __libc_multiple_libcs;
#ifndef SHARED
# include <dl-osinfo.h>
extern void __pthread_initialize_minimal (void);
+extern void __pthread_initialize_tcb_internal (void);
# ifndef THREAD_SET_STACK_GUARD
/* Only exported for architectures that don't store the stack guard canary
in thread local area. */
@@ -178,6 +179,20 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
}
}
+ /* Perform IREL{,A} relocations. */
+ apply_irel ();
+
+ /* The stack guard goes into the TCB. */
+ __pthread_initialize_tcb_internal ();
+
+ /* Set up the stack checker's canary. */
+ uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random);
+# ifdef THREAD_SET_STACK_GUARD
+ THREAD_SET_STACK_GUARD (stack_chk_guard);
+# else
+ __stack_chk_guard = stack_chk_guard;
+# endif
+
# ifdef DL_SYSDEP_OSCHECK
if (!__libc_multiple_libcs)
{
@@ -187,22 +202,11 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
}
# endif
- /* Perform IREL{,A} relocations. */
- apply_irel ();
-
/* Initialize the thread library at least a bit since the libgcc
functions are using thread functions if these are available and
we need to setup errno. */
__pthread_initialize_minimal ();
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard (_dl_random);
-# ifdef THREAD_SET_STACK_GUARD
- THREAD_SET_STACK_GUARD (stack_chk_guard);
-# else
- __stack_chk_guard = stack_chk_guard;
-# endif
-
/* Set up the pointer guard value. */
uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
stack_chk_guard);
diff --git a/csu/libc-tls.c b/csu/libc-tls.c
index d6425e0..3d67a64 100644
--- a/csu/libc-tls.c
+++ b/csu/libc-tls.c
@@ -241,5 +241,13 @@ void
__attribute__ ((weak))
__pthread_initialize_minimal (void)
{
+}
+
+/* This is the minimal initialization function used when libpthread is
+ not used. */
+void
+__attribute__ ((weak))
+__pthread_initialize_tcb_internal (void)
+{
__libc_setup_tls (TLS_INIT_TCB_SIZE, TLS_INIT_TCB_ALIGN);
}
diff --git a/nptl/nptl-init.c b/nptl/nptl-init.c
index bdbdfed..a4626be 100644
--- a/nptl/nptl-init.c
+++ b/nptl/nptl-init.c
@@ -296,21 +296,24 @@ extern void **__libc_dl_error_tsd (void) __attribute__ ((const));
/* This can be set by the debugger before initialization is complete. */
static bool __nptl_initial_report_events __attribute_used__;
+#ifndef SHARED
void
-__pthread_initialize_minimal_internal (void)
+__pthread_initialize_tcb_internal (void)
{
-#ifndef SHARED
/* Unlike in the dynamically linked case the dynamic linker has not
taken care of initializing the TLS data structures. */
__libc_setup_tls (TLS_TCB_SIZE, TLS_TCB_ALIGN);
- /* We must prevent gcc from being clever and move any of the
+ /* We must prevent gcc from being clever after inlining and moving any of the
following code ahead of the __libc_setup_tls call. This function
will initialize the thread register which is subsequently
used. */
__asm __volatile ("");
+}
#endif
-
+void
+__pthread_initialize_minimal_internal (void)
+{
/* Minimal initialization of the thread descriptor. */
struct pthread *pd = THREAD_SELF;
__pthread_initialize_pids (pd);
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c090aec57a599df633c4ee175dab96c3642f7c84
commit c090aec57a599df633c4ee175dab96c3642f7c84
Author: Nick Alcock <nick.alcock@oracle.com>
Date: Tue Jun 7 12:06:03 2016 +0100
Configury support for --enable-stack-protector.
This adds =all and =strong, with obvious semantics, and with a rather
arbitrarily-chosen default off, which we might well want to change to
something stronger once this patch has been tested by people other than
me.
We don't validate the value of the option yet: that's in a later patch.
Nor do we use it for anything at this stage.
We differentiate between 'the compiler understands -fstack-protector'
and 'the user wanted -fstack-protector' so that we can pass
-fno-stack-protector in appropriate places even if the user didn't want
to turn on -fstack-protector for other parts. (This helps us overcome
another existing limitation, that glibc doesn't work with GCCs hacked
to pass in -fstack-protector by default.)
We might want to add another configuration option to turn on
-fstack-protector for nscd and other network-facing operations by
default, but for now I've stuck with one option to control everything.
v2: documentation in install.texi; better description of the option.
INSTALL regenerated.
v3: Substitute in no_stack_protector.
v6: Small quoting/spacing revisions following Mike Frysinger's review.
Add STACK_PROTECTOR_LEVEL.
v7: Quoting changes. Report --enable-stack-protector argument values
on error.
[BZ #7065]
* configure.ac (libc_cv_ssp): Move up.
(libc_cv_ssp_strong): Likewise.
(libc_cv_ssp_all): New.
(stack_protector): Augment, adding -fstack-protector-all.
(no_stack_protector): New.
(STACK_PROTECTOR_LEVEL): New.
(AC_ARG_ENABLE(stack-protector)): New configure flag.
* manual/install.texi (--enable-stack-protector): Document it.
* config.h.in (STACK_PROTECTOR_LEVEL): New macro.
* INSTALL: Regenerate.
diff --git a/INSTALL b/INSTALL
index ec3445f..c6184f6 100644
--- a/INSTALL
+++ b/INSTALL
@@ -135,20 +135,31 @@ will be used, and CFLAGS sets optimization options for the compiler.
'--enable-lock-elision=yes'
Enable lock elision for pthread mutexes by default.
-'--enable-pt_chown'
- The file 'pt_chown' is a helper binary for 'grantpt' (*note
- Pseudo-Terminals: Allocation.) that is installed setuid root to fix
- up pseudo-terminal ownership. It is not built by default because
- systems using the Linux kernel are commonly built with the 'devpts'
- filesystem enabled and mounted at '/dev/pts', which manages
- pseudo-terminal ownership automatically. By using
- '--enable-pt_chown', you may build 'pt_chown' and install it setuid
- and owned by 'root'. The use of 'pt_chown' introduces additional
- security risks to the system and you should enable it only if you
- understand and accept those risks.
-
-'--disable-werror'
- By default, the GNU C Library is built with '-Werror'. If you wish
+`--enable-stack-protector'
+`--enable-stack-protector=strong'
+`--enable-stack-protector=all'
+ Compile the C library and all other parts of the glibc package
+ (including the threading and math libraries, NSS modules, and
+ transliteration modules) using the GCC `-fstack-protector',
+ `-fstack-protector-strong' or `-fstack-protector-all' options to
+ detect stack overruns. Only the dynamic linker and a small number
+ of routines called directly from assembler are excluded from this
+ protection.
+
+`--enable-pt_chown'
+ The file `pt_chown' is a helper binary for `grantpt' (*note
+ Pseudo-Terminals: Allocation.) that is installed setuid root to
+ fix up pseudo-terminal ownership. It is not built by default
+ because systems using the Linux kernel are commonly built with the
+ `devpts' filesystem enabled and mounted at `/dev/pts', which
+ manages pseudo-terminal ownership automatically. By using
+ `--enable-pt_chown', you may build `pt_chown' and install it
+ setuid and owned by `root'. The use of `pt_chown' introduces
+ additional security risks to the system and you should enable it
+ only if you understand and accept those risks.
+
+`--disable-werror'
+ By default, the GNU C Library is built with `-Werror'. If you wish
to build without this option (for example, if building with a newer
version of GCC than this version of the GNU C Library was tested
with, so new warnings cause the build with '-Werror' to fail), you
diff --git a/config.h.in b/config.h.in
index 856ef6a..da50564 100644
--- a/config.h.in
+++ b/config.h.in
@@ -48,6 +48,9 @@
/* Define if compiler accepts -ftree-loop-distribute-patterns. */
#undef HAVE_CC_INHIBIT_LOOP_TO_LIBCALL
+/* The level of stack protection in use for glibc as a whole. */
+#undef STACK_PROTECTOR_LEVEL
+
/* Define if the regparm attribute shall be used for local functions
(gcc on ix86 only). */
#undef USE_REGPARMS
diff --git a/configure.ac b/configure.ac
index 123f0d2..ae46cf9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -235,6 +235,18 @@ if test "x$bindnow" = xyes; then
AC_DEFINE(BIND_NOW)
fi
+dnl Build glibc with -fstack-protector, -fstack-protector-all, or
+dnl -fstack-protector-strong.
+AC_ARG_ENABLE([stack-protector],
+ AC_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
+ [Use -fstack-protector[-all|-strong] to detect glibc buffer overflows]),
+ [enable_stack_protector=$enableval],
+ [enable_stack_protector=no])
+case "$enable_stack_protector" in
+all|yes|no|strong) ;;
+*) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector: \"$enable_stack_protector\"]);;
+esac
+
dnl On some platforms we cannot use dynamic loading. We must provide
dnl static NSS modules.
AC_ARG_ENABLE([static-nss],
@@ -605,6 +617,44 @@ fi
test -n "$base_machine" || base_machine=$machine
AC_SUBST(base_machine)
+AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
+ [libc_cv_ssp=yes],
+ [libc_cv_ssp=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+ [libc_cv_ssp_strong=yes],
+ [libc_cv_ssp_strong=no])
+])
+
+AC_CACHE_CHECK(for -fstack-protector-all, libc_cv_ssp_all, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-all],
+ [libc_cv_ssp_all=yes],
+ [libc_cv_ssp_all=no])
+])
+
+stack_protector=
+no_stack_protector=
+if test "$libc_cv_ssp" = yes; then
+ no_stack_protector="-fno-stack-protector"
+fi
+
+if test "$enable_stack_protector" = yes && test "$libc_cv_ssp" = yes; then
+ stack_protector="-fstack-protector"
+ AC_DEFINE(STACK_PROTECTOR_LEVEL, 1)
+elif test "$enable_stack_protector" = all && test "$libc_cv_ssp_all" = yes; then
+ stack_protector="-fstack-protector-all"
+ AC_DEFINE(STACK_PROTECTOR_LEVEL, 2)
+elif test "$enable_stack_protector" = strong && test "$libc_cv_ssp_strong" = yes; then
+ stack_protector="-fstack-protector-strong"
+ AC_DEFINE(STACK_PROTECTOR_LEVEL, 3)
+fi
+AC_SUBST(libc_cv_ssp)
+AC_SUBST(stack_protector)
+AC_SUBST(no_stack_protector)
+
# For the multi-arch option we need support in the assembler & linker.
AC_CACHE_CHECK([for assembler and linker STT_GNU_IFUNC support],
libc_cv_ld_gnu_indirect_function, [dnl
@@ -1392,26 +1442,6 @@ else
fi
AC_SUBST(fno_unit_at_a_time)
-AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
- [libc_cv_ssp=yes],
- [libc_cv_ssp=no])
-])
-
-AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
-LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
- [libc_cv_ssp_strong=yes],
- [libc_cv_ssp_strong=no])
-])
-
-stack_protector=
-if test "$libc_cv_ssp_strong" = "yes"; then
- stack_protector="-fstack-protector-strong"
-elif test "$libc_cv_ssp" = "yes"; then
- stack_protector="-fstack-protector"
-fi
-AC_SUBST(stack_protector)
-
AC_CACHE_CHECK(whether cc puts quotes around section names,
libc_cv_have_section_quotes,
[cat > conftest.c <<EOF
diff --git a/manual/install.texi b/manual/install.texi
index 79ee45f..c9a1e3b 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -164,6 +164,18 @@ time. Consult the @file{timezone} subdirectory for more details.
@item --enable-lock-elision=yes
Enable lock elision for pthread mutexes by default.
+@item --enable-stack-protector
+@itemx --enable-stack-protector=strong
+@itemx --enable-stack-protector=all
+Compile the C library and all other parts of the glibc package
+(including the threading and math libraries, NSS modules, and
+transliteration modules) using the GCC @option{-fstack-protector},
+@option{-fstack-protector-strong} or @option{-fstack-protector-all}
+options to detect stack overruns. Only the dynamic linker and a small
+number of routines called directly from assembler are excluded from this
+protection.
+
+
@pindex pt_chown
@findex grantpt
@item --enable-pt_chown
-----------------------------------------------------------------------
hooks/post-receive
--
GNU C Library master sources