
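--- a/libc-patched.orig/debug/Makefile
+++ b/libc-patched.orig/debug/Makefile
@@ -48,6 +48,7 @@
 static-only-routines := warning-nop stack_chk_fail_local
 
 CFLAGS-backtrace.c = -fno-omit-frame-pointer
+CFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE
 CFLAGS-sprintf_chk.c = -D_IO_MTSAFE_IO
 CFLAGS-snprintf_chk.c = -D_IO_MTSAFE_IO
 CFLAGS-vsprintf_chk.c = -D_IO_MTSAFE_IO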
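Review bot: `CFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE` hard-wires the abort-with-core policy for every build, with no comment and no configure switch. In the handler this define selects the path that resets SIGABRT to its default action and raises it before the SIGKILL fallback, so whether a memory image of the just-corrupted process reaches disk is left to the site's core-dump limits and policy. I would add a comment above the line, e.g. `# Raise SIGABRT (core dump subject to system limits) on stack smash instead of going straight to SIGKILL.`, and consider tying the define to a configure option so installations that must not write cores can turn it off.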
(-)libc-patched.orig/debug/stack_chk_fail.c (-7 / +289 lines)
Lines 1-4 Link Here
1
/* Copyright (C) 2005, 2007 Free Software Foundation, Inc.
1
/* Copyright (C) 2005 Free Software Foundation, Inc.
2
   This file is part of the GNU C Library.
2
   This file is part of the GNU C Library.
3
3
4
   The GNU C Library is free software; you can redistribute it and/or
4
   The GNU C Library is free software; you can redistribute it and/or
Lines 16-30 Link Here
16
   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
16
   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
17
   02111-1307 USA.  */
17
   02111-1307 USA.  */
18
18
19
#include <stdio.h>
19
/* Copyright (C) 2006-2007 Gentoo Foundation Inc.
20
 * License terms as above.
21
 *
22
 * Hardened Gentoo SSP handler
23
 *
24
 * An SSP failure handler that does not use functions from the rest of
25
 * glibc; it uses the INTERNAL_SYSCALL methods directly.  This ensures
26
 * no possibility of recursion into the handler.
27
 *
28
 * Direct all bug reports to http://bugs.gentoo.org/
29
 *
30
 * Re-written from the glibc-2.3 Hardened Gentoo SSP handler
31
 * by Kevin F. Quinn - <kevquinn[@]gentoo.org>
32
 *
33
 * The following people contributed to the glibc-2.3 Hardened
34
 * Gentoo SSP handler, from which this implementation draws much:
35
 *
36
 * Ned Ludd - <solar[@]gentoo.org>
37
 * Alexander Gabert - <pappy[@]gentoo.org>
38
 * The PaX Team - <pageexec[@]freemail.hu>
39
 * Peter S. Mazinger - <ps.m[@]gmx.net>
40
 * Yoann Vandoorselaere - <yoann[@]prelude-ids.org>
41
 * Robert Connolly - <robert[@]linuxfromscratch.org>
42
 * Cory Visi <cory[@]visi.name>
43
 * Mike Frysinger <vapier[@]gentoo.org>
44
 */
45
46
#include <errno.h>
20
#include <stdlib.h>
47
#include <stdlib.h>
48
#include <unistd.h>
49
#include <signal.h>
50
51
#include <sys/types.h>
52
53
#include <sysdep-cancel.h>
54
#include <sys/syscall.h>
55
#include <bp-checks.h>
56
57
#include <kernel-features.h>
58
59
#include <alloca.h>
60
/* from sysdeps */
61
#include <socketcall.h>
62
/* for the stuff in bits/socket.h */
63
#include <sys/socket.h>
64
#include <sys/un.h>
65
66
67
/* Sanity check on SYSCALL macro names - force compilation
68
 * failure if the names used here do not exist
69
 */
70
#if !defined __NR_socketcall && !defined __NR_socket
71
# error Cannot do syscall socket or socketcall
72
#endif
73
#if !defined __NR_socketcall && !defined __NR_connect
74
# error Cannot do syscall connect or socketcall
75
#endif
76
#ifndef __NR_write
77
# error Cannot do syscall write
78
#endif
79
#ifndef __NR_close
80
# error Cannot do syscall close
81
#endif
82
#ifndef __NR_getpid
83
# error Cannot do syscall getpid
84
#endif
85
#ifndef __NR_kill
86
# error Cannot do syscall kill
87
#endif
88
#ifndef __NR_exit
89
# error Cannot do syscall exit
90
#endif
91
#ifdef SSP_SMASH_DUMPS_CORE
92
# define ENABLE_SSP_SMASH_DUMPS_CORE 1
93
# if !defined _KERNEL_NSIG && !defined _NSIG
94
#  error No _NSIG or _KERNEL_NSIG for rt_sigaction
95
# endif
96
# if !defined __NR_sigaction && !defined __NR_rt_sigaction
97
#  error Cannot do syscall sigaction or rt_sigaction
98
# endif
99
/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size
100
 * of the _kernel_ sigset_t which is not the same as the user sigset_t.
101
 * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for
102
 * some reason.
103
 */
104
# ifdef _KERNEL_NSIG
105
#  define _SSP_NSIG _KERNEL_NSIG
106
# else
107
#  define _SSP_NSIG _NSIG
108
# endif
109
#else
110
# define _SSP_NSIG 0
111
# define ENABLE_SSP_SMASH_DUMPS_CORE 0
112
#endif
113
114
/* Define DO_SIGACTION - default to newer rt signal interface but
115
 * fallback to old as needed.
116
 */
117
#ifdef __NR_rt_sigaction
118
# define DO_SIGACTION(signum, act, oldact) \
119
	INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8)
120
#else
121
# define DO_SIGACTION(signum, act, oldact) \
122
	INLINE_SYSCALL(sigaction, 3, signum, act, oldact)
123
#endif
124
125
/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */
126
#if defined(__NR_socket) && defined(__NR_connect)
127
# define USE_OLD_SOCKETCALL 0
128
#else
129
# define USE_OLD_SOCKETCALL 1
130
#endif
131
/* stub out the __NR_'s so we can let gcc optimize away dead code */
132
#ifndef __NR_socketcall
133
# define __NR_socketcall 0
134
#endif
135
#ifndef __NR_socket
136
# define __NR_socket 0
137
#endif
138
#ifndef __NR_connect
139
# define __NR_connect 0
140
#endif
141
#define DO_SOCKET(result, domain, type, protocol) \
142
	do { \
143
		if (USE_OLD_SOCKETCALL) { \
144
			socketargs[0] = domain; \
145
			socketargs[1] = type; \
146
			socketargs[2] = protocol; \
147
			socketargs[3] = 0; \
148
			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \
149
		} else \
150
			result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \
151
	} while (0)
152
#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \
153
	do { \
154
		if (USE_OLD_SOCKETCALL) { \
155
			socketargs[0] = sockfd; \
156
			socketargs[1] = (unsigned long int)serv_addr; \
157
			socketargs[2] = addrlen; \
158
			socketargs[3] = 0; \
159
			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \
160
		} else \
161
			result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \
162
	} while (0)
163
164
#ifndef _PATH_LOG
165
# define _PATH_LOG "/dev/log"
166
#endif
167
168
static const char path_log[] = _PATH_LOG;
169
170
/* For building glibc with SSP switched on, define __progname to a
171
 * constant if building for the run-time loader, to avoid pulling
172
 * in more of libc.so into ld.so
173
 */
174
#ifdef IS_IN_rtld
175
static char *__progname = "<rtld>";
176
#else
177
extern char *__progname;
178
#endif
179
21
180
181
/* Common handler code, used by stack_chk_fail and __stack_smash_handler
182
 * Inlined to ensure no self-references to the handler within itself.
183
 * Data static to avoid putting more than necessary on the stack,
184
 * to aid core debugging.
185
 * The copy in rtld must be hidden to ensure that it gets no relocations
186
 * and thus does not crash if called during libc startup.
187
 */
188
__attribute__ ((__noreturn__ , __always_inline__))
189
#ifdef IS_IN_rtld
190
attribute_hidden
191
#endif
192
static inline void
193
__hardened_gentoo_stack_chk_fail(char func[], int damaged)
194
{
195
#define MESSAGE_BUFSIZ 256
196
	static pid_t pid;
197
	static int plen, i;
198
	static char message[MESSAGE_BUFSIZ];
199
	static const char msg_ssa[] = ": stack smashing attack";
200
	static const char msg_inf[] = " in function ";
201
	static const char msg_ssd[] = "*** stack smashing detected ***: ";
202
	static const char msg_terminated[] = " - terminated\n";
203
	static const char msg_unknown[] = "<unknown>";
204
	static int log_socket, connect_result;
205
	static struct sockaddr_un sock;
206
	static unsigned long int socketargs[4];
207
208
	/* Build socket address
209
	 */
210
	sock.sun_family = AF_UNIX;
211
	i = 0;
212
	while ((path_log[i] != '\0') && (i<(sizeof(sock.sun_path)-1))) {
213
		sock.sun_path[i] = path_log[i];
214
		i++;
215
	}
216
	sock.sun_path[i] = '\0';
217
218
	/* Try SOCK_DGRAM connection to syslog */
219
	connect_result = -1;
220
	DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0);
221
	if (log_socket != -1)
222
		DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
223
	if (connect_result == -1) {
224
		if (log_socket != -1)
225
			INLINE_SYSCALL(close, 1, log_socket);
226
		/* Try SOCK_STREAM connection to syslog */
227
		DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0);
228
		if (log_socket != -1)
229
			DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
230
	}
231
232
	/* Build message.  Messages are generated both in the old style and new style,
233
	 * so that log watchers that are configured for the old-style message continue
234
	 * to work.
235
	 */
236
#define strconcat(str) \
237
		{i=0; while ((str[i] != '\0') && ((i+plen)<(MESSAGE_BUFSIZ-1))) \
238
		{\
239
			message[plen+i]=str[i];\
240
			i++;\
241
		}\
242
		plen+=i;}
243
244
	/* R.Henderson post-gcc-4 style message */
245
	plen = 0;
246
	strconcat(msg_ssd);
247
	if (__progname != (char *)0)
248
		strconcat(__progname)
249
	else
250
		strconcat(msg_unknown);
251
	strconcat(msg_terminated);
252
253
	/* Write out error message to STDERR, to syslog if open */
254
	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
255
	if (connect_result != -1)
256
		INLINE_SYSCALL(write, 3, log_socket, message, plen);
257
258
	/* Dr. Etoh pre-gcc-4 style message */
259
	plen = 0;
260
	if (__progname != (char *)0)
261
		strconcat(__progname)
262
	else
263
		strconcat(msg_unknown);
264
	strconcat(msg_ssa);
265
	strconcat(msg_inf);
266
	if (func != NULL)
267
		strconcat(func)
268
	else
269
		strconcat(msg_unknown);
270
	strconcat(msg_terminated);
271
	/* Write out error message to STDERR, to syslog if open */
272
	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
273
	if (connect_result != -1)
274
		INLINE_SYSCALL(write, 3, log_socket, message, plen);
22
275
23
extern char **__libc_argv attribute_hidden;
276
	/* Write out error message to STDERR, to syslog if open */
277
	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
278
	if (connect_result != -1)
279
		INLINE_SYSCALL(write, 3, log_socket, message, plen);
280
281
	if (log_socket != -1)
282
		INLINE_SYSCALL(close, 1, log_socket);
283
284
	/* Suicide */
285
	pid = INLINE_SYSCALL(getpid, 0);
286
287
	if (ENABLE_SSP_SMASH_DUMPS_CORE) {
288
		static struct sigaction default_abort_act;
289
		/* Remove any user-supplied handler for SIGABRT, before using it */
290
		default_abort_act.sa_handler = SIG_DFL;
291
		default_abort_act.sa_sigaction = NULL;
292
		__sigfillset(&default_abort_act.sa_mask);
293
		default_abort_act.sa_flags = 0;
294
		if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0)
295
			INLINE_SYSCALL(kill, 2, pid, SIGABRT);
296
	}
297
298
	/* Note; actions cannot be added to SIGKILL */
299
	INLINE_SYSCALL(kill, 2, pid, SIGKILL);
300
301
	/* In case the kill didn't work, exit anyway
302
	 * The loop prevents gcc thinking this routine returns
303
	 */
304
	while (1)
305
		INLINE_SYSCALL(exit, 0);
306
}
24
307
25
void
308
__attribute__ ((__noreturn__))
26
__attribute__ ((noreturn))
309
void __stack_chk_fail(void)
27
__stack_chk_fail (void)
28
{
310
{
29
  __fortify_fail ("stack smashing detected");
311
	__hardened_gentoo_stack_chk_fail(NULL, 0);
30
}
312
}
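Review bot: The old-style message is emitted twice: the `INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen)` plus syslog write at new lines 272-274 is repeated verbatim at 277-279 with `message` and `plen` unchanged in between, so each detection produces a duplicate line on stderr and in the log; the second copy should be deleted. In the fallback loop `INLINE_SYSCALL(exit, 0)` passes no status argument, which presumably leaves the exit code to whatever is in the first argument register; `INLINE_SYSCALL(exit, 1, 127)` (or another fixed status) would make it deterministic. The header comment also says the handler uses INTERNAL_SYSCALL while the body uses INLINE_SYSCALL throughout, and the `damaged` parameter is never read; both are worth reconciling or documenting.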
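--- a/libc-patched.orig/configure.in
+++ b/libc-patched.orig/configure.in
@@ -207,6 +207,19 @@
 	      [bindnow=no])
 AC_SUBST(bindnow)
 
+dnl Build glibc with -fstack-protector, or with -fstack-protector-all.
+AC_ARG_WITH([stack-protector],
+            AC_HELP_STRING([--with-stack-protector=@<:@yes|no|all@:>@],
+                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),
+            [with_stack_protector=$withval],
+            [with_stack_protector=no])
+case x"$with_stack_protector" in
+    xall|xyes|xno) ;;
+    *) AC_MSG_ERROR([Not a valid argument for --with-stack-protector]);;
+esac
+stack_protect="$with_stack_protector"
+AC_SUBST(stack_protect)
+
 dnl On some platforms we cannot use dynamic loading.  We must provide
 dnl static NSS modules.
 AC_ARG_ENABLE([static-nss],
@@ -1057,6 +1070,32 @@
 override stddef.h = # The installed <stddef.h> seems to be libc-friendly."
 fi
 
+AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
+cat > conftest.c <<EOF
+int foo;
+main () { return 0;}
+EOF
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -Werror -fstack-protector
+			    -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
+then
+  libc_cv_ssp=yes
+
+  dnl While most tests can be conducted with stack protection on, a few are
+  dnl incompatible with it.
+  no_ssp=-fno-stack-protector
+  libssp=-lssp
+else
+  libc_cv_ssp=no
+  no_ssp=
+  libssp=
+
+  if test x"$with_stack_protector" != xno; then
+    AC_MSG_ERROR([--with-stack-protector=$with_stack_protector specified, but stack protection is not supported by the compiler.])
+  fi
+fi
+rm -f conftest*])
+AC_SUBST(libc_cv_ssp)
+
 AC_CACHE_CHECK(whether we need to use -P to assemble .S files,
 	       libc_cv_need_minus_P, [dnl
 cat > conftest.S <<EOF
@@ -1126,7 +1165,7 @@
 EOF
 if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
 	    -nostartfiles -nostdlib \
-	    -o conftest conftest.s conftest1.c 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
+	    -o conftest conftest.s conftest1.c $libssp 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
   libc_cv_asm_set_directive=yes
 else
   libc_cv_asm_set_directive=no
@@ -1188,7 +1227,7 @@
 EOF
   if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
     if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
-				-o conftest.so conftest.o
+				-o conftest.so conftest.o $libssp
 				-nostartfiles -nostdlib
 				-Wl,--version-script,conftest.map
 		       1>&AS_MESSAGE_LOG_FD]);
@@ -1361,7 +1400,7 @@
 int foo (void) { return 1; }
 int (*fp) (void) __attribute__ ((section (".init_array"))) = foo;
 EOF
-  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -o conftest conftest.c
+  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -o conftest conftest.c
 		     -static -nostartfiles -nostdlib 1>&AS_MESSAGE_LOG_FD])
   then
     if readelf -S conftest | fgrep INIT_ARRAY > /dev/null; then
@@ -1401,7 +1440,7 @@
 EOF
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 		     -fPIC -shared -o conftest.so conftest.c
-		     -nostartfiles -nostdlib
+		     -nostartfiles -nostdlib $libssp
 		     -Wl,--enable-new-dtags,-z,nodelete 1>&AS_MESSAGE_LOG_FD])
   then
     libc_cv_z_nodelete=yes
@@ -1417,7 +1456,7 @@
 EOF
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
-			-nostartfiles -nostdlib
+			-nostartfiles -nostdlib $libssp
 			-Wl,--enable-new-dtags,-z,nodlopen 1>&AS_MESSAGE_LOG_FD])
   then
     libc_cv_z_nodlopen=yes
@@ -1433,7 +1472,7 @@
 EOF
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
-			-nostartfiles -nostdlib
+			-nostartfiles -nostdlib $libssp
 			-Wl,--enable-new-dtags,-z,initfirst 1>&AS_MESSAGE_LOG_FD])
   then
     libc_cv_z_initfirst=yes
@@ -1468,7 +1507,7 @@
   cat > conftest.c <<EOF
 int _start (void) { return 42; }
 EOF
-  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
+  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
 			      -fPIC -shared -o conftest.so conftest.c
 			      -Wl,-Bgroup -nostdlib 1>&AS_MESSAGE_LOG_FD])
   then
@@ -1501,7 +1540,7 @@
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			      -fPIC -shared -o conftest.so conftest.c
 			      -lgcc_s$libc_cv_libgcc_s_suffix -Wl,--as-needed
-			      -nostdlib 1>&AS_MESSAGE_LOG_FD])
+			      -nostdlib $libssp 1>&AS_MESSAGE_LOG_FD])
   then
     libc_cv_as_needed=yes
   else
@@ -1541,7 +1580,7 @@
 EOF
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			-fPIC -shared -o conftest.so conftest.c
-			-nostdlib -nostartfiles
+			-nostdlib -nostartfiles $libssp
 			-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
   then
 dnl The following test is a bit weak.  We must use a tool which can test
@@ -1570,7 +1609,7 @@
 EOF
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			      -fPIC -shared -o conftest.so conftest.c
-			      -Wl,-z,execstack -nostdlib
+			      -Wl,-z,execstack -nostdlib $libssp
 			      1>&AS_MESSAGE_LOG_FD])
   then
     libc_cv_z_execstack=yes
@@ -1603,7 +1642,7 @@
 EOF
   if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			      -fPIC -shared -o conftest.so conftest.c
-			      -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
+			      -Wl,--hash-style=both -nostdlib $libssp 1>&AS_MESSAGE_LOG_FD])
   then
     libc_cv_hashstyle=yes
   else
@@ -1632,21 +1671,6 @@
 fi
 AC_SUBST(fno_unit_at_a_time)
 
-AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
-cat > conftest.c <<EOF
-int foo;
-main () { return 0;}
-EOF
-if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -Werror -fstack-protector
-			    -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
-then
-  libc_cv_ssp=yes
-else
-  libc_cv_ssp=no
-fi
-rm -f conftest*])
-AC_SUBST(libc_cv_ssp)
-
 AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl
 cat > conftest.c <<EOF
 int foo;
@@ -1832,7 +1856,7 @@
 dnl No \ in command here because it ends up inside ''.
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			    -nostdlib -nostartfiles -Wl,--no-whole-archive
-			    -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD]); then
+			    -o conftest conftest.c $libssp 1>&AS_MESSAGE_LOG_FD]); then
   libc_cv_ld_no_whole_archive=yes
 else
   libc_cv_ld_no_whole_archive=no
@@ -1852,7 +1876,7 @@
 dnl No \ in command here because it ends up inside ''.
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
 			    -nostdlib -nostartfiles -fexceptions
-			    -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD]); then
+			    -o conftest conftest.c $libssp 1>&AS_MESSAGE_LOG_FD]); then
   libc_cv_gcc_exceptions=yes
 else
   libc_cv_gcc_exceptions=no
@@ -1887,7 +1911,7 @@
 EOF
 dnl No \ in command here because it ends up inside ''.
 if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -nostdlib -nostartfiles
-			    -o conftest conftest.c -lgcc >&AS_MESSAGE_LOG_FD]); then
+			    -o conftest conftest.c -lgcc $libssp >&AS_MESSAGE_LOG_FD]); then
   libc_cv_gcc_builtin_expect=yes
 else
   libc_cv_gcc_builtin_expect=no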
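Review bot: `no_ssp` and `libssp` are assigned inside the command body of `AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, ...)`, which autoconf skips when `libc_cv_ssp` is already in the cache, so on a cached run both stay unset and the `--with-stack-protector` error check is bypassed too. The later link probes then lose `$libssp`/`$no_ssp` without any diagnostic. Keep only the probe inside the cached body and derive the helper variables after it from `$libc_cv_ssp`, as sketched below. Also note that `libssp=-lssp` is set whenever the compiler accepts the flag; if no libssp is installed, the `-nostdlib` probes that now link it would presumably fail and flip unrelated results such as `libc_cv_z_execstack` to `no`.

```m4
AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
dnl … unchanged: conftest.c compile probe; its then/else branches only set libc_cv_ssp …
rm -f conftest*])
AC_SUBST(libc_cv_ssp)
dnl Set outside the cached body so a value from config.cache is honoured.
if test x"$libc_cv_ssp" = xyes; then
  dnl While most tests can be conducted with stack protection on, a few are
  dnl incompatible with it.
  no_ssp=-fno-stack-protector
  libssp=-lssp
else
  no_ssp=
  libssp=
  if test x"$with_stack_protector" != xno; then
    AC_MSG_ERROR([--with-stack-protector=$with_stack_protector specified, but stack protection is not supported by the compiler.])
  fi
fi
```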
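--- a/libc-patched.orig/csu/Makefile
+++ b/libc-patched.orig/csu/Makefile
@@ -51,6 +51,13 @@
 
 include ../Makeconfig
 
+ifeq ($(have-ssp),yes)
+CFLAGS-.o += -fno-stack-protector
+CFLAGS-.og += -fno-stack-protector
+CFLAGS-.op += -fno-stack-protector
+CFLAGS-.os += -fno-stack-protector
+endif
+
 ifeq (yes,$(build-shared))
 extra-objs += S$(start-installed-name)
 install-lib += S$(start-installed-name)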
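Review bot: The four `CFLAGS-.o`/`.og`/`.op`/`.os += -fno-stack-protector` lines switch the protector off for every object built in csu/ but carry no comment, unlike the matching exemptions in elf/, nptl/ and misc/. A reader auditing which code runs unprotected needs the reason here; presumably it is that the startup objects run before the stack guard is set up. I would add `# Startup code runs before the stack guard is initialized.` above the block, and if only some files in this directory need the exemption, narrow it to per-file `CFLAGS-<file>.c` variables.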
(-)libc-patched.orig/Makerules (-1 / +1 lines)
Lines 236-242 Link Here
236
	     while [ $$# -ge 2 ]; do					      \
236
	     while [ $$# -ge 2 ]; do					      \
237
	       t=$$1; shift; 						      \
237
	       t=$$1; shift; 						      \
238
	       d=$$1; shift;						      \
238
	       d=$$1; shift;						      \
239
	       v=$${t%%%}; [ x"$$v" = x ] || v="\$$($${v}CPPFLAGS)";	      \
239
	       v=$${t%%%}; [ x"$$v" = x ] || v="\$$($${v}CPPFLAGS) \$$($${v}CFLAGS)";	      \
240
	       for s in $$asm .c; do					      \
240
	       for s in $$asm .c; do					      \
241
		 echo "\$$(objpfx)$$t$$o: $$dir/$$d$$s \$$(before-compile)";  \
241
		 echo "\$$(objpfx)$$t$$o: $$dir/$$d$$s \$$(before-compile)";  \
242
		 echo "	\$$(compile-command$$s) $$v";			      \
242
		 echo "	\$$(compile-command$$s) $$v";			      \
(-)libc-patched.orig/elf/rtld-Rules (-1 / +5 lines)
Lines 98-104 Link Here
98
$(objpfx)rtld-%.os: %.s $(before-compile)
98
$(objpfx)rtld-%.os: %.s $(before-compile)
99
	$(compile-command.s) $(rtld-CPPFLAGS)
99
	$(compile-command.s) $(rtld-CPPFLAGS)
100
$(objpfx)rtld-%.os: %.c $(before-compile)
100
$(objpfx)rtld-%.os: %.c $(before-compile)
101
	$(compile-command.c) $(rtld-CPPFLAGS)
101
	$(compile-command.c) $(rtld-CPPFLAGS) $(rtld-CFLAGS)
102
102
103
# The rules for generated source files.
103
# The rules for generated source files.
104
$(objpfx)rtld-%.os: $(objpfx)%.S $(before-compile); $(compile-command.S)
104
$(objpfx)rtld-%.os: $(objpfx)%.S $(before-compile); $(compile-command.S)
Lines 124-127 Link Here
124
# This here is the whole point of all the shenanigans.
124
# This here is the whole point of all the shenanigans.
125
rtld-CPPFLAGS := -DNOT_IN_libc=1 -DIS_IN_rtld=1
125
rtld-CPPFLAGS := -DNOT_IN_libc=1 -DIS_IN_rtld=1
126
126
127
ifeq ($(have-ssp),yes)
128
rtld-CFLAGS := -fno-stack-protector
129
endif
130
127
endif
131
endif
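Review bot: Only the `%.c` pattern rule gains `$(rtld-CFLAGS)`; of the rules for generated sources that start after line 103 the hunk shows just the `$(objpfx)%.S` one, so if a generated `$(objpfx)%.c` rule exists below it, those rtld objects would still be built with the protector on. `rtld-CFLAGS` is defined only inside `ifeq ($(have-ssp),yes)` and has no comment; a line such as `# ld.so routines may run before the stack guard is initialized.` at the definition would record why the loader is exempt.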
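--- a/libc-patched.orig/elf/Makefile
+++ b/libc-patched.orig/elf/Makefile
@@ -101,6 +101,16 @@
 
 include ../Makeconfig
 
+ifeq ($(have-ssp),yes)
+# In the dynamic loader, some routines (which include routines called before
+# the stack guard is initialized) are compiled without stack protection.
+# Do the same when those routines are found in the static library.
+
+CFLAGS-.o += $(if $(filter $(@F),$(patsubst %,%.o,$(elide-routines.os))),-fno-stack-protector)
+CFLAGS-.op += $(if $(filter $(@F),$(patsubst %,%.op,$(elide-routines.os))),-fno-stack-protector)
+CFLAGS-.og += $(if $(filter $(@F),$(patsubst %,%.og,$(elide-routines.os))),-fno-stack-protector)
+endif
+
 ifeq ($(unwind-find-fde),yes)
 routines += unwind-dw2-fde-glibc
 shared-only-routines += unwind-dw2-fde-glibc
@@ -396,6 +406,9 @@
 CFLAGS-cache.c = $(SYSCONF-FLAGS)
 
 CPPFLAGS-.os += $(if $(filter $(@F),$(patsubst %,%.os,$(all-rtld-routines))),-DNOT_IN_libc=1 -DIS_IN_rtld=1)
+ifeq ($(have-ssp),yes)
+CFLAGS-.os += $(if $(filter $(@F),$(patsubst %,%.os,$(all-rtld-routines))),-fno-stack-protector)
+endif
 
 test-modules = $(addprefix $(objpfx),$(addsuffix .so,$(strip $(modules-names))))
 generated += $(addsuffix .so,$(strip $(modules-names)))
@@ -617,6 +630,12 @@
 		  $< -Wl,-F,$(objpfx)filtmod2.so
 $(objpfx)filter: $(objpfx)filtmod1.so
 
+ifeq ($(have-ssp),yes)
+# These do not link against libc.
+CFLAGS-filtmod1.c = -fno-stack-protector
+CFLAGS-filtmod2.c = -fno-stack-protector
+endif
+
 $(objpfx)unload: $(libdl)
 $(objpfx)unload.out: $(objpfx)unloadmod.so
 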
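Review bot: `CFLAGS-filtmod1.c = -fno-stack-protector` and `CFLAGS-filtmod2.c = -fno-stack-protector` use plain `=`, which replaces any per-file flags set earlier and is itself lost if a later assignment to the same variable appears; the same pattern recurs in misc/Makefile (`CFLAGS-sbrk.c`, `CFLAGS-brk.c`), string/Makefile (`CFLAGS-memcpy.c`) and libio/Makefile. nptl/Makefile and stdlib/Makefile in this patch already use `+=`, which is the safer form for an exemption that must survive: `CFLAGS-filtmod1.c += -fno-stack-protector`. Separately, the first hunk covers the `.o`, `.op` and `.og` suffixes only; if other static object flavours are built in this tree, the elided routines would keep the protector there.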
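--- a/libc-patched.orig/nptl/Makefile
+++ b/libc-patched.orig/nptl/Makefile
@@ -292,6 +292,11 @@
 endif
 endif
 
+ifeq ($(have-ssp),yes)
+# Parts of init.c are called before the stack guard is initialized.
+CFLAGS-init.c += -fno-stack-protector
+endif
+
 modules-names = tst-atfork2mod tst-tls3mod tst-tls4moda tst-tls4modb \
 		tst-tls5mod tst-tls5moda tst-tls5modb tst-tls5modc \
 		tst-tls5modd tst-tls5mode tst-tls5modf \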
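--- a/libc-patched.orig/libio/Makefile
+++ b/libc-patched.orig/libio/Makefile
@@ -140,6 +140,12 @@
 CFLAGS-oldtmpfile.c = $(exceptions)
 # XXX Do we need filedoalloc and wfiledoalloc?  Others?
 
+ifeq ($(have-ssp),yes)
+# libc_fatal() is called in extremis, and before static initialization
+# is complete: don't stack-protect it.
+CFLAGS-libc_fatal.o = -fno-stack-protector
+endif
+
 CFLAGS-tst_putwc.c = -DOBJPFX=\"$(objpfx)\"
 
 tst_wprintf2-ARGS = "Some Text"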
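Review bot: `CFLAGS-libc_fatal.o` is keyed on an object name, whereas every other per-file exemption in this patch is keyed on the source file (`CFLAGS-sbrk.c`, `CFLAGS-memcpy.c`, `CFLAGS-init.c`). If the build rules honour per-object variables, this limits the exemption to the plain `.o` flavour and leaves the other object flavours of libc_fatal protected; if they do not, the line has no effect. Given the comment says the function is called in extremis, `CFLAGS-libc_fatal.c += -fno-stack-protector` looks like what is intended; confirm against the compile rules.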
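--- a/libc-patched.orig/misc/Makefile
+++ b/libc-patched.orig/misc/Makefile
@@ -101,6 +101,12 @@
 CFLAGS-tst-tsearch.c = $(stack-align-test-flags)
 CFLAGS-mntent_r.c = -D_IO_MTSAFE_IO
 
+ifeq ($(have-ssp),yes)
+# Called during static library initialization.
+CFLAGS-sbrk.c = -fno-stack-protector
+CFLAGS-brk.c = -fno-stack-protector
+endif
+
 include ../Rules
 
 $(objpfx)libbsd-compat.a: $(dep-dummy-lib); $(make-dummy-lib)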
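--- a/libc-patched.orig/string/Makefile
+++ b/libc-patched.orig/string/Makefile
@@ -74,6 +74,11 @@
 CFLAGS-test-ffs.c = -fno-builtin
 CFLAGS-tst-inlcall.c = -fno-builtin
 
+ifeq ($(have-ssp),yes)
+# This is used in early initialization.
+CFLAGS-memcpy.c = -fno-stack-protector
+endif
+
 ifeq ($(cross-compiling),no)
 tests: $(objpfx)tst-svc.out
 $(objpfx)tst-svc.out: tst-svc.input $(objpfx)tst-svc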
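--- a/libc-patched.orig/stdlib/Makefile
+++ b/libc-patched.orig/stdlib/Makefile
@@ -142,4 +142,8 @@
 
 $(objpfx)tst-putenvmod.so: $(objpfx)tst-putenvmod.os
 	$(build-module)
+# This is not only not in libc, it's not even linked with it.
 CFLAGS-tst-putenvmod.c = -DNOT_IN_libc=1
+ifeq ($(have-ssp),yes)
+CFLAGS-tst-putenvmod.c += -fno-stack-protector
+endif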
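--- a/libc-patched.orig/Makeconfig
+++ b/libc-patched.orig/Makeconfig
@@ -584,6 +584,13 @@
 # actually different, so allow the compiler to merge them all.
 +merge-constants = -fmerge-all-constants
 
+# We might want to compile with some stack-protection flag.
+ifeq ($(stack-protect),yes)
++stack-protector=-fstack-protector
+else ifeq ($(stack-protect),all)
++stack-protector=-fstack-protector-all
+endif
+
 # This is the program that generates makefile dependencies from C source files.
 # The -MP flag tells GCC >= 3.2 (which we now require) to produce dummy
 # targets for headers so that removed headers don't break the build.
@@ -643,7 +650,7 @@
 +cflags	:= $(default_cflags)
 endif	# $(+cflags) == ""
 
-+cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants)
++cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+stack-protector)
 +gcc-nowarn := -w
 
 # Don't duplicate options if we inherited variables from the parent.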
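Review bot: `else ifeq ($(stack-protect),all)` on one line is only accepted by GNU make 3.81 and later; an older make rejects the extra text after `else`. If this tree still has to build with an earlier make, close the first conditional and open a second one instead, replacing that line with `endif` followed by `ifeq ($(stack-protect),all)`. It would also help to add a comment next to the `+cflags +=` line saying that the per-file `-fno-stack-protector` exemptions presumably rely on being expanded after `$(+cflags)` on the compiler command line.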
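--- a/libc-patched.orig/config.make.in
+++ b/libc-patched.orig/config.make.in
@@ -56,6 +56,7 @@
 have-fpie = @libc_cv_fpie@
 gnu89-inline-CFLAGS = @libc_cv_gnu89_inline@
 have-ssp = @libc_cv_ssp@
+stack-protect = @stack_protect@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
 have-libcap = @have_libcap@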
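--- a/libc-patched.orig/nscd/Makefile
+++ b/libc-patched.orig/nscd/Makefile
@@ -93,7 +93,11 @@
 nscd-cflags += $(pie-ccflag)
 endif
 ifeq (yes,$(have-ssp))
+ifneq (all,$(stack-protect))
 nscd-cflags += -fstack-protector
+else
+nscd-cflags += -fstack-protector-all
+endif
 endif
 
 CFLAGS-nscd.c += $(nscd-cflags)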
