View | Details | Raw Unified | Return to bug 7065 | Differences between
and this patch

Collapse All | Expand All

(-)libc-patched.orig/debug/Makefile (+1 lines)
Lines 59-64 Link Here
59
static-only-routines := warning-nop stack_chk_fail_local
59
static-only-routines := warning-nop stack_chk_fail_local
60
60
61
CFLAGS-backtrace.c = -fno-omit-frame-pointer
61
CFLAGS-backtrace.c = -fno-omit-frame-pointer
62
CFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE
62
CFLAGS-sprintf_chk.c = -D_IO_MTSAFE_IO
63
CFLAGS-sprintf_chk.c = -D_IO_MTSAFE_IO
63
CFLAGS-snprintf_chk.c = -D_IO_MTSAFE_IO
64
CFLAGS-snprintf_chk.c = -D_IO_MTSAFE_IO
64
CFLAGS-vsprintf_chk.c = -D_IO_MTSAFE_IO
65
CFLAGS-vsprintf_chk.c = -D_IO_MTSAFE_IO
(-)libc-patched.orig/debug/stack_chk_fail.c (-7 / +289 lines)
Lines 1-4 Link Here
1
/* Copyright (C) 2005, 2007 Free Software Foundation, Inc.
1
/* Copyright (C) 2005 Free Software Foundation, Inc.
2
   This file is part of the GNU C Library.
2
   This file is part of the GNU C Library.
3
3
4
   The GNU C Library is free software; you can redistribute it and/or
4
   The GNU C Library is free software; you can redistribute it and/or
Lines 16-30 Link Here
16
   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
16
   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
17
   02111-1307 USA.  */
17
   02111-1307 USA.  */
18
18
19
#include <stdio.h>
19
/* Copyright (C) 2006-2007 Gentoo Foundation Inc.
20
 * License terms as above.
21
 *
22
 * Hardened Gentoo SSP handler
23
 *
24
 * An SSP failure handler that does not use functions from the rest of
25
 * glibc; it uses the INTERNAL_SYSCALL methods directly.  This ensures
26
 * no possibility of recursion into the handler.
27
 *
28
 * Direct all bug reports to http://bugs.gentoo.org/
29
 *
30
 * Re-written from the glibc-2.3 Hardened Gentoo SSP handler
31
 * by Kevin F. Quinn - <kevquinn[@]gentoo.org>
32
 *
33
 * The following people contributed to the glibc-2.3 Hardened
34
 * Gentoo SSP handler, from which this implementation draws much:
35
 *
36
 * Ned Ludd - <solar[@]gentoo.org>
37
 * Alexander Gabert - <pappy[@]gentoo.org>
38
 * The PaX Team - <pageexec[@]freemail.hu>
39
 * Peter S. Mazinger - <ps.m[@]gmx.net>
40
 * Yoann Vandoorselaere - <yoann[@]prelude-ids.org>
41
 * Robert Connolly - <robert[@]linuxfromscratch.org>
42
 * Cory Visi <cory[@]visi.name>
43
 * Mike Frysinger <vapier[@]gentoo.org>
44
 */
45
46
#include <errno.h>
20
#include <stdlib.h>
47
#include <stdlib.h>
48
#include <unistd.h>
49
#include <signal.h>
50
51
#include <sys/types.h>
52
53
#include <sysdep-cancel.h>
54
#include <sys/syscall.h>
55
#include <bp-checks.h>
56
57
#include <kernel-features.h>
58
59
#include <alloca.h>
60
/* from sysdeps */
61
#include <socketcall.h>
62
/* for the stuff in bits/socket.h */
63
#include <sys/socket.h>
64
#include <sys/un.h>
65
66
67
/* Sanity check on SYSCALL macro names - force compilation
68
 * failure if the names used here do not exist
69
 */
70
#if !defined __NR_socketcall && !defined __NR_socket
71
# error Cannot do syscall socket or socketcall
72
#endif
73
#if !defined __NR_socketcall && !defined __NR_connect
74
# error Cannot do syscall connect or socketcall
75
#endif
76
#ifndef __NR_write
77
# error Cannot do syscall write
78
#endif
79
#ifndef __NR_close
80
# error Cannot do syscall close
81
#endif
82
#ifndef __NR_getpid
83
# error Cannot do syscall getpid
84
#endif
85
#ifndef __NR_kill
86
# error Cannot do syscall kill
87
#endif
88
#ifndef __NR_exit
89
# error Cannot do syscall exit
90
#endif
91
#ifdef SSP_SMASH_DUMPS_CORE
92
# define ENABLE_SSP_SMASH_DUMPS_CORE 1
93
# if !defined _KERNEL_NSIG && !defined _NSIG
94
#  error No _NSIG or _KERNEL_NSIG for rt_sigaction
95
# endif
96
# if !defined __NR_sigaction && !defined __NR_rt_sigaction
97
#  error Cannot do syscall sigaction or rt_sigaction
98
# endif
99
/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size
100
 * of the _kernel_ sigset_t which is not the same as the user sigset_t.
101
 * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for
102
 * some reason.
103
 */
104
# ifdef _KERNEL_NSIG
105
#  define _SSP_NSIG _KERNEL_NSIG
106
# else
107
#  define _SSP_NSIG _NSIG
108
# endif
109
#else
110
# define _SSP_NSIG 0
111
# define ENABLE_SSP_SMASH_DUMPS_CORE 0
112
#endif
113
114
/* Define DO_SIGACTION - default to newer rt signal interface but
115
 * fallback to old as needed.
116
 */
117
#ifdef __NR_rt_sigaction
118
# define DO_SIGACTION(signum, act, oldact) \
119
	INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8)
120
#else
121
# define DO_SIGACTION(signum, act, oldact) \
122
	INLINE_SYSCALL(sigaction, 3, signum, act, oldact)
123
#endif
124
125
/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */
126
#if defined(__NR_socket) && defined(__NR_connect)
127
# define USE_OLD_SOCKETCALL 0
128
#else
129
# define USE_OLD_SOCKETCALL 1
130
#endif
131
/* stub out the __NR_'s so we can let gcc optimize away dead code */
132
#ifndef __NR_socketcall
133
# define __NR_socketcall 0
134
#endif
135
#ifndef __NR_socket
136
# define __NR_socket 0
137
#endif
138
#ifndef __NR_connect
139
# define __NR_connect 0
140
#endif
141
#define DO_SOCKET(result, domain, type, protocol) \
142
	do { \
143
		if (USE_OLD_SOCKETCALL) { \
144
			socketargs[0] = domain; \
145
			socketargs[1] = type; \
146
			socketargs[2] = protocol; \
147
			socketargs[3] = 0; \
148
			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \
149
		} else \
150
			result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \
151
	} while (0)
152
#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \
153
	do { \
154
		if (USE_OLD_SOCKETCALL) { \
155
			socketargs[0] = sockfd; \
156
			socketargs[1] = (unsigned long int)serv_addr; \
157
			socketargs[2] = addrlen; \
158
			socketargs[3] = 0; \
159
			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \
160
		} else \
161
			result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \
162
	} while (0)
163
164
#ifndef _PATH_LOG
165
# define _PATH_LOG "/dev/log"
166
#endif
167
168
static const char path_log[] = _PATH_LOG;
169
170
/* For building glibc with SSP switched on, define __progname to a
171
 * constant if building for the run-time loader, to avoid pulling
172
 * in more of libc.so into ld.so
173
 */
174
#ifdef IS_IN_rtld
175
static char *__progname = "<rtld>";
176
#else
177
extern char *__progname;
178
#endif
179
21
180
181
/* Common handler code, used by stack_chk_fail and __stack_smash_handler
182
 * Inlined to ensure no self-references to the handler within itself.
183
 * Data static to avoid putting more than necessary on the stack,
184
 * to aid core debugging.
185
 * The copy in rtld must be hidden to ensure that it gets no relocations
186
 * and thus does not crash if called during libc startup.
187
 */
188
__attribute__ ((__noreturn__ , __always_inline__))
189
#ifdef IS_IN_rtld
190
attribute_hidden
191
#endif
192
static inline void
193
__hardened_gentoo_stack_chk_fail(char func[], int damaged)
194
{
195
#define MESSAGE_BUFSIZ 256
196
	static pid_t pid;
197
	static int plen, i;
198
	static char message[MESSAGE_BUFSIZ];
199
	static const char msg_ssa[] = ": stack smashing attack";
200
	static const char msg_inf[] = " in function ";
201
	static const char msg_ssd[] = "*** stack smashing detected ***: ";
202
	static const char msg_terminated[] = " - terminated\n";
203
	static const char msg_unknown[] = "<unknown>";
204
	static int log_socket, connect_result;
205
	static struct sockaddr_un sock;
206
	static unsigned long int socketargs[4];
207
208
	/* Build socket address
209
	 */
210
	sock.sun_family = AF_UNIX;
211
	i = 0;
212
	while ((path_log[i] != '\0') && (i<(sizeof(sock.sun_path)-1))) {
213
		sock.sun_path[i] = path_log[i];
214
		i++;
215
	}
216
	sock.sun_path[i] = '\0';
217
218
	/* Try SOCK_DGRAM connection to syslog */
219
	connect_result = -1;
220
	DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0);
221
	if (log_socket != -1)
222
		DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
223
	if (connect_result == -1) {
224
		if (log_socket != -1)
225
			INLINE_SYSCALL(close, 1, log_socket);
226
		/* Try SOCK_STREAM connection to syslog */
227
		DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0);
228
		if (log_socket != -1)
229
			DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
230
	}
231
232
	/* Build message.  Messages are generated both in the old style and new style,
233
	 * so that log watchers that are configured for the old-style message continue
234
	 * to work.
235
	 */
236
#define strconcat(str) \
237
		{i=0; while ((str[i] != '\0') && ((i+plen)<(MESSAGE_BUFSIZ-1))) \
238
		{\
239
			message[plen+i]=str[i];\
240
			i++;\
241
		}\
242
		plen+=i;}
243
244
	/* R.Henderson post-gcc-4 style message */
245
	plen = 0;
246
	strconcat(msg_ssd);
247
	if (__progname != (char *)0)
248
		strconcat(__progname)
249
	else
250
		strconcat(msg_unknown);
251
	strconcat(msg_terminated);
252
253
	/* Write out error message to STDERR, to syslog if open */
254
	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
255
	if (connect_result != -1)
256
		INLINE_SYSCALL(write, 3, log_socket, message, plen);
257
258
	/* Dr. Etoh pre-gcc-4 style message */
259
	plen = 0;
260
	if (__progname != (char *)0)
261
		strconcat(__progname)
262
	else
263
		strconcat(msg_unknown);
264
	strconcat(msg_ssa);
265
	strconcat(msg_inf);
266
	if (func != NULL)
267
		strconcat(func)
268
	else
269
		strconcat(msg_unknown);
270
	strconcat(msg_terminated);
271
	/* Write out error message to STDERR, to syslog if open */
272
	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
273
	if (connect_result != -1)
274
		INLINE_SYSCALL(write, 3, log_socket, message, plen);
22
275
23
extern char **__libc_argv attribute_hidden;
276
	/* Write out error message to STDERR, to syslog if open */
277
	INLINE_SYSCALL(write, 3, STDERR_FILENO, message, plen);
278
	if (connect_result != -1)
279
		INLINE_SYSCALL(write, 3, log_socket, message, plen);
280
281
	if (log_socket != -1)
282
		INLINE_SYSCALL(close, 1, log_socket);
283
284
	/* Suicide */
285
	pid = INLINE_SYSCALL(getpid, 0);
286
287
	if (ENABLE_SSP_SMASH_DUMPS_CORE) {
288
		static struct sigaction default_abort_act;
289
		/* Remove any user-supplied handler for SIGABRT, before using it */
290
		default_abort_act.sa_handler = SIG_DFL;
291
		default_abort_act.sa_sigaction = NULL;
292
		__sigfillset(&default_abort_act.sa_mask);
293
		default_abort_act.sa_flags = 0;
294
		if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0)
295
			INLINE_SYSCALL(kill, 2, pid, SIGABRT);
296
	}
297
298
	/* Note; actions cannot be added to SIGKILL */
299
	INLINE_SYSCALL(kill, 2, pid, SIGKILL);
300
301
	/* In case the kill didn't work, exit anyway
302
	 * The loop prevents gcc thinking this routine returns
303
	 */
304
	while (1)
305
		INLINE_SYSCALL(exit, 0);
306
}
24
307
25
void
308
__attribute__ ((__noreturn__))
26
__attribute__ ((noreturn))
309
void __stack_chk_fail(void)
27
__stack_chk_fail (void)
28
{
310
{
29
  __fortify_fail ("stack smashing detected");
311
	__hardened_gentoo_stack_chk_fail(NULL, 0);
30
}
312
}
(-)libc-patched.orig/configure.in (-25 / +49 lines)
Lines 221-226 Link Here
221
	      [bindnow=no])
221
	      [bindnow=no])
222
AC_SUBST(bindnow)
222
AC_SUBST(bindnow)
223
223
224
dnl Build glibc with -fstack-protector, or with -fstack-protector-all.
225
AC_ARG_WITH([stack-protector],
226
            AC_HELP_STRING([--with-stack-protector=@<:@yes|no|all@:>@],
227
                           [Detect stack overflows in glibc functions with large string buffers, or in all glibc functions]),
228
            [with_stack_protector=$withval],
229
            [with_stack_protector=no])
230
case x"$with_stack_protector" in
231
    xall|xyes|xno) ;;
232
    *) AC_MSG_ERROR([Not a valid argument for --with-stack-protector]);;
233
esac
234
stack_protect="$with_stack_protector"
235
AC_SUBST(stack_protect)
236
224
dnl On some platforms we cannot use dynamic loading.  We must provide
237
dnl On some platforms we cannot use dynamic loading.  We must provide
225
dnl static NSS modules.
238
dnl static NSS modules.
226
AC_ARG_ENABLE([static-nss],
239
AC_ARG_ENABLE([static-nss],
Lines 1259-1264 Link Here
1259
override stddef.h = # The installed <stddef.h> seems to be libc-friendly."
1272
override stddef.h = # The installed <stddef.h> seems to be libc-friendly."
1260
fi
1273
fi
1261
1274
1275
AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
1276
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -Werror -fstack-protector
1277
			    -o /dev/null -c -x c /dev/null 1>&AS_MESSAGE_LOG_FD])
1278
then
1279
  libc_cv_ssp=yes
1280
1281
  dnl While most tests can be conducted with stack protection on, a few are
1282
  dnl incompatible with it.
1283
  no_ssp=-fno-stack-protector
1284
  libssp="-lssp_nonshared -lssp"
1285
else
1286
  libc_cv_ssp=no
1287
  no_ssp=
1288
  libssp=
1289
1290
  if test x"$with_stack_protector" != xno; then
1291
    AC_MSG_ERROR([--with-stack-protector=$with_stack_protector specified, but stack protection is not supported by the compiler.])
1292
  fi
1293
fi])
1294
AC_SUBST(libc_cv_ssp)
1295
1262
AC_CACHE_CHECK(whether we need to use -P to assemble .S files,
1296
AC_CACHE_CHECK(whether we need to use -P to assemble .S files,
1263
	       libc_cv_need_minus_P, [dnl
1297
	       libc_cv_need_minus_P, [dnl
1264
cat > conftest.S <<EOF
1298
cat > conftest.S <<EOF
Lines 1290-1297 Link Here
1290
void _start() { glibc_conftest_frobozz = 1; }
1324
void _start() { glibc_conftest_frobozz = 1; }
1291
EOF
1325
EOF
1292
if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
1326
if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS \
1293
	    -nostartfiles -nostdlib \
1327
	    -nostartfiles -nostdlib -fno-stack-protector \
1294
	    -o conftest conftest.s conftest1.c 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
1328
	    -o conftest conftest.s conftest1.c $libssp 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
1295
  libc_cv_asm_set_directive=yes
1329
  libc_cv_asm_set_directive=yes
1296
else
1330
else
1297
  libc_cv_asm_set_directive=no
1331
  libc_cv_asm_set_directive=no
Lines 1348-1354 Link Here
1348
EOF
1382
EOF
1349
  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
1383
  if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
1350
    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
1384
    if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
1351
				-o conftest.so conftest.o
1385
				-o conftest.so conftest.o $libssp
1352
				-nostartfiles -nostdlib
1386
				-nostartfiles -nostdlib
1353
				-Wl,--version-script,conftest.map
1387
				-Wl,--version-script,conftest.map
1354
		       1>&AS_MESSAGE_LOG_FD]);
1388
		       1>&AS_MESSAGE_LOG_FD]);
Lines 1521-1527 Link Here
1521
int foo (void) { return 1; }
1555
int foo (void) { return 1; }
1522
int (*fp) (void) __attribute__ ((section (".init_array"))) = foo;
1556
int (*fp) (void) __attribute__ ((section (".init_array"))) = foo;
1523
EOF
1557
EOF
1524
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -o conftest conftest.c
1558
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -o conftest conftest.c
1525
		     -static -nostartfiles -nostdlib 1>&AS_MESSAGE_LOG_FD])
1559
		     -static -nostartfiles -nostdlib 1>&AS_MESSAGE_LOG_FD])
1526
  then
1560
  then
1527
    if readelf -S conftest | fgrep INIT_ARRAY > /dev/null; then
1561
    if readelf -S conftest | fgrep INIT_ARRAY > /dev/null; then
Lines 1563-1569 Link Here
1563
EOF
1597
EOF
1564
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1598
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1565
		     -fPIC -shared -o conftest.so conftest.c
1599
		     -fPIC -shared -o conftest.so conftest.c
1566
		     -nostartfiles -nostdlib
1600
		     -nostartfiles -nostdlib $libssp
1567
		     -Wl,--enable-new-dtags,-z,nodelete 1>&AS_MESSAGE_LOG_FD])
1601
		     -Wl,--enable-new-dtags,-z,nodelete 1>&AS_MESSAGE_LOG_FD])
1568
  then
1602
  then
1569
    libc_cv_z_nodelete=yes
1603
    libc_cv_z_nodelete=yes
Lines 1579-1585 Link Here
1579
EOF
1613
EOF
1580
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1614
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1581
			-fPIC -shared -o conftest.so conftest.c
1615
			-fPIC -shared -o conftest.so conftest.c
1582
			-nostartfiles -nostdlib
1616
			-nostartfiles -nostdlib $libssp
1583
			-Wl,--enable-new-dtags,-z,nodlopen 1>&AS_MESSAGE_LOG_FD])
1617
			-Wl,--enable-new-dtags,-z,nodlopen 1>&AS_MESSAGE_LOG_FD])
1584
  then
1618
  then
1585
    libc_cv_z_nodlopen=yes
1619
    libc_cv_z_nodlopen=yes
Lines 1595-1601 Link Here
1595
EOF
1629
EOF
1596
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1630
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1597
			-fPIC -shared -o conftest.so conftest.c
1631
			-fPIC -shared -o conftest.so conftest.c
1598
			-nostartfiles -nostdlib
1632
			-nostartfiles -nostdlib $libssp
1599
			-Wl,--enable-new-dtags,-z,initfirst 1>&AS_MESSAGE_LOG_FD])
1633
			-Wl,--enable-new-dtags,-z,initfirst 1>&AS_MESSAGE_LOG_FD])
1600
  then
1634
  then
1601
    libc_cv_z_initfirst=yes
1635
    libc_cv_z_initfirst=yes
Lines 1630-1636 Link Here
1630
  cat > conftest.c <<EOF
1664
  cat > conftest.c <<EOF
1631
int _start (void) { return 42; }
1665
int _start (void) { return 42; }
1632
EOF
1666
EOF
1633
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1667
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
1634
			      -fPIC -shared -o conftest.so conftest.c
1668
			      -fPIC -shared -o conftest.so conftest.c
1635
			      -Wl,-Bgroup -nostdlib 1>&AS_MESSAGE_LOG_FD])
1669
			      -Wl,-Bgroup -nostdlib 1>&AS_MESSAGE_LOG_FD])
1636
  then
1670
  then
Lines 1663-1669 Link Here
1663
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1697
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1664
			      -fPIC -shared -o conftest.so conftest.c
1698
			      -fPIC -shared -o conftest.so conftest.c
1665
			      -lgcc_s$libc_cv_libgcc_s_suffix -Wl,--as-needed
1699
			      -lgcc_s$libc_cv_libgcc_s_suffix -Wl,--as-needed
1666
			      -nostdlib 1>&AS_MESSAGE_LOG_FD])
1700
			      -nostdlib $libssp 1>&AS_MESSAGE_LOG_FD])
1667
  then
1701
  then
1668
    libc_cv_as_needed=yes
1702
    libc_cv_as_needed=yes
1669
  else
1703
  else
Lines 1703-1709 Link Here
1703
EOF
1737
EOF
1704
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1738
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1705
			-fPIC -shared -o conftest.so conftest.c
1739
			-fPIC -shared -o conftest.so conftest.c
1706
			-nostdlib -nostartfiles
1740
			-nostdlib -nostartfiles $libssp
1707
			-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
1741
			-Wl,-z,combreloc 1>&AS_MESSAGE_LOG_FD])
1708
  then
1742
  then
1709
dnl The following test is a bit weak.  We must use a tool which can test
1743
dnl The following test is a bit weak.  We must use a tool which can test
Lines 1732-1738 Link Here
1732
EOF
1766
EOF
1733
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1767
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1734
			      -fPIC -shared -o conftest.so conftest.c
1768
			      -fPIC -shared -o conftest.so conftest.c
1735
			      -Wl,-z,execstack -nostdlib
1769
			      -Wl,-z,execstack -nostdlib $libssp
1736
			      1>&AS_MESSAGE_LOG_FD])
1770
			      1>&AS_MESSAGE_LOG_FD])
1737
  then
1771
  then
1738
    libc_cv_z_execstack=yes
1772
    libc_cv_z_execstack=yes
Lines 1756-1762 Link Here
1756
EOF
1790
EOF
1757
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1791
  if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1758
			      -fPIC -shared -o conftest.so conftest.c
1792
			      -fPIC -shared -o conftest.so conftest.c
1759
			      -Wl,--hash-style=both -nostdlib 1>&AS_MESSAGE_LOG_FD])
1793
			      -Wl,--hash-style=both -nostdlib $libssp 1>&AS_MESSAGE_LOG_FD])
1760
  then
1794
  then
1761
    libc_cv_hashstyle=yes
1795
    libc_cv_hashstyle=yes
1762
  else
1796
  else
Lines 1785-1800 Link Here
1785
fi
1819
fi
1786
AC_SUBST(fno_unit_at_a_time)
1820
AC_SUBST(fno_unit_at_a_time)
1787
1821
1788
AC_CACHE_CHECK(for -fstack-protector, libc_cv_ssp, [dnl
1789
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector
1790
			    -o /dev/null -c -x c /dev/null 1>&AS_MESSAGE_LOG_FD])
1791
then
1792
  libc_cv_ssp=yes
1793
else
1794
  libc_cv_ssp=no
1795
fi])
1796
AC_SUBST(libc_cv_ssp)
1797
1798
AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl
1822
AC_CACHE_CHECK(for -fgnu89-inline, libc_cv_gnu89_inline, [dnl
1799
cat > conftest.c <<EOF
1823
cat > conftest.c <<EOF
1800
int foo;
1824
int foo;
Lines 1980-1986 Link Here
1980
dnl No \ in command here because it ends up inside ''.
2004
dnl No \ in command here because it ends up inside ''.
1981
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
2005
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
1982
			    -nostdlib -nostartfiles -Wl,--no-whole-archive
2006
			    -nostdlib -nostartfiles -Wl,--no-whole-archive
1983
			    -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD]); then
2007
			    -o conftest conftest.c $libssp 1>&AS_MESSAGE_LOG_FD]); then
1984
  libc_cv_ld_no_whole_archive=yes
2008
  libc_cv_ld_no_whole_archive=yes
1985
else
2009
else
1986
  libc_cv_ld_no_whole_archive=no
2010
  libc_cv_ld_no_whole_archive=no
Lines 2000-2006 Link Here
2000
dnl No \ in command here because it ends up inside ''.
2024
dnl No \ in command here because it ends up inside ''.
2001
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
2025
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS
2002
			    -nostdlib -nostartfiles -fexceptions
2026
			    -nostdlib -nostartfiles -fexceptions
2003
			    -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD]); then
2027
			    -o conftest conftest.c $libssp 1>&AS_MESSAGE_LOG_FD]); then
2004
  libc_cv_gcc_exceptions=yes
2028
  libc_cv_gcc_exceptions=yes
2005
else
2029
else
2006
  libc_cv_gcc_exceptions=no
2030
  libc_cv_gcc_exceptions=no
Lines 2035-2041 Link Here
2035
EOF
2059
EOF
2036
dnl No \ in command here because it ends up inside ''.
2060
dnl No \ in command here because it ends up inside ''.
2037
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -nostdlib -nostartfiles
2061
if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -nostdlib -nostartfiles
2038
			    -o conftest conftest.c -lgcc >&AS_MESSAGE_LOG_FD]); then
2062
			    -o conftest conftest.c -lgcc $libssp >&AS_MESSAGE_LOG_FD]); then
2039
  libc_cv_gcc_builtin_expect=yes
2063
  libc_cv_gcc_builtin_expect=yes
2040
else
2064
else
2041
  libc_cv_gcc_builtin_expect=no
2065
  libc_cv_gcc_builtin_expect=no
(-)libc-patched.orig/csu/Makefile (+7 lines)
Lines 53-58 Link Here
53
53
54
include ../Makeconfig
54
include ../Makeconfig
55
55
56
ifeq ($(have-ssp),yes)
57
CFLAGS-.o += -fno-stack-protector
58
CFLAGS-.og += -fno-stack-protector
59
CFLAGS-.op += -fno-stack-protector
60
CFLAGS-.os += -fno-stack-protector
61
endif
62
56
ifeq (yes,$(build-shared))
63
ifeq (yes,$(build-shared))
57
extra-objs += S$(start-installed-name)
64
extra-objs += S$(start-installed-name)
58
install-lib += S$(start-installed-name)
65
install-lib += S$(start-installed-name)
(-)libc-patched.orig/Makerules (-1 / +1 lines)
Lines 252-258 Link Here
252
	     while [ $$# -ge 2 ]; do					      \
252
	     while [ $$# -ge 2 ]; do					      \
253
	       t=$$1; shift; 						      \
253
	       t=$$1; shift; 						      \
254
	       d=$$1; shift;						      \
254
	       d=$$1; shift;						      \
255
	       v=$${t%%%}; [ x"$$v" = x ] || v="\$$($${v}CPPFLAGS)";	      \
255
	       v=$${t%%%}; [ x"$$v" = x ] || v="\$$($${v}CPPFLAGS) \$$($${v}CFLAGS)";	      \
256
	       for s in $$asm .c; do					      \
256
	       for s in $$asm .c; do					      \
257
		 echo "\$$(objpfx)$$t$$o: $$dir/$$d$$s \$$(before-compile)";  \
257
		 echo "\$$(objpfx)$$t$$o: $$dir/$$d$$s \$$(before-compile)";  \
258
		 echo "	\$$(compile-command$$s) $$v";			      \
258
		 echo "	\$$(compile-command$$s) $$v";			      \
(-)libc-patched.orig/elf/rtld-Rules (-1 / +5 lines)
Lines 104-110 Link Here
104
$(objpfx)rtld-%.os: %.s $(before-compile)
104
$(objpfx)rtld-%.os: %.s $(before-compile)
105
	$(compile-command.s) $(rtld-CPPFLAGS)
105
	$(compile-command.s) $(rtld-CPPFLAGS)
106
$(objpfx)rtld-%.os: %.c $(before-compile)
106
$(objpfx)rtld-%.os: %.c $(before-compile)
107
	$(compile-command.c) $(rtld-CPPFLAGS)
107
	$(compile-command.c) $(rtld-CPPFLAGS) $(rtld-CFLAGS)
108
108
109
# The rules for generated source files.
109
# The rules for generated source files.
110
$(objpfx)rtld-%.os: $(objpfx)rtld-%.S $(before-compile); $(compile-command.S)
110
$(objpfx)rtld-%.os: $(objpfx)rtld-%.S $(before-compile); $(compile-command.S)
Lines 133-136 Link Here
133
# This here is the whole point of all the shenanigans.
133
# This here is the whole point of all the shenanigans.
134
rtld-CPPFLAGS := -DNOT_IN_libc=1 -DIS_IN_rtld=1
134
rtld-CPPFLAGS := -DNOT_IN_libc=1 -DIS_IN_rtld=1
135
135
136
ifeq ($(have-ssp),yes)
137
rtld-CFLAGS := -fno-stack-protector
138
endif
139
136
endif
140
endif
(-)libc-patched.orig/elf/Makefile (+19 lines)
Lines 129-134 Link Here
129
129
130
include ../Makeconfig
130
include ../Makeconfig
131
131
132
ifeq ($(have-ssp),yes)
133
# In the dynamic loader, some routines (which include routines called before
134
# the stack guard is initialized) are compiled without stack protection.
135
# Do the same when those routines are found in the static library.
136
137
CFLAGS-.o += $(if $(filter $(@F),$(patsubst %,%.o,$(elide-routines.os))),-fno-stack-protector)
138
CFLAGS-.op += $(if $(filter $(@F),$(patsubst %,%.op,$(elide-routines.os))),-fno-stack-protector)
139
CFLAGS-.og += $(if $(filter $(@F),$(patsubst %,%.og,$(elide-routines.os))),-fno-stack-protector)
140
endif
141
132
ifeq ($(unwind-find-fde),yes)
142
ifeq ($(unwind-find-fde),yes)
133
routines += unwind-dw2-fde-glibc
143
routines += unwind-dw2-fde-glibc
134
shared-only-routines += unwind-dw2-fde-glibc
144
shared-only-routines += unwind-dw2-fde-glibc
Lines 476-481 Link Here
476
CFLAGS-cache.c = $(SYSCONF-FLAGS)
486
CFLAGS-cache.c = $(SYSCONF-FLAGS)
477
487
478
CPPFLAGS-.os += $(if $(filter $(@F),$(patsubst %,%.os,$(all-rtld-routines))),-DNOT_IN_libc=1 -DIS_IN_rtld=1)
488
CPPFLAGS-.os += $(if $(filter $(@F),$(patsubst %,%.os,$(all-rtld-routines))),-DNOT_IN_libc=1 -DIS_IN_rtld=1)
489
ifeq ($(have-ssp),yes)
490
CFLAGS-.os += $(if $(filter $(@F),$(patsubst %,%.os,$(all-rtld-routines))),-fno-stack-protector)
491
endif
479
492
480
test-modules = $(addprefix $(objpfx),$(addsuffix .so,$(strip $(modules-names))))
493
test-modules = $(addprefix $(objpfx),$(addsuffix .so,$(strip $(modules-names))))
481
generated += $(addsuffix .so,$(strip $(modules-names)))
494
generated += $(addsuffix .so,$(strip $(modules-names)))
Lines 708-713 Link Here
708
		  $< -Wl,-F,$(objpfx)filtmod2.so
721
		  $< -Wl,-F,$(objpfx)filtmod2.so
709
$(objpfx)filter: $(objpfx)filtmod1.so
722
$(objpfx)filter: $(objpfx)filtmod1.so
710
723
724
ifeq ($(have-ssp),yes)
725
# These do not link against libc.
726
CFLAGS-filtmod1.c = -fno-stack-protector
727
CFLAGS-filtmod2.c = -fno-stack-protector
728
endif
729
711
$(objpfx)unload: $(libdl)
730
$(objpfx)unload: $(libdl)
712
$(objpfx)unload.out: $(objpfx)unloadmod.so
731
$(objpfx)unload.out: $(objpfx)unloadmod.so
713
732
(-)libc-patched.orig/nptl/Makefile (+5 lines)
Lines 314-319 Link Here
314
endif
314
endif
315
endif
315
endif
316
316
317
ifeq ($(have-ssp),yes)
318
# Parts of nptl-init.c are called before the stack guard is initialized.
319
CFLAGS-nptl-init.c += -fno-stack-protector
320
endif
321
317
modules-names = tst-atfork2mod tst-tls3mod tst-tls4moda tst-tls4modb \
322
modules-names = tst-atfork2mod tst-tls3mod tst-tls4moda tst-tls4modb \
318
		tst-tls5mod tst-tls5moda tst-tls5modb tst-tls5modc \
323
		tst-tls5mod tst-tls5moda tst-tls5modb tst-tls5modc \
319
		tst-tls5modd tst-tls5mode tst-tls5modf \
324
		tst-tls5modd tst-tls5mode tst-tls5modf \
(-)libc-patched.orig/libio/Makefile (+6 lines)
Lines 162-167 Link Here
162
CFLAGS-oldtmpfile.c = $(exceptions)
162
CFLAGS-oldtmpfile.c = $(exceptions)
163
# XXX Do we need filedoalloc and wfiledoalloc?  Others?
163
# XXX Do we need filedoalloc and wfiledoalloc?  Others?
164
164
165
ifeq ($(have-ssp),yes)
166
# libc_fatal() is called in extremis, and before static initialization
167
# is complete: don't stack-protect it.
168
CFLAGS-libc_fatal.o = -fno-stack-protector
169
endif
170
165
CFLAGS-tst_putwc.c = -DOBJPFX=\"$(objpfx)\"
171
CFLAGS-tst_putwc.c = -DOBJPFX=\"$(objpfx)\"
166
172
167
tst_wprintf2-ARGS = "Some Text"
173
tst_wprintf2-ARGS = "Some Text"
(-)libc-patched.orig/misc/Makefile (+6 lines)
Lines 112-117 Link Here
112
CFLAGS-tst-tsearch.c = $(stack-align-test-flags)
112
CFLAGS-tst-tsearch.c = $(stack-align-test-flags)
113
CFLAGS-mntent_r.c = -D_IO_MTSAFE_IO
113
CFLAGS-mntent_r.c = -D_IO_MTSAFE_IO
114
114
115
ifeq ($(have-ssp),yes)
116
# Called during static library initialization.
117
CFLAGS-sbrk.c = -fno-stack-protector
118
CFLAGS-brk.c = -fno-stack-protector
119
endif
120
115
include ../Rules
121
include ../Rules
116
122
117
$(objpfx)libbsd-compat.a: $(dep-dummy-lib); $(make-dummy-lib)
123
$(objpfx)libbsd-compat.a: $(dep-dummy-lib); $(make-dummy-lib)
(-)libc-patched.orig/string/Makefile (+5 lines)
Lines 84-89 Link Here
84
CFLAGS-tst-inlcall.c = -fno-builtin
84
CFLAGS-tst-inlcall.c = -fno-builtin
85
CFLAGS-bug-strstr1.c = -fno-builtin
85
CFLAGS-bug-strstr1.c = -fno-builtin
86
86
87
ifeq ($(have-ssp),yes)
88
# This is used in early initialization.
89
CFLAGS-memcpy.c = -fno-stack-protector
90
endif
91
87
# eglibc: ifeq ($(cross-compiling),no)
92
# eglibc: ifeq ($(cross-compiling),no)
88
tests: $(objpfx)tst-svc.out
93
tests: $(objpfx)tst-svc.out
89
$(objpfx)tst-svc.out: tst-svc.input $(objpfx)tst-svc
94
$(objpfx)tst-svc.out: tst-svc.input $(objpfx)tst-svc
(-)libc-patched.orig/stdlib/Makefile (+4 lines)
Lines 158-161 Link Here
158
158
159
$(objpfx)tst-putenvmod.so: $(objpfx)tst-putenvmod.os
159
$(objpfx)tst-putenvmod.so: $(objpfx)tst-putenvmod.os
160
	$(build-module)
160
	$(build-module)
161
# This is not only not in libc, it's not even linked with it.
161
CFLAGS-tst-putenvmod.c = -DNOT_IN_libc=1
162
CFLAGS-tst-putenvmod.c = -DNOT_IN_libc=1
163
ifeq ($(have-ssp),yes)
164
CFLAGS-tst-putenvmod.c += -fno-stack-protector
165
endif
(-)libc-patched.orig/Makeconfig (-1 / +8 lines)
Lines 620-625 Link Here
620
# actually different, so allow the compiler to merge them all.
620
# actually different, so allow the compiler to merge them all.
621
+merge-constants = -fmerge-all-constants
621
+merge-constants = -fmerge-all-constants
622
622
623
# We might want to compile with some stack-protection flag.
624
ifeq ($(stack-protect),yes)
625
+stack-protector=-fstack-protector
626
else ifeq ($(stack-protect),all)
627
+stack-protector=-fstack-protector-all
628
endif
629
623
# This is the program that generates makefile dependencies from C source files.
630
# This is the program that generates makefile dependencies from C source files.
624
# The -MP flag tells GCC >= 3.2 (which we now require) to produce dummy
631
# The -MP flag tells GCC >= 3.2 (which we now require) to produce dummy
625
# targets for headers so that removed headers don't break the build.
632
# targets for headers so that removed headers don't break the build.
Lines 679-685 Link Here
679
+cflags	:= $(default_cflags)
686
+cflags	:= $(default_cflags)
680
endif	# $(+cflags) == ""
687
endif	# $(+cflags) == ""
681
688
682
+cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants)
689
+cflags += $(cflags-cpu) $(+gccwarn) $(+merge-constants) $(+stack-protector)
683
+gcc-nowarn := -w
690
+gcc-nowarn := -w
684
691
685
# Don't duplicate options if we inherited variables from the parent.
692
# Don't duplicate options if we inherited variables from the parent.
(-)libc-patched.orig/config.make.in (+1 lines)
Lines 61-66 Link Here
61
have-fpie = @libc_cv_fpie@
61
have-fpie = @libc_cv_fpie@
62
gnu89-inline-CFLAGS = @gnu89_inline@
62
gnu89-inline-CFLAGS = @gnu89_inline@
63
have-ssp = @libc_cv_ssp@
63
have-ssp = @libc_cv_ssp@
64
stack-protect = @stack_protect@
64
have-selinux = @have_selinux@
65
have-selinux = @have_selinux@
65
have-libaudit = @have_libaudit@
66
have-libaudit = @have_libaudit@
66
have-libcap = @have_libcap@
67
have-libcap = @have_libcap@
(-)libc-patched.orig/nscd/Makefile (+4 lines)
Lines 100-106 Link Here
100
nscd-cflags += $(pie-ccflag)
100
nscd-cflags += $(pie-ccflag)
101
endif
101
endif
102
ifeq (yes,$(have-ssp))
102
ifeq (yes,$(have-ssp))
103
ifneq (all,$(stack-protect))
103
nscd-cflags += -fstack-protector
104
nscd-cflags += -fstack-protector
105
else
106
nscd-cflags += -fstack-protector-all
107
endif
104
endif
108
endif
105
109
106
CFLAGS-nscd.c += $(nscd-cflags)
110
CFLAGS-nscd.c += $(nscd-cflags)

Return to bug 7065