diff mbox

[v2,1/1] configure: use appropriate code fragment for -fstack-protector checks

Message ID 1447337068-2448-1-git-send-email-rprebello@gmail.com
State New
Headers show

Commit Message

Rodrigo Rebello Nov. 12, 2015, 2:04 p.m. UTC
The check for stack-protector support consisted in compiling and linking
the test program below (output by function write_c_skeleton()) with the
compiler flag -fstack-protector-strong first and then with
-fstack-protector-all if the first one failed to work:

  int main(void) { return 0; }

This caused false positives when using certain toolchains in which the
compiler accepted -fstack-protector-strong but no support was provided
by the C library, since for this stack-protector variant the compiler
emits canary code only for functions that meet specific conditions
(local arrays, memory references to local variables, etc.) and the code
fragment under test included none of them (hence no stack protection
code generated, no link failure).

This fix changes the test program used for -fstack-protector checks to
include a function that meets conditions which cause the compiler to
generate canary code in all variants.

Signed-off-by: Rodrigo Rebello <rprebello@gmail.com>
---
Changes v1 -> v2:
  - Use a simpler test code that works.
---
 configure | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

Markus Armbruster Nov. 12, 2015, 4:10 p.m. UTC | #1
Rodrigo Rebello <rprebello@gmail.com> writes:

> The check for stack-protector support consisted in compiling and linking
> the test program below (output by function write_c_skeleton()) with the
> compiler flag -fstack-protector-strong first and then with
> -fstack-protector-all if the first one failed to work:
>
>   int main(void) { return 0; }
>
> This caused false positives when using certain toolchains in which the
> compiler accepted -fstack-protector-strong but no support was provided
> by the C library, since for this stack-protector variant the compiler
> emits canary code only for functions that meet specific conditions
> (local arrays, memory references to local variables, etc.) and the code
> fragment under test included none of them (hence no stack protection
> code generated, no link failure).
>
> This fix changes the test program used for -fstack-protector checks to
> include a function that meets conditions which cause the compiler to
> generate canary code in all variants.
>
> Signed-off-by: Rodrigo Rebello <rprebello@gmail.com>

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Michael Tokarev Nov. 29, 2015, 10:44 a.m. UTC | #2
12.11.2015 17:04, Rodrigo Rebello wrote:
> The check for stack-protector support consisted in compiling and linking
> the test program below (output by function write_c_skeleton()) with the
> compiler flag -fstack-protector-strong first and then with
> -fstack-protector-all if the first one failed to work:
...

Applied to -trivial, thank you!

/mjt
diff mbox

Patch

diff --git a/configure b/configure
index 46fd8bd..d93c744 100755
--- a/configure
+++ b/configure
@@ -1486,6 +1486,16 @@  for flag in $gcc_flags; do
 done
 
 if test "$stack_protector" != "no"; then
+  cat > $TMPC << EOF
+int main(int argc, char *argv[])
+{
+    char arr[64], *p = arr, *c = argv[0];
+    while (*c) {
+        *p++ = *c++;
+    }
+    return 0;
+}
+EOF
   gcc_flags="-fstack-protector-strong -fstack-protector-all"
   sp_on=0
   for flag in $gcc_flags; do