From 4e57e23833fa93627e6e54e2df069775e99244fc Mon Sep 17 00:00:00 2001
From: Philip Kaufmann
Date: Sat, 5 Oct 2013 13:02:47 +0200
Subject: [PATCH 1/2] enable full GCC Stack-smashing protection for all OSes
- change our hardening options to use -fstack-protector-all even for Windows builds, as we recently switched to a newer compiler suite
- also removes an obsolete workaround for GCC 4.5 (https://bugs.launchpad.net/ubuntu/+source/gcc-4.5/+bug/691722), which required to first set -fno-stack-protector, before -fstack-protector-all
---
 configure.ac | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 973f4398d..e29ec1550 100644
--- a/configure.ac
+++ b/configure.ac
@@ -284,6 +284,7 @@ AX_CHECK_LINK_FLAG([[-Wl,--large-address-aware]], [LDFLAGS="$LDFLAGS -Wl,--large
 if test x$use_hardening != xno; then
 AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
+ AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
 AX_CHECK_COMPILE_FLAG([-fPIE],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fPIE"])
 AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=2],[
@@ -299,10 +300,6 @@ if test x$use_hardening != xno; then
 AX_CHECK_LINK_FLAG([[-Wl,-z,now]], [LDFLAGS="-Wl,-z,now"])
 if test x$TARGET_OS != xwindows; then
- # -fstack-protector-all can produce broken binaries with mingw
- AX_CHECK_COMPILE_FLAG([-fno-stack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fno-stack-protector"])
- AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
- # -pie will link successfully with MinGW, but it's unsupported and leads to undeterministic binaries
 AX_CHECK_LINK_FLAG([[-pie]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -pie"])
 fi
From 6ac0b3be2d5c5277805c16b56ee5b2e59ba9e84c Mon Sep 17 00:00:00 2001
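Review bot: The new `-fstack-protector-all` line in the first hunk is guarded only by AX_CHECK_COMPILE_FLAG, which shows that the compiler accepts the flag but not that the stack-protector runtime can actually be linked. On toolchains that ship that runtime as a separate library (libssp with MinGW, which this patch now opts into), a hardened build can then fail at link time or pick up an unplanned runtime DLL dependency. Nesting the probe in a link test, which this file already uses for other flags, would catch that at configure time: `AX_CHECK_LINK_FLAG([[-fstack-protector-all]],[AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])])`. The `if test x$use_hardening != xno` block continues outside the hunk, so how HARDENED_CXXFLAGS is consumed is not visible here.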
From: "Wladimir J. van der Laan"
Date: Wed, 22 Jan 2014 08:44:24 +0100
Subject: [PATCH 2/2] build: Add -static for mingw builds
This avoids a dependency on libssp-0.dll when built with -fstack-protector-all.
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)
diff --git a/configure.ac b/configure.ac
index e29ec1550..e2eded84e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,7 @@ case $host in
 AC_CHECK_LIB([iphlpapi], [main],, AC_MSG_ERROR(lib missing))
 AC_CHECK_LIB([crypt32], [main],, AC_MSG_ERROR(lib missing))
+ AX_CHECK_LINK_FLAG([[-static]],[LDFLAGS="$LDFLAGS -static"])
 AX_CHECK_LINK_FLAG([[-static-libgcc]],[LDFLAGS="$LDFLAGS -static-libgcc"])
 AX_CHECK_LINK_FLAG([[-static-libstdc++]],[LDFLAGS="$LDFLAGS -static-libstdc++"])
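Review bot: The added `-static` probe appears to sit with the general link flags for this host, so it would apply even when `use_hardening` is `no` and `-fstack-protector-all` (the only reason the commit message gives) is not in use; the `case $host in` arm starts and ends outside the hunk, so the exact host pattern and any surrounding condition are not visible. Fully static linking also folds every dependency into the binary, so security fixes in those libraries reach users only through a rebuild, and it presumably makes the `-static-libgcc` and `-static-libstdc++` lines below redundant. The reason for the flag is recorded only in the commit message; a comment above the line would keep it from being dropped later, e.g. `# -static: keep libssp (needed by -fstack-protector-all) inside the binary instead of depending on libssp-0.dll`.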