From 076183b36b76a11438463883ff916f17aef9e001 Mon Sep 17 00:00:00 2001 From: fanquake Date: Thu, 18 Jun 2020 13:31:07 +0800 Subject: [PATCH 1/2] build: add -fcf-protection=full to hardening options Enables code instrumentation of control-flow transfers. Available in GCC 8 and Clang 7. This option is now on by default in Ubuntu GCC as of 19.10. --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 12bece690..fe8ce1a8f 100644 --- a/configure.ac +++ b/configure.ac @@ -785,6 +785,7 @@ if test x$use_hardening != xno; then AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"]) AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"]) + AX_CHECK_COMPILE_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"]) dnl When enable_debug is yes, all optimizations are disabled. dnl However, FORTIFY_SOURCE requires that there is some level of optimization, otherwise it does nothing and just creates a compiler warning. dnl Since FORTIFY_SOURCE is a no-op without optimizations, do not enable it when enable_debug is yes. From b536813cefc13f5c54a28a7c2fce8c69e89d6624 Mon Sep 17 00:00:00 2001 From: fanquake Date: Thu, 18 Jun 2020 13:31:28 +0800 Subject: [PATCH 2/2] build: add -fstack-clash-protection to hardening flags This option causes the compiler to insert probes whenever stack space is allocated statically or dynamically to reliably detect stack overflows and thus mitigate the attack vector that relies on jumping over a stack guard page as provided by the operating system. This option is now enabled by default in Ubuntu GCC as of 19.10. Available in GCC 8 and Clang 11. --- configure.ac | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configure.ac b/configure.ac index fe8ce1a8f..c26180ab3 100644 --- a/configure.ac +++ b/configure.ac @@ -786,6 +786,13 @@ if test x$use_hardening != xno; then AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"]) AX_CHECK_COMPILE_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"]) + + dnl stack-clash-protection does not work properly when building for Windows. + dnl We use the test case from https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 + dnl to determine if it can be enabled. + AX_CHECK_COMPILE_FLAG([-fstack-clash-protection],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-clash-protection"],[],["-O0"], + [AC_LANG_SOURCE([[class D {public: unsigned char buf[32768];}; int main() {D d; return 0;}]])]) + dnl When enable_debug is yes, all optimizations are disabled. dnl However, FORTIFY_SOURCE requires that there is some level of optimization, otherwise it does nothing and just creates a compiler warning. dnl Since FORTIFY_SOURCE is a no-op without optimizations, do not enable it when enable_debug is yes.