I originally mistakenly sent this message only to control@ so the message didn't show up in the BTS. Here it is again.
Matthias Klose wrote: > could you prepare a README to be included in the package? I have written a brief README, attached. My first question when I originally downloaded libssp0 was "how do I actually use it?", which is what I have aimed to answer in the README. I think it would be helpful to include the autoconf macros that can be used to check for SSP[1]. They can be found via a link from the main SSP web page[2]. I have spent some time improving the above autoconf macros. My changes are attached (as well as a full copy of the updated macros). The changes are: * Stricter language checking (C or C++) - Required for projects using both C and C++ * Adds GCC_STACK_PROTECT_LIB to add -lssp to LDFLAGS as necessary - I have found "-lssp" is sometimes required during linking * Caches all results - This is always nice to have. * Uses macros to ensure correct ouput in quiet/silent mode - Previously "yes" and "no" could have been printed erroneously. The updated macros have been sent to the original author (Tiago Sousa) and to Hiroaki Etoh. I hope this is helpful! [1] Autoconf macros: http://researchweb.watson.ibm.com/trl/projects/security/ssp/gcc2_95_3/gcc_stack_protect.m4.gz [2] Main SSP web page: http://researchweb.watson.ibm.com/trl/projects/security/ssp/ -Ted
Stack smashing protection is a feature of GCC that enables a program to
detect buffer overflows and immediately terminate execution, rather than
continuing execution with corrupt internal data structures. It uses
"canaries" and local variable reordering to reduce the likelihood of
stack corruption through buffer overflows.
Options that affect stack smashing protection:
-fstack-protector
Enables protection for functions that are vulnerable to stack
smashing, such as those that call alloca() or use pointers.
-fstack-protector-all
Enables protection for all functions.
-Wstack-protector
Warns about functions that will not be protected. Only active when
-fstack-protector has been used.
Applications built with stack smashing protection should link with the
ssp library by using the option "-lssp".
More documentation can be found at the project's website:
http://researchweb.watson.ibm.com/trl/projects/security/ssp/
--- gcc_stack_protect.m4 2006-08-26 22:35:49.000000000 +1000 +++ gcc_stack_protect.m4-new 2006-08-27 00:39:40.000000000 +1000 @@ -1,13 +1,24 @@ dnl dnl Useful macros for autoconf to check for ssp-patched gcc dnl 1.0 - September 2003 - Tiago Sousa <[EMAIL PROTECTED]> +dnl 1.1 - August 2006 - Ted Percival <[EMAIL PROTECTED]> +dnl * Stricter language checking (C or C++) +dnl * Adds GCC_STACK_PROTECT_LIB to add -lssp to LDFLAGS as necessary +dnl * Caches all results +dnl * Uses macros to ensure correct ouput in quiet/silent mode dnl dnl About ssp: dnl GCC extension for protecting applications from stack-smashing attacks dnl http://www.research.ibm.com/trl/projects/security/ssp/ dnl dnl Usage: -dnl After calling the correct AC_LANG_*, use the corresponding macro: +dnl Call GCC_STACK_PROTECT_LIB to determine if the library implementing SSP is +dnl available, then the appropriate C or C++ language's test. If you are using +dnl both C and C++ you will need to use AC_LANG_PUSH and AC_LANG_POP to ensure +dnl the right language is being used for each test. +dnl +dnl GCC_STACK_PROTECT_LIB +dnl adds libssp to the LDFLAGS if it is available dnl dnl GCC_STACK_PROTECT_CC dnl checks -fstack-protector with the C compiler, if it exists then updates @@ -18,33 +29,47 @@ dnl CXXFLAGS and defines ENABLE_SSP_CXX dnl +AC_DEFUN([GCC_STACK_PROTECT_LIB],[ + AC_CACHE_CHECK([whether libssp exists], ssp_cv_lib, + [ssp_old_ldflags="$LDFLAGS" + LDFLAGS="$LDFLAGS -lssp" + AC_TRY_LINK(,, ssp_cv_lib=yes, ssp_cv_lib=no) + LDFLAGS="$ssp_old_ldflags" + ]) + if test $ssp_cv_lib = yes; then + LDFLAGS="$LDFLAGS -lssp" + fi +]) + AC_DEFUN([GCC_STACK_PROTECT_CC],[ - ssp_cc=yes + AC_LANG_ASSERT(C) if test "X$CC" != "X"; then - AC_MSG_CHECKING([whether ${CC} accepts -fstack-protector]) - ssp_old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -fstack-protector" - AC_TRY_COMPILE(,,, ssp_cc=no) - echo $ssp_cc - if test "X$ssp_cc" = "Xno"; then - CFLAGS="$ssp_old_cflags" - else + AC_CACHE_CHECK([whether ${CC} accepts -fstack-protector], + ssp_cv_cc, + [ssp_old_cflags="$CFLAGS" + CFLAGS="$CFLAGS -fstack-protector" + AC_TRY_COMPILE(,, ssp_cv_cc=yes, ssp_cv_cc=no) + CFLAGS="$ssp_old_cflags" + ]) + if test $ssp_cv_cc = yes; then + CFLAGS="$CFLAGS -fstack-protector" AC_DEFINE([ENABLE_SSP_CC], 1, [Define if SSP C support is enabled.]) fi fi ]) AC_DEFUN([GCC_STACK_PROTECT_CXX],[ - ssp_cxx=yes + AC_LANG_ASSERT(C++) if test "X$CXX" != "X"; then - AC_MSG_CHECKING([whether ${CXX} accepts -fstack-protector]) - ssp_old_cxxflags="$CXXFLAGS" - CXXFLAGS="$CXXFLAGS -fstack-protector" - AC_TRY_COMPILE(,,, ssp_cxx=no) - echo $ssp_cxx - if test "X$ssp_cxx" = "Xno"; then - CXXFLAGS="$ssp_old_cxxflags" - else + AC_CACHE_CHECK([whether ${CXX} accepts -fstack-protector], + ssp_cv_cxx, + [ssp_old_cxxflags="$CXXFLAGS" + CXXFLAGS="$CXXFLAGS -fstack-protector" + AC_TRY_COMPILE(,, ssp_cv_cxx=yes, ssp_cv_cxx=no) + CXXFLAGS="$ssp_old_cxxflags" + ]) + if test $ssp_cv_cxx = yes; then + CXXFLAGS="$CXXFLAGS -fstack-protector" AC_DEFINE([ENABLE_SSP_CXX], 1, [Define if SSP C++ support is enabled.]) fi fi
gcc_stack_protect.m4
Description: application/m4
signature.asc
Description: OpenPGP digital signature
