Here's an update of the patch
>From a73dfdbdc5081f9d45c1890ba7980acc462e6c6d Mon Sep 17 00:00:00 2001 From: Nils Goroll <[email protected]> Date: Wed, 19 Mar 2014 20:41:05 +0100 Subject: [PATCH] Enable compiler and linker options to frustrate memory corruption exploits
Automatically determine possible compiler/linker hardening options for additional stack and memory protection. This adds the --enable-hardening configure option, which is default. Use --disable-hardening to disable. based upon work documented here: http://mainisusuallyafunction.blogspot.de/2012/05/automatic-binary-hardening-with.html Changes to the above: - removed CXX support - replaced -fstack-protector-all with -fstack-protector-strong and fallback to -fstack-protector - removed -Wstack-protector (XXXLATER: disable for specific functions only?) --- build-aux/wrap-compiler-for-flag-check | 22 +++++++++ configure.ac | 82 ++++++++++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100755 build-aux/wrap-compiler-for-flag-check diff --git a/build-aux/wrap-compiler-for-flag-check b/build-aux/wrap-compiler-for-flag-check new file mode 100755 index 0000000..579f577 --- /dev/null +++ b/build-aux/wrap-compiler-for-flag-check @@ -0,0 +1,22 @@ +#!/bin/sh + +# There is no way to make clang's "argument unused" warning fatal. So when +# configure checks for supported flags, it runs $CC, $CXX, $LD via this +# wrapper. +# +# Ideally the search string would also include 'clang: ' but this output might +# depend on clang's argv[0]. + +if out=`"$@" 2>&1`; then + echo "$out" + if echo "$out" | grep 'warning: argument unused' >/dev/null; then + echo "$0: found clang warning" + exit 1 + else + exit 0 + fi +else + code=$? + echo "$out" + exit $code +fi diff --git a/configure.ac b/configure.ac index e2a0b98..8424f3b 100644 --- a/configure.ac +++ b/configure.ac @@ -48,6 +48,87 @@ LIBS="$PTHREAD_LIBS $LIBS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" CC="$PTHREAD_CC" +#### +## BEGIN autoharden configure.ac +## +## based upon: +## http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html +## https://github.com/kmcallister/autoharden +## +## changes +## - removed CXX support +## - replaced -fstack-protector-all with -fstack-protector-strong and fallback to -fstack-protector +## - removed -Wstack-protector (XXXLATER: disable for specific functions only?) +## - uppercased CHECK_* autoconf functions + +# We want to check for compiler flag support, but there is no way to make +# clang's "argument unused" warning fatal. So we invoke the compiler through a +# wrapper script that greps for this message. +saved_CC="$CC" +saved_LD="$LD" +flag_wrap="$srcdir/build-aux/wrap-compiler-for-flag-check" +CC="$flag_wrap $CC" +LD="$flag_wrap $LD" + +# We use the same hardening flags for C. We must check that each flag +# is supported by both compilers. +AC_DEFUN([CHECK_CC_FLAG], + [AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])]) +AC_DEFUN([CHECK_LINK_FLAG], + [AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])]) + +AC_ARG_ENABLE([hardening], + [AS_HELP_STRING([--enable-hardening], + [Enable compiler and linker options to frustrate memory corruption exploits @<:@yes@:>@])], + [hardening="$enableval"], + [hardening="yes"]) + +HARDEN_CFLAGS="" +HARDEN_LDFLAGS="" +AS_IF([test x"$hardening" != x"no"], [ + CHECK_CC_FLAG([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"]) + + # This one will likely succeed, even on platforms where it does nothing. + CHECK_CC_FLAG([-D_FORTIFY_SOURCE=2], [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"]) + + CHECK_CC_FLAG([-fstack-protector-strong], + [CHECK_LINK_FLAG([-fstack-protector-strong], + [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-protector-strong" + CHECK_CC_FLAG([--param ssp-buffer-size=1], [HARDEN_CFLAGS="$HARDEN_CFLAGS --param ssp-buffer-size=1"], + [], [-fstack-protector-strong])])], + [CHECK_LINK_FLAG([-fstack-protector], + [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-protector" + CHECK_CC_FLAG([--param ssp-buffer-size=1], [HARDEN_CFLAGS="$HARDEN_CFLAGS --param ssp-buffer-size=1"], + [], [-fstack-protector])])]) + + # At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X) + # + # The linker checks also compile code, so we need to include -fPIE as well. + CHECK_CC_FLAG([-fPIE], + [CHECK_LINK_FLAG([-fPIE -pie], + [HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE" + HARDEN_LDFLAGS="$HARDEN_LDFLAGS -pie"], + [CHECK_LINK_FLAG([-fPIE -Wl,-pie], + [HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE" + HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-pie"])])]) + + CHECK_LINK_FLAG([-Wl,-z,relro], + [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro" + CHECK_LINK_FLAG([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])])]) +AC_SUBST([HARDEN_CFLAGS]) +AC_SUBST([HARDEN_LDFLAGS]) + +# End of flag tests. +CC="$saved_CC" +LD="$saved_LD" + +## END autoharden configure.ac +#### + +CFLAGS="${CFLAGS} ${HARDEN_CFLAGS}" +LDFLAGS="${LDFLAGS} ${HARDEN_LDFLAGS}" + + AC_PROG_INSTALL AC_PROG_MAKE_SET @@ -497,6 +578,7 @@ DEVELOPER_CLANG_CFLAGS="-Wmissing-variable-declarations -Wno-string-plus-int" #DEVELOPER_CFLAGS="${DEVELOPER_CFLAGS} ${DEVELOPER_CLANG_CFLAGS}" # --enable-stack-protector +# XXX do we want to give up this option now that we have --enable-hardening ? AC_ARG_ENABLE(stack-protector, AS_HELP_STRING([--enable-stack-protector],[enable stack protector (default is YES)]), [], -- 1.9.0
_______________________________________________ varnish-dev mailing list [email protected] https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
