- (djm) [configure.ac aclocal.m4] More tests to detect fallout from

platform hardening options: include some long long int arithmatic to detect missing support functions for -ftrapv in libgcc and equivalents, actually test linking when -ftrapv is supplied and set either both -pie/-fPIE or neither. feedback and ok dtucker@
author: Damien Miller <djm@mindrot.org> 2014-01-22 21:30:12 +1100
committer: Damien Miller <djm@mindrot.org> 2014-01-22 21:30:12 +1100
commit: 5c2ff5e31f57d303ebb414d84a934c02728fa568 (patch)
tree: b1c8a8a1d6eee29847c3de5d7ebe00f79f44db93
parent: 852472a54b8a0dc3e53786b313baaa86850a4273 (diff)
3 files changed, 67 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index bbe112e68..b4a81f996 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
   hack surprises us by providing a setproctitle in libc; ok dtucker
 - (djm) [configure.ac] Unless specifically requested, only attempt
   to build Position Independent Executables on gcc >= 4.x; ok dtucker
+ - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
+   platform hardening options: include some long long int arithmatic
+   to detect missing support functions for -ftrapv in libgcc and
+   equivalents, actually test linking when -ftrapv is supplied and
+   set either both -pie/-fPIE or neither. feedback and ok dtucker@
 20140121
 - (dtucker) [configure.ac] Make PIE a configure-time option which defaults
diff --git a/aclocal.m4 b/aclocal.m4
index 195a87636..1640683e1 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $
+dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -21,7 +21,45 @@ int main(int argc, char **argv) {
        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
        float l = i * 2.1;
        double m = l / 0.5;
-        printf("%d %d %d %f %f\n", i, j, k, l, m);
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+        exit(0);
+}
+        ]])],
+                [
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+                AC_MSG_RESULT([no])
+                CFLAGS="$saved_CFLAGS"
+else
+                AC_MSG_RESULT([yes])
+                 CFLAGS="$saved_CFLAGS $_define_flag"
+fi],
+                [ AC_MSG_RESULT([no])
+                  CFLAGS="$saved_CFLAGS" ]
+        )
+}])
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+        AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
+        saved_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $WERROR $1"
+        _define_flag="$2"
+        test "x$_define_flag" = "x" && _define_flag="$1"
+        AC_LINK_IFELSE([AC_LANG_SOURCE([[
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+        /* Some math to catch -ftrapv problems in the toolchain */
+        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+        float l = i * 2.1;
+        double m = l / 0.5;
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
        exit(0);
 }
        ]])],
@@ -57,7 +95,8 @@ int main(int argc, char **argv) {
        int i = 123 * argc, j = 456 + argc, k = 789 - argc;
        float l = i * 2.1;
        double m = l / 0.5;
-        printf("%d %d %d %f %f\n", i, j, k, l, m);
+        long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+        printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
        exit(0);
 }
                ]])],
diff --git a/configure.ac b/configure.ac
index b738f4e60..12d62e294 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $
+# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.557 $)
+AC_REVISION($Revision: 1.558 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
@@ -164,10 +164,15 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
        OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
        OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
    if test "x$use_toolchain_hardening" = "x1"; then
-        OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
        OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
        OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
        OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
+        # NB. -ftrapv expects certain support functions to be present in
+        # the compiler library (libgcc or similar) to detect integer operations
+        # that can overflow. We must check that the result of enabling it
+        # actually links. The test program compiled/linked includes a number
+        # of integer operations that should exercise this.
+        OSSH_CHECK_CFLAG_LINK([-ftrapv])
    fi
        AC_MSG_CHECKING([gcc version])
        GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
@@ -1594,8 +1599,20 @@ if test "x$use_pie" == "xauto"; then
 )
 fi
 if test "x$use_pie" != "xno"; then
+        SAVED_CFLAGS="$CFLAGS"
+        SAVED_LDFLAGS="$LDFLAGS"
        OSSH_CHECK_CFLAG_COMPILE([-fPIE])
        OSSH_CHECK_LDFLAG_LINK([-pie])
+        # We use both -fPIE and -pie or neither.
+        AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
+        if echo "x $CFLAGS"  | grep ' -fPIE' >/dev/null 2>&1 && \
+           echo "x $LDFLAGS" | grep ' -pie'  >/dev/null 2>&1 ; then
+                AC_MSG_RESULT([yes])
+        else
+                AC_MSG_RESULT([no])
+                CFLAGS="$SAVED_CFLAGS"
+                LDFLAGS="$SAVED_LDFLAGS"
+        fi
 fi
 dnl    Checks for library functions. Please keep in alphabetical order
author	Damien Miller <djm@mindrot.org>	2014-01-22 21:30:12 +1100
committer	Damien Miller <djm@mindrot.org>	2014-01-22 21:30:12 +1100
commit	5c2ff5e31f57d303ebb414d84a934c02728fa568 (patch)
tree	b1c8a8a1d6eee29847c3de5d7ebe00f79f44db93
parent	852472a54b8a0dc3e53786b313baaa86850a4273 (diff)

diff --git a/ChangeLog b/ChangeLog index bbe112e68..b4a81f996 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -4,6 +4,11 @@
4	hack surprises us by providing a setproctitle in libc; ok dtucker	4	hack surprises us by providing a setproctitle in libc; ok dtucker
5	- (djm) [configure.ac] Unless specifically requested, only attempt	5	- (djm) [configure.ac] Unless specifically requested, only attempt
6	to build Position Independent Executables on gcc >= 4.x; ok dtucker	6	to build Position Independent Executables on gcc >= 4.x; ok dtucker
		7	- (djm) [configure.ac aclocal.m4] More tests to detect fallout from
		8	platform hardening options: include some long long int arithmatic
		9	to detect missing support functions for -ftrapv in libgcc and
		10	equivalents, actually test linking when -ftrapv is supplied and
		11	set either both -pie/-fPIE or neither. feedback and ok dtucker@
7		12
8	20140121	13	20140121
9	- (dtucker) [configure.ac] Make PIE a configure-time option which defaults	14	- (dtucker) [configure.ac] Make PIE a configure-time option which defaults


diff --git a/aclocal.m4 b/aclocal.m4 index 195a87636..1640683e1 100644 --- a/aclocal.m4 +++ b/aclocal.m4
@@ -1,4 +1,4 @@
1	dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $	1	dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
2	dnl	2	dnl
3	dnl OpenSSH-specific autoconf macros	3	dnl OpenSSH-specific autoconf macros
4	dnl	4	dnl
@@ -21,7 +21,45 @@ int main(int argc, char **argv) {
21	int i = 123 * argc, j = 456 + argc, k = 789 - argc;	21	int i = 123 * argc, j = 456 + argc, k = 789 - argc;
22	float l = i * 2.1;	22	float l = i * 2.1;
23	double m = l / 0.5;	23	double m = l / 0.5;
24	printf("%d %d %d %f %f\n", i, j, k, l, m);	24	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
		25	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
		26	exit(0);
		27	}
		28	]])],
		29	[
		30	if `grep -i "unrecognized option" conftest.err >/dev/null`
		31	then
		32	AC_MSG_RESULT([no])
		33	CFLAGS="$saved_CFLAGS"
		34	else
		35	AC_MSG_RESULT([yes])
		36	CFLAGS="$saved_CFLAGS $_define_flag"
		37	fi],
		38	[ AC_MSG_RESULT([no])
		39	CFLAGS="$saved_CFLAGS" ]
		40	)
		41	}])
		42
		43	dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
		44	dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
		45	dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
		46	dnl 'check_flag'.
		47	AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
		48	AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
		49	saved_CFLAGS="$CFLAGS"
		50	CFLAGS="$CFLAGS $WERROR $1"
		51	_define_flag="$2"
		52	test "x$_define_flag" = "x" && _define_flag="$1"
		53	AC_LINK_IFELSE([AC_LANG_SOURCE([[
		54	#include <stdlib.h>
		55	#include <stdio.h>
		56	int main(int argc, char **argv) {
		57	/* Some math to catch -ftrapv problems in the toolchain */
		58	int i = 123 * argc, j = 456 + argc, k = 789 - argc;
		59	float l = i * 2.1;
		60	double m = l / 0.5;
		61	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
		62	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
25	exit(0);	63	exit(0);
26	}	64	}
27	]])],	65	]])],
@@ -57,7 +95,8 @@ int main(int argc, char **argv) {
57	int i = 123 * argc, j = 456 + argc, k = 789 - argc;	95	int i = 123 * argc, j = 456 + argc, k = 789 - argc;
58	float l = i * 2.1;	96	float l = i * 2.1;
59	double m = l / 0.5;	97	double m = l / 0.5;
60	printf("%d %d %d %f %f\n", i, j, k, l, m);	98	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
		99	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
61	exit(0);	100	exit(0);
62	}	101	}
63	]])],	102	]])],


diff --git a/configure.ac b/configure.ac index b738f4e60..12d62e294 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $	1	# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -15,7 +15,7 @@
15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		16
17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])	17	AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18	AC_REVISION($Revision: 1.557 $)	18	AC_REVISION($Revision: 1.558 $)
19	AC_CONFIG_SRCDIR([ssh.c])	19	AC_CONFIG_SRCDIR([ssh.c])
20	AC_LANG([C])	20	AC_LANG([C])
21		21
@@ -164,10 +164,15 @@ if test "$GCC" = "yes" \|\| test "$GCC" = "egcs"; then
164	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])	164	OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
165	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])	165	OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
166	if test "x$use_toolchain_hardening" = "x1"; then	166	if test "x$use_toolchain_hardening" = "x1"; then
167	OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
168	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])	167	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
169	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])	168	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
170	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])	169	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
		170	# NB. -ftrapv expects certain support functions to be present in
		171	# the compiler library (libgcc or similar) to detect integer operations
		172	# that can overflow. We must check that the result of enabling it
		173	# actually links. The test program compiled/linked includes a number
		174	# of integer operations that should exercise this.
		175	OSSH_CHECK_CFLAG_LINK([-ftrapv])
171	fi	176	fi
172	AC_MSG_CHECKING([gcc version])	177	AC_MSG_CHECKING([gcc version])
173	GCC_VER=`$CC -v 2>&1 \| $AWK '/gcc version /{print $3}'`	178	GCC_VER=`$CC -v 2>&1 \| $AWK '/gcc version /{print $3}'`
@@ -1594,8 +1599,20 @@ if test "x$use_pie" == "xauto"; then
1594	)	1599	)
1595	fi	1600	fi
1596	if test "x$use_pie" != "xno"; then	1601	if test "x$use_pie" != "xno"; then
		1602	SAVED_CFLAGS="$CFLAGS"
		1603	SAVED_LDFLAGS="$LDFLAGS"
1597	OSSH_CHECK_CFLAG_COMPILE([-fPIE])	1604	OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1598	OSSH_CHECK_LDFLAG_LINK([-pie])	1605	OSSH_CHECK_LDFLAG_LINK([-pie])
		1606	# We use both -fPIE and -pie or neither.
		1607	AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
		1608	if echo "x $CFLAGS" \| grep ' -fPIE' >/dev/null 2>&1 && \
		1609	echo "x $LDFLAGS" \| grep ' -pie' >/dev/null 2>&1 ; then
		1610	AC_MSG_RESULT([yes])
		1611	else
		1612	AC_MSG_RESULT([no])
		1613	CFLAGS="$SAVED_CFLAGS"
		1614	LDFLAGS="$SAVED_LDFLAGS"
		1615	fi
1599	fi	1616	fi
1600		1617
1601	dnl Checks for library functions. Please keep in alphabetical order	1618	dnl Checks for library functions. Please keep in alphabetical order