commit: 0b7eace724b0035856311008c95cc7fe18b8231b Author: Krzesimir Nowak <knowak <AT> microsoft <DOT> com> AuthorDate: Fri Mar 17 02:34:21 2023 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Fri Mar 17 02:35:53 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b7eace7
sys-libs/glibc: disable CET explicitly if USE=-cet When bootstrapping, we may have a situation where CET-enabled gcc from seed is used to build CET-disabled glibc. As such, gcc implicitly enables CET if no -fcf-protection flag is passed. For a typical package it should not be a problem, but for glibc it matters as it is dealing with CET in ld.so. So if CET is supposed to be disabled for glibc, be explicit about it. [sam: cherry-picked from Flatcar at https://github.com/flatcar/coreos-overlay/commit/f4b92a6de9fcf506b30f1c6156b27c0e3d25438e] Bug: https://bugs.gentoo.org/830454 Closes: https://bugs.gentoo.org/901363 Signed-off-by: Sam James <sam <AT> gentoo.org> sys-libs/glibc/glibc-2.36-r7.ebuild | 13 ++++++++++++- sys-libs/glibc/glibc-2.37-r1.ebuild | 13 ++++++++++++- sys-libs/glibc/glibc-9999.ebuild | 13 ++++++++++++- 3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/sys-libs/glibc/glibc-2.36-r7.ebuild b/sys-libs/glibc/glibc-2.36-r7.ebuild
index 8bb3e20062b4..28002f738a95 100644
--- a/sys-libs/glibc/glibc-2.36-r7.ebuild
+++ b/sys-libs/glibc/glibc-2.36-r7.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'

 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }

 use_multiarch() {
diff --git a/sys-libs/glibc/glibc-2.37-r1.ebuild b/sys-libs/glibc/glibc-2.37-r1.ebuild
index 55b5a05c1ef8..4b041ecc1f7e 100644
--- a/sys-libs/glibc/glibc-2.37-r1.ebuild
+++ b/sys-libs/glibc/glibc-2.37-r1.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'

 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }

 use_multiarch() {
diff --git a/sys-libs/glibc/glibc-9999.ebuild b/sys-libs/glibc/glibc-9999.ebuild
index df348d783cb1..f5ec71d81a7b 100644
--- a/sys-libs/glibc/glibc-9999.ebuild
+++ b/sys-libs/glibc/glibc-9999.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'

 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }

 use_multiarch() {
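Review bot: The new `append-flags '-fcf-protection=none'` at the end of setup_flags() is added without probing the compiler, so a toolchain that does not recognise `-fcf-protection` would fail the build instead of simply going without the flag; `append-flags $(test-flags-CC -fcf-protection=none)` keeps the explicit opt-out wherever the option is understood. The guard `(use amd64 || use x86)` also appears to key on the profile arch rather than the glibc target, so a cross build from an x86 host to another architecture would presumably receive the flag as well; that is worth confirming, and the parentheses spawn a subshell where `{ use amd64 || use x86; }` would do. The same applies to the identical hunks in glibc-2.36-r7.ebuild, glibc-2.37-r1.ebuild and glibc-9999.ebuild. setup_flags() begins outside the hunk, so the earlier flag handling is not visible here.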
