Hi. Some time ago we discussed that we should enable stack-smashing protection (-fstack-protector) by default, so we opened a bug to track this [1]. The affected Gcc versions will be 4.8.2 and newer. Only amd64, x86, mips, ppc, ppc64 and arm will be affected by this change.
You can turn off SSP by using the nossp USE flag or by adding -fno-stack-protector to CFLAGS and/or CXXFLAGS. We are using the same patch as Debian/Ubuntu, but with some Gentoo fixes. The patch moves the sed for HARD_CFLAGS, ALLCFLAGS and ALLCXXFLAGS from do_gcc_PIE_patches() to make_gcc_hard(). We will make make_gcc_hard() the default for all Gcc versions 4.8 and newer, and turn it on or off with hardened_gcc_works(), which performs some sanity checks. /Magnus
2013-12-31 Magnus Granberg <zo...@gentoo.org> # 484714 We Add -fstack-protector as default
--- a/eclass/toolchain.eclass 2013-12-30 21:21:05.431832881 +0100
+++ b/eclass/toolchain.eclass 2013-12-31 11:34:00.720993536 +0100
@@ -473,7 +473,9 @@ toolchain_src_prepare() {
 do_gcc_PIE_patches
 epatch_user
 
- use hardened && make_gcc_hard
+ if ( tc_version_is_at_least 4.8 || use hardened ) && ! use vanilla ; then
+ make_gcc_hard
+ fi
 
 # install the libstdc++ python into the right location
 # http://gcc.gnu.org/PR51368
@@ -606,6 +608,12 @@ do_gcc_PIE_patches() {
 epatch "${WORKDIR}"/piepatch/def
 fi
 
+ BRANDING_GCC_PKGVERSION="${BRANDING_GCC_PKGVERSION}, pie-${PIE_VER}"
+}
+
+# configure to build with the hardened GCC specs as the default
+make_gcc_hard() {
+
 # we want to be able to control the pie patch logic via something other
 # than ALL_CFLAGS...
 sed -e '/^ALL_CFLAGS/iHARD_CFLAGS = ' \
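Review bot: The new condition replacing `use hardened && make_gcc_hard` also skips make_gcc_hard when USE=hardened and USE=vanilla are both set, which the old line never did; if that is intended it belongs in the commit message, otherwise `! use vanilla` should gate only the version branch, e.g. `if { tc_version_is_at_least 4.8 && ! use vanilla; } || use hardened ; then`. Independently of that, `( … )` forks a subshell just to group two status checks; `{ tc_version_is_at_least 4.8 || use hardened; }` is the idiomatic form. toolchain_src_prepare starts and ends outside the hunk.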
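Review bot: The header comment `# configure to build with the hardened GCC specs as the default` above the new `make_gcc_hard() {` is stale after this change: the function now runs for every non-vanilla gcc 4.8+ build and the hardened specs are only one of its outcomes. Suggest `# set the default specs: SSP wherever hardened_gcc_works ssp, PIE/SSP hardening when USE=hardened`. The moved `BRANDING_GCC_PKGVERSION` line now brands every PIE-patched build with pie-${PIE_VER} rather than only hardened ones, which the description may want to state. The body of make_gcc_hard continues past the hunk.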
@@ -618,38 +626,38 @@ do_gcc_PIE_patches() {
 -i "${S}"/gcc/Makefile.in
 fi
 
- BRANDING_GCC_PKGVERSION="${BRANDING_GCC_PKGVERSION}, pie-${PIE_VER}"
-}
-
-# configure to build with the hardened GCC specs as the default
-make_gcc_hard() {
- # defaults to enable for all hardened toolchains
- local gcc_hard_flags="-DEFAULT_RELRO -DEFAULT_BIND_NOW"
-
- if hardened_gcc_works ; then
- einfo "Updating gcc to use automatic PIE + SSP building ..."
- gcc_hard_flags+=" -DEFAULT_PIE_SSP"
- elif hardened_gcc_works pie ; then
- einfo "Updating gcc to use automatic PIE building ..."
- ewarn "SSP has not been enabled by default"
- gcc_hard_flags+=" -DEFAULT_PIE"
- elif hardened_gcc_works ssp ; then
- einfo "Updating gcc to use automatic SSP building ..."
- ewarn "PIE has not been enabled by default"
- gcc_hard_flags+=" -DEFAULT_SSP"
+ # defaults to enable for all toolchains
+ local gcc_hard_flags=""
+ if use hardened ; then
+ if hardened_gcc_works ; then
+ einfo "Updating gcc to use automatic PIE + SSP building ..."
+ gcc_hard_flags+=" -DEFAULT_PIE_SSP"
+ elif hardened_gcc_works pie ; then
+ einfo "Updating gcc to use automatic PIE building ..."
+ ewarn "SSP has not been enabled by default"
+ gcc_hard_flags+=" -DEFAULT_PIE"
+ elif hardened_gcc_works ssp ; then
+ einfo "Updating gcc to use automatic SSP building ..."
+ ewarn "PIE has not been enabled by default"
+ gcc_hard_flags+=" -DEFAULT_SSP"
+ else
+ # do nothing if hardened is't supported, but don't die either
+ ewarn "hardened is not supported for this arch in this gcc version"
+ return 0
+ fi
+ # rebrand to make bug reports easier
+ BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
 else
- # do nothing if hardened isnt supported, but dont die either
- ewarn "hardened is not supported for this arch in this gcc version"
- ebeep
- return 0
+ if hardened_gcc_works ssp ; then
+ einfo "Updating gcc to use automatic SSP building ..."
+ gcc_hard_flags+=" -DEFAULT_SSP"
+ fi
 fi
 
 sed -i \
 -e "/^HARD_CFLAGS = /s|=|= ${gcc_hard_flags} |" \
 "${S}"/gcc/Makefile.in || die
 
- # rebrand to make bug reports easier
- BRANDING_GCC_PKGVERSION=${BRANDING_GCC_PKGVERSION/Gentoo/Gentoo Hardened}
 }
 
 # This is a historical wart. The original Gentoo/amd64 port used:
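Review bot: The new `local gcc_hard_flags=""` drops `-DEFAULT_RELRO -DEFAULT_BIND_NOW`, which the removed initializer set for every hardened toolchain, and nothing in the `if use hardened` branch adds them back, so USE=hardened builds silently lose the relro/bind-now defaults while the commit message only speaks of SSP. Restore them in the hardened branch, e.g. `gcc_hard_flags+=" -DEFAULT_RELRO -DEFAULT_BIND_NOW"` directly after `if use hardened ; then`, before the hardened_gcc_works chain, or keep them in the initializer as before. The rewritten comment `# do nothing if hardened is't supported, but don't die either` has a typo, `isn't`. The opening line of make_gcc_hard lies in the previous hunk.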