# fortify needs at least -O1, but -O2 is recommended anyway
);
my @def_cflags_stack = (
- '-fstack-protector',
+ '-fstack-protector', # keep first, used by cflags_stack_broken()
'--param[= ]ssp-buffer-size=4',
);
my @def_cflags_stack_strong = (
- '-fstack-protector-strong',
+ '-fstack-protector-strong', # keep first, used by cflags_stack_broken()
+);
+my @def_cflags_stack_bad = (
+ # Blacklist all stack protector options for simplicity.
+ '-fno-stack-protector',
+ '-fno-stack-protector-all',
+ '-fno-stack-protector-strong',
);
my @def_cflags_pie = (
'-fPIE',
\@def_cflags_fortify,
\@def_cflags_stack,
\@def_cflags_stack_strong,
+ \@def_cflags_stack_bad,
\@def_cflags_pie,
\@def_cxxflags,
\@def_cppflags,
return 1;
}
+sub cflags_stack_broken {
+ my ($line, $missing_flags, $strong) = @_;
+
+ my $flag = $strong ? $def_cflags_stack_strong[0]
+ : $def_cflags_stack[0];
+
+ if (not flag_overwritten($line, $flag, \@def_cflags_stack_bad)) {
+ return 0;
+ }
+ push @{$missing_flags}, $flag;
+ return 1;
+}
+
# Modifies $missing_flags_ref array.
sub pic_pie_conflict {
my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
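Review bot: cflags_stack_broken() only treats the three `-fno-stack-protector*` spellings in @def_cflags_stack_bad as overriding, so a line that passes `-fstack-protector-strong` and later the weaker `-fstack-protector` (last option wins in GCC, as far as I know) is still reported as fully hardened when $strong is set: all_flags_used() finds the strong flag and nothing in the bad list matches. If that downgrade is worth catching, build the list per mode, e.g. `my @bad = $strong ? (@def_cflags_stack_bad, $def_cflags_stack[0]) : @def_cflags_stack_bad;` and pass `\@bad` to flag_overwritten(). Whether flag_overwritten() actually honours option order (a `-fno-stack-protector` before the positive flag is harmless) is not visible in this hunk and should be confirmed, since the new check depends on it. A one-line header comment would also help, e.g. `# Returns 1 and appends the stack protector flag to @$missing_flags when a -fno-stack-protector* option cancels it on $line; 0 otherwise.`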
# treated as a normal compiler line.
next if $line =~ m{^\s*rm\s+};
# Some build systems emit "gcc > file".
- next if $line =~ m{$cc_regex_normal\s*>\s*\S+};
+ next if $line =~ m{$cc_regex_normal\s*>\s*\S+}o;
# Check if additional hardening options were used. Used to ensure
# they are used for the complete build.
# Check hardening flags.
my @missing;
- if ($compile and not all_flags_used($line, \@missing, @cflags)
+ if ($compile and (not all_flags_used($line, \@missing, @cflags)
+ or (($harden_stack or $harden_stack_strong)
+ and cflags_stack_broken($line, \@missing,
+ $harden_stack_strong)))
# Libraries linked with -fPIC don't have to (and can't) be
# linked with -fPIE as well. It's no error if only PIE flags
# are missing.