X-Git-Url: https://ruderich.org/simon/gitweb/?p=blhc%2Fblhc.git;a=blobdiff_plain;f=bin%2Fblhc;fp=bin%2Fblhc;h=c4443832eff00b2552fcf4c1f94468775b6a9c35;hp=9040a084c873e691faae0801f8531588ec046883;hb=f1ac73364a8d0a20e279328db6b6e1e8dbfe9a4e;hpb=b35dc81d990e292f93b2dcf2cdfe46b1b4f1260c

diff --git a/bin/blhc b/bin/blhc
index 9040a08..c444383 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -237,6 +237,9 @@ my @def_cflags_stack_bad = (
     '-fno-stack-protector-all',
     '-fno-stack-protector-strong',
 );
+my @def_cflags_stack_clash = (
+    '-fstack-clash-protection',
+);
 my @def_cflags_pie = (
     '-fPIE',
 );
@@ -280,6 +283,7 @@ my @flag_refs = (
     \@def_cflags_stack,
     \@def_cflags_stack_strong,
     \@def_cflags_stack_bad,
+    \@def_cflags_stack_clash,
     \@def_cflags_pie,
     \@def_cxxflags,
     \@def_cppflags,
@@ -802,6 +806,7 @@ foreach my $file (@ARGV) {
     my $harden_fortify = 1;
     my $harden_stack   = 1;
     my $harden_stack_strong = 1;
+    my $harden_stack_clash = 1;
     my $harden_relro   = 1;
     my $harden_bindnow = $option_bindnow; # defaults to 0
     my $harden_pie     = $option_pie;     # defaults to 0
@@ -856,6 +861,7 @@ foreach my $file (@ARGV) {
 
             my $disable = 1;
             my $disable_strong = 1;
+            my $disable_clash = 1;
 
             if ($line =~ /\bdpkg-dev_(\S+)/) {
                 if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
@@ -867,6 +873,9 @@ foreach my $file (@ARGV) {
                 if (Dpkg::Version::version_compare($1, '1.18.15') >= 0) {
                     $disable_harden_pie = 1;
                 }
+                if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
+                    $disable_clash = 0;
+                }
             }
 
             if ($disable) {
@@ -880,6 +889,9 @@ foreach my $file (@ARGV) {
             if ($disable_strong) {
                 $harden_stack_strong = 0;
             }
+            if ($disable_clash) {
+                $harden_stack_clash = 0;
+            }
         }
 
         # The following two versions of CMake in Debian obeyed CPPFLAGS, but
@@ -1229,6 +1241,9 @@ foreach my $file (@ARGV) {
             $harden_stack = 0;
             $harden_stack_strong = 0;
         }
+        if ($arch !~ /^(?:amd64|arm64|armhf|armel)$/) {
+            $harden_stack_clash = 0;
+        }
         if ($cpu =~ /^(?:ia64|hppa)$/) {
             $harden_relro   = 0;
             $harden_bindnow = 0;
@@ -1253,6 +1268,10 @@ foreach my $file (@ARGV) {
         @cflags   = (@cflags,   @def_cflags_stack);
         @cxxflags = (@cxxflags, @def_cflags_stack);
     }
+    if ($harden_stack_clash) {
+        @cflags   = (@cflags,   @def_cflags_stack_clash);
+        @cxxflags = (@cxxflags, @def_cflags_stack_clash);
+    }
     if ($harden_fortify) {
         @cflags   = (@cflags,   @def_cflags_fortify);
         @cxxflags = (@cxxflags, @def_cflags_fortify);