Build additional files with stack protector

2018-07-06 22:53:51 +02:00 · 2018-07-06 22:53:51 +02:00 · fb3b1025ce
commit fb3b1025ce
parent cf31c32499
3 changed files with 75 additions and 1 deletions
--- a/glibc-extra-stackprot-1.patch
+++ b/glibc-extra-stackprot-1.patch
@ -0,0 +1,29 @@
+commit 38cade0c461e58770749d7e8973f85c79532838a
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Thu Jul 5 19:28:11 2018 +0200
+
+    Compile debug/stack_chk_fail_local.c with stack protector
+    
+    The resulting object file is statically linked into applications, so
+    it is desirable to have (formal) stack protector coverage there.
+
+diff --git a/debug/Makefile b/debug/Makefile
+index c6f6feb0ecf538a2..506cebc3c4ca19ff 100644
+--- a/debug/Makefile
+++ b/debug/Makefile
+@@ -58,10 +58,13 @@ static-only-routines := warning-nop stack_chk_fail_local
+ elide-routines.o := stack_chk_fail_local
+ 
+ # Building the stack-protector failure routines with stack protection
+-# makes no sense.
+# is not required since we have already failed a stack check and are
+# exiting the process.  However, the local aliases which jump to the
+# real routines should still be compiled with stack protection
+# (stack_chk_fail_local.c), so that the statically linked parts of the
+# library have the expected flags.
+ 
+ CFLAGS-stack_chk_fail.c += $(no-stack-protector)
+-CFLAGS-stack_chk_fail_local.c += $(no-stack-protector)
+ 
+ CFLAGS-backtrace.c += -fno-omit-frame-pointer -funwind-tables
+ CFLAGS-sprintf_chk.c += $(libio-mtsafe)
--- a/glibc-extra-stackprot-2.patch
+++ b/glibc-extra-stackprot-2.patch
@ -0,0 +1,38 @@
+commit 3a885c1f51b18852869a91cf59a1b39da1595c7a
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Thu Jul 5 22:57:45 2018 +0200
+
+    Build csu/elf-init.c and csu/static-reloc.c with stack protector
+    
+    This does not change generated code (with -fstack-protector-strong), but
+    is important for formal compiler flags compliance.
+    
+    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+diff --git a/csu/Makefile b/csu/Makefile
+index f3498960f89e3b31..88fc77662ef83479 100644
+--- a/csu/Makefile
+++ b/csu/Makefile
+@@ -50,6 +50,22 @@ CFLAGS-.o += $(no-stack-protector)
+ CFLAGS-.op += $(no-stack-protector)
+ CFLAGS-.os += $(no-stack-protector)
+ 
+# Dummy object not actually used for anything.  It is linked into
+# crt1.o nevertheless, which in turn is statically linked into
+# applications, so that build flags matter.
+# See <https://sourceware.org/ml/libc-alpha/2018-07/msg00101.html>.
+# NB: Using $(stack-protector) in this way causes a wrong definition
+# STACK_PROTECTOR_LEVEL due to the preceding $(no-stack-protector),
+# but it does not matter for this source file.
+CFLAGS-static-reloc.os += $(stack-protector)
+
+# This file is not actually part of the startup code in the nonshared
+# case and statically linked into applications.  See
+# <https://sourceware.org/bugzilla/show_bug.cgi?id=23323>,
+# <https://sourceware.org/ml/libc-alpha/2018-06/msg00717.html>.
+# Also see the note above regarding STACK_PROTECTOR_LEVEL.
+CFLAGS-elf-init.oS += $(stack-protector)
+
+ ifeq (yes,$(build-shared))
+ extra-objs += S$(start-installed-name) gmon-start.os
+ ifneq ($(start-installed-name),$(static-start-installed-name))
--- a/glibc.spec
+++ b/glibc.spec
@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.27-71-g5fab7fe1dc
 %define glibcversion 2.27
-%define glibcrelease 26%{?dist}
+%define glibcrelease 27%{?dist}
 # Pre-release tarballs are pulled in from git using a command that is
 # effectively:
 #
@ -263,6 +263,8 @@ Patch2058: glibc-python3.patch
 Patch2059: glibc-rh1592270.patch
 Patch2060: glibc-with-nonshared-cflags.patch
 Patch2061: glibc-asflags.patch
+Patch2062: glibc-extra-stackprot-1.patch
+Patch2063: glibc-extra-stackprot-2.patch

 ##############################################################################
 # End of glibc patches.
@ -818,6 +820,8 @@ microbenchmark tests on the system.
 %patch2059 -p1
 %patch2060 -p1
 %patch2061 -p1
+%patch2062 -p1
+%patch2063 -p1

 ##############################################################################
 # %%prep - Additional prep required...
@ -2044,6 +2048,9 @@ fi
 %endif

 %changelog
+* Fri Jul  6 2018 Florian Weimer <fweimer@redhat.com> - 2.27-27
+- Build additional files with stack protector
+
 * Fri Jul  6 2018 Florian Weimer <fweimer@redhat.com> - 2.27-26
 - Enable build flags inheritance for nonshared flags