From fb3b1025ce085ce7179ad1f80184f1439517ca5d Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Fri, 6 Jul 2018 22:53:51 +0200
Subject: [PATCH] Build additional files with stack protector
---
glibc-extra-stackprot-1.patch | 29 ++++++++++++++++++++++++++
glibc-extra-stackprot-2.patch | 38 +++++++++++++++++++++++++++++++++++
glibc.spec | 9 ++++++++-
3 files changed, 75 insertions(+), 1 deletion(-)
create mode 100644 glibc-extra-stackprot-1.patch
create mode 100644 glibc-extra-stackprot-2.patch
diff --git a/glibc-extra-stackprot-1.patch b/glibc-extra-stackprot-1.patch
new file mode 100644
index 0000000..9c16db1
--- /dev/null
+++ b/glibc-extra-stackprot-1.patch
@@ -0,0 +1,29 @@
+commit 38cade0c461e58770749d7e8973f85c79532838a
+Author: Florian Weimer
+Date: Thu Jul 5 19:28:11 2018 +0200
+
+ Compile debug/stack_chk_fail_local.c with stack protector
+
+ The resulting object file is statically linked into applications, so
+ it is desirable to have (formal) stack protector coverage there.
+
+diff --git a/debug/Makefile b/debug/Makefile
+index c6f6feb0ecf538a2..506cebc3c4ca19ff 100644
+--- a/debug/Makefile
++++ b/debug/Makefile
+@@ -58,10 +58,13 @@ static-only-routines := warning-nop stack_chk_fail_local
+ elide-routines.o := stack_chk_fail_local
+
+ # Building the stack-protector failure routines with stack protection
+-# makes no sense.
++# is not required since we have already failed a stack check and are
++# exiting the process. However, the local aliases which jump to the
++# real routines should still be compiled with stack protection
++# (stack_chk_fail_local.c), so that the statically linked parts of the
++# library have the expected flags.
+
+ CFLAGS-stack_chk_fail.c += $(no-stack-protector)
+-CFLAGS-stack_chk_fail_local.c += $(no-stack-protector)
+
+ CFLAGS-backtrace.c += -fno-omit-frame-pointer -funwind-tables
+ CFLAGS-sprintf_chk.c += $(libio-mtsafe)
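Review bot: The embedded debug/Makefile change removes `CFLAGS-stack_chk_fail_local.c += $(no-stack-protector)` without the patch header saying whether generated code changes, whereas the sibling csu patch in glibc-extra-stackprot-2.patch explicitly states "does not change generated code (with -fstack-protector-strong)"; since `__stack_chk_fail_local` is itself the failure path, a reader will want the same statement here. I would add a sentence to the patch description along the lines of `With -fstack-protector-strong this is expected to leave the emitted code unchanged and only affects formal flag coverage`, but that expectation is not visible on this page and should be confirmed against the built object before the wording is adopted. The new Makefile comment is long and argues policy; the factual "does the object change" question belongs in the header where packagers will look first. The 2.27-27 changelog entry in glibc.spec could carry the same one-line rationale.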
diff --git a/glibc-extra-stackprot-2.patch b/glibc-extra-stackprot-2.patch
new file mode 100644
index 0000000..82b6125
--- /dev/null
+++ b/glibc-extra-stackprot-2.patch
@@ -0,0 +1,38 @@
+commit 3a885c1f51b18852869a91cf59a1b39da1595c7a
+Author: Florian Weimer
+Date: Thu Jul 5 22:57:45 2018 +0200
+
+ Build csu/elf-init.c and csu/static-reloc.c with stack protector
+
+ This does not change generated code (with -fstack-protector-strong), but
+ is important for formal compiler flags compliance.
+
+ Reviewed-by: Carlos O'Donell
+
+diff --git a/csu/Makefile b/csu/Makefile
+index f3498960f89e3b31..88fc77662ef83479 100644
+--- a/csu/Makefile
++++ b/csu/Makefile
+@@ -50,6 +50,22 @@ CFLAGS-.o += $(no-stack-protector)
+ CFLAGS-.op += $(no-stack-protector)
+ CFLAGS-.os += $(no-stack-protector)
+
++# Dummy object not actually used for anything. It is linked into
++# crt1.o nevertheless, which in turn is statically linked into
++# applications, so that build flags matter.
++# See .
++# NB: Using $(stack-protector) in this way causes a wrong definition
++# STACK_PROTECTOR_LEVEL due to the preceding $(no-stack-protector),
++# but it does not matter for this source file.
++CFLAGS-static-reloc.os += $(stack-protector)
++
++# This file is not actually part of the startup code in the nonshared
++# case and statically linked into applications. See
++# ,
++# .
++# Also see the note above regarding STACK_PROTECTOR_LEVEL.
++CFLAGS-elf-init.oS += $(stack-protector)
++
+ ifeq (yes,$(build-shared))
+ extra-objs += S$(start-installed-name) gmon-start.os
+ ifneq ($(start-installed-name),$(static-start-installed-name))
diff --git a/glibc.spec b/glibc.spec
index d5a3f95..79970b9 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.27-71-g5fab7fe1dc
 %define glibcversion 2.27
-%define glibcrelease 26%{?dist}
+%define glibcrelease 27%{?dist}
 # Pre-release tarballs are pulled in from git using a command that is
 # effectively:
 #
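Review bot: The two added lines `CFLAGS-static-reloc.os += $(stack-protector)` and `CFLAGS-elf-init.oS += $(stack-protector)` in the embedded csu/Makefile hunk only take effect if the per-file flags land after the per-suffix `CFLAGS-.os` (and its siblings shown above them) on the compiler command line, so that the later `-fstack-protector*` option overrides the earlier `-fno-stack-protector`; the new comment documents the STACK_PROTECTOR_LEVEL side effect but not this ordering assumption, which a future reordering of how glibc assembles CFLAGS would break silently and without any build error. I would extend the first comment with `# Relies on per-file CFLAGS being appended after the per-suffix CFLAGS-.os, so the later -fstack-protector option wins over -fno-stack-protector.` Whether the generic glibc Makeconfig rules actually guarantee that order is not visible in this hunk and should be checked rather than assumed; the same applies to the `.oS` suffix used for elf-init, whose per-suffix default is not shown here. The `ifeq (yes,$(build-shared))` block that follows continues outside the hunk.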
@@ -263,6 +263,8 @@ Patch2058: glibc-python3.patch
 Patch2059: glibc-rh1592270.patch
 Patch2060: glibc-with-nonshared-cflags.patch
 Patch2061: glibc-asflags.patch
+Patch2062: glibc-extra-stackprot-1.patch
+Patch2063: glibc-extra-stackprot-2.patch
 ##############################################################################
 # End of glibc patches.
@@ -818,6 +820,8 @@ microbenchmark tests on the system.
 %patch2059 -p1
 %patch2060 -p1
 %patch2061 -p1
+%patch2062 -p1
+%patch2063 -p1
 ##############################################################################
 # %%prep - Additional prep required...
@@ -2044,6 +2048,9 @@ fi
 %endif
 %changelog
+* Fri Jul 6 2018 Florian Weimer - 2.27-27
+- Build additional files with stack protector
+
 * Fri Jul 6 2018 Florian Weimer - 2.27-26
 - Enable build flags inheritance for nonshared flags