Add configuration options for enabling SSP

... in uClibc and glibc. Fixes #681. While here, relocate additional "sources" for uClibc/binutils into packages/ directory. Signed-off-by: Alexey Neyman <stilor@att.net>
2024-12-19 21:07:54 +00:00 · 2018-12-04 16:15:37 -08:00 · 2018-12-04 16:15:37 -08:00 · f5b57504d2
commit f5b57504d2
parent 893932e90f
8 changed files with 67 additions and 4 deletions
--- a/config/libc/glibc.in
+++ b/config/libc/glibc.in
@ -320,6 +320,45 @@ config GLIBC_MIN_KERNEL
    default LINUX_VERSION                 if GLIBC_KERNEL_VERSION_AS_HEADERS
    default GLIBC_MIN_KERNEL_VERSION      if GLIBC_KERNEL_VERSION_CHOSEN

+
+choice
+    bool "Stack-smashing protection (SSP) in glibc"
+    default GLIBC_SSP_DEFAULT
+
+config GLIBC_SSP_DEFAULT
+    bool "default"
+    help
+      Glibc's configure script determines the stack protection level.
+
+config GLIBC_SSP_NO
+    bool "no"
+    help
+      Glibc functions are not protected against stack-smashing.
+
+config GLIBC_SSP_YES
+    bool "yes"
+    help
+      Glibc is compiled with -fstack-protector option.
+
+config GLIBC_SSP_ALL
+    bool "all"
+    help
+      Glibc is compiled with -fstack-protector-all option.
+
+config GLIBC_SSP_STRONG
+    bool "strong"
+    help
+      Glibc is compiled with -fstack-protector-strong option.
+
+endchoice
+
+config GLIBC_SSP
+    string
+    default "no" if GLIBC_SSP_NO
+    default "yes" if GLIBC_SSP_YES
+    default "all" if GLIBC_SSP_ALL
+    default "strong" if GLIBC_SSP_STRONG
+
 # All supported versions of glibc build cleanly with GCC7 and earlier.
 # GCC8-related fixes were only available in glibc 2.27.
 config GLIBC_ENABLE_WERROR
--- a/config/libc/uClibc.in
+++ b/config/libc/uClibc.in
@ -207,6 +207,23 @@ config LIBC_UCLIBC_RPC
    help
      Enable support for remote procedure calls (RPC) in uClibc.

+config LIBC_UCLIBC_HAS_SSP
+    bool
+    prompt "Support stack smashing protection (SSP)"
+    default y
+    help
+      Enable support for building programs with -fstack-protector family
+      of options. If this option is disabled, one can also use a standalone
+      libssp library from GCC.
+
+config LIBC_UCLIBC_BUILD_SSP
+    bool
+    prompt "Build uClibc with SSP"
+    depends on LIBC_UCLIBC_HAS_SSP
+    help
+      Build uClibc with -fstack-protector. This adds runtime overhead
+      to many function calls and is disabled by default.
+
 if ARCH_ARM
 config LIBC_UCLIBC_USE_GNU_SUFFIX
    bool
--- a/scripts/build/binutils/binutils-ld.in
+++ b/scripts/build/binutils/binutils-ld.in
--- a/contrib/uClibc-defconfigs/uClibc-ng.config
+++ b/contrib/uClibc-defconfigs/uClibc-ng.config
--- a/contrib/uClibc-defconfigs/uClibc.config
+++ b/contrib/uClibc-defconfigs/uClibc.config
--- a/scripts/build/binutils/binutils.sh
+++ b/scripts/build/binutils/binutils.sh
@ -226,7 +226,7 @@ do_binutils_backend() {
        rm -f "${prefix}/bin/${CT_TARGET}-ld"
        rm -f "${prefix}/${CT_TARGET}/bin/ld"
        sed -r -e "s/@@DEFAULT_LD@@/${CT_BINUTILS_LINKER_DEFAULT}/" \
-            "${CT_LIB_DIR}/scripts/build/binutils/binutils-ld.in"      \
+            "${CT_LIB_DIR}/packages/binutils/binutils-ld.in"      \
            >"${prefix}/bin/${CT_TARGET}-ld"
        chmod a+x "${prefix}/bin/${CT_TARGET}-ld"
        cp -a "${prefix}/bin/${CT_TARGET}-ld"   \
--- a/scripts/build/libc/glibc.sh
+++ b/scripts/build/libc/glibc.sh
@ -176,6 +176,10 @@ glibc_backend_once()
    [ -n "${CT_PKGVERSION}" ] && extra_config+=("--with-pkgversion=${CT_PKGVERSION}")
    [ -n "${CT_TOOLCHAIN_BUGURL}" ] && extra_config+=("--with-bugurl=${CT_TOOLCHAIN_BUGURL}")

+    if [ -n "${CT_GLIBC_SSP}" ]; then
+        extra_config+=("--enable-stack-protector=${CT_GLIBC_SSP}")
+    fi
+
    touch config.cache

    # Hide host C++ binary from configure
--- a/scripts/build/libc/uClibc.sh
+++ b/scripts/build/libc/uClibc.sh
@ -94,7 +94,7 @@ uClibc_backend_once()

    # Use the default config if the user did not provide one.
    if [ -z "${CT_LIBC_UCLIBC_CONFIG_FILE}" ]; then
-        CT_LIBC_UCLIBC_CONFIG_FILE="${CT_LIB_DIR}/contrib/uClibc-defconfigs/${uClibc_name}.config"
+        CT_LIBC_UCLIBC_CONFIG_FILE="${CT_LIB_DIR}/packages/${uClibc_name}/config"
    fi

    manage_uClibc_config "${CT_LIBC_UCLIBC_CONFIG_FILE}" .config "${multi_flags}"
@ -324,11 +324,14 @@ manage_uClibc_config()
    fi

    # Stack Smash Protection (SSP)
-    if [ "${CT_CC_GCC_LIBSSP}" = "y" ]; then
+    if [ "${CT_LIBC_UCLIBC_HAS_SSP}" = "y" ]; then
        CT_KconfigEnableOption "UCLIBC_HAS_SSP" "${dst}"
-        CT_KconfigEnableOption "UCLIBC_BUILD_SSP" "${dst}"
    else
        CT_KconfigDisableOption "UCLIBC_HAS_SSP" "${dst}"
+    fi
+    if [ "${CT_LIBC_UCLIBC_BUILD_SSP}" = "y" ]; then
+        CT_KconfigEnableOption "UCLIBC_BUILD_SSP" "${dst}"
+    else
        CT_KconfigDisableOption "UCLIBC_BUILD_SSP" "${dst}"
    fi