From f5b57504d28d0bdcda26a06ec21d80906bfbf11e Mon Sep 17 00:00:00 2001
From: Alexey Neyman
Date: Tue, 4 Dec 2018 16:15:37 -0800
Subject: [PATCH] Add configuration options for enabling SSP ... in uClibc and glibc. Fixes #681. While here, relocate additional "sources" for uClibc/binutils into packages/ directory.
Signed-off-by: Alexey Neyman
---
 config/libc/glibc.in | 39 +++++++++++++++++++
 config/libc/uClibc.in | 17 ++++++++
 .../binutils/binutils-ld.in | 0
 .../uClibc-ng/config | 0
 .../uClibc.config => packages/uClibc/config | 0
 scripts/build/binutils/binutils.sh | 2 +-
 scripts/build/libc/glibc.sh | 4 ++
 scripts/build/libc/uClibc.sh | 9 +++--
 8 files changed, 67 insertions(+), 4 deletions(-)
 rename {scripts/build => packages}/binutils/binutils-ld.in (100%)
 rename contrib/uClibc-defconfigs/uClibc-ng.config => packages/uClibc-ng/config (100%)
 rename contrib/uClibc-defconfigs/uClibc.config => packages/uClibc/config (100%)
diff --git a/config/libc/glibc.in b/config/libc/glibc.in
index 5916a83c..527063f4 100644
--- a/config/libc/glibc.in
+++ b/config/libc/glibc.in
@@ -320,6 +320,45 @@ config GLIBC_MIN_KERNEL
 default LINUX_VERSION if GLIBC_KERNEL_VERSION_AS_HEADERS
 default GLIBC_MIN_KERNEL_VERSION if GLIBC_KERNEL_VERSION_CHOSEN
+
+choice
+ bool "Stack-smashing protection (SSP) in glibc"
+ default GLIBC_SSP_DEFAULT
+
+config GLIBC_SSP_DEFAULT
+ bool "default"
+ help
+ Glibc's configure script determines the stack protection level.
+
+config GLIBC_SSP_NO
+ bool "no"
+ help
+ Glibc functions are not protected against stack-smashing.
+
+config GLIBC_SSP_YES
+ bool "yes"
+ help
+ Glibc is compiled with -fstack-protector option.
+
+config GLIBC_SSP_ALL
+ bool "all"
+ help
+ Glibc is compiled with -fstack-protector-all option.
+
+config GLIBC_SSP_STRONG
+ bool "strong"
+ help
+ Glibc is compiled with -fstack-protector-strong option.
+
+endchoice
+
+config GLIBC_SSP
+ string
+ default "no" if GLIBC_SSP_NO
+ default "yes" if GLIBC_SSP_YES
+ default "all" if GLIBC_SSP_ALL
+ default "strong" if GLIBC_SSP_STRONG
+
 # All supported versions of glibc build cleanly with GCC7 and earlier.
 # GCC8-related fixes were only available in glibc 2.27.
 config GLIBC_ENABLE_WERROR
diff --git a/config/libc/uClibc.in b/config/libc/uClibc.in
index 7bdd03f4..2b11e0c9 100644
--- a/config/libc/uClibc.in
+++ b/config/libc/uClibc.in
@@ -207,6 +207,23 @@ config LIBC_UCLIBC_RPC
 help
 Enable support for remote procedure calls (RPC) in uClibc.
+config LIBC_UCLIBC_HAS_SSP
+ bool
+ prompt "Support stack smashing protection (SSP)"
+ default y
+ help
+ Enable support for building programs with -fstack-protector family
+ of options. If this option is disabled, one can also use a standalone
+ libssp library from GCC.
+
+config LIBC_UCLIBC_BUILD_SSP
+ bool
+ prompt "Build uClibc with SSP"
+ depends on LIBC_UCLIBC_HAS_SSP
+ help
+ Build uClibc with -fstack-protector. This adds runtime overhead
+ to many function calls and is disabled by default.
+
 if ARCH_ARM
 config LIBC_UCLIBC_USE_GNU_SUFFIX
 bool
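Review bot: The four non-default entries of the new SSP choice can be selected for any glibc version, yet each of them becomes `--enable-stack-protector=...` in the glibc.sh hunk of this patch (glibc_backend_once), and that configure switch is, as far as I know, only understood from glibc 2.25 on. An autoconf-generated configure normally only warns about an unrecognised `--enable-*` option, so with an older glibc the build would probably succeed with libc compiled without canaries while the saved configuration still says "strong". The choice should depend on a glibc version that has the switch, or at least state the requirement in its help, for example `Needs a glibc whose configure accepts --enable-stack-protector; older releases ignore the setting.` It would also help if the GLIBC_SSP_DEFAULT help said that nothing is passed to configure in that case, which I believe leaves glibc unprotected unless its configure decides otherwise.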
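Review bot: The help for LIBC_UCLIBC_BUILD_SSP names only the cost of the option and not what is given up when it stays off, which is the default here. Going by the two help texts, LIBC_UCLIBC_HAS_SSP only lets programs be built with the -fstack-protector family, while the library's own functions are protected only with LIBC_UCLIBC_BUILD_SSP; I would add to the help `When disabled, uClibc's own functions are built without stack canaries, even if applications use -fstack-protector.` The text says "disabled by default" without a `default n` line, which works because an unset bool is off, but writing it out would make the intent visible next to the `default y` of the sibling option.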
diff --git a/scripts/build/binutils/binutils-ld.in b/packages/binutils/binutils-ld.in
similarity index 100%
rename from scripts/build/binutils/binutils-ld.in
rename to packages/binutils/binutils-ld.in
diff --git a/contrib/uClibc-defconfigs/uClibc-ng.config b/packages/uClibc-ng/config
similarity index 100%
rename from contrib/uClibc-defconfigs/uClibc-ng.config
rename to packages/uClibc-ng/config
diff --git a/contrib/uClibc-defconfigs/uClibc.config b/packages/uClibc/config
similarity index 100%
rename from contrib/uClibc-defconfigs/uClibc.config
rename to packages/uClibc/config
diff --git a/scripts/build/binutils/binutils.sh b/scripts/build/binutils/binutils.sh
index 73357430..d1745a34 100644
--- a/scripts/build/binutils/binutils.sh
+++ b/scripts/build/binutils/binutils.sh
@@ -226,7 +226,7 @@ do_binutils_backend() {
 rm -f "${prefix}/bin/${CT_TARGET}-ld"
 rm -f "${prefix}/${CT_TARGET}/bin/ld"
 sed -r -e "s/@@DEFAULT_LD@@/${CT_BINUTILS_LINKER_DEFAULT}/" \
- "${CT_LIB_DIR}/scripts/build/binutils/binutils-ld.in" \
+ "${CT_LIB_DIR}/packages/binutils/binutils-ld.in" \
 >"${prefix}/bin/${CT_TARGET}-ld"
 chmod a+x "${prefix}/bin/${CT_TARGET}-ld"
 cp -a "${prefix}/bin/${CT_TARGET}-ld" \
diff --git a/scripts/build/libc/glibc.sh b/scripts/build/libc/glibc.sh
index a9adbbbc..4d44fea9 100644
--- a/scripts/build/libc/glibc.sh
+++ b/scripts/build/libc/glibc.sh
@@ -176,6 +176,10 @@ glibc_backend_once()
 [ -n "${CT_PKGVERSION}" ] && extra_config+=("--with-pkgversion=${CT_PKGVERSION}")
 [ -n "${CT_TOOLCHAIN_BUGURL}" ] && extra_config+=("--with-bugurl=${CT_TOOLCHAIN_BUGURL}")
+ if [ -n "${CT_GLIBC_SSP}" ]; then
+ extra_config+=("--enable-stack-protector=${CT_GLIBC_SSP}")
+ fi
+
 touch config.cache
 # Hide host C++ binary from configure
diff --git a/scripts/build/libc/uClibc.sh b/scripts/build/libc/uClibc.sh
index 7b662045..ccadfeb6 100644
--- a/scripts/build/libc/uClibc.sh
+++ b/scripts/build/libc/uClibc.sh
@@ -94,7 +94,7 @@ uClibc_backend_once()
 # Use the default config if the user did not provide one.
 if [ -z "${CT_LIBC_UCLIBC_CONFIG_FILE}" ]; then
- CT_LIBC_UCLIBC_CONFIG_FILE="${CT_LIB_DIR}/contrib/uClibc-defconfigs/${uClibc_name}.config"
+ CT_LIBC_UCLIBC_CONFIG_FILE="${CT_LIB_DIR}/packages/${uClibc_name}/config"
 fi
 manage_uClibc_config "${CT_LIBC_UCLIBC_CONFIG_FILE}" .config "${multi_flags}"
@@ -324,11 +324,14 @@ manage_uClibc_config()
 fi
 # Stack Smash Protection (SSP)
- if [ "${CT_CC_GCC_LIBSSP}" = "y" ]; then
+ if [ "${CT_LIBC_UCLIBC_HAS_SSP}" = "y" ]; then
 CT_KconfigEnableOption "UCLIBC_HAS_SSP" "${dst}"
- CT_KconfigEnableOption "UCLIBC_BUILD_SSP" "${dst}"
 else
 CT_KconfigDisableOption "UCLIBC_HAS_SSP" "${dst}"
+ fi
+ if [ "${CT_LIBC_UCLIBC_BUILD_SSP}" = "y" ]; then
+ CT_KconfigEnableOption "UCLIBC_BUILD_SSP" "${dst}"
+ else
 CT_KconfigDisableOption "UCLIBC_BUILD_SSP" "${dst}"
 fi
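Review bot: In the second hunk UCLIBC_BUILD_SSP is now switched by CT_LIBC_UCLIBC_BUILD_SSP alone, and the `else` branch actively disables it in `${dst}`, so a setup that used to get an SSP-built uClibc through CT_CC_GCC_LIBSSP=y ends up with an unprotected libc unless the new option is turned on by hand; a user-supplied config file that sets UCLIBC_BUILD_SSP itself is presumably affected the same way. Nothing in the hunk tells the user that this happened. I would log the outcome in the disabling branch, e.g. `CT_DoLog EXTRA "uClibc itself is built without SSP (LIBC_UCLIBC_BUILD_SSP is off)"`, and put a comment such as `# HAS_SSP: SSP support for applications; BUILD_SSP: canaries in uClibc's own code` above the two tests. manage_uClibc_config starts and ends outside the hunk, so whether `${dst}` is checked again later is not visible here.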