[PATCH] build: improve stack protector check

Jeremy Allison jra at samba.org
Fri Sep 18 22:50:09 UTC 2015 

On Fri, Sep 11, 2015 at 04:57:16PM -0300, Gustavo Zacarias wrote:
> Testing a toolchain for proper -fstack-protector must go beyond ensuring
> the compiler and linker accept the option.
> If the test C program does nothing with the stack then guards aren't
> inserted and/or are optimized away giving the false impression that it
> works when in fact the libc might not support it.
> 
> Update the check to a program that uses the stack, hence making a link
> fail if proper support isn't available, for example in non-ssp enabled
> uclibc toolchains like this:
> 
> test.c:(.text.startup+0x64): undefined reference to `__stack_chk_fail'
> 
> Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
> ---
>  buildtools/wafsamba/samba_autoconf.py | 20 +++++++++++++++++---
>  1 file changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
> index c5f132c..ef34b00 100644
> --- a/buildtools/wafsamba/samba_autoconf.py
> +++ b/buildtools/wafsamba/samba_autoconf.py
> @@ -657,9 +657,23 @@ def SAMBA_CONFIG_H(conf, path=None):
>      if not IN_LAUNCH_DIR(conf):
>          return
>  
> -    if conf.CHECK_CFLAGS(['-fstack-protector']) and conf.CHECK_LDFLAGS(['-fstack-protector']):
> -        conf.ADD_CFLAGS('-fstack-protector')
> -        conf.ADD_LDFLAGS('-fstack-protector')
> +    # we need to build real code that can't be optimized away to test
> +    if conf.check(fragment='''
> +        #include <stdio.h>
> +
> +        int main(void)
> +        {
> +            char t[100000];
> +            while (fgets(t, sizeof(t), stdin));
> +            return 0;
> +        }
> +        ''',
> +        execute=0,
> +        ccflags='-fstack-protector',
> +        ldflags='-fstack-protector',
> +        msg='Checking if toolchain accepts -fstack-protector'):
> +            conf.ADD_CFLAGS('-fstack-protector')
> +            conf.ADD_LDFLAGS('-fstack-protector')
>  
>      if Options.options.debug:
>          conf.ADD_CFLAGS('-g', testflags=True)
> -- 
> 2.4.6

Reviewed-by: Jeremy Allison <jra at samba.org>

Can I get a second Team reviewer ?

Cheers,

	Jeremy.

More information about the samba-technical mailing list