From patchwork Thu Jun 29 18:41:45 2023
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 1801590
To: libc-alpha@sourceware.org
Subject: [PATCH 2/4] configure: Default --enable-stack-protector to strong
Date: Thu, 29 Jun 2023 14:41:45 -0400
Message-ID: <20230629184156.2789945-3-siddhesh@sourceware.org>
In-Reply-To: <20230629184156.2789945-1-siddhesh@sourceware.org>
References: <20230629184156.2789945-1-siddhesh@sourceware.org>
From: Siddhesh Poyarekar Reply-To: Siddhesh Poyarekar Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org Sender: "Libc-alpha" All major distributions use this level of stack protector, so make it the default. Signed-off-by: Siddhesh Poyarekar --- INSTALL | 3 ++- NEWS | 4 ++++ configure | 2 +- configure.ac | 2 +- manual/install.texi | 3 ++- 5 files changed, 10 insertions(+), 4 deletions(-) diff --git a/INSTALL b/INSTALL index a1e189eb9f..f02358e933 100644 --- a/INSTALL +++ b/INSTALL @@ -196,13 +196,14 @@ if ‘CFLAGS’ is specified it must enable optimization. For example: ‘--enable-stack-protector’ ‘--enable-stack-protector=strong’ ‘--enable-stack-protector=all’ +‘--enable-stack-protector=no’ Compile the C library and all other parts of the glibc package (including the threading and math libraries, NSS modules, and transliteration modules) using the GCC ‘-fstack-protector’, ‘-fstack-protector-strong’ or ‘-fstack-protector-all’ options to detect stack overruns. Only the dynamic linker and a small number of routines called directly from assembler are excluded from this - protection. + protection. This option is enabled by default and set to ‘strong’. ‘--enable-bind-now’ Disable lazy binding for installed shared objects and programs. diff --git a/NEWS b/NEWS index 709ee40e50..47ec0b741c 100644 --- a/NEWS +++ b/NEWS @@ -48,6 +48,10 @@ Major new features: * The strlcpy and strlcat functions have been added. They are derived from OpenBSD, and are expected to be added to a future POSIX version. +* The GNU C Library is now built with -fstack-protector-strong by + default. This may be overridden by using the --enable-stack-protector + configure option. + Deprecated and removed features, and other changes affecting compatibility: * In the Linux kernel for the hppa/parisc architecture some of the diff --git a/configure b/configure index 11538ee1b3..863621cabf 100755 --- a/configure +++ b/configure 
@@ -4462,7 +4462,7 @@ if test ${enable_stack_protector+y} then : enableval=$enable_stack_protector; enable_stack_protector=$enableval else $as_nop - enable_stack_protector=no + enable_stack_protector=strong fi case "$enable_stack_protector" in diff --git a/configure.ac b/configure.ac index 18bb989ade..d85452b3b3 100644 --- a/configure.ac +++ b/configure.ac @@ -228,7 +228,7 @@ AC_ARG_ENABLE([stack-protector], AS_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@], [Use -fstack-protector[-all|-strong] to detect glibc buffer overflows]), [enable_stack_protector=$enableval], - [enable_stack_protector=no]) + [enable_stack_protector=strong]) case "$enable_stack_protector" in all|yes|no|strong) ;; *) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector: "$enable_stack_protector"]);; diff --git a/manual/install.texi b/manual/install.texi index 52eb2d8a23..b1aa5eb60c 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -222,13 +222,14 @@ time. Consult the @file{timezone} subdirectory for more details. @item --enable-stack-protector @itemx --enable-stack-protector=strong @itemx --enable-stack-protector=all +@itemx --enable-stack-protector=no Compile the C library and all other parts of the glibc package (including the threading and math libraries, NSS modules, and transliteration modules) using the GCC @option{-fstack-protector}, @option{-fstack-protector-strong} or @option{-fstack-protector-all} options to detect stack overruns. Only the dynamic linker and a small number of routines called directly from assembler are excluded from this -protection. +protection. This option is enabled by default and set to @option{strong}. @item --enable-bind-now Disable lazy binding for installed shared objects and programs. This
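Review bot: in the INSTALL and manual/install.texi hunks, the new `--enable-stack-protector=no` item joins the list, but the paragraph under it still describes only the three enabling forms, so the reader is never told that `=no` is the form that turns the protection off. The added sentence "This option is enabled by default and set to strong" also leaves a consequence unstated: the bare `--enable-stack-protector` form, which this text pairs with -fstack-protector, now selects a weaker level than passing no option at all. Suggest one more sentence covering both points, so that a builder who adds the bare flag expecting to harden the build is not surprised.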
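Review bot: the NEWS entry says the default "may be overridden by using the --enable-stack-protector configure option" without naming a value, and the bare option is itself one of the accepted forms. Suggest spelling out `--enable-stack-protector=no` for builders who need the previous behaviour, and optionally `=all` for those who want the stricter level, so the entry is usable without opening INSTALL.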
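Review bot: in the configure.ac hunk the fallback moves from `no` to `strong`, but the visible context only validates the value against `all|yes|no|strong`; nothing shown here indicates what happens when the compiler in use does not accept -fstack-protector-strong. While the option was opt-in that was the caller's problem, but as a default it affects every build that passes no option. Please confirm that a compiler check exists outside the shown context and that it fails with a clear message, and say so in the commit message. The configure hunk is the regenerated counterpart and is consistent with the configure.ac change.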