Page MenuHomeFreeBSD

Only use -fstack-protector-strong with supported compilers
ClosedPublic

Authored by ngie on Oct 17 2015, 8:23 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Mar 28, 8:18 AM
Unknown Object (File)
Fri, Mar 1, 12:06 AM
Unknown Object (File)
Feb 26 2024, 10:40 AM
Unknown Object (File)
Feb 26 2024, 10:40 AM
Unknown Object (File)
Feb 15 2024, 7:48 AM
Unknown Object (File)
Feb 14 2024, 7:39 AM
Unknown Object (File)
Jan 27 2024, 5:27 PM
Unknown Object (File)
Jan 3 2024, 1:19 AM

Details

Summary

Only use -fstack-protector-strong with supported compilers

This includes clang 3.5.0+, gcc 4.2.1, gcc 4.8.0+

This allows me to do subdirectory makes again on 10.2-RELEASE as it
comes with clang 3.4.1.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 792
Build 792: arc lint + arc unit

Event Timeline

ngie retitled this revision from to Only use -fstack-protector-strong with supported compilers.
ngie updated this object.
ngie added a reviewer: pfg.
ngie added a subscriber: imp.
pfg edited edge metadata.

This should also fix some issues some ports are having with USE_GCC.

This revision is now accepted and ready to land.Oct 17 2015, 2:10 PM
share/mk/bsd.sys.mk
153

40800 is wrong; it needs to be 40804: https://svnweb.freebsd.org/ports/head/lang/gcc48/

ngie marked an inline comment as done.Oct 17 2015, 7:45 PM
ngie added inline comments.
share/mk/bsd.sys.mk
153

LGTM:

[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=clang35 make -VCFLAGS:M-fstack-protector-strong
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=clang make -VCFLAGS:M-fstack-protector-strong                                                                                         

[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=gcc47 make -VCFLAGS:M-fstack-protector-strong                                                                                         

[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=gcc48 make -VCFLAGS:M-fstack-protector-strong                                                                                         
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=gcc49 make -VCFLAGS:M-fstack-protector-strong                                                                                         
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=gcc make -VCFLAGS:M-fstack-protector-strong
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=clang36 make -VCFLAGS:M-fstack-protector-strong                                                                                       
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=clang37 make -VCFLAGS:M-fstack-protector-strong                                                                                       
-fstack-protector-strong
This revision was automatically updated to reflect the committed changes.
ngie marked an inline comment as done.

The check looks wrong, people usually get gcc from the lang/gcc port, not lang/gcc48:

% gcc48 --version
gcc48 (FreeBSD Ports Collection) 4.8.5
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

% gcc48 -fstack-protector-strong
gcc48: error: unrecognized command line option '-fstack-protector-strong'
gcc48: fatal error: no input files
compilation terminated.

Also, if this ever gets MFCed, people using clang 3.4.1 will lose all stack protection.

The check looks wrong, people usually get gcc from the lang/gcc port, not lang/gcc48:

...

Also, if this ever gets MFCed, people using clang 3.4.1 will lose all stack protection.

There are no plans to MFC any of this, but you are right: we should have an .else
with the regular -fstack-protector

The check looks wrong, people usually get gcc from the lang/gcc port, not lang/gcc48:

% gcc48 --version
gcc48 (FreeBSD Ports Collection) 4.8.5
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

% gcc48 -fstack-protector-strong
gcc48: error: unrecognized command line option '-fstack-protector-strong'
gcc48: fatal error: no input files
compilation terminated.

Why doesn't lang/gcc have all of the patches from lang/gcc48???

https://svnweb.freebsd.org/ports?view=revision&revision=357238

Also, if this ever gets MFCed, people using clang 3.4.1 will lose all stack protection.

clang 3.4.1 doesn't have this option:

[ngie@fbsd10 /usr/src]$ grep -r protector-strong contrib/llvm/ || echo not found
not found
[ngie@fbsd10 /usr/src]$ clang --version
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
Target: x86_64-unknown-freebsd10.2
Thread model: posix
[ngie@fbsd10 /usr/src]$ svnversion 
289467
In D3924#81535, @pfg wrote:

The check looks wrong, people usually get gcc from the lang/gcc port, not lang/gcc48:

...

Also, if this ever gets MFCed, people using clang 3.4.1 will lose all stack protection.

There are no plans to MFC any of this, but you are right: we should have an .else
with the regular -fstack-protector

Yeah... that have been added in the earlier commit.

In D3924#81536, @ngie wrote:

Why doesn't lang/gcc have all of the patches from lang/gcc48???

https://svnweb.freebsd.org/ports?view=revision&revision=357238

There's a PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203751

Also, if this ever gets MFCed, people using clang 3.4.1 will lose all stack protection.

clang 3.4.1 doesn't have this option:

[ngie@fbsd10 /usr/src]$ grep -r protector-strong contrib/llvm/ || echo not found
not found
[ngie@fbsd10 /usr/src]$ clang --version
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
Target: x86_64-unknown-freebsd10.2
Thread model: posix
[ngie@fbsd10 /usr/src]$ svnversion 
289467

bug clang 3.4.1 has -fstack-protector

Reopening the revision based on input from antoine@

This revision is now accepted and ready to land.Oct 17 2015, 8:47 PM

I'm changing the conditional to only enable itself with gcc versions 4.9+ to unbreak ports.

[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=clang37 make -V'CFLAGS:M-fstack-protector*'
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=clang34 make -V'CFLAGS:M-fstack-protector*'
-fstack-protector
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=gcc49 make -V'CFLAGS:M-fstack-protector*'
-fstack-protector-strong
[ngie@escher ~/svn/freebsd/src/tests/sys/pjdfstest/pjdfstest]$ env CC=gcc48 make -V'CFLAGS:M-fstack-protector*'
-fstack-protector

ngie edited edge metadata.

Only use -fstack-protector-strong on gcc 4.9+, because of lang/gcc doesn't have
all of the patches from lang/gcc48

This revision now requires review to proceed.Oct 17 2015, 9:42 PM
pfg edited edge metadata.
This revision is now accepted and ready to land.Oct 17 2015, 10:14 PM
ngie removed a subscriber: antoine.
In D3924#81568, @ngie wrote:

Only use -fstack-protector-strong on gcc 4.9+, because of lang/gcc doesn't have
all of the patches from lang/gcc48

Also, use -fstack-protector if MK_SSP != no on compatible architectures.

This revision was automatically updated to reflect the committed changes.