diff --git a/share/mk/bsd.compiler.mk b/share/mk/bsd.compiler.mk
--- a/share/mk/bsd.compiler.mk
+++ b/share/mk/bsd.compiler.mk
@@ -24,6 +24,7 @@
 # - retpoline: supports the retpoline speculative execution vulnerability
 # mitigation.
 # - init-all: supports stack variable initialization.
+# - stackclash:supports stack clash protection
 # - zeroregs: supports zeroing used registers on return
 # - aarch64-sha512: supports the AArch64 sha512 intrinsic functions.
 #
@@ -264,8 +265,18 @@
 ${X_}COMPILER_FEATURES+= fileprefixmap
 .endif
+.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
+ && ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "") || \
+ (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
+ && ${MACHINE_ARCH:Mriscv*} != "")
+${X_}COMPILER_FEATURES+= stackclash
+.endif
+
+
 .if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
- (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)
+ (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) && \
+ ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "" && \
+ ${MACHINE_ARCH:Marmv7*} != ""
 ${X_}COMPILER_FEATURES+= zeroregs
 .endif
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -170,7 +170,7 @@
 ${CTFCONVERT_CMD}
 .c.nossppico:
- ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
+ ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
 ${CTFCONVERT_CMD}
 .c.pieo:
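Review bot: The architecture tests in both conditions of the `@@ -264,8 +265,18 @@` hunk of bsd.compiler.mk are inverted, and in the zeroregs condition they also bind to the wrong operand. `${MACHINE_ARCH:Mriscv*} != ""` is true when the architecture matches, so the clang arm of the stackclash test needs MACHINE_ARCH to match both `riscv*` and `power*` and can never be true, while the gcc arm enables the feature only on riscv. In the zeroregs test `&&` binds tighter than `||`, so the three arch terms attach to the gcc arm alone (which becomes unsatisfiable) and leave the clang arm unrestricted. Because the bsd.sys.mk hunk of this patch drops `-fstack-clash-protection` when the feature is absent, clang builds would silently lose a mitigation that was passed unconditionally before. Assuming the intent is to exclude those architectures, compare with `== ""` and parenthesise the compiler alternatives:

```make
.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \
    && ${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == "") || \
    (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \
    && ${MACHINE_ARCH:Mriscv*} == "")
# … unchanged: COMPILER_FEATURES+= stackclash, .endif …
.if ((${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \
    (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000)) && \
    ${MACHINE_ARCH:Mriscv*} == "" && ${MACHINE_ARCH:Mpower*} == "" && \
    ${MACHINE_ARCH:Marmv7*} == ""
# … unchanged: COMPILER_FEATURES+= zeroregs, .endif …
```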
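Review bot: Filtering `-fstack-clash-protection` out of the `.c.nossppico` recipe in bsd.lib.mk (and likewise in the `.cc`, `.f`, `.asm` and `.S` nossppico recipes in the hunks that follow) removes a second mitigation from these objects without stating why. The existing filter presumably serves objects that must be built without the stack protector; the patch does not show that stack-clash probing has the same constraint. Either leave the flag in place or add a comment above the first rule such as `# nossppico objects also drop -fstack-clash-protection because <reason>`. The same substitution chain now appears seven times across these recipes, so keeping it in one place would stop the copies drifting apart. The suffix rules start and end outside these hunks.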
@@ -184,7 +184,7 @@
 ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
 .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico:
- ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
+ ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET}
 .cc.pieo .C.pieo .cpp.pieo .cxx.pieo:
 ${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
@@ -198,7 +198,7 @@
 ${CTFCONVERT_CMD}
 .f.nossppico:
- ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC}
+ ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} -o ${.TARGET} -c ${.IMPSRC}
 ${CTFCONVERT_CMD}
 .s.po .s.pico .s.nossppico .s.pieo:
@@ -217,7 +217,7 @@
 .asm.nossppico:
 ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \
- ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
+ ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
 ${CTFCONVERT_CMD}
 .asm.pieo:
@@ -236,7 +236,7 @@
 ${CTFCONVERT_CMD}
 .S.nossppico:
- ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} \
+ ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} \
 -c ${.IMPSRC} -o ${.TARGET}
 ${CTFCONVERT_CMD}
diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -304,7 +304,11 @@
 FORTIFY_SOURCE?= 0
 .if ${MK_SSP} != "no"
 # Don't use -Wstack-protector as it breaks world with -Werror.
+.if ${COMPILER_FEATURES:Mstackclash}
 SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection
+.else
+SSP_CFLAGS?= -fstack-protector-strong
+.endif
 CFLAGS+= ${SSP_CFLAGS}
 .endif # SSP
 .if ${FORTIFY_SOURCE} > 0
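Review bot: The new `.else` branch in bsd.sys.mk falls back to `-fstack-protector-strong` alone with no comment or diagnostic, so a build whose compiler is not credited with the `stackclash` feature loses stack-clash protection silently. The flag was unconditional before, since the line carrying it is a context line in this hunk. Add a comment above the new `.if`, for example `# -fstack-clash-protection is passed only when bsd.compiler.mk lists "stackclash" for this compiler and architecture.` Because `SSP_CFLAGS` is assigned with `?=`, a value preset by the user still bypasses both branches, which is worth stating in the same comment. The enclosing `.if ${MK_SSP} != "no"` block opens and closes inside the hunk.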