[or-cvs] [tor/release-0.2.2 069/162] Use ssp-buffer-size param when hardening

arma at torproject.org arma at torproject.org
Mon Dec 20 03:06:33 UTC 2010


Author: Sebastian Hahn <sebastian at torproject.org>
Date: Tue, 19 Oct 2010 19:14:58 +0200
Subject: Use ssp-buffer-size param when hardening
Commit: cee4dc61015d31d27ca25ccb2a7226493f486cd5

We used to enable ssp-buffer-size=1 only when building with
--enable-gcc-warnings. That would result in warnings (and no
protection for small arrays) when building with
--enable-gcc-hardening without enabling warnings, too. Fixes bug
2031.

Also remove an XXX: We now allow building with -fstack-protector
by using --enable-gcc-hardening.
---
 changes/bug2031 |    5 +++++
 configure.in    |    5 ++---
 2 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 changes/bug2031

diff --git a/changes/bug2031 b/changes/bug2031
new file mode 100644
index 0000000..59afc02
--- /dev/null
+++ b/changes/bug2031
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Enable protection of small arrays whenever we build with gcc hardening
+      features, not only when also building with warnings enabled. Fixes bug
+      2031; bugfix on 0.2.2.14-alpha. Reported by keb.
+
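Review bot: the changelog entry says "protection of small arrays" but never names the setting involved, so a packager reading it cannot tell which compiler option changed. Suggest mentioning `--param ssp-buffer-size=1` and `--enable-gcc-hardening` explicitly, as the commit message does, so the entry can be matched against build logs.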
diff --git a/configure.in b/configure.in
index 891daa8..7e72ada 100644
--- a/configure.in
+++ b/configure.in
@@ -99,7 +99,7 @@ AC_ARG_ENABLE(gcc-hardening,
 [if test x$enableval = xyes; then
     CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
     CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security"
-    CFLAGS="$CFLAGS -Wpointer-sign"
+    CFLAGS="$CFLAGS -Wpointer-sign --param ssp-buffer-size=1"
     LDFLAGS="$LDFLAGS -pie"
 fi])
 
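Review bot: on the changed `-Wpointer-sign` line, `--param ssp-buffer-size=1` is now added whenever `--enable-gcc-hardening` is given, without the `have_gcc42` test that guarded it at its old location further down in configure.in. If hardened builds with older compilers are still supported, consider probing whether the compiler accepts the param before appending it. As a style point, it tunes `-fstack-protector-all` rather than a warning, so it would read better on that CFLAGS line than next to `-Wpointer-sign`.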
@@ -892,9 +892,8 @@ if test x$enable_gcc_warnings = xyes || test x$enable_gcc_warnings_advisory = xy
 
   if test x$have_gcc42 = xyes ; then 
     # These warnings break gcc 4.0.2 and work on gcc 4.2
-    # XXXX020 Use -fstack-protector.
     # XXXX020 See if any of these work with earlier versions.
-    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=1 --param ssp-buffer-size=1"
+    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=1"
     # We used to use -Wstrict-overflow=5, but that breaks us heavily under 4.3.
   fi
 
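Review bot: removing `--param ssp-buffer-size=1` from the warnings CFLAGS line changes what a build with only `--enable-gcc-warnings` passes to the compiler, and neither the commit message nor changes/bug2031 says whether that is intended. As far as this hunk shows, nothing in the warnings block turns on a stack protector, so the param had nothing to tune here; a sentence in the commit message stating that would make the removal easier to audit. The deleted `XXXX020 Use -fstack-protector` comment is covered by the message, so no objection there.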
-- 
1.7.1
