authorRobert Mustacchi <rm@fingolfin.org>2020-10-24 17:43:02 -0700
committerRobert Mustacchi <rm@fingolfin.org>2020-11-17 08:52:10 -0800
commit5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6 (patch)
tree762f2de7c139aee157730b0e788d3a61462554e9 /usr/src/lib
parent6a817834d81cc75ce12d0d393320837b1fec1e85 (diff)
13274 enable -fstack-protector-strong by default in user land
Reviewed by: Andy Fiddaman <andy@omniosce.org> Reviewed by: Toomas Soome <tsoome@me.com> Approved by: Gordon Ross <gordon.w.ross@gmail.com>
Diffstat (limited to 'usr/src/lib')
-rw-r--r--usr/src/lib/Makefile.lib7
-rw-r--r--usr/src/lib/libc/amd64/Makefile6
-rw-r--r--usr/src/lib/libc/i386/Makefile.com6
-rw-r--r--usr/src/lib/libc/sparc/Makefile.com6
-rw-r--r--usr/src/lib/libc/sparcv9/Makefile.com6
-rw-r--r--usr/src/lib/libdisasm/Makefile.com6
-rw-r--r--usr/src/lib/libdtrace/Makefile.com10
-rw-r--r--usr/src/lib/libsaveargs/Makefile.com6
-rw-r--r--usr/src/lib/libumem/Makefile.com6
-rw-r--r--usr/src/lib/ssp_ns/Makefile.com6
10 files changed, 64 insertions, 1 deletions
diff --git a/usr/src/lib/Makefile.lib b/usr/src/lib/Makefile.lib
index fb16de1a17..2dab9d92c6 100644
--- a/usr/src/lib/Makefile.lib
+++ b/usr/src/lib/Makefile.lib
@@ -163,6 +163,13 @@ INS.liblink64= -$(RM) $@; $(SYMLINK) $(LIBLINKPATH)$(LIBLINKS)$(VERS) $@
INS.liblinkccc64= -$(RM) $@; $(SYMLINK) $(LIBLINKPATH)$(LIBLINKSCCC)$(VERS) $@
#
+# Default to adding stack protection to all libraries.
+#
+CFLAGS += $(CCSTACKPROTECT)
+CFLAGS64 += $(CCSTACKPROTECT)
+LDLIBS += $(LDSTACKPROTECT)
+
+#
# If appropriate, augment POST_PROCESS_O and POST_PROCESS_SO to do CTF
# processing. We'd like to just conditionally append to POST_PROCESS_O and
# POST_PROCESS_SO, but ParallelMake has a bug which causes the same value to
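Review bot: The new comment above `CFLAGS += $(CCSTACKPROTECT)` does not say how a library opts out, although every other file in this commit does so by setting `STACKPROTECT = none`. This is the first place a maintainer will look, so I would extend it with something like `# Libraries that cannot use it set STACKPROTECT = none, file-wide or per target via ':='.` It is also worth stating that only link lines built from `LDLIBS` pick up `$(LDSTACKPROTECT)`; a library with its own link list has to add it by hand, as `LIBDAUDITLIBS` in libdtrace does. `CCSTACKPROTECT` and `LDSTACKPROTECT` are defined outside this hunk, so what they expand to cannot be checked from here.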
diff --git a/usr/src/lib/libc/amd64/Makefile b/usr/src/lib/libc/amd64/Makefile
index 846b260cfd..717c549329 100644
--- a/usr/src/lib/libc/amd64/Makefile
+++ b/usr/src/lib/libc/amd64/Makefile
@@ -1202,6 +1202,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha
pics/__clock_gettime.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS)
pics/gettimeofday.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS)
+#
+# Disable the stack protector due to issues with bootstrapping rtld. See
+# cmd/sgs/rtld/Makefile.com for more information.
+#
+STACKPROTECT = none
+
.KEEP_STATE:
all: $(LIBS) $(LIB_PIC)
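Review bot: `STACKPROTECT = none` is assigned file-wide here, so all of libc is built without the stack protector, not only the objects involved in bootstrapping rtld. The same file-wide assignment is repeated in the libc/i386, libc/sparc and libc/sparcv9 hunks. Whether the exemption could be narrowed to per-object assignments (the `pics/foo.o := ...` form used just above) is not visible from this hunk. The comment should at least record the resulting coverage gap and the condition for removing it, e.g. `# This leaves all of libc unprotected; revisit once the rtld bootstrap issue is resolved.`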
diff --git a/usr/src/lib/libc/i386/Makefile.com b/usr/src/lib/libc/i386/Makefile.com
index a45feed38a..a1c0297112 100644
--- a/usr/src/lib/libc/i386/Makefile.com
+++ b/usr/src/lib/libc/i386/Makefile.com
@@ -1267,6 +1267,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha
pics/__clock_gettime.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS)
pics/gettimeofday.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS)
+#
+# Disable the stack protector due to issues with bootstrapping rtld. See
+# cmd/sgs/rtld/Makefile.com for more information.
+#
+STACKPROTECT = none
+
.KEEP_STATE:
all: $(LIBS) $(LIB_PIC)
diff --git a/usr/src/lib/libc/sparc/Makefile.com b/usr/src/lib/libc/sparc/Makefile.com
index b2c0c36ef7..c699befe9c 100644
--- a/usr/src/lib/libc/sparc/Makefile.com
+++ b/usr/src/lib/libc/sparc/Makefile.com
@@ -1318,6 +1318,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha
# Files which need extra optimization
pics/getenv.o := sparc_COPTFLAG = -xO4
+#
+# Disable the stack protector due to issues with bootstrapping rtld. See
+# cmd/sgs/rtld/Makefile.com for more information.
+#
+STACKPROTECT = none
+
.KEEP_STATE:
all: $(LIBS) $(LIB_PIC)
diff --git a/usr/src/lib/libc/sparcv9/Makefile.com b/usr/src/lib/libc/sparcv9/Makefile.com
index a009541deb..120e164f62 100644
--- a/usr/src/lib/libc/sparcv9/Makefile.com
+++ b/usr/src/lib/libc/sparcv9/Makefile.com
@@ -1241,6 +1241,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha
# Files which need extra optimization
pics/getenv.o := sparcv9_COPTFLAG = -xO4
+#
+# Disable the stack protector due to issues with bootstrapping rtld. See
+# cmd/sgs/rtld/Makefile.com for more information.
+#
+STACKPROTECT = none
+
.KEEP_STATE:
all: $(LIBS) $(LIB_PIC)
diff --git a/usr/src/lib/libdisasm/Makefile.com b/usr/src/lib/libdisasm/Makefile.com
index 2173e5bb2c..e88d62335f 100644
--- a/usr/src/lib/libdisasm/Makefile.com
+++ b/usr/src/lib/libdisasm/Makefile.com
@@ -124,6 +124,12 @@ CERRWARN += $(CNOWARN_UNINIT)
# not linted
SMATCH=off
+#
+# The standalone environment currently does not support the stack
+# protector.
+#
+STACKPROTECT = none
+
# We want the thread-specific errno in the library, but we don't want it in
# the standalone. $(DTS_ERRNO) is designed to add -D_TS_ERRNO to $(CPPFLAGS),
# in order to enable this feature. Conveniently, -D_REENTRANT does the same
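Review bot: The comment limits the problem to the standalone environment, yet `STACKPROTECT = none` is assigned for the whole makefile, which presumably turns the protector off for the regular shared library too. libsaveargs and libumem in this same commit scope the same exemption with `$(STANDLIBRARY) := STACKPROTECT = none`. If libdisasm defines `STANDLIBRARY` the same way (not visible in this hunk), that form would keep the userland library protected. That coverage matters here because a disassembler parses byte streams it does not control.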
diff --git a/usr/src/lib/libdtrace/Makefile.com b/usr/src/lib/libdtrace/Makefile.com
index 1016c8e295..4b42c96cdc 100644
--- a/usr/src/lib/libdtrace/Makefile.com
+++ b/usr/src/lib/libdtrace/Makefile.com
@@ -140,7 +140,7 @@ SMATCH=off
YYCFLAGS =
LDLIBS += -lgen -lproc -lrtld_db -lnsl -lsocket -lctf -lelf -lc
DRTILDLIBS = $(LDLIBS.lib) -lc
-LIBDAUDITLIBS = $(LDLIBS.lib) -lmapmalloc -lc -lproc
+LIBDAUDITLIBS = $(LDLIBS.lib) -lmapmalloc -lc -lproc $(LDSTACKPROTECT)
yydebug := YYCFLAGS += -DYYDEBUG
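Review bot: `LIBDAUDITLIBS` gains `$(LDSTACKPROTECT)` while `DRTILDLIBS` on the line above does not, and nothing in this hunk says why the two differ. It matches the drti.o opt-out added in the next hunk, but a reader of this line alone cannot tell that the omission is deliberate. A short comment above the two assignments would cover it, e.g. `# libdaudit uses its own link list and needs $(LDSTACKPROTECT) explicitly; drti.o is built without the protector and does not.`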
@@ -154,6 +154,14 @@ ROOTDLIBS = $(DLIBSRCS:%=$(ROOTDLIBDIR)/%)
ROOTDOBJS = $(ROOTDLIBDIR)/$(DRTIOBJ) $(ROOTDLIBDIR)/$(LIBDAUDIT)
ROOTDOBJS64 = $(ROOTDLIBDIR64)/$(DRTIOBJ) $(ROOTDLIBDIR64)/$(LIBDAUDIT)
+#
+# We do not build drti.o with the stack protector as otherwise
+# everything that uses dtrace -G may have a surprise stack protector
+# requirement right now. While in theory this could be handled by libc,
+# this will make the overall default transition smoother.
+#
+$(DRTIOBJ) := STACKPROTECT = none
+
$(ROOTDLIBDIR)/%.d := FILEMODE=444
$(ROOTDLIBDIR)/%.o := FILEMODE=444
$(ROOTDLIBDIR64)/%.o := FILEMODE=444
diff --git a/usr/src/lib/libsaveargs/Makefile.com b/usr/src/lib/libsaveargs/Makefile.com
index 3f23249570..6e47b2839c 100644
--- a/usr/src/lib/libsaveargs/Makefile.com
+++ b/usr/src/lib/libsaveargs/Makefile.com
@@ -60,6 +60,12 @@ LINKTEST_OBJ = objs/linktest_stand.o
CLOBBERFILES_standalone = $(LINKTEST_OBJ)
CLOBBERFILES += $(CLOBBERFILES_$(CURTYPE))
+#
+# The standalone environment currently does not support the stack
+# protector.
+#
+$(STANDLIBRARY) := STACKPROTECT = none
+
LIBS_standalone = $(STANDLIBRARY)
LIBS_library = $(DYNLIB)
LIBS = $(LIBS_$(CURTYPE))
diff --git a/usr/src/lib/libumem/Makefile.com b/usr/src/lib/libumem/Makefile.com
index 876940f995..aabff24f69 100644
--- a/usr/src/lib/libumem/Makefile.com
+++ b/usr/src/lib/libumem/Makefile.com
@@ -155,6 +155,12 @@ CFLAGS += $(CFLAGS_$(CURTYPE)) $(CFLAGS_common)
CFLAGS64_standalone = $(STAND_FLAGS_64)
CFLAGS64 += $(CCVERBOSE) $(CFLAGS64_$(CURTYPE)) $(CFLAGS64_common)
+#
+# For the standalone environment, disable the stack protector for the
+# time being.
+#
+$(STANDLIBRARY) := STACKPROTECT = none
+
# false positive for umem_alloc_sizes_add()
pics/umem.o := SMOFF += index_overflow
objs/umem.o := SMOFF += index_overflow
diff --git a/usr/src/lib/ssp_ns/Makefile.com b/usr/src/lib/ssp_ns/Makefile.com
index 5ff9bbd913..aaa9aa52a9 100644
--- a/usr/src/lib/ssp_ns/Makefile.com
+++ b/usr/src/lib/ssp_ns/Makefile.com
@@ -30,6 +30,12 @@ LIBS = $(LIBRARY)
SRCDIR = ../common
CFLAGS += $($(MACH)_C_PICFLAGS)
+#
+# Disable stack protection for the things providing the stack
+# protection.
+#
+STACKPROTECT = none
+
CLOBBERFILES += $(LIBRARY)
.KEEP_STATE: