From edccf53a08a5dc2a1536d248367ab3aaf477ae60 Mon Sep 17 00:00:00 2001
From: Robert Mustacchi
Date: Fri, 8 Feb 2019 06:59:24 +0000
Subject: OS-7620 Use -fstack-protector-strong when available
Reviewed by: Jerry Jelinek
Reviewed by: John Levon
Approved by: John Levon
---
 usr/src/uts/intel/Makefile.intel | 31 ++++++++++++++++++++++++++++++-
 usr/src/uts/intel/qede/Makefile | 9 ++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)
(limited to 'usr/src')
diff --git a/usr/src/uts/intel/Makefile.intel b/usr/src/uts/intel/Makefile.intel
index 5fd0439014..32f5ff1bad 100644
--- a/usr/src/uts/intel/Makefile.intel
+++ b/usr/src/uts/intel/Makefile.intel
@@ -135,7 +135,36 @@ CFLAGS += $(SPACEFLAG)
 CFLAGS += $(CCUNBOUND)
 CFLAGS += $(CFLAGS_uts)
 CFLAGS += -xstrconst
-CFLAGS += -_gcc=-fstack-protector
+
+#
+# Options to control which version of stack-protector we enable. This
+# gives us a bit of flexibility and is unfortunately necessary as some
+# modules do not function correctly with our defaults (qede).
+#
+# o STACKPROTECT_ Sets the appropriate version for the compiler
+# o STACKPROTECT_strong Sets us to use strong on all of the
+# compilers it supports. This is the same
+# as the default.
+#
+# o STACKPROTECT_none Disables the stack protector.
+#
+# o STACKPROTECT_all Enables it for everything.
+#
+# o STACKPROTECT_basic Enables the basic stack protector.
+#
+# -fstack-protector-strong is not available in our gcc4 which is why we
+# have per-compiler versions below.
+#
+STACKPROTECT_ = -_gcc4=-fstack-protector
+STACKPROTECT_ += -_gcc7=-fstack-protector-strong
+STACKPROTECT_ += -_gcc8=-fstack-protector-strong
+
+STACKPROTECT_strong = $(STACKPROTECT_)
+STACKPROTECT_none = -_gcc=-fstack-protector-none
+STACKPROTECT_all = -_gcc=-fstack-protector-all
+STACKPROTECT_basic = -_gcc=-fstack-protector
+
+CFLAGS += $(STACKPROTECT_$(STACKPROTECT))
 ASFLAGS_XARCH_32 = $(i386_ASFLAGS)
 ASFLAGS_XARCH_64 = $(amd64_ASFLAGS)
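Review bot: `STACKPROTECT_none` is set to `-_gcc=-fstack-protector-none`, but GCC has no such option; the protector is turned off with `-fno-stack-protector`. Assuming the `-_gcc=` prefix forwards the flag unchanged, a module that selects `none` would fail to compile instead of building without canaries, so I would write `STACKPROTECT_none = -_gcc=-fno-stack-protector`. Separately, `CFLAGS += $(STACKPROTECT_$(STACKPROTECT))` expands to nothing when the value is misspelled, and the default `STACKPROTECT_` names only gcc4, gcc7 and gcc8, so a typo or (presumably) an unlisted compiler silently builds with no stack protector. The comment block should say so, e.g. `# An unrecognized STACKPROTECT value, or a compiler not listed below, gets no stack protector at all.`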
diff --git a/usr/src/uts/intel/qede/Makefile b/usr/src/uts/intel/qede/Makefile
index 1ac554f074..9fdf8cca18 100644
--- a/usr/src/uts/intel/qede/Makefile
+++ b/usr/src/uts/intel/qede/Makefile
@@ -10,7 +10,7 @@
 #
 #
-# Copyright (c) 2018, Joyent, Inc.
+# Copyright 2019 Joyent, Inc.
 #
 UTSBASE = ../..
@@ -54,6 +54,13 @@ SMOFF += all_func_returns,indenting,no_if_block,deref_check,testing_index_after_
 # real bug in qede_multicast()
 $(OBJS_DIR)/qede_gld.o := SMOFF += assign_vs_compare
+#
+# Unfortunately the default use of -fstack-protector-strong breaks the
+# qede module. For the time being limit its use of stack-protector to
+# the basic form (-fstack-protector).
+#
+STACKPROTECT=basic
+
 ALL_TARGET = $(BINARY) $(CONFMOD)
 INSTALL_TARGET = $(BINARY) $(ROOTMODULE) $(ROOT_CONFFILE)
-- 
cgit v1.2.3
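Review bot: The comment added above `STACKPROTECT=basic` says the strong protector "breaks" qede but gives neither the failure mode nor a tracking reference, so nothing prompts anyone to restore the default later. If the breakage is a canary check firing at run time rather than a build failure, that would suggest a stack overwrite in the driver that the basic protector simply does not instrument, which is worth ruling out for a network driver. I would extend the comment with something like `# Tracked in <issue id>; return to the default once qede runs cleanly under -fstack-protector-strong.`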