author | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-01-18 14:39:52 -0700 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-01-18 14:39:52 -0700 |
commit | 5e8363b0fa64e31da84995209bc2b88775fab40f (patch) | |
tree | 72e5724d4b2a999e6a7b1664c526f2c35812ee3e /m4 | |
parent | 49a085dfe781c5e3b1c08821c557be7c902fb517 (diff) | |
download | sudo-5e8363b0fa64e31da84995209bc2b88775fab40f.tar.gz |
Limit some of the hardening tests to compilers that define __GNUC__.
This should avoid false positives on other compilers.
Diffstat (limited to 'm4')
-rw-r--r-- | m4/hardening.m4 | 50 |
1 files changed, 26 insertions, 24 deletions
diff --git a/m4/hardening.m4 b/m4/hardening.m4
index c5195e435..fb1e22555 100644
--- a/m4/hardening.m4
+++ b/m4/hardening.m4
@@ -30,7 +30,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
 dnl
 dnl The following tests rely on AC_LANG_WERROR.
 dnl
- if test "$enable_ssp" != "no"; then
+ if test -n "$GCC" -a "$enable_ssp" != "no"; then
 AC_CACHE_CHECK([for compiler stack protector support],
 [sudo_cv_var_stack_protector],
 [
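Review bot: The new condition `test -n "$GCC" -a "$enable_ssp" != "no"` joins two tests with `-a`, which POSIX marks obsolescent and leaves unspecified once `test` gets more than four arguments, and which the Autoconf manual advises against in configure scripts. This guard decides whether the stack protector probe runs at all, so a shell that parses it differently could change the hardening of the build; `if test -n "$GCC" && test "$enable_ssp" != "no"; then` is the portable spelling. The body of this `if` continues outside the hunk.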
@@ -86,31 +86,33 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
 # machine-specific code does not support it. We use a test program
 # with a large stack allocation to try to cause the compiler to
 # insert the stack clash protection code, or fail if not supported.
- AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
- [sudo_cv_check_cflags___fstack_clash_protection],
- [
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -fstack-clash-protection"
- AC_COMPILE_IFELSE([
- AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }]])
- ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
- CFLAGS="$_CFLAGS"
- ]
- )
- if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
- AX_CHECK_LINK_FLAG([-fstack-clash-protection], [
- AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
- AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
- ])
- fi
+ if test -n "$GCC"; then
+ AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+ [sudo_cv_check_cflags___fstack_clash_protection],
+ [
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fstack-clash-protection"
+ AC_COMPILE_IFELSE([
+ AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }]])
+ ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+ CFLAGS="$_CFLAGS"
+ ]
+ )
+ if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+ AX_CHECK_LINK_FLAG([-fstack-clash-protection], [
+ AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
+ AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
+ ])
+ fi

- # Check for control-flow transfer instrumentation (Intel CET).
- AX_CHECK_COMPILE_FLAG([-fcf-protection], [
- AX_CHECK_LINK_FLAG([-fcf-protection], [
- AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
- AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+ # Check for control-flow transfer instrumentation (Intel CET).
+ AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+ AX_CHECK_LINK_FLAG([-fcf-protection], [
+ AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+ AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+ ])
 ])
- ])
+ fi

 # Linker-specific hardening flags.
 AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [HARDENING_LDFLAGS])]) |
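Review bot: When `$GCC` is empty the new `if test -n "$GCC"; then … fi` skips both the -fstack-clash-protection and the -fcf-protection probes without printing anything, so a build with another compiler loses these flags with no trace in the configure output. An `else` branch such as `AC_MSG_NOTICE([skipping stack clash and CET checks: compiler does not define __GNUC__])` would make that visible to whoever packages the setuid binary. The comment at the top of the hunk (it starts outside the hunk) explains the test program but not the guard; a line like `# Only tested when $GCC is set; other compilers produced false positives.` would record why it exists. The `$enable_ssp` guard in the first hunk appears to skip its probe just as quietly.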