From b50457044c2fa7e19c60615f498e2a7ab1ed9bbf Mon Sep 17 00:00:00 2001 From: fanquake Date: Mon, 8 Feb 2021 13:33:59 +0800 Subject: [PATCH] Merge #20720: build: more robustly check for fcf-protection support e9189a750b237eba1befc6b16c12c2cee3e0176c build: more robustly check for fcf-protection support (fanquake) Pull request description: When using Clang 7, we may end up trying to use the flag when it won't work properly, which can lead to confusing errors. i.e: ```bash /usr/bin/ld: error: ... ``` Use `AX_CHECK_LINK_FLAG` & `--fatal-warnings` to ensure we wont use the flag in this case. We do this as even when the error is emitted, compilation succeeds, and the binaries produced will run. This means we can't just check if the compiler accepts the flag, or if compilation succeeds (without or without `-Werror`, and/or passing `-Wl,--fatal-warnings`, which may not be passed through to the linker). This was reported by someone configuring for fuzzing, on Debian 10, where Clang 7 is the default. See here for a minimal example of the problematic behaviour: https://gist.github.com/fanquake/9b33555fcfebef8eb8c0795a71732bc6 ACKs for top commit: pstratem: tested ACK e9189a750b237eba1befc6b16c12c2cee3e0176c MarcoFalke: not an ACK e9189a750b237eba1befc6b16c12c2cee3e0176c , I only tested configure on my system (gcc-10, clang-11): hebasto: ACK e9189a750b237eba1befc6b16c12c2cee3e0176c, tested with clang-7, clang-10 and gcc: the `-fcf-protection=full` is not applied for clang-7, but applied for others compilers. Tree-SHA512: ec24b0cc5523b90139c96cbb33bb98d1e6a24d858c466aa7dfb3c474caf8c50aca53e570fdbc0ff88378406b0ac5d687542452637b1b5fa062e829291b886fc1 --- configure.ac | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 41f4b89441..90912de480 100644 --- a/configure.ac +++ b/configure.ac @@ -890,7 +890,10 @@ if test x$use_hardening != xno; then AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"]) AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"]) - AX_CHECK_COMPILE_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"]) + dnl -fcf-protection used with Clang 7 causes ld to emit warnings: + dnl ld: error: ... + dnl Use CHECK_LINK_FLAG & --fatal-warnings to ensure we wont use the flag in this case. + AX_CHECK_LINK_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"],, [[$LDFLAG_WERROR]]) dnl stack-clash-protection does not work properly when building for Windows. dnl We use the test case from https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458