[libvirt] [PATCH 3/3] build: prefer -fstack-protector-strong to -all

Daniel P. Berrange berrange at redhat.com
Wed Jun 11 09:36:27 UTC 2014


On Wed, Jun 11, 2014 at 11:00:22AM +0200, Ján Tomko wrote:
> Check upfront if it's supported, to avoid putting both of them
> on the command line.
> ---
>  m4/virt-compile-warnings.m4 | 22 ++++++++++++++++++----
>  1 file changed, 18 insertions(+), 4 deletions(-)
> 
> diff --git a/m4/virt-compile-warnings.m4 b/m4/virt-compile-warnings.m4
> index 196afa7..6d632f9 100644
> --- a/m4/virt-compile-warnings.m4
> +++ b/m4/virt-compile-warnings.m4
> @@ -156,6 +156,15 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
>      wantwarn="$wantwarn -Wframe-larger-than=4096"
>      dnl wantwarn="$wantwarn -Wframe-larger-than=256"
>  
> +    AC_CACHE_CHECK([whether the C compiler supports stack-protector-strong],
> +      [lv_cv_gcc_fstack_protector_strong], [
> +      save_CFLAGS=$CFLAGS
> +      CFLAGS='-fstack-protector-strong -Werror'
> +      AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]])],
> +      [lv_cv_gcc_fstack_protector_strong=yes],
> +      [lv_cv_gcc_fstack_protector_strong=no])
> +      CFLAGS=$save_CFLAGS])
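
Review bot: The probe at AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]])]) only compiles an empty body, so it shows that the compiler accepts -fstack-protector-strong but not that an instrumented function links against the stack-check runtime. AC_LINK_IFELSE with a body that declares a local array would exercise the protected path. Separately, CFLAGS='-fstack-protector-strong -Werror' replaces the caller's CFLAGS for the duration of the test instead of appending to them, so any target-selecting options the build was configured with are dropped from the probe and the cached answer may not match the real compile.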

This is really re-inventing the gnulib compiler arg checking which
I don't think is desirable.

> @@ -164,13 +173,18 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
>         dnl "error: -fstack-protector not supported for this target [-Werror]"
>         ;;
>         *-*-linux*)
> -       dnl Fedora only uses -fstack-protector, but doesn't seem to
> -       dnl be great overhead in adding -fstack-protector-all instead
> +       dnl Prefer -fstack-protector-strong if it's available.
> +       dnl There doesn't seem to be great overhead in adding
> +       dnl -fstack-protector-all instead of -fstack-protector.
>         dnl
> -       dnl We also don't need ssp-buffer-size with -all,
> +       dnl We also don't need ssp-buffer-size with -all or -strong,
>         dnl since functions are protected regardless of buffer size.
>         dnl wantwarn="$wantwarn --param=ssp-buffer-size=4"
> -       wantwarn="$wantwarn -fstack-protector-all"
> +       if test "$lv_cv_gcc_fstack_protector_strong" = yes; then
> +           wantwarn="$wantwarn -fstack-protector-strong"
> +       else
> +           wantwarn="$wantwarn -fstack-protector-all"
> +       fi
>         ;;
>         *-*-freebsd*)
>         dnl FreeBSD ships old gcc 4.2.1 which doesn't handle
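
Review bot: The rewritten comment in the *-*-linux* branch still argues for -all over plain -fstack-protector but never says why -strong is preferred over -all, which is the decision the new if/else encodes. A sentence on that trade-off would make the ordering self-explanatory. The else branch also selects -fstack-protector-all whenever lv_cv_gcc_fstack_protector_strong is anything other than "yes", including unset, so it is worth confirming that this is the intended default if the cache check is ever moved or skipped.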

I'd suggest we only list 'wantwarn="$wantwarn -fstack-protector-strong"'
here. Then, after the 'gl_WARN_ADD' call has processed everything in
$wantwarn, we check to see if $WARNING_CFLAGS contains the desired
-fstack-protector-strong arg and if not, we call gl_WARN_ADD for
-fstack-protector-all.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
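
The fallback flow suggested in the reply above, as an added shell example that is not libvirt's or gnulib's code: `warn_add` is a hypothetical stand-in for `gl_WARN_ADD`, and `probe_flag`, `has_flag` and `select_warnings` are names assumed here for illustration.

```shell
#!/bin/sh
# Added example. warn_add is a hypothetical stand-in for gnulib's gl_WARN_ADD:
# it appends a flag to WARNING_CFLAGS only if the compiler accepts it.

# probe_flag CC FLAG: succeed if CC compiles and links a function with a
# local array using FLAG, with warnings promoted to errors.
probe_flag() {
    _dir=$(mktemp -d) || return 1
    printf 'int main(void) { char b[8]; b[0] = 0; return b[0]; }\n' > "$_dir/t.c"
    if "$1" -Werror "$2" -o "$_dir/t" "$_dir/t.c" >/dev/null 2>&1; then
        _rc=0
    else
        _rc=1
    fi
    rm -rf "$_dir"
    return $_rc
}

warn_add() {    # warn_add CC FLAG
    if probe_flag "$1" "$2"; then
        WARNING_CFLAGS="${WARNING_CFLAGS:+$WARNING_CFLAGS }$2"
    fi
}

# has_flag FLAG: whole-word match against WARNING_CFLAGS, so a lookup for
# -fstack-protector is not satisfied by -fstack-protector-strong.
has_flag() {
    case " $WARNING_CFLAGS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# select_warnings CC FLAGS...: process the wanted flags first, then fall back
# to -fstack-protector-all only if -fstack-protector-strong was wanted but
# did not survive the probe.
select_warnings() {
    _cc=$1; shift
    WARNING_CFLAGS=
    _want_ssp=no
    for _f in "$@"; do
        [ "$_f" = -fstack-protector-strong ] && _want_ssp=yes
        warn_add "$_cc" "$_f"
    done
    if [ "$_want_ssp" = yes ] && ! has_flag -fstack-protector-strong; then
        warn_add "$_cc" -fstack-protector-all
    fi
    printf '%s\n' "$WARNING_CFLAGS"
}
# Usage: select_warnings "${CC:-cc}" -Wall -fstack-protector-strong
```

With this ordering only one stack-protector option ever reaches the command line, which is what the patch's commit message asks for.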