summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2015-10-23 00:01:01 -0400
committerRich Felker <dalias@aerifal.cx>2015-10-23 00:01:01 -0400
commitbc0c48414eaba9e974e54aa8ef611b78037fd387 (patch)
treedc099c4dbf6f0ef64c2b16253a1656c4ea99aa56
parentbe76cdcf81bdf60d2b7981d9f7d09593f88ef4e6 (diff)
downloadmusl-bc0c48414eaba9e974e54aa8ef611b78037fd387.tar.gz
musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.tar.bz2
musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.tar.xz
musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.zip
prevent user CFLAGS overrides from exposing executable stack
the option to suppress executable stack tagging was placed in CFLAGS, which is treated as optional and overridable by the build system. if a user replaces CFLAGS after configure has run, it could get lost, resulting in a libc.so that's flagged as needing executable stack, which would cause the kernel to map the initial stack as executable. move -Wa,--noexecstack to CFLAGS_C99FSE, the make variable used for mandatory compiler options.
-rwxr-xr-xconfigure14
1 files changed, 7 insertions, 7 deletions
diff --git a/configure b/configure
index 03c0ebe0..742ca261 100755
--- a/configure
+++ b/configure
@@ -330,6 +330,13 @@ CFLAGS_C99FSE="$CFLAGS_C99FSE -D__may_alias__="
fi
#
+# The GNU toolchain defaults to assuming unmarked files need an
+# executable stack, potentially exposing vulnerabilities in programs
+# linked with such object files. Fix this.
+#
+tryflag CFLAGS_C99FSE -Wa,--noexecstack
+
+#
# Check for options to disable stack protector, which needs to be
# disabled for a few early-bootstrap translation units. If not found,
# this is not an error; we assume the toolchain does not do ssp.
@@ -430,13 +437,6 @@ tryflag CFLAGS_AUTO -fno-unwind-tables
tryflag CFLAGS_AUTO -fno-asynchronous-unwind-tables
#
-# The GNU toolchain defaults to assuming unmarked files need an
-# executable stack, potentially exposing vulnerabilities in programs
-# linked with such object files. Fix this.
-#
-tryflag CFLAGS_AUTO -Wa,--noexecstack
-
-#
# On x86, make sure we don't have incompatible instruction set
# extensions enabled by default. This is bad for making static binaries.
# We cheat and use i486 rather than i386 because i386 really does not