author | Rich Felker <dalias@aerifal.cx> | 2015-10-23 00:01:01 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2015-10-23 00:01:01 -0400 |
commit | bc0c48414eaba9e974e54aa8ef611b78037fd387 (patch) | |
tree | dc099c4dbf6f0ef64c2b16253a1656c4ea99aa56 | |
parent | be76cdcf81bdf60d2b7981d9f7d09593f88ef4e6 (diff) | |
download | musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.tar.gz musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.tar.bz2 musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.tar.xz musl-bc0c48414eaba9e974e54aa8ef611b78037fd387.zip |
prevent user CFLAGS overrides from exposing executable stack
the option to suppress executable stack tagging was placed in CFLAGS,
which is treated as optional and overridable by the build system. if a
user replaces CFLAGS after configure has run, it could get lost,
resulting in a libc.so that's flagged as needing executable stack,
which would cause the kernel to map the initial stack as executable.
move -Wa,--noexecstack to CFLAGS_C99FSE, the make variable used for
mandatory compiler options.
-rwxr-xr-x | configure | 14 |
1 files changed, 7 insertions, 7 deletions
@@ -330,6 +330,13 @@ CFLAGS_C99FSE="$CFLAGS_C99FSE -D__may_alias__=" fi # +# The GNU toolchain defaults to assuming unmarked files need an +# executable stack, potentially exposing vulnerabilities in programs +# linked with such object files. Fix this. +# +tryflag CFLAGS_C99FSE -Wa,--noexecstack + +# # Check for options to disable stack protector, which needs to be # disabled for a few early-bootstrap translation units. If not found, # this is not an error; we assume the toolchain does not do ssp. @@ -430,13 +437,6 @@ tryflag CFLAGS_AUTO -fno-unwind-tables tryflag CFLAGS_AUTO -fno-asynchronous-unwind-tables # -# The GNU toolchain defaults to assuming unmarked files need an -# executable stack, potentially exposing vulnerabilities in programs -# linked with such object files. Fix this. -# -tryflag CFLAGS_AUTO -Wa,--noexecstack - -# # On x86, make sure we don't have incompatible instruction set # extensions enabled by default. This is bad for making static binaries. # We cheat and use i486 rather than i386 because i386 really does not |
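Review bot: in the first hunk, `tryflag CFLAGS_C99FSE -Wa,--noexecstack` silently drops the flag whenever the assembler rejects it, so on a toolchain that lacks `--noexecstack` the build still produces objects that are treated as needing an executable stack, with no indication to the person running configure. The block directly below explicitly documents that a failed stack-protector probe "is not an error"; this probe has a security consequence, so consider printing a warning when it fails, or at least extending the comment to say that the mitigation is best-effort on non-GNU assemblers.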
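Review bot: the second hunk removes the flag from CFLAGS_AUTO, but the commit message says it "was placed in CFLAGS"; since the whole point of the change is which make variable is overridable, it would help to name CFLAGS_AUTO in the message so the rationale matches the code being moved.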