[openssh-commits] [openssh] 01/01: Add new compiler hardening flags.
git+noreply at mindrot.org
Wed Sep 29 10:56:42 AEST 2021
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 39f2111b1d5f00206446257377dcce58cc72369f
Author: Darren Tucker <dtucker at dtucker.net>
Date: Wed Sep 29 10:53:55 2021 +1000
Add new compiler hardening flags.
Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
compiler hardening flags that configure checks for. These are supported
by clang and gcc, and make ROP gadgets less useful and mitigate
stack-based infoleaks respectively. ok djm@
---
configure.ac | 2 ++
1 file changed, 2 insertions(+)
diff --git a/configure.ac b/configure.ac
index 413913a7..821a75ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -190,6 +190,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
# actually links. The test program compiled/linked includes a number
# of integer operations that should exercise this.
OSSH_CHECK_CFLAG_LINK([-ftrapv])
+ OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all])
+ OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
fi
AC_MSG_CHECKING([gcc version])
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
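Review bot: The two added OSSH_CHECK_CFLAG_COMPILE lines sit directly under the comment explaining why -ftrapv needs a link check, so that comment now reads as if it covers them too. Suggest separating them with a blank line and giving them a short comment of their own that says what each flag is for (per the commit message, -fzero-call-used-regs makes ROP gadgets less useful and -ftrivial-auto-var-init mitigates stack-based infoleaks) and why the =all and =zero values were chosen. Both are also compile-only checks, unlike the -ftrapv link check just above: they show that the compiler accepts the option, not that the resulting code links and runs correctly, so it is worth confirming that a compile check is enough on each supported compiler.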
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.