[openssh-commits] [openssh] 01/01: Add new compiler hardening flags.

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Sep 29 10:56:42 AEST 2021


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 39f2111b1d5f00206446257377dcce58cc72369f
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Wed Sep 29 10:53:55 2021 +1000

    Add new compiler hardening flags.
    
    Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
    compiler hardening flags that configure checks for.  These are supported
    by clang and gcc, and make ROP gadgets less useful and mitigate
    stack-based infoleaks respectively.  ok djm@
---
 configure.ac | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/configure.ac b/configure.ac
index 413913a7..821a75ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -190,6 +190,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 	# actually links. The test program compiled/linked includes a number
 	# of integer operations that should exercise this.
 	OSSH_CHECK_CFLAG_LINK([-ftrapv])
+	OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all])
+	OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
     fi
 	AC_MSG_CHECKING([gcc version])
 	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
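Review bot: The two added OSSH_CHECK_CFLAG_COMPILE lines sit inside the conditional closed by the `fi` that follows them, directly under a comment that only describes the -ftrapv link test. Whether these hardening flags get enabled therefore depends on a condition that is not shown in this context and is not documented here. If they should apply wherever the compiler accepts them, move them next to the other unconditional flag checks. If the placement is intentional, add a comment saying why. Separately, both flags use the compile-only check while -ftrapv just above uses OSSH_CHECK_CFLAG_LINK. Since -fzero-call-used-regs=all changes code generation at function returns, consider the link variant so that configure rejects a flag that is accepted but yields a build that does not link. The commit message names the flags without their values, so a one-line comment recording why `=all` and `=zero` were chosen would help later readers.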

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

