Bug 620058 - Add a --enable-hardening flag, which compiles with -fstack-protector-strong on GCC and Clang r=froydnj
authorAlex Gaynor <agaynor@mozilla.com>
Wed, 12 Apr 2017 13:58:22 -0400
changeset 354866 4f091d53060cc9857668bee0640a44fb1654c8c9
parent 354865 706f342e29423db815adc86aa066991b8a5724af
child 354867 a3dfb4b9dc66b864ca0084e523114bde34bd6da2
push id31716
push usercbook@mozilla.com
push dateWed, 26 Apr 2017 06:40:19 +0000
treeherdermozilla-central@08a5a97f615f [default view] [failures only]
reviewersfroydnj
bugs620058
milestone55.0a1
Bug 620058 - Add a --enable-hardening flag, which compiles with -fstack-protector-strong on GCC and Clang r=froydnj This flag enables the stack-cookie exploit mitigation for all functions which manipulate stack-based buffers, providing better protections than -fstack-protector, at considerably lower performance overhead than -fstack-protector-all. r=froydnj MozReview-Commit-ID: 7ZNAHHAf376
build/moz.configure/toolchain.configure
old-configure.in
--- a/build/moz.configure/toolchain.configure
+++ b/build/moz.configure/toolchain.configure
@@ -969,8 +969,21 @@ set_config('VISIBILITY_FLAGS', visibilit
 
 # We only want to include windows.configure when we are compiling on
 # Windows, for Windows.
 @depends(target, host)
 def is_windows(target, host):
     return host.kernel == 'WINNT' and target.kernel == 'WINNT'
 
 include('windows.configure', when=is_windows)
+
+# Security Hardening
+# ==============================================================
+
+option('--enable-hardening', env='MOZ_SECURITY_HARDENING',
+       help='Enables security hardening compiler options')
+
+@depends('--enable-hardening', c_compiler)
+def security_hardening_cflags(value, c_compiler):
+    if value and c_compiler.type in ['gcc', 'clang']:
+        return '-fstack-protector-strong'
+
+add_old_configure_assignment('HARDENING_CFLAGS', security_hardening_cflags)
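Review bot: `security_hardening_cflags` returns nothing when `--enable-hardening` is passed but `c_compiler.type` is not `gcc` or `clang`, so a build that asked for hardening is configured without it and without any message. An explicit branch would make that visible, e.g. `if value and c_compiler.type not in ('gcc', 'clang'): die('--enable-hardening is not supported with this compiler')`, or at least a comment stating that other compilers are skipped on purpose. The flag is also chosen from `c_compiler` alone while old-configure.in appends it to `CXXFLAGS`; that is sound only if the C and C++ compilers are always of the same type, which is presumably enforced elsewhere in the configure code. The help string could name the mitigation so the option's scope is clear, e.g. `help='Enable stack-protector hardening (-fstack-protector-strong)'`.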
--- a/old-configure.in
+++ b/old-configure.in
@@ -548,16 +548,21 @@ fi
 if test -n "${CLANG_CXX}${CLANG_CL}"; then
     _WARNINGS_CXXFLAGS="-Qunused-arguments ${_WARNINGS_CXXFLAGS}"
 fi
 
 if test -n "$COMPILE_ENVIRONMENT"; then
    MOZ_CONFIG_SANITIZE
 fi
 
+# Add the hardening flags from moz.configure
+CFLAGS="$CFLAGS $HARDENING_CFLAGS"
+CPPFLAGS="$CPPFLAGS $HARDENING_CFLAGS"
+CXXFLAGS="$CXXFLAGS $HARDENING_CFLAGS"
+
 dnl ========================================================
 dnl GNU specific defaults
 dnl ========================================================
 if test "$GNU_CC"; then
     MMX_FLAGS="-mmmx"
     SSE_FLAGS="-msse"
     SSE2_FLAGS="-msse2"
     SSSE3_FLAGS="-mssse3"
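Review bot: `CPPFLAGS="$CPPFLAGS $HARDENING_CFLAGS"` puts a code-generation option into the preprocessor flags, so any compile line that receives both `CPPFLAGS` and `CFLAGS`/`CXXFLAGS` gets `-fstack-protector-strong` twice, and preprocessor-only invocations receive a flag that has no meaning for them. Dropping that line would still leave the mitigation on every C and C++ object. `LDFLAGS` is not touched here; on targets where the stack-protector runtime is a separate library the link step may need the flag as well, which is worth confirming for the supported platforms. A comment such as `# HARDENING_CFLAGS is empty unless --enable-hardening was given with gcc or clang` above the block would explain why the unconditional append is safe.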