Bug 620058 - Add a --enable-hardening flag, which compiles with -fstack-protector-strong on GCC and Clang draft
authorAlex Gaynor <agaynor@mozilla.com>
Wed, 12 Apr 2017 13:58:22 -0400
changeset 567246 675bac8f31ec81b9edc1f1537778a1e820c8dfb4
parent 567163 62b649c6b314f756f21cb95f2b0d491e2664e944
child 625570 cc3031c7f177399a5934d83526737695dd3dd5f6
push id55490
push userbmo:agaynor@mozilla.com
push dateMon, 24 Apr 2017 15:24:40 +0000
bugs620058
milestone55.0a1
Bug 620058 - Add a --enable-hardening flag, which compiles with -fstack-protector-strong on GCC and Clang This flag enables the stack-cookie exploit mitigation for all functions which manipulate stack-based buffers, providing better protections than -fstack-protector, at considerably lower performance overhead than -fstack-protector-all. MozReview-Commit-ID: 7ZNAHHAf376
moz.configure
old-configure.in
--- a/moz.configure
+++ b/moz.configure
@@ -365,16 +365,31 @@ def nsis_version(nsis):
 @checking('for 32-bit NSIS')
 def nsis_binary_type(nsis):
     bin_type = windows_binary_type(nsis)
     if bin_type != 'win32':
         raise FatalCheckError('%s is not a 32-bit Windows application' % nsis)
 
     return 'yes'
 
+# Security Hardening
+# ==============================================================
+
+option('--enable-hardening', env='MOZ_SECURITY_HARDENING',
+       help='Enables security hardening compiler options')
+
+@depends('--enable-hardening', c_compiler)
+def security_hardening_cflags(value, c_compiler):
+    if value and c_compiler.type in ['gcc', 'clang', 'clang-cl']:
+        return '-fstack-protector-strong'
+    else:
+        return ''
+
+add_old_configure_assignment('HARDENING_CFLAGS', security_hardening_cflags)
+
 
 # Fallthrough to autoconf-based configure
 include('build/moz.configure/old.configure')
 
 @imports('__sandbox__')
 def all_paths():
     return __sandbox__._all_paths
 
--- a/old-configure.in
+++ b/old-configure.in
@@ -548,16 +548,21 @@ fi
 if test -n "${CLANG_CXX}${CLANG_CL}"; then
     _WARNINGS_CXXFLAGS="-Qunused-arguments ${_WARNINGS_CXXFLAGS}"
 fi
 
 if test -n "$COMPILE_ENVIRONMENT"; then
    MOZ_CONFIG_SANITIZE
 fi
 
+# Add the hardening flags from moz.configure
+CFLAGS="$CFLAGS $HARDENING_CFLAGS"
+CPPFLAGS="$CPPFLAGS $HARDENING_CFLAGS"
+CXXFLAGS="$CXXFLAGS $HARDENING_CFLAGS"
+
 dnl ========================================================
 dnl GNU specific defaults
 dnl ========================================================
 if test "$GNU_CC"; then
     MMX_FLAGS="-mmmx"
     SSE_FLAGS="-msse"
     SSE2_FLAGS="-msse2"
     SSSE3_FLAGS="-mssse3"