From 98d9ea003c5f51c7b64f998d1e743abd60c6f777 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Thu, 20 Jun 2024 21:40:48 -0500 Subject: [PATCH 1/5] Enable subset of flags with low performance impact and no warnings --- configure | 164 +++++++++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 12 ++++ 2 files changed, 176 insertions(+) diff --git a/configure b/configure index 0f7ea7dfb5259d..02eed9925151ec 100755 --- a/configure +++ b/configure 
@@ -9605,6 +9605,170 @@ else $as_nop BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS" fi + +# Enable flags that warn and protect for potential security vulnerabilities. +# These flags should be enabled by default for all builds. +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wimplicit-fallthrough" >&5 +printf %s "checking whether C compiler accepts -Wimplicit-fallthrough... " >&6; } +if test ${ax_cv_check_cflags___Wimplicit_fallthrough+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -Wimplicit-fallthrough" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags___Wimplicit_fallthrough=yes +else $as_nop + ax_cv_check_cflags___Wimplicit_fallthrough=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Wimplicit_fallthrough" >&5 +printf "%s\n" "$ax_cv_check_cflags___Wimplicit_fallthrough" >&6; } +if test "x$ax_cv_check_cflags___Wimplicit_fallthrough" = xyes +then : + BASECFLAGS="$BASECFLAGS -Wimplicit-fallthrough" +else $as_nop + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wimplicit-fallthrough not supported" >&5 +printf "%s\n" "$as_me: WARNING: -Wimplicit-fallthrough not supported" >&2;} +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 +printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; } +if test ${ax_cv_check_cflags___fstack_protector_strong+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-protector-strong" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags___fstack_protector_strong=yes +else $as_nop + ax_cv_check_cflags___fstack_protector_strong=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 +printf "%s\n" "$ax_cv_check_cflags___fstack_protector_strong" >&6; } +if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes +then : + BASECFLAGS="$BASECFLAGS -fstack-protector-strong" +else $as_nop + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported" >&5 +printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5 +printf %s "checking whether C compiler accepts -fno-strict-overflow... " >&6; } +if test ${ax_cv_check_cflags___fno_strict_overflow+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fno-strict-overflow" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags___fno_strict_overflow=yes +else $as_nop + ax_cv_check_cflags___fno_strict_overflow=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5 +printf "%s\n" "$ax_cv_check_cflags___fno_strict_overflow" >&6; } +if test "x$ax_cv_check_cflags___fno_strict_overflow" = xyes +then : + BASECFLAGS="$BASECFLAGS -fno-strict-overflow" +else $as_nop + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fno-strict-overflow not supported" >&5 +printf "%s\n" "$as_me: WARNING: -fno-strict-overflow not supported" >&2;} +fi + +case $CC in + *gcc*) + # Add GCC-specific compiler flags + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 +printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; } +if test ${ax_cv_check_cflags___Wtrampolines+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -Wtrampolines" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags___Wtrampolines=yes +else $as_nop + ax_cv_check_cflags___Wtrampolines=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Wtrampolines" >&5 +printf "%s\n" "$ax_cv_check_cflags___Wtrampolines" >&6; } +if test "x$ax_cv_check_cflags___Wtrampolines" = xyes +then : + BASECFLAGS="$BASECFLAGS -Wtrampolines" +else $as_nop + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wtrampolines not supported" >&5 +printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;} +fi + +esac + case $GCC in yes) CFLAGS_NODIST="$CFLAGS_NODIST -std=c11" diff --git a/configure.ac b/configure.ac index a4698451465155..67a3783407b7db 100644 --- a/configure.ac +++ b/configure.ac @@ -2451,6 +2451,18 @@ AS_VAR_IF([with_strict_overflow], [yes], [BASECFLAGS="$BASECFLAGS $STRICT_OVERFLOW_CFLAGS"], [BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS"]) + +# Enable flags that warn and protect for potential security vulnerabilities. +# These flags should be enabled by default for all builds. +AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [BASECFLAGS="$BASECFLAGS -Wimplicit-fallthrough"], [AC_MSG_WARN([-Wimplicit-fallthrough not supported])]) +AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])]) +AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [BASECFLAGS="$BASECFLAGS -fno-strict-overflow"], [AC_MSG_WARN([-fno-strict-overflow not supported])]) +case $CC in + *gcc*) + # Add GCC-specific compiler flags + AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])]) +esac + case $GCC in yes) CFLAGS_NODIST="$CFLAGS_NODIST -std=c11" 
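Review bot: The `case $CC in *gcc*)` guard around the `-Wtrampolines` probe in configure.ac keys on the compiler's command name, so a GCC invoked as plain `cc` is skipped while any `$CC` value that merely contains `gcc` is matched; the arm also ends without `;;` before `esac`, which is legal but easy to break when a second arm is added. The probe itself is the more reliable gate, but both warning-flag probes compile without `-Werror`, so a compiler that only warns about an unrecognised `-W` option would be recorded as accepting it and the flag would land in `BASECFLAGS`. Passing the macro's fourth (EXTRA-FLAGS) argument would make the result decisive, e.g. `AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])`. `-fstack-protector-strong` is verified by a compile-only test; on a toolchain where the stack-protector runtime is linked separately, a missing library would surface only at link time, so a link-level check may be worth adding. A short comment saying why these flags go into `BASECFLAGS` rather than `CFLAGS_NODIST` would also help, since the visible lines do not show whether they are meant to reach extension-module builds.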
From 1e84a8738344229a138bce2500a9033bf2bc921d Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Mon, 24 Jun 2024 23:31:01 -0500 Subject: [PATCH 2/5] Remove redundant -fno-strict-overflow option from config --- configure | 40 ---------------------------------------- configure.ac | 2 -- 2 files changed, 42 deletions(-) diff --git a/configure b/configure index 02eed9925151ec..81697f70dbcbc0 100755 --- a/configure +++ b/configure @@ -9605,7 +9605,6 @@ else $as_nop BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS" fi - # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wimplicit-fallthrough" >&5 
@@ -9686,45 +9685,6 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5 -printf %s "checking whether C compiler accepts -fno-strict-overflow... " >&6; } -if test ${ax_cv_check_cflags___fno_strict_overflow+y} -then : - printf %s "(cached) " >&6 -else $as_nop - - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fno-strict-overflow" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - ax_cv_check_cflags___fno_strict_overflow=yes -else $as_nop - ax_cv_check_cflags___fno_strict_overflow=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5 -printf "%s\n" "$ax_cv_check_cflags___fno_strict_overflow" >&6; } -if test "x$ax_cv_check_cflags___fno_strict_overflow" = xyes -then : - BASECFLAGS="$BASECFLAGS -fno-strict-overflow" -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fno-strict-overflow not supported" >&5 -printf "%s\n" "$as_me: WARNING: -fno-strict-overflow not supported" >&2;} -fi - case $CC in *gcc*) # Add GCC-specific compiler flags diff --git a/configure.ac b/configure.ac index 67a3783407b7db..2f3f72b39c87e0 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2451,12 +2451,10 @@ AS_VAR_IF([with_strict_overflow], [yes], [BASECFLAGS="$BASECFLAGS $STRICT_OVERFLOW_CFLAGS"], [BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS"]) - # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [BASECFLAGS="$BASECFLAGS -Wimplicit-fallthrough"], [AC_MSG_WARN([-Wimplicit-fallthrough not supported])]) AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])]) -AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [BASECFLAGS="$BASECFLAGS -fno-strict-overflow"], [AC_MSG_WARN([-fno-strict-overflow not supported])]) case $CC in *gcc*) # Add GCC-specific compiler flags From 257e3d77338925cd6e5c6bd92e3793fc1e2d1284 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 04:42:44 +0000 Subject: [PATCH 3/5] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst diff --git a/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst new file mode 100644 index 00000000000000..697d04eca41cdd --- /dev/null +++ b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst @@ -0,0 +1 @@ +Add default compiler options to improve security From 154fa056cbbfb6dd01c319d85f6ffd5ab027fcd4 Mon Sep 17 00:00:00 2001 
From: Nate Ohlson Date: Tue, 25 Jun 2024 14:25:39 -0500 Subject: [PATCH 4/5] Include explicit compiler options in news --- .../Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst index 697d04eca41cdd..dd06bc59baa675 100644 --- a/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst +++ b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst @@ -1 +1,2 @@ -Add default compiler options to improve security +Add default compiler options to improve security. Enable +-Wimplicit-fallthrough, -fstack-protector-strong, -Wtrampolines. From 1917b93af9c2bd05071d002bf579f5673061e143 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Tue, 25 Jun 2024 16:39:26 -0500 Subject: [PATCH 5/5] Remove trailing whitespace in news --- .../Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst index dd06bc59baa675..68058a06f0bf49 100644 --- a/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst +++ b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst @@ -1,2 +1,2 @@ -Add default compiler options to improve security. Enable +Add default compiler options to improve security. Enable -Wimplicit-fallthrough, -fstack-protector-strong, -Wtrampolines.