mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-06-12 17:14:46 +02:00
Hardening: add -fzero-call-used-regs=used-gpr
Is defense in depth to make ROP harder. In general this is reported to have a performance impact of 2% worst-case. Linux kernel reports 1%. Should be closer to 0% for us, or that 1% if i am wrong. https://lwn.net/Articles/870045/ has some background on this.
This commit is contained in:
Bram Matthys
@@ -5085,6 +5085,61 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
|
||||
ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
|
||||
# Clear registers on return (performance penalty, but acceptable, makes ROP harder)
|
||||
ac_ext=c
|
||||
ac_cpp='$CPP $CPPFLAGS'
|
||||
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
|
||||
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
|
||||
ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fzero-call-used-regs=used-gpr" >&5
|
||||
printf %s "checking whether C compiler accepts -fzero-call-used-regs=used-gpr... " >&6; }
|
||||
if test ${ax_cv_check_cflags__Werror___fzero_call_used_regs_used_gpr+y}
|
||||
then :
|
||||
printf %s "(cached) " >&6
|
||||
else case e in #(
|
||||
e)
|
||||
ax_check_save_flags=$CFLAGS
|
||||
CFLAGS="$CFLAGS -Werror -fzero-call-used-regs=used-gpr"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main (void)
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"
|
||||
then :
|
||||
ax_cv_check_cflags__Werror___fzero_call_used_regs_used_gpr=yes
|
||||
else case e in #(
|
||||
e) ax_cv_check_cflags__Werror___fzero_call_used_regs_used_gpr=no ;;
|
||||
esac
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||
CFLAGS=$ax_check_save_flags ;;
|
||||
esac
|
||||
fi
|
||||
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror___fzero_call_used_regs_used_gpr" >&5
|
||||
printf "%s\n" "$ax_cv_check_cflags__Werror___fzero_call_used_regs_used_gpr" >&6; }
|
||||
if test x"$ax_cv_check_cflags__Werror___fzero_call_used_regs_used_gpr" = xyes
|
||||
then :
|
||||
HARDEN_CFLAGS="$HARDEN_CFLAGS -fzero-call-used-regs=used-gpr"
|
||||
else case e in #(
|
||||
e) : ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
ac_ext=c
|
||||
ac_cpp='$CPP $CPPFLAGS'
|
||||
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
|
||||
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
|
||||
ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
|
||||
# At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X)
|
||||
#
|
||||
# The linker checks also compile code, so we need to include -fPIE as well.
|
||||
|
||||
@@ -150,6 +150,9 @@ AS_IF([test x"$hardening" != x"no"], [
|
||||
# Since we have moved from name[1] to name[], setting this should help bounds checking:
|
||||
check_cc_flag([-fstrict-flex-arrays=3], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstrict-flex-arrays=3"])
|
||||
|
||||
# Clear registers on return (performance penalty, but acceptable, makes ROP harder)
|
||||
check_cc_flag([-fzero-call-used-regs=used-gpr], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fzero-call-used-regs=used-gpr"])
|
||||
|
||||
# At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X)
|
||||
#
|
||||
# The linker checks also compile code, so we need to include -fPIE as well.
|
||||
|
||||
Reference in New Issue
Block a user