diff options
| author | Darren Tucker <dtucker@dtucker.net> | 2021-09-29 10:53:55 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2021-09-29 10:53:55 +1000 |
| commit | 39f2111b1d5f00206446257377dcce58cc72369f (patch) | |
| tree | b6ae9b1b5555fbcba60e9fdd98a4b2070f0b5328 | |
| parent | bf944e3794eff5413f2df1ef37cddf96918c6bde (diff) | |
Add new compiler hardening flags.
Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
compiler hardening flags that configure checks for. These are supported
by clang and gcc, and make ROP gadgets less useful and mitigate
stack-based infoleaks respectively. ok djm@
| -rw-r--r-- | configure.ac | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 413913a7..821a75ba 100644 --- a/configure.ac +++ b/configure.ac @@ -190,6 +190,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then # actually links. The test program compiled/linked includes a number # of integer operations that should exercise this. OSSH_CHECK_CFLAG_LINK([-ftrapv]) + OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all]) + OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero]) fi AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` |