From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: libc-alpha@sourceware.org
Subject: [PATCH 2/4] configure: Default --enable-stack-protector to strong
Date: Thu, 29 Jun 2023 14:41:45 -0400
Message-ID: <20230629184156.2789945-3-siddhesh@sourceware.org>
In-Reply-To: <20230629184156.2789945-1-siddhesh@sourceware.org>
All major distributions use this level of stack protector, so make it
the default.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
INSTALL | 3 ++-
NEWS | 4 ++++
configure | 2 +-
configure.ac | 2 +-
manual/install.texi | 3 ++-
5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/INSTALL b/INSTALL
index a1e189eb9f..f02358e933 100644
--- a/INSTALL
+++ b/INSTALL
@@ -196,13 +196,14 @@ if ‘CFLAGS’ is specified it must enable optimization. For example:
‘--enable-stack-protector’
‘--enable-stack-protector=strong’
‘--enable-stack-protector=all’
+‘--enable-stack-protector=no’
Compile the C library and all other parts of the glibc package
(including the threading and math libraries, NSS modules, and
transliteration modules) using the GCC ‘-fstack-protector’,
‘-fstack-protector-strong’ or ‘-fstack-protector-all’ options to
detect stack overruns. Only the dynamic linker and a small number
of routines called directly from assembler are excluded from this
- protection.
+ protection. This option is enabled by default and set to ‘strong’.
‘--enable-bind-now’
Disable lazy binding for installed shared objects and programs.
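Review bot: The added ‘--enable-stack-protector=no’ item has no matching text in the paragraph under it, which still describes only the three GCC options that turn protection on. With the default now ‘strong’, a reader needs to be told that ‘no’ is the value that builds without stack protection; add a sentence saying so next to the new "enabled by default" sentence.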
diff --git a/NEWS b/NEWS
index 709ee40e50..47ec0b741c 100644
--- a/NEWS
+++ b/NEWS
@@ -48,6 +48,10 @@ Major new features:
* The strlcpy and strlcat functions have been added. They are derived
from OpenBSD, and are expected to be added to a future POSIX version.
+* The GNU C Library is now built with -fstack-protector-strong by
+ default. This may be overridden by using the --enable-stack-protector
+ configure option.
+
Deprecated and removed features, and other changes affecting compatibility:
* In the Linux kernel for the hppa/parisc architecture some of the
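Review bot: This entry sits under "Major new features", but it describes a changed build default rather than a new interface; the "Deprecated and removed features, and other changes affecting compatibility" section that follows in the context looks like the better home. Wherever it lands, name the value that restores the previous behaviour (--enable-stack-protector=no, per the removed default in configure.ac) instead of only saying the default "may be overridden".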
diff --git a/configure b/configure
index 11538ee1b3..863621cabf 100755
--- a/configure
+++ b/configure
@@ -4462,7 +4462,7 @@ if test ${enable_stack_protector+y}
then :
enableval=$enable_stack_protector; enable_stack_protector=$enableval
else $as_nop
- enable_stack_protector=no
+ enable_stack_protector=strong
fi
case "$enable_stack_protector" in
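Review bot: The context line "else $as_nop" is the output shape of a newer autoconf, so this hunk only applies to a configure that has already been regenerated that way. As patch 2/4 of a series, the commit message should state that ordering dependency, and say that configure was regenerated from configure.ac rather than edited by hand so the two defaults are known to agree.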
diff --git a/configure.ac b/configure.ac
index 18bb989ade..d85452b3b3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -228,7 +228,7 @@ AC_ARG_ENABLE([stack-protector],
AS_HELP_STRING([--enable-stack-protector=@<:@yes|no|all|strong@:>@],
[Use -fstack-protector[-all|-strong] to detect glibc buffer overflows]),
[enable_stack_protector=$enableval],
- [enable_stack_protector=no])
+ [enable_stack_protector=strong])
case "$enable_stack_protector" in
all|yes|no|strong) ;;
*) AC_MSG_ERROR([Not a valid argument for --enable-stack-protector: "$enable_stack_protector"]);;
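Review bot: The AS_HELP_STRING text still lists "yes|no|all|strong" without saying which value applies when the option is omitted, so "configure --help" will not show the new default; suggest appending something like "(default: strong)" to the help text. Separately, the fallback in the last AC_ARG_ENABLE argument is now a value that needs compiler support, and nothing in this hunk shows what happens when the compiler rejects -fstack-protector-strong. Please confirm that the handling after this case statement reports that clearly for users who never passed the option.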
diff --git a/manual/install.texi b/manual/install.texi
index 52eb2d8a23..b1aa5eb60c 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -222,13 +222,14 @@ time. Consult the @file{timezone} subdirectory for more details.
@item --enable-stack-protector
@itemx --enable-stack-protector=strong
@itemx --enable-stack-protector=all
+@itemx --enable-stack-protector=no
Compile the C library and all other parts of the glibc package
(including the threading and math libraries, NSS modules, and
transliteration modules) using the GCC @option{-fstack-protector},
@option{-fstack-protector-strong} or @option{-fstack-protector-all}
options to detect stack overruns. Only the dynamic linker and a small
number of routines called directly from assembler are excluded from this
-protection.
+protection. This option is enabled by default and set to @option{strong}.
@item --enable-bind-now
Disable lazy binding for installed shared objects and programs. This
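Review bot: In the added sentence, "@option{strong}" marks up an option value as if it were an option; "@option{--enable-stack-protector=strong}" or "@samp{strong}" would be more accurate. The paragraph should also say that the bare "--enable-stack-protector" form selects @option{-fstack-protector}, which is now a lower level than what a build gets by passing nothing at all.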
--
2.41.0