author | Sergei Trofimovich <slyfox@gentoo.org> | 2019-03-09 10:46:05 +0000 |
---|---|---|
committer | Sergei Trofimovich <slyfox@gentoo.org> | 2019-03-09 10:46:40 +0000 |
commit | 5aca3ae8606fb422955eedb5e45d50166e91c339 (patch) | |
tree | d13008a9e0058fae32e59b4609f74236668bc243 /sys-libs/glibc | |
parent | sys-libs/glibc: sort flags in metadata.xml (diff) | |
sys-libs/glibc: make stack protection optional, bug #679788
The change adds new USE=ssp to optionally disable protection of
glibc's internals. Before the change protection was
unconditionally enabled.
It's useful to disable ssp to check whether stack protection
is what causes a breakage (glibc bugs like https://sourceware.org/PR24202
or gcc bugs like https://gcc.gnu.org/PR81996).
It is also useful for getting more predictable binaries, as in
https://bugs.gentoo.org/679788.
Reported-by: Agostino Sarubbo
Bug: https://bugs.gentoo.org/679788
Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Diffstat (limited to 'sys-libs/glibc')
-rw-r--r-- | sys-libs/glibc/glibc-2.28-r5.ebuild | 4 | ||||
-rw-r--r-- | sys-libs/glibc/glibc-2.29.ebuild | 4 | ||||
-rw-r--r-- | sys-libs/glibc/glibc-9999.ebuild | 9 | ||||
-rw-r--r-- | sys-libs/glibc/metadata.xml | 1 |
4 files changed, 12 insertions, 6 deletions
diff --git a/sys-libs/glibc/glibc-2.28-r5.ebuild b/sys-libs/glibc/glibc-2.28-r5.ebuild
index 9087d26caafa..3ae8a3553cb8 100644
--- a/sys-libs/glibc/glibc-2.28-r5.ebuild
+++ b/sys-libs/glibc/glibc-2.28-r5.ebuild
@@ -32,7 +32,7 @@ PATCH_VER=8
 SRC_URI+=" https://dev.gentoo.org/~dilfridge/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
 SRC_URI+=" multilib? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-multilib-bootstrap-${GCC_BOOTSTRAP_VER}.tar.xz )"
-IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux suid systemtap test vanilla"
+IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux +ssp suid systemtap test vanilla"
 # Minimum kernel version that glibc requires
 MIN_KERN_VER="3.2.0"
@@ -813,7 +813,7 @@ glibc_do_configure() {
 myconf+=( --enable-stack-protector=no )
 ;;
 *)
- myconf+=( --enable-stack-protector=all )
+ myconf+=( --enable-stack-protector=$(usex ssp all no) )
 ;;
 esac
 myconf+=( --enable-stackguard-randomization )
diff --git a/sys-libs/glibc/glibc-2.29.ebuild b/sys-libs/glibc/glibc-2.29.ebuild
index 4ac98457b485..98113f0210bf 100644
--- a/sys-libs/glibc/glibc-2.29.ebuild
+++ b/sys-libs/glibc/glibc-2.29.ebuild
@@ -35,7 +35,7 @@ PATCH_VER=1
 SRC_URI+=" https://dev.gentoo.org/~dilfridge/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
 SRC_URI+=" multilib? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-multilib-bootstrap-${GCC_BOOTSTRAP_VER}.tar.xz )"
-IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux suid systemtap test vanilla"
+IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux +ssp suid systemtap test vanilla"
 # Minimum kernel version that glibc requires
 MIN_KERN_VER="3.2.0"
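Review bot: With `$(usex ssp all no)` in the `*)` arm, USE=-ssp builds all of libc without a stack protector, yet nothing at build time tells the user that a hardening mitigation was removed; since the commit message presents the flag as a debugging aid, add a warning right before that line, e.g. `use ssp || ewarn "USE=-ssp: building glibc without stack protection; this removes a hardening mitigation from libc and is meant for debugging only"`. The powerpc-* arm just above (partly visible as the first context line) still forces `--enable-stack-protector=no`, so on that arch USE=ssp is silently a no-op; that is worth stating in the flag's documentation. `glibc_do_configure` begins before this hunk and continues after it.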
@@ -814,7 +814,7 @@ glibc_do_configure() {
 myconf+=( --enable-stack-protector=no )
 ;;
 *)
- myconf+=( --enable-stack-protector=all )
+ myconf+=( --enable-stack-protector=$(usex ssp all no) )
 ;;
 esac
 myconf+=( --enable-stackguard-randomization )
diff --git a/sys-libs/glibc/glibc-9999.ebuild b/sys-libs/glibc/glibc-9999.ebuild
index 1dcf217a492e..b488b70b7015 100644
--- a/sys-libs/glibc/glibc-9999.ebuild
+++ b/sys-libs/glibc/glibc-9999.ebuild
@@ -35,7 +35,7 @@ PATCH_VER=10
 SRC_URI+=" https://dev.gentoo.org/~dilfridge/distfiles/${P}-patches-${PATCH_VER}.tar.xz"
 SRC_URI+=" multilib? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-multilib-bootstrap-${GCC_BOOTSTRAP_VER}.tar.xz )"
-IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux suid systemtap test vanilla"
+IUSE="audit caps cet compile-locales doc gd headers-only +multiarch multilib nscd profile selinux +ssp suid systemtap test vanilla"
 # Minimum kernel version that glibc requires
 MIN_KERN_VER="3.2.0"
@@ -800,6 +800,11 @@ glibc_do_configure() {
 local myconf=()
 case ${CTARGET} in
+ m68k*)
+ # setjmp() is not compatible with stack protection:
+ # https://sourceware.org/PR24202
+ myconf+=( --enable-stack-protector=no )
+ ;;
 powerpc-*)
 # Currently gcc on powerpc32 generates invalid code for
 # __builtin_return_address(0) calls. Normally programs
@@ -809,7 +814,7 @@ glibc_do_configure() {
 myconf+=( --enable-stack-protector=no )
 ;;
 *)
- myconf+=( --enable-stack-protector=all )
+ myconf+=( --enable-stack-protector=$(usex ssp all no) )
 ;;
 esac
 myconf+=( --enable-stackguard-randomization )
diff --git a/sys-libs/glibc/metadata.xml b/sys-libs/glibc/metadata.xml
index 86b9046f11ca..58d861be0305 100644
--- a/sys-libs/glibc/metadata.xml
+++ b/sys-libs/glibc/metadata.xml
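Review bot: The same silent loss of hardening as in the 2.28-r5 ebuild applies to this `$(usex ssp all no)` line: a USE=-ssp build of glibc-2.29 emits no indication that libc was built without a stack protector. A one-line guard before the assignment is enough, `use ssp || ewarn "USE=-ssp: building glibc without stack protection (debugging aid, removes a hardening mitigation)"`. `glibc_do_configure` begins before this hunk and continues after it.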
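Review bot: The new `m68k*)` arm disables the stack protector unconditionally, so the USE=ssp flag introduced by this same commit has no effect on m68k, and the comment cites PR24202 as the reason without saying whether this is permanent or a workaround to revisit. Suggest extending the comment, e.g. `# USE=ssp is intentionally ignored on m68k; drop this override once https://sourceware.org/PR24202 is fixed in the glibc versions we ship`. `glibc_do_configure` starts before this hunk and the `case ${CTARGET}` statement continues past it.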
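Review bot: In glibc-9999 the `*)` arm is now the only place USE=ssp is consulted, while the m68k and powerpc32 arms earlier in the same `case` force `--enable-stack-protector=no`; that asymmetry is not visible from the flag alone and deserves a comment on the `usex` line, e.g. `# USE=ssp only applies here; m68k and powerpc32 above force the protector off`. As in the other two ebuilds, a `use ssp || ewarn "USE=-ssp: building glibc without stack protection"` before the assignment would make the hardening loss visible at build time. `glibc_do_configure` begins before this hunk and continues after it.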
@@ -13,6 +13,7 @@
 <flag name="multiarch">enable optimizations for multiple CPU architectures (detected at runtime)</flag>
 <flag name="nscd">Build, and enable support for, the Name Service Cache Daemon</flag>
 <flag name="rpc">Enable obsolete RPC/NIS layers</flag>
+ <flag name="ssp">protect stack of glibc internals</flag>
 <flag name="suid">Make internal pt_chown helper setuid -- not needed if using Linux and have /dev/pts mounted with gid=5</flag>
 <flag name="systemtap">enable systemtap static probe points</flag>
 </use> |
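Review bot: The description `protect stack of glibc internals` does not tell a user that disabling the flag removes a security mitigation from libc, nor that the commit intends it as a debugging aid; a hardening-related USE flag should spell that out. Suggest `<flag name="ssp">Build glibc itself with stack protection (--enable-stack-protector=all, i.e. -fstack-protector-all). Disable only to debug toolchain or glibc issues: it removes a hardening mitigation from libc, and the ebuild already forces it off on arches where it is known to break</flag>`. The mapping of glibc's `all` level to -fstack-protector-all is taken from glibc's configure help and should be confirmed against the version range the ebuilds cover.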