From 2df6c922f47fb9a1242f1ef4e837d39d76162891 Mon Sep 17 00:00:00 2001 From: Ayappan Date: Tue, 2 Jul 2024 05:13:48 -0500 Subject: [PATCH 1/4] pythongh-121045: Disable -fstack-protector-strong for gcc compiler in AIX --- configure | 15 +++++++++++++-- configure.ac | 14 ++++++++++++-- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/configure b/configure index 922d33edc00cb5..243cba60431f6a 100755 --- a/configure +++ b/configure @@ -9680,7 +9680,16 @@ fi # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 +case $ac_sys_system/$CC in + AIX*/gcc*) + # In AIX with GCC, the compile check passes with -fstack-protector-strong + # even though it is not supported and is exposed only by a run/link check. + # So disable it. + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported in AIX with gcc" >&5 +printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported in AIX with gcc" >&2;} + ;; + *) + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; } if test ${ax_cv_check_cflags__Werror__fstack_protector_strong+y} then : @@ -9719,7 +9728,7 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; } if test ${ax_cv_check_cflags__Werror__Wtrampolines+y} then : 
@@ -9758,6 +9767,8 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;} fi + ;; +esac case $GCC in yes) diff --git a/configure.ac b/configure.ac index a70e673623de81..6514f740b8cfd2 100644 --- a/configure.ac +++ b/configure.ac @@ -2511,8 +2511,18 @@ AS_VAR_IF([with_strict_overflow], [yes], # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) -AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) +case $ac_sys_system/$CC in + AIX*/gcc*) + # In AIX with GCC, the compile check passes with -fstack-protector-strong + # even though it is not supported and is exposed only by a run/link check. + # So disable it. + AC_MSG_WARN([-fstack-protector-strong not supported in AIX with gcc]) + ;; + *) + AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) + AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) + ;; +esac case $GCC in yes) From 89fa13559cead536c43afe22587a8b1e3799d1c1 Mon Sep 17 00:00:00 2001 From: Ayappan Date: Mon, 22 Jul 2024 11:35:37 -0500 Subject: [PATCH 2/4] pythongh-121045: Use link test to check -fstack-protector-strong flag --- configure | 48 +++++++++++++++++++++++------------------------- configure.ac | 28 +++++++++++++++++----------- 2 files changed, 40 insertions(+), 36 deletions(-) diff --git a/configure b/configure index d09c74805a8eb7..8aabe2762c7975 100755 --- a/configure +++ b/configure 
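Review bot: In the configure.ac hunk of PATCH 1/4, the `*)` arm now holds the `-Wtrampolines` check as well as the `-fstack-protector-strong` one, so the `AIX*/gcc*` arm skips both flags even though its comment and warning only justify dropping the stack protector. Moving `AX_CHECK_COMPILE_FLAG([-Wtrampolines], ...)` back below `esac` would keep that warning flag probed on every platform. The arm is also selected by the spelling of `$CC`, so a wrapper-launched or target-prefixed gcc would presumably fall through to `*)` and hit the compile-only check again. The `$GCC` value tested by the following `case $GCC in` identifies the compiler family independently of its name.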
@@ -9656,6 +9656,8 @@ UNIVERSAL_ARCH_FLAGS= + + # tweak BASECFLAGS based on compiler and platform if test "x$with_strict_overflow" = xyes then : @@ -9666,25 +9668,18 @@ fi # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -case $ac_sys_system/$CC in - AIX*/gcc*) - # In AIX with GCC, the compile check passes with -fstack-protector-strong - # even though it is not supported and is exposed only by a run/link check. - # So disable it. - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported in AIX with gcc" >&5 -printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported in AIX with gcc" >&2;} - ;; - *) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 -printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; } -if test ${ax_cv_check_cflags__Werror__fstack_protector_strong+y} + + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if we can add -fstack-protector-strong" >&5 +printf %s "checking if we can add -fstack-protector-strong... " >&6; } +if test ${ac_cv_enable_stack_protector_strong_flag+y} then : printf %s "(cached) " >&6 else $as_nop - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -Werror -fstack-protector-strong" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + py_cflags=$CFLAGS + as_fn_append CFLAGS " -fstack-protector-strong -Werror" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -9695,26 +9690,29 @@ main (void) return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO" +if ac_fn_c_try_link "$LINENO" then : - ax_cv_check_cflags__Werror__fstack_protector_strong=yes + ac_cv_enable_stack_protector_strong_flag=yes else $as_nop - ax_cv_check_cflags__Werror__fstack_protector_strong=no + ac_cv_enable_stack_protector_strong_flag=no fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS=$ax_check_save_flags +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + CFLAGS=$py_cflags + fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror__fstack_protector_strong" >&5 -printf "%s\n" "$ax_cv_check_cflags__Werror__fstack_protector_strong" >&6; } -if test "x$ax_cv_check_cflags__Werror__fstack_protector_strong" = xyes +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_enable_stack_protector_strong_flag" >&5 +printf "%s\n" "$ac_cv_enable_stack_protector_strong_flag" >&6; } + + +if test "x$ac_cv_enable_stack_protector_strong_flag" = xyes then : BASECFLAGS="$BASECFLAGS -fstack-protector-strong" else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported" >&5 printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} fi - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; } if test ${ax_cv_check_cflags__Werror__Wtrampolines+y} then : diff --git a/configure.ac b/configure.ac index 64bae0576cc581..6ceacd598ef8d5 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2492,6 +2492,20 @@ AC_DEFUN([PY_CHECK_CC_WARNING], [ AS_VAR_POPDEF([py_var]) ]) +dnl PY_CHECK_CC_CFLAG(ENABLE, CFLAG, [MSG]) +AC_DEFUN([PY_CHECK_CC_CFLAG], [ + AS_VAR_PUSHDEF([py_var], [ac_cv_$1_]m4_normalize($2)[_flag]) + AC_CACHE_CHECK([m4_ifblank([$3], [if we can $1 $CC $2 flag], [$3])], [py_var], [ + AS_VAR_COPY([py_cflags], [CFLAGS]) + AS_VAR_APPEND([CFLAGS], [" -f$2 -Werror"]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], + [AS_VAR_SET([py_var], [yes])], + [AS_VAR_SET([py_var], [no])]) + AS_VAR_COPY([CFLAGS], [py_cflags]) + ]) + AS_VAR_POPDEF([py_var]) +]) + # tweak BASECFLAGS based on compiler and platform AS_VAR_IF([with_strict_overflow], [yes], [BASECFLAGS="$BASECFLAGS $STRICT_OVERFLOW_CFLAGS"], @@ -2499,17 +2513,9 @@ AS_VAR_IF([with_strict_overflow], [yes], # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -case $ac_sys_system/$CC in - AIX*/gcc*) - # In AIX with GCC, the compile check passes with -fstack-protector-strong - # even though it is not supported and is exposed only by a run/link check. - # So disable it. - AC_MSG_WARN([-fstack-protector-strong not supported in AIX with gcc]) - ;; - *) - AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) - ;; -esac +PY_CHECK_CC_CFLAG([enable], [stack-protector-strong], [if we can add -fstack-protector-strong]) +AS_VAR_IF([ac_cv_enable_stack_protector_strong_flag], [yes], + [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], AC_MSG_WARN([-fstack-protector-strong not supported])) AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])]) 
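Review bot: The probe in `PY_CHECK_CC_CFLAG` links `AC_LANG_PROGRAM([[]], [[]])`, an empty `main` with no local buffer, which -fstack-protector-strong would normally leave uninstrumented. The link step therefore only fails when the compiler driver itself pulls in a missing SSP runtime library, which may not hold on every toolchain. A body that declares a local array, e.g. `AC_LANG_PROGRAM([[]], [[volatile char buf[16]; buf[0] = 0;]])`, would make the result depend on the canary symbols actually resolving. The `dnl` line should also say that CFLAG is passed without its `-f` prefix (the macro appends `-f$2`) and that the result is left in the cache variable `ac_cv_$1_<flag>_flag`, since the caller in the next hunk has to spell that name itself.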
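Review bot: The else-argument of the new `AS_VAR_IF` call is passed unquoted, `AC_MSG_WARN([-fstack-protector-strong not supported]))`, so m4 expands the warning macro while collecting arguments rather than inside `AS_VAR_IF`; quote it like the third argument, `[AC_MSG_WARN([-fstack-protector-strong not supported])])`. The call also repeats the macro's internal cache-variable name `ac_cv_enable_stack_protector_strong_flag`, which would silently stop matching if the naming in `PY_CHECK_CC_CFLAG` changed, so a short comment beside the call saying where the variable comes from would help. When the link test fails, the build continues without the stack protector and only this warning records it, which makes it the line to look for in configure output when auditing a build's hardening.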
From ea1b825419e7b2b3bbdd3f2e188e34508e82a5ec Mon Sep 17 00:00:00 2001 From: Ayappan Date: Tue, 23 Jul 2024 03:40:26 -0500 Subject: [PATCH 3/4] Regenerate configure file --- configure | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 9831bd3104a8c0..af68850c92c4c7 100755 --- a/configure +++ b/configure @@ -9695,6 +9695,8 @@ printf "%s\n" "$disable_safety" >&6; } if test "$disable_safety" = "no" then + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if we can add -fstack-protector-strong" >&5 printf %s "checking if we can add -fstack-protector-strong... " >&6; } if test ${ac_cv_enable_stack_protector_strong_flag+y} @@ -9730,14 +9732,14 @@ fi printf "%s\n" "$ac_cv_enable_stack_protector_strong_flag" >&6; } -if test "x$ac_cv_enable_stack_protector_strong_flag" = xyes + if test "x$ac_cv_enable_stack_protector_strong_flag" = xyes then : BASECFLAGS="$BASECFLAGS -fstack-protector-strong" else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported" >&5 printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; } if test ${ax_cv_check_cflags__Werror__Wtrampolines+y} then : From fe9e133b959268c96357cef9da765bd6152a1bbe Mon Sep 17 00:00:00 2001 From: Ayappan Date: Thu, 1 Aug 2024 04:35:49 -0500 Subject: [PATCH 4/4] Regenerate configure file --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 25dea9fb54e4b3..61d015d2154a85 100755 --- a/configure +++ b/configure 
@@ -9739,6 +9739,7 @@ else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported" >&5 printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} fi + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; } if test ${ax_cv_check_cflags__Werror__Wtrampolines+y}