From 076183b36b76a11438463883ff916f17aef9e001 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Thu, 18 Jun 2020 13:31:07 +0800
Subject: [PATCH] build: add -fcf-protection=full to hardening options
Enables code instrumentation of control-flow transfers. Available in GCC 8 and Clang 7. This option is now on by default in Ubuntu GCC as of 19.10.
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)
diff --git a/configure.ac b/configure.ac
index 12bece69032..fe8ce1a8f79 100644
--- a/configure.ac
+++ b/configure.ac
@@ -785,6 +785,7 @@ if test x$use_hardening != xno; then
 AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
 AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
+ AX_CHECK_COMPILE_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"])
 dnl When enable_debug is yes, all optimizations are disabled.
 dnl However, FORTIFY_SOURCE requires that there is some level of optimization, otherwise it does nothing and just creates a compiler warning.
 dnl Since FORTIFY_SOURCE is a no-op without optimizations, do not enable it when enable_debug is yes.
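Review bot: The added `-fcf-protection=full` check carries no comment, and the flag is appended to `HARDENED_CXXFLAGS` only, so any objects built outside those flags (C sources, bundled or system dependencies, none of which are visible in this hunk) would lack the CET marking. That matters because the linker marks the output as IBT/shadow-stack compatible only when every input object carries the note, and enforcement further depends on CPU and kernel support; otherwise the option adds instrumentation but no protection. I would document this next to the line, e.g. `dnl -fcf-protection=full: x86 CET (IBT/SHSTK) instrumentation; effective only if all linked objects, the CPU and the OS support it.`, and confirm the result on a built binary with `readelf -n`. The check also passes no extra flags to `AX_CHECK_COMPILE_FLAG`, so a compiler that merely warns about the option would presumably still get it added; passing `-Werror` as the fourth argument would make the probe stricter. The `if test x$use_hardening != xno` block starts before and continues past this hunk.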