Fix sahib#109

The default executable stack setting on Linux can be fixed in two different ways: - By adding the `.section .note.GNU-stack,"",%progbits` special incantation - By passing the `--noexecstack` flag to the assembler This patch implements both, but only one of them is strictly necessary. I've also added some additional hardening flags to the Makefile. May not be portable.
SeeSpotRun · Aug 23, 2020 · adbf07d · adbf07d
1 parent 8dc30a2
commit adbf07d
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 5 deletions.
diff --git a/c/Makefile.testing b/c/Makefile.testing
@@ -3,10 +3,11 @@
 
 NAME=blake3
 CC=gcc
-CFLAGS=-O3 -Wall -Wextra -std=c11 -pedantic
+CFLAGS=-O3 -Wall -Wextra -std=c11 -pedantic -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -fvisibility=hidden
+LDFLAGS=-pie -Wl,-z,relro,-z,now
 TARGETS=
 ASM_TARGETS=
-EXTRAFLAGS=
+EXTRAFLAGS=-Wa,--noexecstack
 
 ifdef BLAKE3_NO_SSE41
 EXTRAFLAGS += -DBLAKE3_NO_SSE41
@@ -35,7 +36,7 @@ TARGETS += blake3_neon.o
 endif
 
 all: blake3.c blake3_dispatch.c blake3_portable.c main.c $(TARGETS)
-	$(CC) $(CFLAGS) $(EXTRAFLAGS) $^ -o $(NAME)
+	$(CC) $(CFLAGS) $(EXTRAFLAGS) $^ -o $(NAME) $(LDFLAGS)
 
 blake3_sse41.o: blake3_sse41.c
 	$(CC) $(CFLAGS) $(EXTRAFLAGS) -c $^ -o $@ -msse4.1
@@ -54,9 +55,9 @@ test: all
 	./test.py
 
 asm: blake3.c blake3_dispatch.c blake3_portable.c main.c $(ASM_TARGETS)
-	$(CC) $(CFLAGS) $(EXTRAFLAGS) $^ -o $(NAME)
+	$(CC) $(CFLAGS) $(EXTRAFLAGS) $^ -o $(NAME) $(LDFLAGS)
 
-test_asm: CFLAGS += -DBLAKE3_TESTING -fsanitize=address,undefined
+test_asm: CFLAGS += -DBLAKE3_TESTING -fsanitize=address,undefined 
 test_asm: asm
 	./test.py
 

diff --git a/c/blake3_avx2_x86-64_unix.S b/c/blake3_avx2_x86-64_unix.S
@@ -1,3 +1,7 @@
+#if defined(__ELF__) && defined(__linux__)
+.section .note.GNU-stack,"",%progbits
+#endif
+
 #if defined(__ELF__) && defined(__CET__) && defined(__has_include)
 #if __has_include(<cet.h>)
 #include <cet.h>

diff --git a/c/blake3_avx512_x86-64_unix.S b/c/blake3_avx512_x86-64_unix.S
@@ -1,3 +1,7 @@
+#if defined(__ELF__) && defined(__linux__)
+.section .note.GNU-stack,"",%progbits
+#endif
+
 #if defined(__ELF__) && defined(__CET__) && defined(__has_include)
 #if __has_include(<cet.h>)
 #include <cet.h>

diff --git a/c/blake3_sse41_x86-64_unix.S b/c/blake3_sse41_x86-64_unix.S
@@ -1,3 +1,7 @@
+#if defined(__ELF__) && defined(__linux__)
+.section .note.GNU-stack,"",%progbits
+#endif
+
 #if defined(__ELF__) && defined(__CET__) && defined(__has_include)
 #if __has_include(<cet.h>)
 #include <cet.h>