security: enable stack protector

Enable stack-proctector-strong option for gcc emiting extra code to check buffer overflow. Enable noexecstack option for marking the object as not requiring executable stack. Tracked-On: 224003 Signed-off-by: wenshelx <wenshengx.wang@intel.com>
2025-06-28 08:16:54 +00:00 · 2018-02-11 15:51:35 +08:00 · 2018-02-11 15:51:35 +08:00 · 156d61e20f
commit 156d61e20f
parent f86d91e1e1
1 changed files with 20 additions and 0 deletions
--- a/devicemodel/Makefile
+++ b/devicemodel/Makefile
@ -21,6 +21,26 @@ CFLAGS += -Werror
 CFLAGS += -I$(BASEDIR)/include
 CFLAGS += -I$(BASEDIR)/include/public

+GCC_MAJOR=$(shell echo __GNUC__ | $(CC) -E -x c - | tail -n 1)
+GCC_MINOR=$(shell echo __GNUC_MINOR__ | $(CC) -E -x c - | tail -n 1)
+
+#enable stack overflow check
+STACK_PROTECTOR := 1
+
+ifdef STACK_PROTECTOR
+ifeq (true, $(shell [ $(GCC_MAJOR) -gt 4 ] && echo true))
+CFLAGS += -fstack-protector-strong
+else
+ifeq (true, $(shell [ $(GCC_MAJOR) -eq 4 ] && [ $(GCC_MINOR) -ge 9 ] && echo true))
+CFLAGS += -fstack-protector-strong
+else
+CFLAGS += -fstack-protector
+endif
+endif
+endif
+
+LDFLAGS += -Wl,-z,noexecstack
+
 LIBS = -lrt
 LIBS += -lpthread
 LIBS += -lcrypto