authorNomis101 <[email protected]>2019-04-22 20:31:28 +0200
committerBradley Sepos <[email protected]>2019-06-19 14:10:45 -0400
commit5351c1f6194f8e12d30bc693c0dfe75c87b21410 (patch)
tree05059aa6dd57493a28a24e9afb85a90d9b262743
parent79ea65ee6d16d93bf1c536fedfb49b0d29a25fc3 (diff)
build: Add --enable-hardening flag to enable stack protection and enhanced buffer overflow protection.
Prints the hardening status on global init to the log. Closes #2027. Was #2040.
-rw-r--r--libhb/hb.c5
-rw-r--r--libhb/project.h.m41
-rw-r--r--macosx/HBOutputPanelController.m6
-rw-r--r--make/configure.py5
-rw-r--r--make/include/gcc.defs7
5 files changed, 23 insertions, 1 deletions
diff --git a/libhb/hb.c b/libhb/hb.c
index 9b3cea166..720a7585d 100644
--- a/libhb/hb.c
+++ b/libhb/hb.c
@@ -1652,6 +1652,11 @@ int hb_global_init_no_hardware()
int hb_global_init()
{
+ /* Print hardening status on global init */
+#ifdef HB_PROJECT_HOST_HARDEN
+ hb_log( "Compile-time hardening features are enabled" );
+#endif
+
int result = 0;
result = hb_platform_init();
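Review bot: The `#ifdef HB_PROJECT_HOST_HARDEN` guard in hb_global_init looks true for every build, so a build configured without `--enable-hardening` would still log that hardening is enabled. The project.h.m4 hunk in this commit defines the macro unconditionally, and configure.py sets `HOST.harden` to 0 or 1, so the macro is defined either way. Test the value rather than the definition, as the HBOutputPanelController.m hunk does: `#if HB_PROJECT_HOST_HARDEN`. This assumes hb.c picks the macro up from project.h, which the hunk does not show; the function body continues outside the hunk.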
diff --git a/libhb/project.h.m4 b/libhb/project.h.m4
index ff727e006..2ce9fac68 100644
--- a/libhb/project.h.m4
+++ b/libhb/project.h.m4
@@ -38,6 +38,7 @@ dnl
<<#>>define HB_PROJECT_HOST_RELEASE "__HOST_release"
<<#>>define HB_PROJECT_HOST_TITLE "__HOST_title"
<<#>>define HB_PROJECT_HOST_ARCH "__HOST_arch"
+<<#>>define HB_PROJECT_HOST_HARDEN __HOST_harden
<<#>>define HB_PROJECT_FEATURE_ASM __FEATURE_asm
<<#>>define HB_PROJECT_FEATURE_FDK_AAC __FEATURE_fdk_aac
diff --git a/macosx/HBOutputPanelController.m b/macosx/HBOutputPanelController.m
index 5da8ebaf9..83b5b2268 100644
--- a/macosx/HBOutputPanelController.m
+++ b/macosx/HBOutputPanelController.m
@@ -9,6 +9,7 @@
#import "HBOutputRedirect.h"
#import "HBOutputFileWriter.h"
#import "HBUtilities.h"
+#import "project.h"
/// Maximum amount of characters that can be shown in the view.
#define TextStorageUpperSizeLimit 125000
@@ -77,6 +78,11 @@
NSDictionary *infoDict = [[NSBundle mainBundle] infoDictionary];
NSString *versionStringFull = [NSString stringWithFormat:@"Handbrake Version: %@ (%@)", infoDict[@"CFBundleShortVersionString"], infoDict[@"CFBundleVersion"]];
[HBUtilities writeToActivityLog: "%s", versionStringFull.UTF8String];
+
+ // Lets also report the hardening status to the activity log, if enabled
+#if HB_PROJECT_HOST_HARDEN == 1
+ [HBUtilities writeToActivityLog:"Compile-time hardening features are enabled"];
+#endif
}
return self;
}
diff --git a/make/configure.py b/make/configure.py
index b3dcc205e..eb12c34c9 100644
--- a/make/configure.py
+++ b/make/configure.py
@@ -686,7 +686,7 @@ class ArchAction( Action ):
## special cases in that powerpc does not match gcc -arch value
## which we like to use; so it has to be removed.
- ## note: we don't know if apple will release Ssnow Leopad/ppc64 yet; just a guess.
+ ## note: we don't know if apple will release Snow Leopard/ppc64 yet; just a guess.
if 'powerpc' in self.mode:
del self.mode['powerpc']
self.mode.mode = 'ppc'
@@ -1399,6 +1399,8 @@ def createCLI( cross = None ):
arch.mode.cli_add_argument( grp, '--arch' )
grp.add_argument( '--cross', default=None, action='store', metavar='SPEC',
help='specify GCC cross-compilation spec' )
+ grp.add_argument( '--enable-hardening', dest="enable_host_harden", default=None, action='store_true',
+ help='enable buffer overflow protection' )
cli.add_argument_group( grp )
## add Xcode options
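Review bot: The new option stores `True` or leaves the default `None`, and the later `doc.add( 'HOST.harden', int( options.enable_host_harden != None))` line only works because of that default. If the default becomes `False`, or a disabling switch later writes `False` to the same `dest`, then `False != None` is true and the build is marked hardened when it is not. Using `default=False` here and `doc.add( 'HOST.harden', int( bool( options.enable_host_harden )))` in the other hunk removes the dependency on `None`. The help text could also mention stack protection, since the flag turns on `-fstack-protector-strong` as well as `_FORTIFY_SOURCE`.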
@@ -1948,6 +1950,7 @@ int main()
doc.add( 'HOST.cross.prefix', '' )
doc.add( 'HOST.arch', arch.mode.mode )
+ doc.add( 'HOST.harden', int( options.enable_host_harden != None))
doc.addBlank()
doc.add( 'SRC', cfg.src_final )
diff --git a/make/include/gcc.defs b/make/include/gcc.defs
index 7a67f4b2f..bd2d82dd0 100644
--- a/make/include/gcc.defs
+++ b/make/include/gcc.defs
@@ -86,6 +86,13 @@ GCC.args.extra.hpp_o =
GCC.args.extra.cpp_o =
GCC.args.extra.dylib++ = $(LDFLAGS)
GCC.args.extra.exe++ = $(LDFLAGS)
+# If hardening is enabled -D_FORTIFY_SOURCE=2 adds compile-time protection and run-time
+# checking against static sized buffer overflow flaws. -fstack-protector-strong enables
+# stack canaries to detect stack buffer overflows (stack overwrites).
+ifeq (1,$(HOST.harden))
+ GCC.args.extra += $(CFLAGS) $(CXXFLAGS) $(CPPFLAGS) -fstack-protector-strong -D_FORTIFY_SOURCE=2
+ GCC.args.extra.exe += -fstack-protector-strong
+endif
###############################################################################
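Review bot: `GCC.args.extra += $(CFLAGS) $(CXXFLAGS) $(CPPFLAGS) ...` brings the environment's compiler flags into the build only when hardening is on, so a hardened build can differ from a normal one in more than the two protection flags. Any C++-only flag in `CXXFLAGS` would also reach every compilation that `GCC.args.extra` feeds, though which ones those are is not visible here. If the environment flags are not meant to be part of the feature, keep the conditional to `GCC.args.extra += -fstack-protector-strong -D_FORTIFY_SOURCE=2`. The comment should also say that the `_FORTIFY_SOURCE` checks are only active when optimization is enabled; an unoptimized build gets the stack canaries but not the fortified calls, and the log line still reports hardening as enabled.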