main/llvm: SSP by default, use -Wl,-z,now

clang was already patched to do -Wl,-z,relro by default. now it also passes
the equivalent of -Wl,-z,now.

clang's normal behavior on linux defaults to using stack smashing protection
whenever a function defines an 8 character or more local array. this is the
equivalent of passing in -fstack-protector with no additional options in gcc.

this release patches clang's default behavior to instead behave like
-fstack-protector-strong was passed in, enabling the canary in many more
conditions without the performance impact of adding it to ALL functions as is
the case with -fstack-protector-all. these conditions include:

  local variable's address used as part of right hand side of assignment
  local variable's address used as function argument
  local variable is an array, regardless of array type or length
  same as above, but local variable is a union containing an array
  uses register local variables

SSP can still be disabled by passing in -fno-stack-protector.
You can still use -fstack-protector-all to add a canary to all functions.

1 files changed, 53 insertions, 0 deletions

diff --git a/main/llvm/clang-0011-alpine-SSP-by-default.patch b/main/llvm/clang-0011-alpine-SSP-by-default.patch
new file mode 100644
index 0000000000..e08efbd643
--- /dev/null
+++ b/main/llvm/clang-0011-alpine-SSP-by-default.patch
@@ -0,0 +1,53 @@
+diff --git i/lib/Driver/ToolChains.cpp w/lib/Driver/ToolChains.cpp
+index e3ff0d7..68ed764 100644
+--- i/lib/Driver/ToolChains.cpp
++++ w/lib/Driver/ToolChains.cpp
+@@ -3408,6 +3408,13 @@ bool Linux::isPIEDefault() const {
+   return getSanitizerArgs().requiresPIE();
+ }
+ 
++unsigned Linux::GetDefaultStackProtectorLevel(bool KernelOrKext) const {
++  StringRef VendorName = Linux::getTriple().getVendorName();
++  if (VendorName.compare("alpine") == 0)
++    return 2;
++  return 1;
++}
++
+ /// DragonFly - DragonFly tool chain which can call as(1) and ld(1) directly.
+ 
+ DragonFly::DragonFly(const Driver &D, const llvm::Triple& Triple, const ArgList &Args)
+diff --git i/lib/Driver/ToolChains.h w/lib/Driver/ToolChains.h
+index 47fb10d..3714a6f 100644
+--- i/lib/Driver/ToolChains.h
++++ w/lib/Driver/ToolChains.h
+@@ -641,6 +641,7 @@ public:
+   AddClangCXXStdlibIncludeArgs(const llvm::opt::ArgList &DriverArgs,
+                                llvm::opt::ArgStringList &CC1Args) const override;
+   bool isPIEDefault() const override;
++  unsigned GetDefaultStackProtectorLevel(bool KernelOrKext) const override;
+ 
+   std::string Linker;
+   std::vector<std::string> ExtraOpts;
+diff --git i/test/Driver/stack-protector.c w/test/Driver/stack-protector.c
+index 7fecd1b..f29cee0 100644
+--- i/test/Driver/stack-protector.c
++++ w/test/Driver/stack-protector.c
+@@ -23,3 +23,18 @@
+ // RUN: %clang -fstack-protector-all -### %s 2>&1 | FileCheck %s -check-prefix=SSP-ALL
+ // SSP-ALL: "-stack-protector" "3"
+ // SSP-ALL-NOT: "-stack-protector-buffer-size" 
++
++// RUN: %clang -target x86_64-alpine-linux-musl -### %s 2>&1 | FileCheck %s -check-prefix=ALPINE
++// ALPINE: "-stack-protector" "2"
++
++// RUN: %clang -target x86_64-alpine-linux-musl -fstack-protector -### %s 2>&1 | FileCheck %s -check-prefix=ALPINE_SPS
++// ALPINE_SPS: "-stack-protector" "2"
++
++// RUN: %clang -target x86_64-alpine-linux-musl -fstack-protector-all -### %s 2>&1 | FileCheck %s -check-prefix=ALPINE_ALL
++// ALPINE_ALL: "-stack-protector" "3"
++// ALPINE_ALL-NOT: "-stack-protector-buffer-size"
++
++// RUN: %clang -target x86_64-alpine-linux-musl -fno-stack-protector -### %s 2>&1 | FileCheck %s -check-prefix=ALPINE_NOSSP
++// ALPINE_NOSSP-NOT: "-stack-protector"
++// ALPINE_NOSSP-NOT: "-stack-protector-buffer-size"
++