11 files changed, 85 insertions, 6 deletions

diff --git a/config/binutils/binutils.in b/config/binutils/binutils.in
index bd32bd6b..928659af 100644
--- a/config/binutils/binutils.in
+++ b/config/binutils/binutils.in
@@ -79,7 +79,7 @@ config BINUTILS_LINKER_LD_GOLD
 config BINUTILS_LINKER_GOLD_LD
     bool
     prompt "gold, ld"
-    depends on !BINUTILS_FORCE_LD_BFD_ONLY
+    depends on !BINUTILS_FORCE_LD_BFD_DEFAULT && !BINUTILS_FORCE_LD_BFD_ONLY
     depends on BINUTILS_GOLD_SUPPORT
     select BINUTILS_GOLD_INSTALLED
     select BINUTILS_LINKER_BOTH
@@ -146,6 +146,16 @@ config BINUTILS_PLUGINS
       Especially, gold can use the lto-plugin, as installed
       by gcc, to handle LTO.
 
+config BINUTILS_RELRO
+    tristate
+    prompt "Enable -z relro in ELF linker by default" if BINUTILS_2_27_or_later
+    default m
+    help
+      Setting this option forces "-z relro" by default in the ELF linker.
+      Clearing this option forces "-z norelro" by default in the ELF linker.
+      Setting this option to 'M' configures binutils with their internal
+      default for the selected architecture.
+
 config BINUTILS_EXTRA_CONFIG_ARRAY
     string
     prompt "binutils extra config"
diff --git a/config/libc/glibc.in b/config/libc/glibc.in
index 5916a83c..527063f4 100644
--- a/config/libc/glibc.in
+++ b/config/libc/glibc.in
@@ -320,6 +320,45 @@ config GLIBC_MIN_KERNEL
     default LINUX_VERSION                 if GLIBC_KERNEL_VERSION_AS_HEADERS
     default GLIBC_MIN_KERNEL_VERSION      if GLIBC_KERNEL_VERSION_CHOSEN
 
+
+choice
+    bool "Stack-smashing protection (SSP) in glibc"
+    default GLIBC_SSP_DEFAULT
+
+config GLIBC_SSP_DEFAULT
+    bool "default"
+    help
+      Glibc's configure script determines the stack protection level.
+
+config GLIBC_SSP_NO
+    bool "no"
+    help
+      Glibc functions are not protected against stack-smashing.
+
+config GLIBC_SSP_YES
+    bool "yes"
+    help
+      Glibc is compiled with -fstack-protector option.
+
+config GLIBC_SSP_ALL
+    bool "all"
+    help
+      Glibc is compiled with -fstack-protector-all option.
+
+config GLIBC_SSP_STRONG
+    bool "strong"
+    help
+      Glibc is compiled with -fstack-protector-strong option.
+
+endchoice
+
+config GLIBC_SSP
+    string
+    default "no" if GLIBC_SSP_NO
+    default "yes" if GLIBC_SSP_YES
+    default "all" if GLIBC_SSP_ALL
+    default "strong" if GLIBC_SSP_STRONG
+
 # All supported versions of glibc build cleanly with GCC7 and earlier.
 # GCC8-related fixes were only available in glibc 2.27.
 config GLIBC_ENABLE_WERROR
diff --git a/config/libc/mingw-w64.in b/config/libc/mingw-w64.in
index 02b18a27..d176e477 100644
--- a/config/libc/mingw-w64.in
+++ b/config/libc/mingw-w64.in
@@ -5,6 +5,7 @@
 ## select LIBC_SUPPORT_THREADS_NATIVE
 ## select LIBC_SUPPORT_THREADS_POSIX
 ## select CC_CORE_PASS_2_NEEDED
+## select BINUTILS_FORCE_LD_BFD_DEFAULT
 ##
 ## help The de-facto standard for Mingw distributions.
 
diff --git a/config/libc/uClibc.in b/config/libc/uClibc.in
index 7bdd03f4..2b11e0c9 100644
--- a/config/libc/uClibc.in
+++ b/config/libc/uClibc.in
@@ -207,6 +207,23 @@ config LIBC_UCLIBC_RPC
     help
       Enable support for remote procedure calls (RPC) in uClibc.
 
+config LIBC_UCLIBC_HAS_SSP
+    bool
+    prompt "Support stack smashing protection (SSP)"
+    default y
+    help
+      Enable support for building programs with -fstack-protector family
+      of options. If this option is disabled, one can also use a standalone
+      libssp library from GCC.
+
+config LIBC_UCLIBC_BUILD_SSP
+    bool
+    prompt "Build uClibc with SSP"
+    depends on LIBC_UCLIBC_HAS_SSP
+    help
+      Build uClibc with -fstack-protector. This adds runtime overhead
+      to many function calls and is disabled by default.
+
 if ARCH_ARM
 config LIBC_UCLIBC_USE_GNU_SUFFIX
     bool
diff --git a/scripts/build/binutils/binutils-ld.in b/packages/binutils/binutils-ld.in
index 30f4591b..30f4591b 100644
--- a/scripts/build/binutils/binutils-ld.in
+++ b/packages/binutils/binutils-ld.in
diff --git a/packages/binutils/package.desc b/packages/binutils/package.desc
index cf38889b..317cd6c1 100644
--- a/packages/binutils/package.desc
+++ b/packages/binutils/package.desc
@@ -1,6 +1,6 @@
 repository='git git://sourceware.org/git/binutils-gdb.git'
 mirrors='$(CT_Mirrors GNU binutils) $(CT_Mirrors sourceware binutils/releases)'
 origin='GNU'
-milestones='2.23 2.25 2.30'
+milestones='2.23 2.25 2.27 2.30'
 archive_formats='.tar.xz .tar.bz2 .tar.gz'
 signature_format='packed/.sig'
diff --git a/contrib/uClibc-defconfigs/uClibc-ng.config b/packages/uClibc-ng/config
index 1f0a8c17..1f0a8c17 100644
--- a/contrib/uClibc-defconfigs/uClibc-ng.config
+++ b/packages/uClibc-ng/config
diff --git a/contrib/uClibc-defconfigs/uClibc.config b/packages/uClibc/config
index 104eb5c6..104eb5c6 100644
--- a/contrib/uClibc-defconfigs/uClibc.config
+++ b/packages/uClibc/config
diff --git a/scripts/build/binutils/binutils.sh b/scripts/build/binutils/binutils.sh
index f61b5563..d1745a34 100644
--- a/scripts/build/binutils/binutils.sh
+++ b/scripts/build/binutils/binutils.sh
@@ -153,6 +153,11 @@ do_binutils_backend() {
     if [ "${CT_BINUTILS_PLUGINS}" = "y" ]; then
         extra_config+=( --enable-plugins )
     fi
+    if [ "${CT_BINUTILES_RELRO}" = "y" ]; then
+        extra_config+=( --enable-relro )
+    elif [ "${CT_BINUTILS_RELRO}" != "m" ]; then
+        extra_config+=( --disable-relro )
+    fi
     if [ "${CT_BINUTILS_HAS_PKGVERSION_BUGURL}" = "y" ]; then
         [ -n "${CT_PKGVERSION}" ] && extra_config+=("--with-pkgversion=${CT_PKGVERSION}")
         [ -n "${CT_TOOLCHAIN_BUGURL}" ] && extra_config+=("--with-bugurl=${CT_TOOLCHAIN_BUGURL}")
@@ -221,7 +226,7 @@ do_binutils_backend() {
         rm -f "${prefix}/bin/${CT_TARGET}-ld"
         rm -f "${prefix}/${CT_TARGET}/bin/ld"
         sed -r -e "s/@@DEFAULT_LD@@/${CT_BINUTILS_LINKER_DEFAULT}/" \
-            "${CT_LIB_DIR}/scripts/build/binutils/binutils-ld.in"      \
+            "${CT_LIB_DIR}/packages/binutils/binutils-ld.in"      \
             >"${prefix}/bin/${CT_TARGET}-ld"
         chmod a+x "${prefix}/bin/${CT_TARGET}-ld"
         cp -a "${prefix}/bin/${CT_TARGET}-ld"   \
diff --git a/scripts/build/libc/glibc.sh b/scripts/build/libc/glibc.sh
index a9adbbbc..4d44fea9 100644
--- a/scripts/build/libc/glibc.sh
+++ b/scripts/build/libc/glibc.sh
@@ -176,6 +176,10 @@ glibc_backend_once()
     [ -n "${CT_PKGVERSION}" ] && extra_config+=("--with-pkgversion=${CT_PKGVERSION}")
     [ -n "${CT_TOOLCHAIN_BUGURL}" ] && extra_config+=("--with-bugurl=${CT_TOOLCHAIN_BUGURL}")
 
+    if [ -n "${CT_GLIBC_SSP}" ]; then
+        extra_config+=("--enable-stack-protector=${CT_GLIBC_SSP}")
+    fi
+
     touch config.cache
 
     # Hide host C++ binary from configure
diff --git a/scripts/build/libc/uClibc.sh b/scripts/build/libc/uClibc.sh
index 7b662045..ccadfeb6 100644
--- a/scripts/build/libc/uClibc.sh
+++ b/scripts/build/libc/uClibc.sh
@@ -94,7 +94,7 @@ uClibc_backend_once()
 
     # Use the default config if the user did not provide one.
     if [ -z "${CT_LIBC_UCLIBC_CONFIG_FILE}" ]; then
-        CT_LIBC_UCLIBC_CONFIG_FILE="${CT_LIB_DIR}/contrib/uClibc-defconfigs/${uClibc_name}.config"
+        CT_LIBC_UCLIBC_CONFIG_FILE="${CT_LIB_DIR}/packages/${uClibc_name}/config"
     fi
 
     manage_uClibc_config "${CT_LIBC_UCLIBC_CONFIG_FILE}" .config "${multi_flags}"
@@ -324,11 +324,14 @@ manage_uClibc_config()
     fi
 
     # Stack Smash Protection (SSP)
-    if [ "${CT_CC_GCC_LIBSSP}" = "y" ]; then
+    if [ "${CT_LIBC_UCLIBC_HAS_SSP}" = "y" ]; then
         CT_KconfigEnableOption "UCLIBC_HAS_SSP" "${dst}"
-        CT_KconfigEnableOption "UCLIBC_BUILD_SSP" "${dst}"
     else
         CT_KconfigDisableOption "UCLIBC_HAS_SSP" "${dst}"
+    fi
+    if [ "${CT_LIBC_UCLIBC_BUILD_SSP}" = "y" ]; then
+        CT_KconfigEnableOption "UCLIBC_BUILD_SSP" "${dst}"
+    else
         CT_KconfigDisableOption "UCLIBC_BUILD_SSP" "${dst}"
     fi