From c057692da7f15a97a06581ab76c388f5892529c7 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Thu, 30 May 2013 09:29:36 -0400
Subject: [PATCH] On Solaris 11 and higher, tag binaries for ASLR if supported
 by the linker.

---
 NEWS         |  3 +++
 configure    | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 configure.in |  8 ++++++++
 3 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index bae1c688e..51a00834d 100644
--- a/NEWS
+++ b/NEWS
@@ -107,6 +107,9 @@ What's new in Sudo 1.8.7?
    by default on Linux systems and verifies that a trivial test
    program builds and runs.
 
+ * On Solaris 11.1 and higher, sudo binaries will now have the
+   ASLR tag enabled if supported by the linker.
+
 What's new in Sudo 1.8.6p8?
 
  * Terminal detection now works properly on 64-bit AIX kernels.
diff --git a/configure b/configure
index 3df050948..aa3737568 100755
--- a/configure
+++ b/configure
@@ -1567,8 +1567,7 @@ Optional Features:
   --enable-werror         Whether to enable the -Werror compiler option
   --disable-hardening     Do not use compiler/linker exploit mitigation
                           options
-  --disable-pie           Do not build position independent executables, even
-                          if the compiler/linker supports them
+  --enable-pie            Build sudo as a position independent executable.
   --enable-admin-flag     Whether to create a Ubuntu-style admin flag file
   --disable-nls           Disable natural language support using gettext
   --disable-rpath         Disable passing of -Rpath to the linker
@@ -21144,6 +21143,49 @@ fi
 	fi
     fi
 fi
+if test "$enable_pie" != "yes"; then
+    # Solaris 11.1 and higher supports tagging binaries to use ASLR
+    case "$host_os" in
+	solaris2.1[1-9]|solaris2.[2-9][0-9])
+	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5
+$as_echo_n "checking whether the linker accepts -Wl,-z,aslr... " >&6; }
+if ${ax_cv_check_ldflags___Wl__z_aslr+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$LDFLAGS
+  LDFLAGS="$LDFLAGS  -Wl,-z,aslr"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_cv_check_ldflags___Wl__z_aslr=yes
+else
+  ax_cv_check_ldflags___Wl__z_aslr=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_aslr" >&5
+$as_echo "$ax_cv_check_ldflags___Wl__z_aslr" >&6; }
+if test x"$ax_cv_check_ldflags___Wl__z_aslr" = xyes; then :
+  PIE_LDFLAGS="${PIE_LDFLAGS}${PIE_LDFLAGS+ }-Wl,-z,aslr"
+else
+  :
+fi
+
+	    ;;
+    esac
+fi
 
 if test "$enable_hardening" != "no"; then
     if test -n "$GCC"; then
diff --git a/configure.in b/configure.in
index 570169b7f..7328151bc 100644
--- a/configure.in
+++ b/configure.in
@@ -3463,6 +3463,14 @@ if test -n "$GCC"; then
 	fi
     fi
 fi
+if test "$enable_pie" != "yes"; then
+    # Solaris 11.1 and higher supports tagging binaries to use ASLR
+    case "$host_os" in
+	solaris2.1[[1-9]]|solaris2.[[2-9]][[0-9]])
+	    AX_CHECK_LINK_FLAG([-Wl,-z,aslr], [PIE_LDFLAGS="${PIE_LDFLAGS}${PIE_LDFLAGS+ }-Wl,-z,aslr"])
+	    ;;
+    esac
+fi
 
 dnl
 dnl Check for -fstack-protector and -z relro support