Many of the makefiles repeat the following check:

```make
CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
```

which is then used to select the stack protection flags:

```make
ifeq ($(CC_BELOW_4_9), 1)
COMMON_FLAGS += -fstack-protector
else
COMMON_FLAGS += -fstack-protector-strong
endif
```
This `expr` comparison is broken once the GCC major version reaches 10.

`expr` only compares numerically when both operands are integers; the `.` in `4.9` makes it fall back to a lexical (string) comparison. That gives the right answer only while every component of the version number is a single digit. As soon as a component has two digits it breaks: `"10" \< "4.9"` is true because the character `1` sorts before `4`, so `CC_BELOW_4_9` is set to `1`.

As a result, with GCC >= 10, builds get weaker stack protection than intended: they are compiled with `-fstack-protector` instead of `-fstack-protector-strong`.

Fortunately the NixOS build environment for the enclaves only has GCC 9.5.0, so the AE builds have not been weakened, but anyone building non-enclave code on a modern Linux distribution is getting suboptimal build flags.
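To make the failure mode concrete, here is an added example (not code from the original makefiles) that runs the broken `expr` check and a corrected numeric check side by side over constructed version strings standing in for `$(CC) -dumpversion` output, then shows which flag each version would receive:

```shell
#!/bin/sh
# Added example: compare the makefile's expr check against a corrected one.
# No compiler is invoked; the strings below are constructed stand-ins for
# what `$(CC) -dumpversion` prints.

# The check as written in the makefiles. "4.9" is not an integer, so expr
# compares the two operands as strings, character by character.
# expr exits 1 when the result is 0, so the exit status is masked here.
broken_below_4_9() {
    expr "$1" \< "4.9" || true
}

# Corrected check: split the version on '.' and compare major and minor
# as integers. Prints 1 when the version is below 4.9, otherwise 0.
fixed_below_4_9() {
    major=${1%%.*}
    rest=${1#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}
    [ -n "$minor" ] || minor=0          # "10" (major only) means 10.0
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 9 ]; }; then
        echo 1
    else
        echo 0
    fi
}

# Flag selection using the corrected check, mirroring the ifeq/else block.
stack_protector_flag() {
    if [ "$(fixed_below_4_9 "$1")" = 1 ]; then
        echo "-fstack-protector"
    else
        echo "-fstack-protector-strong"
    fi
}

# Constructed sample versions: pre-4.9, the NixOS 9.5.0, and two >= 10.
for v in 4.8.5 9.5.0 10.2.1 13.2; do
    printf '%-8s broken=%s fixed=%s -> %s\n' "$v" \
        "$(broken_below_4_9 "$v")" "$(fixed_below_4_9 "$v")" \
        "$(stack_protector_flag "$v")"
done
```

The `broken=` column reads `1` for 10.2.1 and 13.2, which is exactly the misclassification that selects the weaker flag on GCC 10 and later.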