e7fd42
From 36362544fb039599c0eb58d839e90ffb5410ad27 Mon Sep 17 00:00:00 2001
e7fd42
From: Marek Polacek <polacek@redhat.com>
e7fd42
Date: Wed, 9 Feb 2022 15:18:43 -0500
e7fd42
Subject: [PATCH] configure: Implement --enable-host-bind-now
e7fd42
e7fd42
As promised in the --enable-host-pie patch, this patch adds another
e7fd42
configure option, --enable-host-bind-now, which adds -z now when linking
e7fd42
the compiler executables in order to extend hardening.  BIND_NOW with RELRO
e7fd42
allows the GOT to be marked RO; this prevents GOT modification attacks.
e7fd42
e7fd42
This option does not affect linking of target libraries; you can use
e7fd42
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
e7fd42
e7fd42
Bootstrapped/regtested on x86_64-pc-linux-gnu (with the option enabled vs
e7fd42
not enabled).  I suppose this is GCC 13 material, but maybe I'll get some
e7fd42
comments anyway.
e7fd42
e7fd42
c++tools/ChangeLog:
e7fd42
e7fd42
	* configure.ac (--enable-host-bind-now): New check.
e7fd42
	* configure: Regenerate.
e7fd42
e7fd42
gcc/ChangeLog:
e7fd42
e7fd42
	* configure.ac (--enable-host-bind-now): New check.  Add
e7fd42
	-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
e7fd42
	* configure: Regenerate.
e7fd42
	* doc/install.texi: Document --enable-host-bind-now.
e7fd42
e7fd42
lto-plugin/ChangeLog:
e7fd42
e7fd42
	* configure.ac (--enable-host-bind-now): New check.  Link with
e7fd42
	-z,now.
e7fd42
	* configure: Regenerate.
e7fd42
---
e7fd42
 c++tools/configure      | 11 +++++++++++
e7fd42
 c++tools/configure.ac   |  7 +++++++
e7fd42
 gcc/configure           | 20 ++++++++++++++++++--
e7fd42
 gcc/configure.ac        | 13 ++++++++++++-
e7fd42
 gcc/doc/install.texi    |  6 ++++++
e7fd42
 lto-plugin/configure    | 20 ++++++++++++++++++--
e7fd42
 lto-plugin/configure.ac | 11 +++++++++++
e7fd42
 7 files changed, 83 insertions(+), 5 deletions(-)
e7fd42
e7fd42
diff --git a/c++tools/configure b/c++tools/configure
e7fd42
index c1aceb8404a..25432b5040d 100755
e7fd42
--- a/c++tools/configure
e7fd42
+++ b/c++tools/configure
e7fd42
@@ -631,6 +631,7 @@ ac_ct_CC
e7fd42
 CFLAGS
e7fd42
 CC
e7fd42
 LD_PICFLAG
e7fd42
+enable_host_bind_now
e7fd42
 PICFLAG
e7fd42
 MAINTAINER
e7fd42
 CXX_AUX_TOOLS
e7fd42
@@ -704,6 +705,7 @@ enable_c___tools
e7fd42
 enable_maintainer_mode
e7fd42
 enable_default_pie
e7fd42
 enable_host_pie
e7fd42
+enable_host_bind_now
e7fd42
 with_gcc_major_version_only
e7fd42
 '
e7fd42
       ac_precious_vars='build_alias
e7fd42
@@ -1336,6 +1338,7 @@ Optional Features:
e7fd42
                           configurey bits
e7fd42
   --enable-default-pie    enable Position Independent Executable as default
e7fd42
   --enable-host-pie       build host code as PIE
e7fd42
+  --enable-host-bind-now  link host code as BIND_NOW
e7fd42
 
e7fd42
 Optional Packages:
e7fd42
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
e7fd42
@@ -3009,6 +3012,14 @@ fi
e7fd42
 
e7fd42
 
e7fd42
 
e7fd42
+# Enable --enable-host-bind-now
e7fd42
+# Check whether --enable-host-bind-now was given.
e7fd42
+if test "${enable_host_bind_now+set}" = set; then :
e7fd42
+  enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
e7fd42
+fi
e7fd42
+
e7fd42
+
e7fd42
+
e7fd42
 
e7fd42
 # Check if O_CLOEXEC is defined by fcntl
e7fd42
 ac_ext=c
e7fd42
diff --git a/c++tools/configure.ac b/c++tools/configure.ac
e7fd42
index 1e42689f2eb..d3f23f66f00 100644
e7fd42
--- a/c++tools/configure.ac
e7fd42
+++ b/c++tools/configure.ac
e7fd42
@@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie,
e7fd42
 		[build host code as PIE])],
e7fd42
 [PICFLAG=-fPIE; LD_PICFLAG=-pie], [])
e7fd42
 AC_SUBST(PICFLAG)
e7fd42
+
e7fd42
+# Enable --enable-host-bind-now
e7fd42
+AC_ARG_ENABLE(host-bind-now,
e7fd42
+[AS_HELP_STRING([--enable-host-bind-now],
e7fd42
+       [link host code as BIND_NOW])],
e7fd42
+[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], [])
e7fd42
+AC_SUBST(enable_host_bind_now)
e7fd42
 AC_SUBST(LD_PICFLAG)
e7fd42
 
e7fd42
 # Check if O_CLOEXEC is defined by fcntl
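Review bot: The action-if-given argument of `AC_ARG_ENABLE(host-bind-now, ...)` runs whenever the option appears on the command line, so `--disable-host-bind-now` or `--enable-host-bind-now=no` still appends `-Wl,-z,now` to `LD_PICFLAG`. The gcc/configure.ac and lto-plugin/configure.ac hunks in this patch test the value instead, so the three directories disagree on what a disabled option does. Drop the action argument and add `if test x$enable_host_bind_now = xyes; then LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"; fi` before `AC_SUBST(LD_PICFLAG)`. The generated c++tools/configure hunk carries the same unconditional assignment on its `enableval=` line and needs regenerating afterwards.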
e7fd42
diff --git a/gcc/configure b/gcc/configure
e7fd42
index 2ded5d4c50b..5671dc7dcf4 100755
e7fd42
--- a/gcc/configure
e7fd42
+++ b/gcc/configure
e7fd42
@@ -635,6 +635,7 @@ CET_HOST_FLAGS
e7fd42
 LD_PICFLAG
e7fd42
 PICFLAG
e7fd42
 enable_default_pie
e7fd42
+enable_host_bind_now
e7fd42
 enable_host_pie
e7fd42
 enable_host_shared
e7fd42
 enable_plugin
e7fd42
@@ -1023,6 +1024,7 @@ enable_version_specific_runtime_libs
e7fd42
 enable_plugin
e7fd42
 enable_host_shared
e7fd42
 enable_host_pie
e7fd42
+enable_host_bind_now
e7fd42
 enable_libquadmath_support
e7fd42
 with_linker_hash_style
e7fd42
 with_diagnostics_color
e7fd42
@@ -1786,6 +1788,7 @@ Optional Features:
e7fd42
   --enable-plugin         enable plugin support
e7fd42
   --enable-host-shared    build host code as shared libraries
e7fd42
   --enable-host-pie       build host code as PIE
e7fd42
+  --enable-host-bind-now  link host code as BIND_NOW
e7fd42
   --disable-libquadmath-support
e7fd42
                           disable libquadmath support for Fortran
e7fd42
   --enable-default-pie    enable Position Independent Executable as default
e7fd42
@@ -32109,6 +32112,14 @@ fi
e7fd42
 
e7fd42
 
e7fd42
 
e7fd42
+# Enable --enable-host-bind-now
e7fd42
+# Check whether --enable-host-bind-now was given.
e7fd42
+if test "${enable_host_bind_now+set}" = set; then :
e7fd42
+  enableval=$enable_host_bind_now;
e7fd42
+fi
e7fd42
+
e7fd42
+
e7fd42
+
e7fd42
 # Check whether --enable-libquadmath-support was given.
e7fd42
 if test "${enable_libquadmath_support+set}" = set; then :
e7fd42
   enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval
e7fd42
@@ -32295,6 +32306,8 @@ else
e7fd42
   PICFLAG=
e7fd42
 fi
e7fd42
 
e7fd42
+
e7fd42
+
e7fd42
 if test x$enable_host_pie = xyes; then
e7fd42
   LD_PICFLAG=-pie
e7fd42
 elif test x$gcc_cv_no_pie = xyes; then
e7fd42
@@ -32303,6 +32316,9 @@ else
e7fd42
   LD_PICFLAG=
e7fd42
 fi
e7fd42
 
e7fd42
+if test x$enable_host_bind_now = xyes; then
e7fd42
+  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
e7fd42
+fi
e7fd42
 
e7fd42
 
e7fd42
 
e7fd42
diff --git a/gcc/configure.ac b/gcc/configure.ac
e7fd42
index dca995aeec7..6017bcbc8c6 100644
e7fd42
--- a/gcc/configure.ac
e7fd42
+++ b/gcc/configure.ac
e7fd42
@@ -7497,6 +7497,12 @@ AC_ARG_ENABLE(host-pie,
e7fd42
 		[build host code as PIE])])
e7fd42
 AC_SUBST(enable_host_pie)
e7fd42
 
e7fd42
+# Enable --enable-host-bind-now
e7fd42
+AC_ARG_ENABLE(host-bind-now,
e7fd42
+[AS_HELP_STRING([--enable-host-bind-now],
e7fd42
+		[link host code as BIND_NOW])])
e7fd42
+AC_SUBST(enable_host_bind_now)
e7fd42
+
e7fd42
 AC_ARG_ENABLE(libquadmath-support,
e7fd42
 [AS_HELP_STRING([--disable-libquadmath-support],
e7fd42
   [disable libquadmath support for Fortran])],
e7fd42
@@ -7638,6 +7644,8 @@ else
e7fd42
   PICFLAG=
e7fd42
 fi
e7fd42
 
e7fd42
+AC_SUBST([PICFLAG])
e7fd42
+
e7fd42
 if test x$enable_host_pie = xyes; then
e7fd42
   LD_PICFLAG=-pie
e7fd42
 elif test x$gcc_cv_no_pie = xyes; then
e7fd42
@@ -7646,7 +7654,10 @@ else
e7fd42
   LD_PICFLAG=
e7fd42
 fi
e7fd42
 
e7fd42
-AC_SUBST([PICFLAG])
e7fd42
+if test x$enable_host_bind_now = xyes; then
e7fd42
+  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
e7fd42
+fi
e7fd42
+
e7fd42
 AC_SUBST([LD_PICFLAG])
e7fd42
 
e7fd42
 # Enable Intel CET on Intel CET enabled host if jit is enabled.
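Review bot: `-Wl,-z,now` is appended to `LD_PICFLAG` here without `-z relro`, and nothing visible in the hunk probes whether the host linker accepts `-z now`. The read-only GOT described in the commit message needs RELRO as well as BIND_NOW, so with this flag alone the hardening depends on the linker's relro default, which the patch does not establish. Consider `LD_PICFLAG="$LD_PICFLAG -Wl,-z,relro,-z,now"`, or at least a comment such as `# relies on the linker defaulting to -z relro for a read-only GOT`. A configure-time link test would also let a host whose linker presumably rejects `-z` options fail early with a clear message instead of at link time. The same applies to the `ac_lto_plugin_ldflags` assignment in lto-plugin/configure.ac.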
e7fd42
diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi
e7fd42
index 9747f832a75..b59af198d3e 100644
e7fd42
--- a/gcc/doc/install.texi
e7fd42
+++ b/gcc/doc/install.texi
e7fd42
@@ -1041,6 +1041,12 @@ protection against Return Oriented Programming (ROP) attacks.
e7fd42
 in which case @option{-fPIC} is used when compiling, and @option{-pie} when
e7fd42
 linking.
e7fd42
 
e7fd42
+@item --enable-host-bind-now
e7fd42
+Specify that the @emph{host} executables should be linked with the option
e7fd42
+@option{-Wl,-z,now}, which means that the dynamic linker will resolve all
e7fd42
+symbols when the executables are started, and that in turn allows RELRO to
e7fd42
+mark the GOT read-only, resulting in better security.
e7fd42
+
e7fd42
 @item @anchor{with-gnu-as}--with-gnu-as
e7fd42
 Specify that the compiler should assume that the
e7fd42
 assembler it finds is the GNU assembler.  However, this does not modify
e7fd42
diff --git a/lto-plugin/configure b/lto-plugin/configure
e7fd42
index baa84adbb6c..669ccaede52 100755
e7fd42
--- a/lto-plugin/configure
e7fd42
+++ b/lto-plugin/configure
e7fd42
@@ -656,6 +656,7 @@ accel_dir_suffix
e7fd42
 gcc_build_dir
e7fd42
 CET_HOST_FLAGS
e7fd42
 ac_lto_plugin_ldflags
e7fd42
+enable_host_bind_now
e7fd42
 ac_lto_plugin_warn_cflags
e7fd42
 EGREP
e7fd42
 GREP
e7fd42
@@ -771,6 +772,7 @@ enable_maintainer_mode
e7fd42
 with_libiberty
e7fd42
 enable_dependency_tracking
e7fd42
 enable_largefile
e7fd42
+enable_host_bind_now
e7fd42
 enable_cet
e7fd42
 with_gcc_major_version_only
e7fd42
 enable_shared
e7fd42
@@ -1418,6 +1420,7 @@ Optional Features:
e7fd42
   --disable-dependency-tracking
e7fd42
                           speeds up one-time build
e7fd42
   --disable-largefile     omit support for large files
e7fd42
+  --enable-host-bind-now  link host code as BIND_NOW
e7fd42
   --enable-cet            enable Intel CET in host libraries [default=auto]
e7fd42
   --enable-shared[=PKGS]  build shared libraries [default=yes]
e7fd42
   --enable-static[=PKGS]  build static libraries [default=yes]
e7fd42
@@ -5662,6 +5665,19 @@ if test "x$have_static_libgcc" = xyes; then
e7fd42
    ac_lto_plugin_ldflags="-Wc,-static-libgcc"
e7fd42
 fi
e7fd42
 
e7fd42
+# Enable --enable-host-bind-now
e7fd42
+# Check whether --enable-host-bind-now was given.
e7fd42
+if test "${enable_host_bind_now+set}" = set; then :
e7fd42
+  enableval=$enable_host_bind_now;
e7fd42
+fi
e7fd42
+
e7fd42
+
e7fd42
+
e7fd42
+if test x$enable_host_bind_now = xyes; then
e7fd42
+  ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
e7fd42
+fi
e7fd42
+
e7fd42
+
e7fd42
 
e7fd42
  # Check whether --enable-cet was given.
e7fd42
 if test "${enable_cet+set}" = set; then :
e7fd42
diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac
e7fd42
index 7e6f729e9dc..5d5fea8fe70 100644
e7fd42
--- a/lto-plugin/configure.ac
e7fd42
+++ b/lto-plugin/configure.ac
e7fd42
@@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS"
e7fd42
 if test "x$have_static_libgcc" = xyes; then
e7fd42
    ac_lto_plugin_ldflags="-Wc,-static-libgcc"
e7fd42
 fi
e7fd42
+
e7fd42
+# Enable --enable-host-bind-now
e7fd42
+AC_ARG_ENABLE(host-bind-now,
e7fd42
+[AS_HELP_STRING([--enable-host-bind-now],
e7fd42
+       [link host code as BIND_NOW])])
e7fd42
+AC_SUBST(enable_host_bind_now)
e7fd42
+
e7fd42
+if test x$enable_host_bind_now = xyes; then
e7fd42
+  ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
e7fd42
+fi
e7fd42
+
e7fd42
 AC_SUBST(ac_lto_plugin_ldflags)
e7fd42
 
e7fd42
 GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
e7fd42
e7fd42
base-commit: bf799d3409cb9a189114a6c9ff5b7cd123915764
e7fd42
-- 
e7fd42
2.34.1
e7fd42