Message ID | 1321281869-4280-1-git-send-email-avi@redhat.com |
---|---|
State | New |
Headers | show |
On 11/14/2011 08:44 AM, Avi Kivity wrote: > Change the default to building PIE (position independent executables); instead > of restricting the option to user-only targets, apply it to all targets. > > In addition, set the relocation sections to read-only (relro) when available; > this reduces the attack surface by disallowing changes to relocation tables > at runtime. > > While PIE reduces performance and relro increases load time, it greatly > improves security, with the potential to reduce a code execution vulnerability > to a self denial of service. > > Signed-off-by: Avi Kivity<avi@redhat.com> > --- > > v2: improves description to include relro > > While we are past the feature freeze, I feel this deserves an exception. I'm inclined to agree. I don't want to put this in -rc2 since there's not enough time to test it, but I'll start testing it tomorrow and we can try to do it by -rc3. Regards, Anthony Liguori > I'd > much rather see "CVE-2012-wxyz QEMU Self denial of service" than > "CVE-2012-wxyz QEMU code execution". The fact that the option is available > for user targets implies that it is compatible with TCG, and some light testing > agrees. > > configure | 35 +++++++++++++++++------------------ > 1 files changed, 17 insertions(+), 18 deletions(-) > > diff --git a/configure b/configure > index 6c77fbb..7436361 100755 > --- a/configure > +++ b/configure > @@ -172,7 +172,7 @@ aix="no" > blobs="yes" > pkgversion="" > check_utests="" > -user_pie="no" > +pie="yes" > zero_malloc="" > trace_backend="nop" > trace_file="trace" > @@ -701,9 +701,9 @@ for opt do > ;; > --disable-guest-base) guest_base="no" > ;; > - --enable-user-pie) user_pie="yes" > + --enable-pie) pie="yes" > ;; > - --disable-user-pie) user_pie="no" > + --disable-pie) pie="no" > ;; > --enable-uname-release=*) uname_release="$optarg" > ;; > @@ -1031,8 +1031,8 @@ echo " --disable-bsd-user disable all BSD usermode emulation targets" > echo " --enable-guest-base enable GUEST_BASE support for usermode" > echo " emulation targets" > echo " --disable-guest-base disable GUEST_BASE support" > -echo " --enable-user-pie build usermode emulation targets as PIE" > -echo " --disable-user-pie do not build usermode emulation targets as PIE" > +echo " --enable-pie build Position Independent Executables" > +echo " --disable-pie do not build Position Independent Executables" > echo " --fmod-lib path to FMOD library" > echo " --fmod-inc path to FMOD includes" > echo " --oss-lib path to OSS library" > @@ -1099,6 +1099,17 @@ for flag in $gcc_flags; do > fi > done > > +if test "$pie" = "yes" ; then > + QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS" > + LDFLAGS="-Wl,-pie $LDFLAGS" > + cat> $TMPC<< EOF > +int main(void) { return 0; } > +EOF > + if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then > + LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS" > + fi > +fi > + > # > # Solaris specific configure tool chain decisions > # > @@ -2765,7 +2776,7 @@ echo "Documentation $docs" > echo "uname -r $uname_release" > echo "NPTL support $nptl" > echo "GUEST_BASE $guest_base" > -echo "PIE user targets $user_pie" > +echo "PIE $pie" > echo "vde support $vde" > echo "Linux AIO support $linux_aio" > echo "ATTR/XATTR support $attr" > @@ -3225,9 +3236,6 @@ for d in libdis libdis-user; do > symlink $source_path/Makefile.dis $d/Makefile > echo> $d/config.mak > done > -if test "$static" = "no" -a "$user_pie" = "yes" ; then > - echo "QEMU_CFLAGS+=-fpie"> libdis-user/config.mak > -fi > > for target in $target_list; do > target_dir="$target" > @@ -3646,12 +3654,6 @@ if test "$target_softmmu" = "yes" ; then > esac > fi > > -if test "$target_user_only" = "yes" -a "$static" = "no" -a \ > - "$user_pie" = "yes" ; then > - cflags="-fpie $cflags" > - ldflags="-pie $ldflags" > -fi > - > if test "$target_softmmu" = "yes" -a \( \ > "$TARGET_ARCH" = "microblaze" -o \ > "$TARGET_ARCH" = "cris" \) ; then > @@ -3775,9 +3777,6 @@ d=libuser > mkdir -p $d > mkdir -p $d/trace > symlink $source_path/Makefile.user $d/Makefile > -if test "$static" = "no" -a "$user_pie" = "yes" ; then > - echo "QEMU_CFLAGS+=-fpie"> $d/config.mak > -fi > > if test "$docs" = "yes" ; then > mkdir -p QMP
diff --git a/configure b/configure index 6c77fbb..7436361 100755 --- a/configure +++ b/configure @@ -172,7 +172,7 @@ aix="no" blobs="yes" pkgversion="" check_utests="" -user_pie="no" +pie="yes" zero_malloc="" trace_backend="nop" trace_file="trace" @@ -701,9 +701,9 @@ for opt do ;; --disable-guest-base) guest_base="no" ;; - --enable-user-pie) user_pie="yes" + --enable-pie) pie="yes" ;; - --disable-user-pie) user_pie="no" + --disable-pie) pie="no" ;; --enable-uname-release=*) uname_release="$optarg" ;; @@ -1031,8 +1031,8 @@ echo " --disable-bsd-user disable all BSD usermode emulation targets" echo " --enable-guest-base enable GUEST_BASE support for usermode" echo " emulation targets" echo " --disable-guest-base disable GUEST_BASE support" -echo " --enable-user-pie build usermode emulation targets as PIE" -echo " --disable-user-pie do not build usermode emulation targets as PIE" +echo " --enable-pie build Position Independent Executables" +echo " --disable-pie do not build Position Independent Executables" echo " --fmod-lib path to FMOD library" echo " --fmod-inc path to FMOD includes" echo " --oss-lib path to OSS library" @@ -1099,6 +1099,17 @@ for flag in $gcc_flags; do fi done +if test "$pie" = "yes" ; then + QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS" + LDFLAGS="-Wl,-pie $LDFLAGS" + cat > $TMPC << EOF +int main(void) { return 0; } +EOF + if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then + LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS" + fi +fi + # # Solaris specific configure tool chain decisions # @@ -2765,7 +2776,7 @@ echo "Documentation $docs" echo "uname -r $uname_release" echo "NPTL support $nptl" echo "GUEST_BASE $guest_base" -echo "PIE user targets $user_pie" +echo "PIE $pie" echo "vde support $vde" echo "Linux AIO support $linux_aio" echo "ATTR/XATTR support $attr" @@ -3225,9 +3236,6 @@ for d in libdis libdis-user; do symlink $source_path/Makefile.dis $d/Makefile echo > $d/config.mak done -if test "$static" = "no" -a "$user_pie" = "yes" ; then - echo "QEMU_CFLAGS+=-fpie" > libdis-user/config.mak -fi for target in $target_list; do target_dir="$target" @@ -3646,12 +3654,6 @@ if test "$target_softmmu" = "yes" ; then esac fi -if test "$target_user_only" = "yes" -a "$static" = "no" -a \ - "$user_pie" = "yes" ; then - cflags="-fpie $cflags" - ldflags="-pie $ldflags" -fi - if test "$target_softmmu" = "yes" -a \( \ "$TARGET_ARCH" = "microblaze" -o \ "$TARGET_ARCH" = "cris" \) ; then @@ -3775,9 +3777,6 @@ d=libuser mkdir -p $d mkdir -p $d/trace symlink $source_path/Makefile.user $d/Makefile -if test "$static" = "no" -a "$user_pie" = "yes" ; then - echo "QEMU_CFLAGS+=-fpie" > $d/config.mak -fi if test "$docs" = "yes" ; then mkdir -p QMP
Change the default to building PIE (position independent executables); instead of restricting the option to user-only targets, apply it to all targets. In addition, set the relocation sections to read-only (relro) when available; this reduces the attack surface by disallowing changes to relocation tables at runtime. While PIE reduces performance and relro increases load time, it greatly improves security, with the potential to reduce a code execution vulnerability to a self denial of service. Signed-off-by: Avi Kivity <avi@redhat.com> --- v2: improves description to include relro While we are past the feature freeze, I feel this deserves an exception. I'd much rather see "CVE-2012-wxyz QEMU Self denial of service" than "CVE-2012-wxyz QEMU code execution". The fact that the option is available for user targets implies that it is compatible with TCG, and some light testing agrees. configure | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-)