Patchwork configure: build position independent executables across the board, by default

login
register
mail settings
Submitter Avi Kivity
Date Nov. 14, 2011, 3:30 p.m.
Message ID <1321284602-17939-1-git-send-email-avi@redhat.com>
Download mbox | patch
Permalink /patch/125551/
State New
Headers show

Comments

Avi Kivity - Nov. 14, 2011, 3:30 p.m.
Change the default to building PIE (position independent executables); instead
of restricting the option to user-only targets, apply it to all targets.

In addition, set the relocation sections to read-only (relro) when available;
this reduces the attack surface by disallowing changes to relocation tables
at runtime.

While PIE reduces performance and relro increases load time, it greatly
improves security, with the potential to reduce a code execution vulnerability
to a self denial of service.

Signed-off-by: Avi Kivity <avi@redhat.com>
---

v3: detect toolchain support for PIE at configure time

v2: improve description to include relro

 configure |   40 ++++++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 18 deletions(-)
Paolo Bonzini - Nov. 14, 2011, 4:58 p.m.
On 11/14/2011 04:30 PM, Avi Kivity wrote:
> +if test "$pie" = "yes" ; then
> +  cat>  $TMPC<<  EOF
> +int main(void) { return 0; }
> +EOF
> +  if compile_prog "-fPIE -dPIE" "-Wl,-pie"; then

Uppercase d.

> +    QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
> +    LDFLAGS="-Wl,-pie $LDFLAGS"
> +    if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then
> +      LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"
> +    fi
> +  else
> +    echo "Diabling PIE due missing toolchain support"

Disabling.

> +    pie="no"
> +  fi
> +fi
> +

Paolo

Patch

diff --git a/configure b/configure
index 6c77fbb..ff000f0 100755
--- a/configure
+++ b/configure
@@ -172,7 +172,7 @@  aix="no"
 blobs="yes"
 pkgversion=""
 check_utests=""
-user_pie="no"
+pie="yes"
 zero_malloc=""
 trace_backend="nop"
 trace_file="trace"
@@ -701,9 +701,9 @@  for opt do
   ;;
   --disable-guest-base) guest_base="no"
   ;;
-  --enable-user-pie) user_pie="yes"
+  --enable-pie) pie="yes"
   ;;
-  --disable-user-pie) user_pie="no"
+  --disable-pie) pie="no"
   ;;
   --enable-uname-release=*) uname_release="$optarg"
   ;;
@@ -1031,8 +1031,8 @@  echo "  --disable-bsd-user       disable all BSD usermode emulation targets"
 echo "  --enable-guest-base      enable GUEST_BASE support for usermode"
 echo "                           emulation targets"
 echo "  --disable-guest-base     disable GUEST_BASE support"
-echo "  --enable-user-pie        build usermode emulation targets as PIE"
-echo "  --disable-user-pie       do not build usermode emulation targets as PIE"
+echo "  --enable-pie             build Position Independent Executables"
+echo "  --disable-pie            do not build Position Independent Executables"
 echo "  --fmod-lib               path to FMOD library"
 echo "  --fmod-inc               path to FMOD includes"
 echo "  --oss-lib                path to OSS library"
@@ -1099,6 +1099,22 @@  for flag in $gcc_flags; do
     fi
 done
 
+if test "$pie" = "yes" ; then
+  cat > $TMPC << EOF
+int main(void) { return 0; }
+EOF
+  if compile_prog "-fPIE -dPIE" "-Wl,-pie"; then
+    QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
+    LDFLAGS="-Wl,-pie $LDFLAGS"
+    if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then
+      LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"
+    fi
+  else
+    echo "Diabling PIE due missing toolchain support"
+    pie="no"
+  fi
+fi
+
 #
 # Solaris specific configure tool chain decisions
 #
@@ -2765,7 +2781,7 @@  echo "Documentation     $docs"
 echo "uname -r          $uname_release"
 echo "NPTL support      $nptl"
 echo "GUEST_BASE        $guest_base"
-echo "PIE user targets  $user_pie"
+echo "PIE               $pie"
 echo "vde support       $vde"
 echo "Linux AIO support $linux_aio"
 echo "ATTR/XATTR support $attr"
@@ -3225,9 +3241,6 @@  for d in libdis libdis-user; do
     symlink $source_path/Makefile.dis $d/Makefile
     echo > $d/config.mak
 done
-if test "$static" = "no" -a "$user_pie" = "yes" ; then
-  echo "QEMU_CFLAGS+=-fpie" > libdis-user/config.mak
-fi
 
 for target in $target_list; do
 target_dir="$target"
@@ -3646,12 +3659,6 @@  if test "$target_softmmu" = "yes" ; then
   esac
 fi
 
-if test "$target_user_only" = "yes" -a "$static" = "no" -a \
-	"$user_pie" = "yes" ; then
-  cflags="-fpie $cflags"
-  ldflags="-pie $ldflags"
-fi
-
 if test "$target_softmmu" = "yes" -a \( \
         "$TARGET_ARCH" = "microblaze" -o \
         "$TARGET_ARCH" = "cris" \) ; then
@@ -3775,9 +3782,6 @@  d=libuser
 mkdir -p $d
 mkdir -p $d/trace
 symlink $source_path/Makefile.user $d/Makefile
-if test "$static" = "no" -a "$user_pie" = "yes" ; then
-  echo "QEMU_CFLAGS+=-fpie" > $d/config.mak
-fi
 
 if test "$docs" = "yes" ; then
   mkdir -p QMP