From patchwork Tue Jun 20 18:18:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frederic Berat X-Patchwork-Id: 1797501 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=CCkK1WN0; dkim-atps=neutral Received: from sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Qlw085Nd9z20Xf for ; Wed, 21 Jun 2023 04:19:52 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 7B9DC3857C51 for ; Tue, 20 Jun 2023 18:19:49 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7B9DC3857C51 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1687285189; bh=2aoLntQeH6ajqkTAsTZ11USJjiSKlWcv4b37/54c+7c=; h=To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=CCkK1WN0ojHsUEpB44yOkYFGumt5sSDKzJVpCmYibUBpSnk+0qMxk39BKde2cRbOk eSyFRPoEOSDcwH0yKOlUsM9l3RY9dTESlk9e2GAVUyBc2aYL1d99V9MqS+oXrgwDi2 FBZAWAef3hGkndnTP9Phj0Gtlp7etmbH3c94AoK0= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTPS id 46F323858D1E for ; Tue, 20 Jun 2023 18:19:31 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 46F323858D1E Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-377-zSmZcOO4PSuKrIAGAxM_CQ-1; Tue, 20 Jun 2023 14:19:27 -0400 X-MC-Unique: zSmZcOO4PSuKrIAGAxM_CQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 322C4185A792; Tue, 20 Jun 2023 18:19:27 +0000 (UTC) Received: from Nymeria-redhat.redhat.com (unknown [10.39.193.72]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6E01D112132C; Tue, 20 Jun 2023 18:19:26 +0000 (UTC) To: libc-alpha@sourceware.org Cc: siddhesh@gotplt.org, fberat@redhat.com Subject: [PATCH 01/21] Add --enable-fortify-source option Date: Tue, 20 Jun 2023 20:18:49 +0200 Message-ID: <20230620181910.1506893-2-fberat@redhat.com> In-Reply-To: <20230620181910.1506893-1-fberat@redhat.com> References: <20230620181910.1506893-1-fberat@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-12.3 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: =?utf-8?q?Fr=C3=A9d=C3=A9ric_B=C3=A9rat_via_Libc-alpha?= From: Frederic Berat Reply-To: =?utf-8?b?RnLDqWTDqXJpYyBCw6lyYXQ=?= Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org Sender: "Libc-alpha" It is now possible to enable fortification. The level may be given as parameter, if none is provided, the configure script will determine what is the highest level possible that can be set considering GCC built-ins availability and set it. If level is explicitly set to 3, configure checks if the compiler supports the built-in function necessary for it or raise an error if it isn't. The result of the configure checks is 2 variables, $fortify_source and $no_fortify_source that are used to appropriately populate CFLAGS. Since the feature needs some of the routines provided by Glibc, these are excluded from the fortification. --- Makeconfig | 33 ++++++++++++++++++++++++--- config.make.in | 3 ++- configure.ac | 60 +++++++++++++++++++++++++++++++++++--------------- elf/rtld-Rules | 2 +- 4 files changed, 75 insertions(+), 23 deletions(-) diff --git a/Makeconfig b/Makeconfig index 2514db35f6..59fbd9ebf9 100644 --- a/Makeconfig +++ b/Makeconfig @@ -543,12 +543,13 @@ endif # +link # ARM, gcc always produces different debugging symbols when invoked with # a -O greater than 0 than when invoked with -O0, regardless of anything else # we're using to suppress optimizations. Therefore, we need to explicitly pass -# -O0 to it through CFLAGS. +# -O0 to it through CFLAGS. By side effect, any fortification needs to be +# disabled as it needs -O greater than 0. # Additionally, the build system will try to -include $(common-objpfx)/config.h # when compiling the tests, which will throw an error if some special macros # (such as __OPTIMIZE__ and IS_IN_build) aren't defined. To avoid this, we # tell gcc to define IS_IN_build. -CFLAGS-printers-tests := -O0 -ggdb3 -DIS_IN_build +CFLAGS-printers-tests := -O0 -ggdb3 -DIS_IN_build $(no-fortify-source) ifeq (yes,$(build-shared)) # These indicate whether to link using the built ld.so or the installed one. @@ -901,6 +902,16 @@ define elide-stack-protector $(if $(filter $(@F),$(patsubst %,%$(1),$(2))), $(no-stack-protector)) endef +# We might want to compile with fortify-source +ifneq ($(fortify-source),) ++fortify-source=$(fortify-source) +endif + +# Some routine can't be fortified like the ones used by fortify +define elide-fortify-source +$(if $(filter $(@F),$(patsubst %,%$(1),$(2))), $(no-fortify-source)) +endef + # The program that makes Emacs-style TAGS files. ETAGS := etags @@ -961,6 +972,16 @@ endif # $(+cflags) == "" $(+stack-protector) -fno-common +gcc-nowarn := -w +# We must filter out elf because the early bootstrap of the dynamic loader +# cannot be fortified. Likewise we exclude dlfcn because it is entangled +# with the loader. We must filter out csu because early startup, like the +# loader, cannot be fortified. Lastly debug is the fortification routines +# themselves and they cannot be fortified. +do-fortify = $(filter-out elf dlfcn csu debug,$(subdir)) +ifeq ($(do-fortify),$(subdir)) ++cflags += $(+fortify-source) +endif + # Each sysdeps directory can contain header files that both will be # used to compile and will be installed. Each can also contain an # include/ subdirectory, whose header files will be used to compile @@ -1010,7 +1031,7 @@ module-cppflags = $(if $(filter %.mk.i %.v.i,$(@F)),,$(module-cppflags-real)) # Note that we can't use -std=* in CPPFLAGS, because it overrides # the implicit -lang-asm and breaks cpp behavior for .S files--notably # it causes cpp to stop predefining __ASSEMBLER__. -CPPFLAGS = $(config-extra-cppflags) $(CPPUNDEFS) $(CPPFLAGS-config) \ +CPPFLAGS = $(config-extra-cppflags) $(CPPFLAGS-config) \ $($(subdir)-CPPFLAGS) \ $(+includes) $(defines) $(module-cppflags) \ -include $(..)include/libc-symbols.h $(sysdep-CPPFLAGS) \ @@ -1049,6 +1070,8 @@ object-suffixes := CPPFLAGS-.o = $(pic-default) # libc.a must be compiled with -fPIE/-fpie for static PIE. CFLAGS-.o = $(filter %frame-pointer,$(+cflags)) $(pie-default) +CFLAGS-.o += $(call elide-fortify-source,.o,$(routines_no_fortify)) +CFLAGS-.o += $(call elide-fortify-source,_chk.o,$(routines_no_fortify)) libtype.o := lib%.a object-suffixes += .o ifeq (yes,$(build-shared)) @@ -1058,6 +1081,8 @@ object-suffixes += .os pic-cppflags = -DPIC -DSHARED CPPFLAGS-.os = $(pic-cppflags) CFLAGS-.os = $(filter %frame-pointer,$(+cflags)) $(pic-ccflag) +CFLAGS-.os += $(call elide-fortify-source,.os,$(routines_no_fortify)) +CFLAGS-.os += $(call elide-fortify-source,_chk.os,$(routines_no_fortify)) libtype.os := lib%_pic.a # This can be changed by a sysdep makefile pic-ccflag = -fPIC @@ -1077,6 +1102,8 @@ object-suffixes += .op CPPFLAGS-.op = -DPROF $(pic-default) # libc_p.a must be compiled with -fPIE/-fpie for static PIE. CFLAGS-.op = -pg $(pie-default) +CFLAGS-.op += $(call elide-fortify-source,.op,$(routines_no_fortify)) +CFLAGS-.op += $(call elide-fortify-source,_chk.op,$(routines_no_fortify)) libtype.op = lib%_p.a endif diff --git a/config.make.in b/config.make.in index 4afd37feaf..d487a4f4e9 100644 --- a/config.make.in +++ b/config.make.in @@ -64,6 +64,8 @@ have-fpie = @libc_cv_fpie@ have-ssp = @libc_cv_ssp@ stack-protector = @stack_protector@ no-stack-protector = @no_stack_protector@ +fortify-source = @fortify_source@ +no-fortify-source = @no_fortify_source@ have-selinux = @have_selinux@ have-libaudit = @have_libaudit@ have-libcap = @have_libcap@ @@ -101,7 +103,6 @@ CXX = @CXX@ BUILD_CC = @BUILD_CC@ CFLAGS = @CFLAGS@ CPPFLAGS-config = @CPPFLAGS@ -CPPUNDEFS = @CPPUNDEFS@ extra-nonshared-cflags = @extra_nonshared_cflags@ rtld-early-cflags = @rtld_early_cflags@ ASFLAGS-config = @ASFLAGS_config@ diff --git a/configure.ac b/configure.ac index 21879c933c..ec4de6e551 100644 --- a/configure.ac +++ b/configure.ac @@ -466,6 +466,17 @@ AC_ARG_ENABLE([scv], AS_IF([[test "$use_scv" != "no"]],[AC_DEFINE(USE_PPC_SCV)]) +dnl Build glibc with _FORTIFY_SOURCE +AC_ARG_ENABLE(fortify-source, + AS_HELP_STRING([--enable-fortify-source@<:@=1|2|3@:>@], + [Use -D_FORTIFY_SOURCE=[1|2|3] to control code hardening, defaults to highest possible value for your system]), + [enable_fortify_source=$enableval], + [enable_fortify_source=no]) +case "$enable_fortify_source" in +1|2|3|no|yes) ;; +*) AC_MSG_ERROR([Not a valid argument for --enable-fortify-source: "$enable_fortify_source"]);; +esac + # We keep the original values in `$config_*' and never modify them, so we # can write them unchanged into config.make. Everything else uses # $machine, $vendor, and $os, and changes them whenever convenient. @@ -1559,24 +1570,37 @@ if test "x$have_selinux" = xyes; then fi AC_SUBST(have_selinux) -CPPUNDEFS= -dnl Check for silly hacked compilers predefining _FORTIFY_SOURCE. -dnl Since we are building the implementations of the fortified functions here, -dnl having the macro defined interacts very badly. -dnl _FORTIFY_SOURCE requires compiler optimization level 1 (gcc -O1) -dnl and above (see "man FEATURE_TEST_MACROS"). -dnl So do NOT replace AC_COMPILE_IFELSE with AC_PREPROC_IFELSE. -AC_CACHE_CHECK([for _FORTIFY_SOURCE predefine], libc_cv_predef_fortify_source, -[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[ -#ifdef _FORTIFY_SOURCE -# error bogon -#endif]])], - [libc_cv_predef_fortify_source=no], - [libc_cv_predef_fortify_source=yes])]) -if test $libc_cv_predef_fortify_source = yes; then - CPPUNDEFS="${CPPUNDEFS:+$CPPUNDEFS }-U_FORTIFY_SOURCE" -fi -AC_SUBST(CPPUNDEFS) +dnl Check if we support the requested _FORTIFY_SOURCE level +dnl If not, then don't use it. +dnl Note that _FORTIFY_SOURCE may have been set through FLAGS too. +dnl _FORTIFY_SOURCE value will be selectively disabled for function that can't +dnl support it +fortify_source="" +no_fortify_source="-Wp,-U_FORTIFY_SOURCE" + +AC_CACHE_CHECK([for __builtin_dynamic_object_size], [libc_cv___builtin_dynamic_object_size], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [__builtin_dynamic_object_size("", 0)])], + [libc_cv___builtin_dynamic_object_size=yes + AS_IF([test "$enable_fortify_source" = yes], [enable_fortify_source=3])], + [libc_cv___builtin_dynamic_object_size=no + AS_IF([test "$enable_fortify_source" = yes], [enable_fortify_source=2])]) +]) + +AS_CASE([$enable_fortify_source], + [1|2], [libc_cv_fortify_source=yes], + [3], [AS_IF([test "$libc_cv___builtin_dynamic_object_size" = yes], + [libc_cv_fortify_source=yes], + [AC_MSG_ERROR([Compiler doesn't provide necessary support for _FORTIFY_SOURCE=3])])], + [libc_cv_fortify_source=no]) + +AS_IF([test "$libc_cv_fortify_source" = yes], + [fortify_source="${no_fortify_source},-D_FORTIFY_SOURCE=${enable_fortify_source}"] + ) + +AC_SUBST(enable_fortify_source) +AC_SUBST(libc_cv_fortify_source) +AC_SUBST(no_fortify_source) +AC_SUBST(fortify_source) dnl Starting with binutils 2.35, GAS can attach multiple symbol versions dnl to one symbol (PR 23840). diff --git a/elf/rtld-Rules b/elf/rtld-Rules index 56bc4543de..365a3408f3 100644 --- a/elf/rtld-Rules +++ b/elf/rtld-Rules @@ -144,6 +144,6 @@ cpp-srcs-left := $(rtld-modules:%.os=%) lib := rtld include $(patsubst %,$(..)libof-iterator.mk,$(cpp-srcs-left)) -rtld-CFLAGS += $(no-stack-protector) +rtld-CFLAGS += $(no-stack-protector) $(no-fortify-source) endif