Subject: Re: [PATCH] gcc: Disallow trampolines when -fhardened
From: Iain Sandoe
Date: Sat, 2 Dec 2023 10:24:18 +0000
To: Martin Uecker
Cc: Marek Polacek, GCC Patches
Message-Id: <4AC5F53B-EF9E-4A9C-959C-4FFE86156AC4@googlemail.com>

> On 2 Dec 2023, at 09:42, Martin Uecker wrote:
>
>
>> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>>
>> -- >8 --
>> It came up that a good hardening strategy is to disable trampolines
>> which may require executable stack. Therefore the following patch
>> adds -Werror=trampolines to -fhardened.
>
> This would add a warning about specific code (where it is then
> unclear whether rewriting it is feasible or even an improvement),
> which seems different to all the other flags -fhardening has
> now.
>
> GCC now has an option to allocate trampolines on the heap,
> which would seem to be a better fit.

Indeed, I was thinking of mentioning this.

> On the other hand,
> it does not work with longjmp which may be a limitation.

I suspect that we can make this work using handlers and forced unwind, but unfortunately do not have time to work on it at the moment.

Iain

>
> Martin
>
>
>>
>> gcc/ChangeLog:
>>
>> 	* common.opt (Wtrampolines): Enable by -fhardened.
>> 	* doc/invoke.texi: Reflect that -fhardened enables -Werror=trampolines.
>> 	* opts.cc (print_help_hardened): Add -Werror=trampolines.
>> 	* toplev.cc (process_options): Enable -Werror=trampolines for
>> 	-fhardened.
>>
>> gcc/testsuite/ChangeLog:
>>
>> 	* gcc.dg/fhardened-1.c: New test.
>> 	* gcc.dg/fhardened-2.c: New test.
>> 	* gcc.dg/fhardened-3.c: New test.
>> * gcc.dg/fhardened-3.c: New test. >> * gcc.dg/fhardened-4.c: New test. >> * gcc.dg/fhardened-5.c: New test. >> --- >> gcc/common.opt | 2 +- >> gcc/doc/invoke.texi | 1 + >> gcc/opts.cc | 1 + >> gcc/testsuite/gcc.dg/fhardened-1.c | 27 +++++++++++++++++++++++++++ >> gcc/testsuite/gcc.dg/fhardened-2.c | 25 +++++++++++++++++++++++++ >> gcc/testsuite/gcc.dg/fhardened-3.c | 25 +++++++++++++++++++++++++ >> gcc/testsuite/gcc.dg/fhardened-4.c | 25 +++++++++++++++++++++++++ >> gcc/testsuite/gcc.dg/fhardened-5.c | 27 +++++++++++++++++++++++++++ >> gcc/toplev.cc | 8 +++++++- >> 9 files changed, 139 insertions(+), 2 deletions(-) >> create mode 100644 gcc/testsuite/gcc.dg/fhardened-1.c >> create mode 100644 gcc/testsuite/gcc.dg/fhardened-2.c >> create mode 100644 gcc/testsuite/gcc.dg/fhardened-3.c >> create mode 100644 gcc/testsuite/gcc.dg/fhardened-4.c >> create mode 100644 gcc/testsuite/gcc.dg/fhardened-5.c >>=20 >> diff --git a/gcc/common.opt b/gcc/common.opt >> index 161a035d736..9b09c7cb3df 100644 >> --- a/gcc/common.opt >> +++ b/gcc/common.opt >> @@ -807,7 +807,7 @@ Common Var(warn_system_headers) Warning >> Do not suppress warnings from system headers. >>=20 >> Wtrampolines >> -Common Var(warn_trampolines) Warning >> +Common Var(warn_trampolines) Warning EnabledBy(fhardened) >> Warn whenever a trampoline is generated. >>=20 >> Wtrivial-auto-var-init >> diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi >> index 2fab4c5d71f..c1664a1a0f1 100644 >> --- a/gcc/doc/invoke.texi >> +++ b/gcc/doc/invoke.texi >> @@ -17745,6 +17745,7 @@ may change between major releases of GCC, but = are currently: >> -fstack-protector-strong >> -fstack-clash-protection >> -fcf-protection=3Dfull @r{(x86 GNU/Linux only)} >> +-Werror=3Dtrampolines >> } >>=20 >> The list of options enabled by @option{-fhardened} can be generated = using >> diff --git a/gcc/opts.cc b/gcc/opts.cc >> index 5d5efaf1b9e..aa062b87cef 100644 >> --- a/gcc/opts.cc >> +++ b/gcc/opts.cc 
>> @@ -2517,6 +2517,7 @@ print_help_hardened () >> printf (" %s\n", "-fstack-protector-strong"); >> printf (" %s\n", "-fstack-clash-protection"); >> printf (" %s\n", "-fcf-protection=3Dfull"); >> + printf (" %s\n", "-Werror=3Dtrampolines"); >> putchar ('\n'); >> } >>=20 >> diff --git a/gcc/testsuite/gcc.dg/fhardened-1.c = b/gcc/testsuite/gcc.dg/fhardened-1.c >> new file mode 100644 >> index 00000000000..8710959b6f1 >> --- /dev/null >> +++ b/gcc/testsuite/gcc.dg/fhardened-1.c >> @@ -0,0 +1,27 @@ >> +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ >> +/* { dg-require-effective-target trampolines } */ >> +/* { dg-options "-fhardened -O" } */ >> + >> +static void >> +baz (int (*bar) (void)) >> +{ >> + bar (); >> +} >> + >> +int >> +main (void) >> +{ >> + int a =3D 6; >> + >> + int >> + bar (void) // { dg-error "trampoline" } >> + { >> + return a; >> + } >> + >> + baz (bar); >> + >> + return 0; >> +} >> + >> +/* { dg-prune-output "some warnings being treated as errors" } */ >> diff --git a/gcc/testsuite/gcc.dg/fhardened-2.c = b/gcc/testsuite/gcc.dg/fhardened-2.c >> new file mode 100644 >> index 00000000000..d47512aa47f >> --- /dev/null >> +++ b/gcc/testsuite/gcc.dg/fhardened-2.c >> @@ -0,0 +1,25 @@ >> +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ >> +/* { dg-require-effective-target trampolines } */ >> +/* { dg-options "-fhardened -O -Wno-trampolines" } */ >> + >> +static void >> +baz (int (*bar) (void)) >> +{ >> + bar (); >> +} >> + >> +int >> +main (void) >> +{ >> + int a =3D 6; >> + >> + int >> + bar (void) // { dg-bogus "trampoline" } >> + { >> + return a; >> + } >> + >> + baz (bar); >> + >> + return 0; >> +} >> diff --git a/gcc/testsuite/gcc.dg/fhardened-3.c = b/gcc/testsuite/gcc.dg/fhardened-3.c >> new file mode 100644 >> index 00000000000..cebae13d8be >> --- /dev/null >> +++ b/gcc/testsuite/gcc.dg/fhardened-3.c 
>> @@ -0,0 +1,25 @@ >> +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ >> +/* { dg-require-effective-target trampolines } */ >> +/* { dg-options "-fhardened -O -Wno-error" } */ >> + >> +static void >> +baz (int (*bar) (void)) >> +{ >> + bar (); >> +} >> + >> +int >> +main (void) >> +{ >> + int a =3D 6; >> + >> + int >> + bar (void) // { dg-warning "trampoline" } >> + { >> + return a; >> + } >> + >> + baz (bar); >> + >> + return 0; >> +} >> diff --git a/gcc/testsuite/gcc.dg/fhardened-4.c = b/gcc/testsuite/gcc.dg/fhardened-4.c >> new file mode 100644 >> index 00000000000..7e62ed3385d >> --- /dev/null >> +++ b/gcc/testsuite/gcc.dg/fhardened-4.c >> @@ -0,0 +1,25 @@ >> +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ >> +/* { dg-require-effective-target trampolines } */ >> +/* { dg-options "-fhardened -O -Wno-error=3Dtrampolines" } */ >> + >> +static void >> +baz (int (*bar) (void)) >> +{ >> + bar (); >> +} >> + >> +int >> +main (void) >> +{ >> + int a =3D 6; >> + >> + int >> + bar (void) // { dg-warning "trampoline" } >> + { >> + return a; >> + } >> + >> + baz (bar); >> + >> + return 0; >> +} >> diff --git a/gcc/testsuite/gcc.dg/fhardened-5.c = b/gcc/testsuite/gcc.dg/fhardened-5.c >> new file mode 100644 >> index 00000000000..5d3f0dcae8e >> --- /dev/null >> +++ b/gcc/testsuite/gcc.dg/fhardened-5.c >> @@ -0,0 +1,27 @@ >> +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ >> +/* { dg-require-effective-target trampolines } */ >> +/* { dg-options "-fhardened -O -Wtrampolines" } */ >> + >> +static void >> +baz (int (*bar) (void)) >> +{ >> + bar (); >> +} >> + >> +int >> +main (void) >> +{ >> + int a =3D 6; >> + >> + int >> + bar (void) // { dg-error "trampoline" } >> + { >> + return a; >> + } >> + >> + baz (bar); >> + >> + return 0; >> +} >> + >> +/* { dg-prune-output "some warnings being treated as errors" } */ >> diff --git a/gcc/toplev.cc b/gcc/toplev.cc >> index 85450d97a1a..2f0ac74dee0 100644 >> --- a/gcc/toplev.cc >> +++ b/gcc/toplev.cc 
>> @@ -1682,7 +1682,7 @@ process_options () >> flag_ipa_ra =3D 0; >>=20 >> /* Enable -Werror=3Dcoverage-mismatch when -Werror and -Wno-error >> - have not been set. */ >> + have not been set. Also enable -Werror=3Dtrampolines for = -fhardened. */ >> if (!OPTION_SET_P (warnings_are_errors)) >> { >> if (warn_coverage_mismatch >> @@ -1693,6 +1693,12 @@ process_options () >> && option_unspecified_p (OPT_Wcoverage_invalid_line_number)) >> diagnostic_classify_diagnostic (global_dc, = OPT_Wcoverage_invalid_line_number, >> DK_ERROR, UNKNOWN_LOCATION); >> + >> + if (flag_hardened >> + && warn_trampolines >> + && option_unspecified_p (OPT_Wtrampolines)) >> + diagnostic_classify_diagnostic (global_dc, OPT_Wtrampolines, >> + DK_ERROR, UNKNOWN_LOCATION); >> } >>=20 >> /* Save the current optimization options. */ >>=20 >> base-commit: b8edb812ff4934c609fdfafe2e1c7f932bc18305 >> --=20 >> 2.42.0 >>=20 >=20
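
Review bot: in the gcc/toplev.cc hunk the new `flag_hardened && warn_trampolines && option_unspecified_p (OPT_Wtrampolines)` test is nested inside `if (!OPTION_SET_P (warnings_are_errors))`, so any explicit -Werror or -Wno-error on the command line skips the promotion, which is what fhardened-3.c relies on. The updated comment only says "Also enable -Werror=trampolines for -fhardened"; please spell out that a global -Wno-error is meant to demote this hardening error to a warning, or move the check out of that block if only -Wno-error=trampolines and -Wno-trampolines should opt out. A short remark would also help on why fhardened-5.c still expects an error with an explicit -Wtrampolines, since `option_unspecified_p (OPT_Wtrampolines)` reads as if it meant "the flag was not given".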
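
Review bot: the gcc/doc/invoke.texi and gcc/opts.cc hunks list -Werror=trampolines unconditionally, while the tests in this patch show three command lines on which it is not in effect under -fhardened: -Wno-trampolines (fhardened-2.c), -Wno-error (fhardened-3.c) and -Wno-error=trampolines (fhardened-4.c). Suggest a sentence next to the option list in invoke.texi naming those overrides, and a mention in the -Wtrampolines documentation that -fhardened now turns it on, since common.opt gains `EnabledBy(fhardened)`.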
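
Review bot: the five new gcc.dg/fhardened-*.c files differ only in dg-options and the expected diagnostic, and none of them covers -fhardened combined with a plain -Werror, the other case in which the `!OPTION_SET_P (warnings_are_errors)` guard in toplev.cc bypasses the new code. Suggest adding that case, plus one test that combines -fhardened with the heap trampoline option raised in the review above, so the intended result there (error or no error) is pinned down by the testsuite.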
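
An added example, not part of the patch or of this thread: the commit message's concern is that trampolines "may require executable stack", and on ELF targets that request ends up in the PF_X bit of the PT_GNU_STACK program header, which a build check can read. The function names and the in-memory sample are constructed for this illustration, and only ELF64 little-endian images are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PT_GNU_STACK 0x6474e551u /* program header carrying stack permissions */
#define PF_X 0x1u                /* "executable" bit in p_flags */
enum stack_state { STACK_BAD = -1, STACK_NX, STACK_EXEC, STACK_UNMARKED };

static uint64_t rd_le(const uint8_t *p, int n) /* n-byte little-endian read */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Classify the stack request of an ELF64 little-endian image held in memory. */
enum stack_state elf64_stack_state(const uint8_t *img, size_t len)
{
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return STACK_BAD;                      /* not ELF64 LSB */
    uint64_t phoff = rd_le(img + 32, 8);       /* e_phoff */
    uint64_t phentsize = rd_le(img + 54, 2);   /* e_phentsize */
    uint64_t phnum = rd_le(img + 56, 2);       /* e_phnum */
    if (phentsize < 56 || phoff > len || phnum * phentsize > len - phoff)
        return STACK_BAD;                      /* table runs past the buffer */
    for (uint64_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + i * phentsize;
        if (rd_le(ph, 4) == PT_GNU_STACK)      /* p_type, then p_flags */
            return (rd_le(ph + 4, 4) & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNMARKED;                     /* no marking: loader default applies */
}

/* Constructed sample: ELF64 header plus a single PT_GNU_STACK program header. */
size_t make_sample(uint8_t *buf, uint32_t p_flags)
{
    memset(buf, 0, 120);
    memcpy(buf, "\177ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;        /* ELFCLASS64, LSB, EV_CURRENT */
    buf[32] = 64; buf[54] = 56; buf[56] = 1;   /* e_phoff, e_phentsize, e_phnum */
    for (int i = 0; i < 4; i++) {
        buf[64 + i] = (uint8_t)(PT_GNU_STACK >> (8 * i));
        buf[68 + i] = (uint8_t)(p_flags >> (8 * i));
    }
    return 120;
}
int main(void)
{
    uint8_t img[120];
    return elf64_stack_state(img, make_sample(img, 0x7)) == STACK_EXEC ? 0 : 1;
}
```

STACK_UNMARKED is reported separately from STACK_NX because a binary with no PT_GNU_STACK header leaves the decision to the loader's default rather than asking for a non-executable stack.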