Date: Thu, 24 Feb 2022 15:32:42 -0500
From: Marek Polacek
To: Joseph Myers
Cc: GCC Patches, Jakub Jelinek, Paolo Bonzini, Alexandre Oliva
Subject: [PATCH v2] configure: Implement --enable-host-pie
References: <20220210164805.580636-1-polacek@redhat.com>
List-Id: Gcc-patches mailing list

On Thu, Feb 10, 2022 at 09:10:17PM +0000, Joseph Myers wrote:
> Some general observations:

Thanks for the comment and sorry for the delay (I was on vacation).

> * There are various toplevel GCC subdirectories that are built for the
> host (possibly in addition to the target in some cases) but aren't changed
> in this patch.  Do they get a PIE or PIC build anyway by default?  Such
> directories include, I think: fixincludes (as a corner case, for the
> installed fixincludes), gmp, mpfr, mpc, isl (host libraries whose
> configure scripts aren't part of GCC, so any changes to ensure they build
> as PIE when needed would need to be at top level), intl, libbacktrace,
> libiberty, gnattools, gotools.
>
> (Using a bootstrap compiler that *doesn't* default to PIE might help
> detect any such issues, though only for directories that get built for the
> host in that build - some may not get built by default.)

For fixincludes: the original patch didn't make fixincl in fixincludes
PIE, but the following one does (when --enable-host-pie).
gmp/mpfr/mpc/isl are DSOs I believe and therefore always PIC.
intl: I have no idea about this; I don't see any binaries in that
directory after a bootstrap.
libbacktrace builds with -fPIC already (at least the object files in
libbacktrace/.libs).
libiberty is built twice, once as PIC (in pic/).
gnattools: that directory is empty even when I build Ada, so not sure
what's with that.
gotools: here the binaries aren't PIE/PIC.  I don't really have plans
to change that as Go is not a priority.

> For directories that are only used as host libraries but don't install any
> executables, even if this patch needs additions the -z now one shouldn't.

Yes, that makes sense.  My goal is to simply build the compilers like
cc1 as PIE when requested.  That involved several other changes like
using the pic/ version of libiberty, but I didn't consider every
toplevel subdirectory.

> * I don't see anything obvious here (or for the existing
> --enable-host-shared) that actually causes the configure option to apply
> only to the host and not to the target, in the case of subdirectories such
> as libbacktrace that get built for both host and target.  (Though static
> target libraries may well default to PIC in many cases anyway.)

Good point.  I don't think there's anything insuring that the option
affects only the host binaries.  The configure option name is
misleading in that way.  I'm not sure that I would know how to fix
that though.

Here's a v2 which additionally builds fixincludes/ as PIE.  That
necessitated a change in libiberty/: I needed a pic/ version even for
the host, not just the target.  That's why I'm setting shared when
--enable-host-pie is on.

Thanks again for taking a look.

Bootstrapped/regtested on x86_64-pc-linux-gnu.

-- >8 --
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE.
This can be used to enhance protection against ROP attacks, and can be
viewed as part of a wider trend to harden binaries.

It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.

Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.

I plan to add an option to link with -Wl,-z,now.

c++tools/ChangeLog:

	* Makefile.in: Rename PIEFLAG to PICFLAG.  Set LD_PICFLAG.  Use it.
	Use pic/libiberty.a if PICFLAG is set.
	* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
	(--enable-host-pie): New check.
	* configure: Regenerate.

fixincludes/ChangeLog:

	* Makefile.in: Set and use PICFLAG and LD_PICFLAG.  Use the "pic"
	build of libiberty if PICFLAG is set.
	* configure.ac:
	* configure: Regenerate.

gcc/ChangeLog:

	* Makefile.in: Set LD_PICFLAG.  Use it.  Set enable_host_pie.
	Remove NO_PIE_CFLAGS and NO_PIE_FLAG.  Pass LD_PICFLAG to
	ALL_LINKERFLAGS.  Use the "pic" build of libiberty if
	--enable-host-pie.
	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG and LD_PICFLAG after this
	check.
	* configure: Regenerate.
	* d/Make-lang.in: Remove NO_PIE_CFLAGS.
	* doc/install.texi: Document --enable-host-pie.

libcody/ChangeLog:

	* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG and LD_PICFLAG after this
	check.
	* configure: Regenerate.

libcpp/ChangeLog:

	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG after this check.
	* configure: Regenerate.

libdecnumber/ChangeLog:

	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG after this check.
* configure: Regenerate. libiberty/ChangeLog: * configure.ac: Also set shared when enable_host_pie. * configure: Regenerate. zlib/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. --- c++tools/Makefile.in | 11 ++++++--- c++tools/configure | 17 +++++++++++--- c++tools/configure.ac | 11 +++++++-- fixincludes/Makefile.in | 14 ++++++++---- fixincludes/configure | 15 ++++++++++++- fixincludes/configure.ac | 8 +++++++ gcc/Makefile.in | 29 ++++++++++++++---------- gcc/configure | 47 +++++++++++++++++++++++++++------------ gcc/configure.ac | 36 +++++++++++++++++++++--------- gcc/d/Make-lang.in | 2 +- gcc/doc/install.texi | 16 +++++++++++-- libcody/Makefile.in | 2 +- libcody/configure | 30 ++++++++++++++++++++++++- libcody/configure.ac | 26 ++++++++++++++++++++-- libcpp/configure | 22 +++++++++++++++++- libcpp/configure.ac | 19 ++++++++++++++-- libdecnumber/configure | 22 +++++++++++++++++- libdecnumber/configure.ac | 19 ++++++++++++++-- libiberty/configure | 4 ++-- libiberty/configure.ac | 4 ++-- zlib/configure | 30 ++++++++++++++++++++----- zlib/configure.ac | 21 ++++++++++++++--- 22 files changed, 331 insertions(+), 74 deletions(-) diff --git a/c++tools/Makefile.in b/c++tools/Makefile.in index d6a33613732..4d5a5b0522b 100644 --- a/c++tools/Makefile.in +++ b/c++tools/Makefile.in @@ -28,8 +28,9 @@ AUTOCONF := @AUTOCONF@ AUTOHEADER := @AUTOHEADER@ CXX := @CXX@ CXXFLAGS := @CXXFLAGS@ -PIEFLAG := @PIEFLAG@ -CXXOPTS := $(CXXFLAGS) $(PIEFLAG) -fno-exceptions -fno-rtti +PICFLAG := @PICFLAG@ +LD_PICFLAG := @LD_PICFLAG@ +CXXOPTS := $(CXXFLAGS) $(PICFLAG) -fno-exceptions -fno-rtti LDFLAGS := @LDFLAGS@ exeext := @EXEEXT@ LIBIBERTY := ../libiberty/libiberty.a 
@@ -88,11 +89,15 @@ ifeq (@CXX_AUX_TOOLS@,yes) all::g++-mapper-server$(exeext) +ifneq ($(PICFLAG),) +override LIBIBERTY := ../libiberty/pic/libiberty.a +endif + MAPPER.O := server.o resolver.o CODYLIB = ../libcody/libcody.a CXXINC += -I$(srcdir)/../libcody -I$(srcdir)/../include -I$(srcdir)/../gcc -I. -I../gcc g++-mapper-server$(exeext): $(MAPPER.O) $(CODYLIB) - +$(CXX) $(LDFLAGS) $(PIEFLAG) -o $@ $^ $(LIBIBERTY) $(NETLIBS) + +$(CXX) $(LDFLAGS) $(PICFLAG) $(LD_PICFLAG) -o $@ $^ $(LIBIBERTY) $(NETLIBS) # copy to gcc dir so tests there can run all::../gcc/g++-mapper-server$(exeext) diff --git a/c++tools/configure b/c++tools/configure index 742816e4253..88087009383 100755 --- a/c++tools/configure +++ b/c++tools/configure @@ -627,7 +627,8 @@ get_gcc_base_ver EGREP GREP CXXCPP -PIEFLAG +LD_PICFLAG +PICFLAG MAINTAINER CXX_AUX_TOOLS AUTOHEADER @@ -700,6 +701,7 @@ enable_c___tools enable_maintainer_mode enable_checking enable_default_pie +enable_host_pie with_gcc_major_version_only ' ac_precious_vars='build_alias @@ -1333,6 +1335,7 @@ Optional Features: only specific categories of checks. Categories are: yes,no,all,none,release. --enable-default-pie enable Position Independent Executable as default + --enable-host-pie build host code as PIE Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -2990,12 +2993,20 @@ fi # Check whether --enable-default-pie was given. # Check whether --enable-default-pie was given. if test "${enable_default_pie+set}" = set; then : - enableval=$enable_default_pie; PIEFLAG=-fPIE + enableval=$enable_default_pie; PICFLAG=-fPIE else - PIEFLAG= + PICFLAG= fi +# Enable --enable-host-pie +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; PICFLAG=-fPIE; LD_PICFLAG=-pie +fi + + + # Check if O_CLOEXEC is defined by fcntl diff --git a/c++tools/configure.ac b/c++tools/configure.ac index 6662b5ad7c9..1e42689f2eb 100644 --- a/c++tools/configure.ac +++ b/c++tools/configure.ac 
@@ -102,8 +102,15 @@ fi AC_ARG_ENABLE(default-pie, [AS_HELP_STRING([--enable-default-pie], [enable Position Independent Executable as default])], -[PIEFLAG=-fPIE], [PIEFLAG=]) -AC_SUBST([PIEFLAG]) +[PICFLAG=-fPIE], [PICFLAG=]) + +# Enable --enable-host-pie +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])], +[PICFLAG=-fPIE; LD_PICFLAG=-pie], []) +AC_SUBST(PICFLAG) +AC_SUBST(LD_PICFLAG) # Check if O_CLOEXEC is defined by fcntl AC_CACHE_CHECK(for O_CLOEXEC, ac_cv_o_cloexec, [ diff --git a/fixincludes/Makefile.in b/fixincludes/Makefile.in index 1937dcaa32d..990c08e5699 100644 --- a/fixincludes/Makefile.in +++ b/fixincludes/Makefile.in @@ -30,6 +30,8 @@ CC = @CC@ CFLAGS = @CFLAGS@ WARN_CFLAGS = @WARN_CFLAGS@ @WARN_PEDANTIC@ @WERROR@ LDFLAGS = @LDFLAGS@ +PICFLAG = @PICFLAG@ +LD_PICFLAG = @LD_PICFLAG@ INCLUDES = -I. -I$(srcdir) -I../include -I$(srcdir)/../include FIXINC_CFLAGS = -DHAVE_CONFIG_H $(INCLUDES) @@ -73,7 +75,7 @@ default : all # Now figure out from those variables how to compile and link. .c.o: - $(CC) -c $(CFLAGS) $(WARN_CFLAGS) $(CPPFLAGS) $(FIXINC_CFLAGS) $< + $(CC) -c $(CFLAGS) $(PICFLAG) $(WARN_CFLAGS) $(CPPFLAGS) $(FIXINC_CFLAGS) $< # The only suffixes we want for implicit rules are .c and .o. .SUFFIXES: @@ -87,7 +89,11 @@ default : all ## ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +ifeq ($(PICFLAG),) LIBIBERTY=../libiberty/libiberty.a +else +LIBIBERTY=../libiberty/pic/libiberty.a +endif ALLOBJ = fixincl.o fixtests.o fixfixes.o server.o procopen.o \ fixlib.o fixopts.o 
@@ -107,15 +113,15 @@ oneprocess : full-stamp twoprocess : test-stamp $(AF) full-stamp : $(ALLOBJ) $(LIBIBERTY) - $(CC) $(CFLAGS) $(LDFLAGS) -o $(FI) $(ALLOBJ) $(LIBIBERTY) + $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $(FI) $(ALLOBJ) $(LIBIBERTY) $(STAMP) $@ test-stamp : $(TESTOBJ) $(LIBIBERTY) - $(CC) $(CFLAGS) $(LDFLAGS) -o $(FI) $(TESTOBJ) $(LIBIBERTY) + $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $(FI) $(TESTOBJ) $(LIBIBERTY) $(STAMP) $@ $(AF): $(FIXOBJ) $(LIBIBERTY) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(FIXOBJ) $(LIBIBERTY) + $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $@ $(FIXOBJ) $(LIBIBERTY) $(ALLOBJ) : $(HDR) fixincl.o : fixincl.c $(srcdir)/fixincl.x diff --git a/fixincludes/configure b/fixincludes/configure index 6e2d67b655b..67a7597a30b 100755 --- a/fixincludes/configure +++ b/fixincludes/configure @@ -623,6 +623,8 @@ ac_subst_vars='LTLIBOBJS LIBOBJS get_gcc_base_ver MAINT +LD_PICFLAG +PICFLAG TARGET target_noncanonical WERROR @@ -695,6 +697,7 @@ enable_option_checking enable_werror_always with_local_prefix enable_twoprocess +enable_host_pie enable_maintainer_mode with_gcc_major_version_only ' @@ -1323,6 +1326,7 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-werror-always enable -Werror despite compiler version --enable-twoprocess Use a separate process to apply the fixes + --enable-host-pie build host code as PIE --enable-maintainer-mode enable make rules and dependencies not useful (and sometimes confusing) to the casual installer @@ -2644,7 +2648,7 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. # _LT_DARWIN_LINKER_FEATURES # -------------------------- -# Checks for linker and compiler features on darwin +# Checks for linker and compiler features on Darwin / macOS / iOS # _LT_SYS_MODULE_PATH_AIX 
@@ -4835,6 +4839,15 @@ $as_echo "#define SEPARATE_FIX_PROC 1" >>confdefs.h fi +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; PICFLAG=-fPIE; LD_PICFLAG=-pie +fi + + + + case $host in vax-dec-bsd* ) diff --git a/fixincludes/configure.ac b/fixincludes/configure.ac index 14813b910f1..ec8534f769f 100644 --- a/fixincludes/configure.ac +++ b/fixincludes/configure.ac @@ -68,6 +68,14 @@ if test $TARGET = twoprocess; then [Define if testing and fixing are done by separate process]) fi +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])], +[PICFLAG=-fPIE; LD_PICFLAG=-pie], []) +AC_SUBST(PICFLAG) +AC_SUBST(LD_PICFLAG) + case $host in vax-dec-bsd* ) AC_DEFINE(exit, xexit, [Define to xexit if the host system does not support atexit]) diff --git a/gcc/Makefile.in b/gcc/Makefile.in index 31ff95500c9..151dbfa54ec 100644 --- a/gcc/Makefile.in +++ b/gcc/Makefile.in @@ -155,6 +155,9 @@ LDFLAGS = @LDFLAGS@ # Should we build position-independent host code? PICFLAG = @PICFLAG@ +# The linker flag for the above. +LD_PICFLAG = @LD_PICFLAG@ + # Flags to determine code coverage. When coverage is disabled, this will # contain the optimization flags, as you normally want code coverage # without optimization. 
@@ -263,18 +266,17 @@ LINKER = $(CC) LINKER_FLAGS = $(CFLAGS) endif +enable_host_pie = @enable_host_pie@ + # Enable Intel CET on Intel CET enabled host if needed. CET_HOST_FLAGS = @CET_HOST_FLAGS@ COMPILER += $(CET_HOST_FLAGS) -NO_PIE_CFLAGS = @NO_PIE_CFLAGS@ -NO_PIE_FLAG = @NO_PIE_FLAG@ - -# We don't want to compile the compilers with -fPIE, it make PCH fail. -COMPILER += $(NO_PIE_CFLAGS) +# Maybe compile the compilers with -fPIE or -fPIC. +COMPILER += $(PICFLAG) -# Link with -no-pie since we compile the compiler with -fno-PIE. -LINKER += $(NO_PIE_FLAG) +# Link with -pie, or -no-pie, depending on the above. +LINKER += $(LD_PICFLAG) # Like LINKER, but use a mutex for serializing front end links. ifeq (@DO_LINK_MUTEX@,true) @@ -1057,18 +1059,21 @@ ALL_CPPFLAGS = $(INCLUDES) $(CPPFLAGS) ALL_COMPILERFLAGS = $(ALL_CXXFLAGS) # This is the variable to use when using $(LINKER). -ALL_LINKERFLAGS = $(ALL_CXXFLAGS) +ALL_LINKERFLAGS = $(ALL_CXXFLAGS) $(LD_PICFLAG) # Build and host support libraries. -# Use the "pic" build of libiberty if --enable-host-shared, unless we are -# building for mingw. +# Use the "pic" build of libiberty if --enable-host-shared or --enable-host-pie, +# unless we are building for mingw. LIBIBERTY_PICDIR=$(if $(findstring mingw,$(target)),,pic) -ifeq ($(enable_host_shared),yes) +ifneq ($(enable_host_shared)$(enable_host_pie),) LIBIBERTY = ../libiberty/$(LIBIBERTY_PICDIR)/libiberty.a -BUILD_LIBIBERTY = $(build_libobjdir)/libiberty/$(LIBIBERTY_PICDIR)/libiberty.a else LIBIBERTY = ../libiberty/libiberty.a +endif +ifeq ($(enable_host_shared),yes) +BUILD_LIBIBERTY = $(build_libobjdir)/libiberty/$(LIBIBERTY_PICDIR)/libiberty.a +else BUILD_LIBIBERTY = $(build_libobjdir)/libiberty/libiberty.a endif diff --git a/gcc/configure b/gcc/configure index 22eb3451e3d..20e0019861d 100755 --- a/gcc/configure +++ b/gcc/configure 
@@ -632,10 +632,10 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS CET_HOST_FLAGS -NO_PIE_FLAG -NO_PIE_CFLAGS -enable_default_pie +LD_PICFLAG PICFLAG +enable_default_pie +enable_host_pie enable_host_shared enable_plugin pluginlibs @@ -1025,6 +1025,7 @@ enable_link_serialization enable_version_specific_runtime_libs enable_plugin enable_host_shared +enable_host_pie enable_libquadmath_support with_linker_hash_style with_diagnostics_color @@ -1787,6 +1788,7 @@ Optional Features: in a compiler-specific directory --enable-plugin enable plugin support --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE --disable-libquadmath-support disable libquadmath support for Fortran --enable-default-pie enable Position Independent Executable as default @@ -19667,7 +19669,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19670 "configure" +#line 19684 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -19773,7 +19775,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19776 "configure" +#line 19790 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -32229,13 +32231,17 @@ fi # Enable --enable-host-shared # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC -else - PICFLAG= + enableval=$enable_host_shared; fi +# Enable --enable-host-pie +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + # Check whether --enable-libquadmath-support was given. 
@@ -32389,10 +32395,6 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcc_cv_c_no_fpie" >&5 $as_echo "$gcc_cv_c_no_fpie" >&6; } -if test "$gcc_cv_c_no_fpie" = "yes"; then - NO_PIE_CFLAGS="-fno-PIE" -fi - # Check if -no-pie works. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -no-pie option" >&5 @@ -32417,11 +32419,28 @@ rm -f core conftest.err conftest.$ac_objext \ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcc_cv_no_pie" >&5 $as_echo "$gcc_cv_no_pie" >&6; } -if test "$gcc_cv_no_pie" = "yes"; then - NO_PIE_FLAG="-no-pie" + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +elif test x$gcc_cv_c_no_fpie = xyes; then + PICFLAG=-fno-PIE +else + PICFLAG= +fi + +if test x$enable_host_pie = xyes; then + LD_PICFLAG=-pie +elif test x$gcc_cv_no_pie = xyes; then + LD_PICFLAG=-no-pie +else + LD_PICFLAG= fi + + # Enable Intel CET on Intel CET enabled host if jit is enabled. # Check whether --enable-cet was given. if test "${enable_cet+set}" = set; then : diff --git a/gcc/configure.ac b/gcc/configure.ac index 20da90901f8..e8257f5053a 100644 --- a/gcc/configure.ac +++ b/gcc/configure.ac @@ -7496,11 +7496,14 @@ fi # Enable --enable-host-shared AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) + [build host code as shared libraries])]) AC_SUBST(enable_host_shared) -AC_SUBST(PICFLAG) +# Enable --enable-host-pie +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) AC_ARG_ENABLE(libquadmath-support, [AS_HELP_STRING([--disable-libquadmath-support], 
@@ -7622,10 +7625,6 @@ AC_CACHE_CHECK([for -fno-PIE option], [gcc_cv_c_no_fpie=yes], [gcc_cv_c_no_fpie=no]) CXXFLAGS="$saved_CXXFLAGS"]) -if test "$gcc_cv_c_no_fpie" = "yes"; then - NO_PIE_CFLAGS="-fno-PIE" -fi -AC_SUBST([NO_PIE_CFLAGS]) # Check if -no-pie works. AC_CACHE_CHECK([for -no-pie option], @@ -7636,10 +7635,27 @@ AC_CACHE_CHECK([for -no-pie option], [gcc_cv_no_pie=yes], [gcc_cv_no_pie=no]) LDFLAGS="$saved_LDFLAGS"]) -if test "$gcc_cv_no_pie" = "yes"; then - NO_PIE_FLAG="-no-pie" + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +elif test x$gcc_cv_c_no_fpie = xyes; then + PICFLAG=-fno-PIE +else + PICFLAG= fi -AC_SUBST([NO_PIE_FLAG]) + +if test x$enable_host_pie = xyes; then + LD_PICFLAG=-pie +elif test x$gcc_cv_no_pie = xyes; then + LD_PICFLAG=-no-pie +else + LD_PICFLAG= +fi + +AC_SUBST([PICFLAG]) +AC_SUBST([LD_PICFLAG]) # Enable Intel CET on Intel CET enabled host if jit is enabled. GCC_CET_HOST_FLAGS(CET_HOST_FLAGS) diff --git a/gcc/d/Make-lang.in b/gcc/d/Make-lang.in index 6c90657d65f..88573d5fac6 100644 --- a/gcc/d/Make-lang.in +++ b/gcc/d/Make-lang.in @@ -60,7 +60,7 @@ WARN_DFLAGS = -Wall -Wdeprecated $(NOCOMMON_FLAG) ALL_DFLAGS = $(DFLAGS-$@) $(GDCFLAGS) -fversion=IN_GCC $(CHECKING_DFLAGS) \ $(PICFLAG) $(ALIASING_FLAGS) $(COVERAGE_FLAGS) $(WARN_DFLAGS) -DCOMPILE.base = $(GDC) $(NO_PIE_CFLAGS) -c $(ALL_DFLAGS) -o $@ +DCOMPILE.base = $(GDC) -c $(ALL_DFLAGS) -o $@ DCOMPILE = $(DCOMPILE.base) -MT $@ -MMD -MP -MF $(@D)/$(DEPDIR)/$(*F).TPo DPOSTCOMPILE = @mv $(@D)/$(DEPDIR)/$(*F).TPo $(@D)/$(DEPDIR)/$(*F).Po DLINKER = $(GDC) $(NO_PIE_FLAG) -lstdc++ diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi index 7258f9def6c..9747f832a75 100644 --- a/gcc/doc/install.texi +++ b/gcc/doc/install.texi 
@@ -1021,14 +1021,26 @@ code. @item --enable-host-shared Specify that the @emph{host} code should be built into position-independent -machine code (with -fPIC), allowing it to be used within shared libraries, -but yielding a slightly slower compiler. +machine code (with @option{-fPIC}), allowing it to be used within shared +libraries, but yielding a slightly slower compiler. This option is required when building the libgccjit.so library. Contrast with @option{--enable-shared}, which affects @emph{target} libraries. +@item --enable-host-pie +Specify that the @emph{host} executables should be built into +position-independent executables (with @option{-fPIE} and @option{-pie}), +yielding a slightly slower compiler (but faster than +@option{--enable-host-shared}). Position-independent executables are loaded +at random addresses each time they are executed, therefore provide additional +protection against Return Oriented Programming (ROP) attacks. + +@option{--enable-host-pie}) may be used with @option{--enable-host-shared}), +in which case @option{-fPIC} is used when compiling, and @option{-pie} when +linking. + @item @anchor{with-gnu-as}--with-gnu-as Specify that the compiler should assume that the assembler it finds is the GNU assembler. However, this does not modify diff --git a/libcody/Makefile.in b/libcody/Makefile.in index 7eaf8ace8ce..0ff1625a39f 100644 --- a/libcody/Makefile.in +++ b/libcody/Makefile.in @@ -31,7 +31,7 @@ endif CXXOPTS += $(filter-out -DHAVE_CONFIG_H,@DEFS@) -include config.h # Linker options -LDFLAGS := @LDFLAGS@ +LDFLAGS := @LDFLAGS@ @LD_PICFLAG@ LIBS := @LIBS@ # Per-source & per-directory compile flags (warning: recursive) diff --git a/libcody/configure b/libcody/configure index da52a5cfca5..0e536c0ccb0 100755 --- a/libcody/configure +++ b/libcody/configure @@ -591,7 +591,10 @@ configure_args AR RANLIB EXCEPTIONS +LD_PICFLAG PICFLAG +enable_host_pie +enable_host_shared OBJEXT EXEEXT ac_ct_CXX 
@@ -653,6 +656,7 @@ enable_maintainer_mode with_compiler enable_checking enable_host_shared +enable_host_pie enable_exceptions ' ac_precious_vars='build_alias @@ -1286,6 +1290,7 @@ Optional Features: yes,no,all,none,release. Flags are: misc,valgrind or other strings --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE --enable-exceptions enable exceptions & rtti Optional Packages: @@ -2635,11 +2640,34 @@ fi # Enable --enable-host-shared. # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC + enableval=$enable_host_shared; +fi + + + +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + + + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE else PICFLAG= fi +if test x$enable_host_pie = xyes; then + LD_PICFLAG=-pie +else + LD_PICFLAG= +fi + + # Check whether --enable-exceptions was given. diff --git a/libcody/configure.ac b/libcody/configure.ac index 960191ecb72..14e8dd4a226 100644 --- a/libcody/configure.ac +++ b/libcody/configure.ac @@ -63,9 +63,31 @@ fi # Enable --enable-host-shared. AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) + [build host code as shared libraries])]) +AC_SUBST(enable_host_shared) + +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +else + PICFLAG= +fi + +if test x$enable_host_pie = xyes; then + LD_PICFLAG=-pie +else + LD_PICFLAG= +fi + AC_SUBST(PICFLAG) +AC_SUBST(LD_PICFLAG) NMS_ENABLE_EXCEPTIONS 
diff --git a/libcpp/configure b/libcpp/configure index 75145390215..85168273cd1 100755 --- a/libcpp/configure +++ b/libcpp/configure @@ -625,6 +625,8 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS CET_HOST_FLAGS PICFLAG +enable_host_pie +enable_host_shared MAINT USED_CATALOGS PACKAGE @@ -738,6 +740,7 @@ enable_maintainer_mode enable_checking enable_canonical_system_headers enable_host_shared +enable_host_pie enable_cet enable_valgrind_annotations ' @@ -1379,6 +1382,7 @@ Optional Features: --enable-canonical-system-headers enable or disable system headers canonicalization --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE --enable-cet enable Intel CET in host libraries [default=auto] --enable-valgrind-annotations enable valgrind runtime interaction @@ -7605,7 +7609,23 @@ esac # Enable --enable-host-shared. # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC + enableval=$enable_host_shared; +fi + + + +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + + + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE else PICFLAG= fi diff --git a/libcpp/configure.ac b/libcpp/configure.ac index 9b6042518e5..d25bf5f414f 100644 --- a/libcpp/configure.ac +++ b/libcpp/configure.ac 
@@ -211,8 +211,23 @@ esac # Enable --enable-host-shared. AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) + [build host code as shared libraries])]) +AC_SUBST(enable_host_shared) + +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +else + PICFLAG= +fi + AC_SUBST(PICFLAG) # Enable Intel CET on Intel CET enabled host if jit is enabled. diff --git a/libdecnumber/configure b/libdecnumber/configure index da5302f9315..d805fdeab5a 100755 --- a/libdecnumber/configure +++ b/libdecnumber/configure @@ -626,6 +626,8 @@ ac_subst_vars='LTLIBOBJS LIBOBJS CET_HOST_FLAGS PICFLAG +enable_host_pie +enable_host_shared ADDITIONAL_OBJS enable_decimal_float target_os @@ -706,6 +708,7 @@ enable_werror_always enable_maintainer_mode enable_decimal_float enable_host_shared +enable_host_pie enable_cet ' ac_precious_vars='build_alias @@ -1338,6 +1341,7 @@ Optional Features: or 'dpd' choses which decimal floating point format to use --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE --enable-cet enable Intel CET in host libraries [default=auto] Some influential environment variables: 
@@ -5185,7 +5189,23 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h # Enable --enable-host-shared. # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC + enableval=$enable_host_shared; +fi + + + +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + + + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE else PICFLAG= fi diff --git a/libdecnumber/configure.ac b/libdecnumber/configure.ac index 0794031ec83..14f67f926d1 100644 --- a/libdecnumber/configure.ac +++ b/libdecnumber/configure.ac @@ -100,8 +100,23 @@ AC_C_BIGENDIAN # Enable --enable-host-shared. AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) + [build host code as shared libraries])]) +AC_SUBST(enable_host_shared) + +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +else + PICFLAG= +fi + AC_SUBST(PICFLAG) # Enable Intel CET on Intel CET enabled host if jit is enabled. diff --git a/libiberty/configure b/libiberty/configure index 0a797255c70..bab5eb72700 100755 --- a/libiberty/configure +++ b/libiberty/configure @@ -5254,8 +5254,8 @@ case "${enable_shared}" in *) shared=yes ;; esac -# ...unless --enable-host-shared was passed from top-level config: -if [ "${enable_host_shared}" = "yes" ]; then +# ...unless --enable-host-{shared,pie} was passed from top-level config: +if [ "${enable_host_shared}" = "yes" ] || [ "${enable_host_pie}" = "yes" ]; then shared=yes fi 
diff --git a/libiberty/configure.ac b/libiberty/configure.ac index 84a7b378fad..bf3f9fe77ee 100644 --- a/libiberty/configure.ac +++ b/libiberty/configure.ac @@ -232,8 +232,8 @@ case "${enable_shared}" in *) shared=yes ;; esac -# ...unless --enable-host-shared was passed from top-level config: -if [[ "${enable_host_shared}" = "yes" ]]; then +# ...unless --enable-host-{shared,pie} was passed from top-level config: +if [[ "${enable_host_shared}" = "yes" ]] || [[ "${enable_host_pie}" = "yes" ]]; then shared=yes fi diff --git a/zlib/configure b/zlib/configure index f489f31bc70..0dfc1982844 100755 --- a/zlib/configure +++ b/zlib/configure @@ -635,6 +635,8 @@ am__EXEEXT_TRUE LTLIBOBJS LIBOBJS PICFLAG +enable_host_pie +enable_host_shared TARGET_LIBRARY_FALSE TARGET_LIBRARY_TRUE toolexeclibdir @@ -778,6 +780,7 @@ with_gnu_ld enable_libtool_lock with_toolexeclibdir enable_host_shared +enable_host_pie ' ac_precious_vars='build_alias host_alias @@ -1420,6 +1423,7 @@ Optional Features: optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -4169,7 +4173,7 @@ case "$host" in case "$enable_cet" in auto) # Check if target supports multi-byte NOPs - # and if assembler supports CET insn. + # and if compiler and assembler support CET insn. cet_save_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -fcf-protection" cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -10735,7 +10739,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10748 "configure" +#line 10754 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -10841,7 +10845,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10854 "configure" +#line 10860 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11524,15 +11528,31 @@ else multilib_arg= fi +# Enable --enable-host-shared. # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC + enableval=$enable_host_shared; +fi + + + +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + + + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE else PICFLAG= fi - ac_config_files="$ac_config_files Makefile" cat >confcache <<\_ACEOF diff --git a/zlib/configure.ac b/zlib/configure.ac index be1cfe29651..adf7aad4e51 100644 --- a/zlib/configure.ac +++ b/zlib/configure.ac @@ -122,11 +122,26 @@ else multilib_arg= fi +# Enable --enable-host-shared. AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) -AC_SUBST(PICFLAG) + [build host code as shared libraries])]) +AC_SUBST(enable_host_shared) + +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +else + PICFLAG= +fi +AC_SUBST(PICFLAG) AC_CONFIG_FILES([Makefile]) AC_OUTPUT base-commit: 157cc4e0117756503c7c63df97cf31de7570b088 -- 2.35.1
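Review bot: In the libdecnumber/configure.ac hunk (@@ -100,8 +100,23 @@), and in the identical block added to zlib/configure.ac, the if/elif chain gives --enable-host-shared silent precedence when both options are passed, and neither help string says so. A user who passes both gets PICFLAG=-fPIC with no message. Either state the precedence in the AS_HELP_STRING text for --enable-host-pie, or reject the combination with AC_MSG_ERROR before PICFLAG is set. As a smaller style point, the tests expand the variable unquoted (`test x$enable_host_shared = xyes`); writing `test "x$enable_host_shared" = xyes` keeps the test well-formed if the option is given a value containing whitespace.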
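Review bot: In the libdecnumber/configure hunk (@@ -5185,7 +5189,23 @@), PICFLAG is now set only when the option value is exactly `yes`, which changes behaviour without a mention in the visible patch text. The removed line set PICFLAG=-fPIC whenever enable_host_shared was set at all (`"${enable_host_shared+set}" = set`), whatever the value; the new code leaves PICFLAG empty for any value other than `yes`. For --enable-host-pie this means a value such as `--enable-host-pie=true` is accepted and produces a non-PIE build without any diagnostic, which is an easy way to lose a hardening option unnoticed. Suggest validating the value in configure.ac (accept yes and no, AC_MSG_ERROR on anything else) and noting the changed handling of --enable-host-shared in the commit log.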
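Review bot: In the libiberty/configure.ac hunk (@@ -232,8 +232,8 @@), --enable-host-pie is routed through the same `shared=yes` path as --enable-host-shared, and the hunk does not show which flag that path selects. If it selects -fPIC, libiberty is compiled with -fPIC while the other directories in this patch use -fPIE for the same option; that may be intended, but the updated comment (`--enable-host-{shared,pie}`) should say which flag a host-pie build ends up with here and why. The same question applies to the regenerated libiberty/configure hunk.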
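Review bot: In zlib/configure, the hunk at @@ -4169,7 +4173,7 @@ changes the CET comment to "and if compiler and assembler support CET insn.", which nothing in the visible zlib/configure.ac hunk accounts for. It looks like regeneration picked up an unrelated change. The `#line` renumbering in the two later hunks is expected from the added lines, but the comment change should either be dropped from this patch by regenerating from a tree that only contains the host-pie change, or be called out in the ChangeLog so it is not mistaken for part of the feature.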