From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) by sourceware.org (Postfix) with ESMTPS id 5D0B23858C98 for ; Sat, 2 Dec 2023 09:43:00 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 5D0B23858C98 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 5D0B23858C98 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2a00:1450:4864:20::52c ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1701510182; cv=none; b=I3+yia2A839waV44yb3di4aKTPIZDL7XR/C5M4TwYCokHZzTW9qCj7WvQfz92dOUwwi/CEVMvpdqtWuxbG2yMT74T7yvuoQBCQ0X9aQYfTTWpa12gHY0gJ1QZc56VzlIajYkOrPFYOJbzDybDFjcjwbIofvkVggW31qLL7H8Iw8= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1701510182; c=relaxed/simple; bh=Myj3WpynMMJOkhDBcPe4n3AsI9JzcbXOJeojqjCGkc4=; h=DKIM-Signature:Message-ID:Subject:From:To:Date:MIME-Version; b=drdk1TLx8lVBhmkVgeRtbEWrj0emz+J02zflQJJ04QqER36yKi0xfcXgOnrpv4C4k6eq0VCunkGG+22x46VPPXsT/M1Y21De2NiJtJivMm6CIqtsc1UZWDW4GKZqTqEApz5sYbZ3w4teXQWuJKWjj5a0UgEYuM+vRvZQozW48c4= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-54c74b3cd4cso1384803a12.1 for ; Sat, 02 Dec 2023 01:43:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701510179; x=1702114979; darn=gcc.gnu.org; h=mime-version:user-agent:content-transfer-encoding:in-reply-to:date :cc:to:from:subject:message-id:from:to:cc:subject:date:message-id :reply-to; bh=LHnArKP6YuuPTa87f5iZ3EL2LxGJxFnZwk83t0EF77g=; b=lfzZjAQiax5uklL0XoU3ksJ3YjOGCMlZudFg6rT4VmZ/yIoEyhNa9t3l2Z1qKOrzw+ Gc1kdlM/4TS+8okbhM41YH+2IHOkCmMNd4jnMqBKJg5uuNjxrmjqITa+SJrmd7CuOqGS LLZSQpeX0zugjWWBENWr1Y8gngQXlUuTcc/AG0+Kuxg7bz4jLkICgX3RyK1/DIar0jSY k1WJH7Brp8eZLHdguDQAzzBSSNw3f8XxdUHW/Kg5QWoorUXTa5YpeUGWowr9e5XqwRF5 fxojY2wXafDkhXRch7DZsKKqs5nwBYCDh8l22xITvEHJDp03OqIDb/AbOgyUsyjcNj4g Cd2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701510179; x=1702114979; h=mime-version:user-agent:content-transfer-encoding:in-reply-to:date :cc:to:from:subject:message-id:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=LHnArKP6YuuPTa87f5iZ3EL2LxGJxFnZwk83t0EF77g=; b=N3ixQxLzUedO9ILwfFf1ECCwJK0v2RHxgW/fXIBEjVfYrl/eQgOnilvAEmqG/JXjYM 7gYPFv4zz23Ak2A2penYdZlSolcnxpC5BlH0U1nTHrZk+j91gDB1apu38e9gAc3BcLUU vay41KEOj3v4txBx+Q5r39U40uiMaLnucx0zVgIDevR/Ky5YqaKROkbEN/rzWOl89gDD dyjrDQVOYBSAKTDK/RAabA33N2KH7zolxOyIc+BwHM4LLWwm0gUYyyJxpU7CgT1m21Fk EmsN7wuz2k0bUQgUgXxlKiS9M4e920T6rn2gWBo6k5qO4gvix78KoGd6X+wI4NR5tLzl kX5A== X-Gm-Message-State: AOJu0YxigCd1yUJLg73wyVh39W1QPdiXZEZqFUezEk9ao8O51xUj+jbz YJAEPFqdMVdqggXNc3Nb9b8= X-Google-Smtp-Source: AGHT+IEMM6kn6iHSn/BrlIqYg+RkshoA7MG4QUCNM6s9ACt4HFy53/lqj1i8aGEmSFxwqq8ZHmMfQg== X-Received: by 2002:a50:c04b:0:b0:54c:7235:92a0 with SMTP id u11-20020a50c04b000000b0054c723592a0mr1283999edd.43.1701510178617; Sat, 02 Dec 2023 01:42:58 -0800 (PST) Received: from 2a02-8388-e203-9700-eddb-fb4f-5189-911d.cable.dynamic.v6.surfer.at (2a02-8388-e203-9700-eddb-fb4f-5189-911d.cable.dynamic.v6.surfer.at. [2a02:8388:e203:9700:eddb:fb4f:5189:911d]) by smtp.gmail.com with ESMTPSA id i22-20020a05640242d600b0054c72a6a07csm792221edc.84.2023.12.02.01.42.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 02 Dec 2023 01:42:58 -0800 (PST) Message-ID: Subject: Re: [PATCH] gcc: Disallow trampolines when -fhardened From: Martin Uecker To: polacek@redhat.com Cc: gcc-patches@gcc.gnu.org Date: Sat, 02 Dec 2023 10:42:56 +0100 In-Reply-To: <20231201193359.108618-1-polacek@redhat.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.4-2 MIME-Version: 1.0 X-Spam-Status: No, score=-8.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? >=20 > -- >8 -- > It came up that a good hardening strategy is to disable trampolines > which may require executable stack. Therefore the following patch > adds -Werror=3Dtrampolines to -fhardened. This would add a warning about specific code (where it is then unclear whether rewriting it is feasible or even an improvement), which seems different to all the other flags -fhardening has now. GCC now has an option to allocate trampolines on the heap, which would seem to be a better fit. On the other hand, it does not work with longjmp which may be a limitation. Martin >=20 > gcc/ChangeLog: >=20 > * common.opt (Wtrampolines): Enable by -fhardened. > * doc/invoke.texi: Reflect that -fhardened enables -Werror=3Dtrampolines= . > * opts.cc (print_help_hardened): Add -Werror=3Dtrampolines. > * toplev.cc (process_options): Enable -Werror=3Dtrampolines for > -fhardened. >=20 > gcc/testsuite/ChangeLog: >=20 > * gcc.dg/fhardened-1.c: New test. > * gcc.dg/fhardened-2.c: New test. > * gcc.dg/fhardened-3.c: New test. > * gcc.dg/fhardened-4.c: New test. > * gcc.dg/fhardened-5.c: New test. > --- > gcc/common.opt | 2 +- > gcc/doc/invoke.texi | 1 + > gcc/opts.cc | 1 + > gcc/testsuite/gcc.dg/fhardened-1.c | 27 +++++++++++++++++++++++++++ > gcc/testsuite/gcc.dg/fhardened-2.c | 25 +++++++++++++++++++++++++ > gcc/testsuite/gcc.dg/fhardened-3.c | 25 +++++++++++++++++++++++++ > gcc/testsuite/gcc.dg/fhardened-4.c | 25 +++++++++++++++++++++++++ > gcc/testsuite/gcc.dg/fhardened-5.c | 27 +++++++++++++++++++++++++++ > gcc/toplev.cc | 8 +++++++- > 9 files changed, 139 insertions(+), 2 deletions(-) > create mode 100644 gcc/testsuite/gcc.dg/fhardened-1.c > create mode 100644 gcc/testsuite/gcc.dg/fhardened-2.c > create mode 100644 gcc/testsuite/gcc.dg/fhardened-3.c > create mode 100644 gcc/testsuite/gcc.dg/fhardened-4.c > create mode 100644 gcc/testsuite/gcc.dg/fhardened-5.c >=20 > diff --git a/gcc/common.opt b/gcc/common.opt > index 161a035d736..9b09c7cb3df 100644 > --- a/gcc/common.opt > +++ b/gcc/common.opt > @@ -807,7 +807,7 @@ Common Var(warn_system_headers) Warning > Do not suppress warnings from system headers. > =20 > Wtrampolines > -Common Var(warn_trampolines) Warning > +Common Var(warn_trampolines) Warning EnabledBy(fhardened) > Warn whenever a trampoline is generated. > =20 > Wtrivial-auto-var-init > diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi > index 2fab4c5d71f..c1664a1a0f1 100644 > --- a/gcc/doc/invoke.texi > +++ b/gcc/doc/invoke.texi > @@ -17745,6 +17745,7 @@ may change between major releases of GCC, but are= currently: > -fstack-protector-strong > -fstack-clash-protection > -fcf-protection=3Dfull @r{(x86 GNU/Linux only)} > +-Werror=3Dtrampolines > } > =20 > The list of options enabled by @option{-fhardened} can be generated usin= g > diff --git a/gcc/opts.cc b/gcc/opts.cc > index 5d5efaf1b9e..aa062b87cef 100644 > --- a/gcc/opts.cc > +++ b/gcc/opts.cc > @@ -2517,6 +2517,7 @@ print_help_hardened () > printf (" %s\n", "-fstack-protector-strong"); > printf (" %s\n", "-fstack-clash-protection"); > printf (" %s\n", "-fcf-protection=3Dfull"); > + printf (" %s\n", "-Werror=3Dtrampolines"); > putchar ('\n'); > } > =20 > diff --git a/gcc/testsuite/gcc.dg/fhardened-1.c b/gcc/testsuite/gcc.dg/fh= ardened-1.c > new file mode 100644 > index 00000000000..8710959b6f1 > --- /dev/null > +++ b/gcc/testsuite/gcc.dg/fhardened-1.c > @@ -0,0 +1,27 @@ > +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ > +/* { dg-require-effective-target trampolines } */ > +/* { dg-options "-fhardened -O" } */ > + > +static void > +baz (int (*bar) (void)) > +{ > + bar (); > +} > + > +int > +main (void) > +{ > + int a =3D 6; > + > + int > + bar (void) // { dg-error "trampoline" } > + { > + return a; > + } > + > + baz (bar); > + > + return 0; > +} > + > +/* { dg-prune-output "some warnings being treated as errors" } */ > diff --git a/gcc/testsuite/gcc.dg/fhardened-2.c b/gcc/testsuite/gcc.dg/fh= ardened-2.c > new file mode 100644 > index 00000000000..d47512aa47f > --- /dev/null > +++ b/gcc/testsuite/gcc.dg/fhardened-2.c > @@ -0,0 +1,25 @@ > +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ > +/* { dg-require-effective-target trampolines } */ > +/* { dg-options "-fhardened -O -Wno-trampolines" } */ > + > +static void > +baz (int (*bar) (void)) > +{ > + bar (); > +} > + > +int > +main (void) > +{ > + int a =3D 6; > + > + int > + bar (void) // { dg-bogus "trampoline" } > + { > + return a; > + } > + > + baz (bar); > + > + return 0; > +} > diff --git a/gcc/testsuite/gcc.dg/fhardened-3.c b/gcc/testsuite/gcc.dg/fh= ardened-3.c > new file mode 100644 > index 00000000000..cebae13d8be > --- /dev/null > +++ b/gcc/testsuite/gcc.dg/fhardened-3.c > @@ -0,0 +1,25 @@ > +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ > +/* { dg-require-effective-target trampolines } */ > +/* { dg-options "-fhardened -O -Wno-error" } */ > + > +static void > +baz (int (*bar) (void)) > +{ > + bar (); > +} > + > +int > +main (void) > +{ > + int a =3D 6; > + > + int > + bar (void) // { dg-warning "trampoline" } > + { > + return a; > + } > + > + baz (bar); > + > + return 0; > +} > diff --git a/gcc/testsuite/gcc.dg/fhardened-4.c b/gcc/testsuite/gcc.dg/fh= ardened-4.c > new file mode 100644 > index 00000000000..7e62ed3385d > --- /dev/null > +++ b/gcc/testsuite/gcc.dg/fhardened-4.c > @@ -0,0 +1,25 @@ > +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ > +/* { dg-require-effective-target trampolines } */ > +/* { dg-options "-fhardened -O -Wno-error=3Dtrampolines" } */ > + > +static void > +baz (int (*bar) (void)) > +{ > + bar (); > +} > + > +int > +main (void) > +{ > + int a =3D 6; > + > + int > + bar (void) // { dg-warning "trampoline" } > + { > + return a; > + } > + > + baz (bar); > + > + return 0; > +} > diff --git a/gcc/testsuite/gcc.dg/fhardened-5.c b/gcc/testsuite/gcc.dg/fh= ardened-5.c > new file mode 100644 > index 00000000000..5d3f0dcae8e > --- /dev/null > +++ b/gcc/testsuite/gcc.dg/fhardened-5.c > @@ -0,0 +1,27 @@ > +/* { dg-do compile { target *-*-linux* *-*-gnu* } } */ > +/* { dg-require-effective-target trampolines } */ > +/* { dg-options "-fhardened -O -Wtrampolines" } */ > + > +static void > +baz (int (*bar) (void)) > +{ > + bar (); > +} > + > +int > +main (void) > +{ > + int a =3D 6; > + > + int > + bar (void) // { dg-error "trampoline" } > + { > + return a; > + } > + > + baz (bar); > + > + return 0; > +} > + > +/* { dg-prune-output "some warnings being treated as errors" } */ > diff --git a/gcc/toplev.cc b/gcc/toplev.cc > index 85450d97a1a..2f0ac74dee0 100644 > --- a/gcc/toplev.cc > +++ b/gcc/toplev.cc > @@ -1682,7 +1682,7 @@ process_options () > flag_ipa_ra =3D 0; > =20 > /* Enable -Werror=3Dcoverage-mismatch when -Werror and -Wno-error > - have not been set. */ > + have not been set. Also enable -Werror=3Dtrampolines for -fhardene= d. */ > if (!OPTION_SET_P (warnings_are_errors)) > { > if (warn_coverage_mismatch > @@ -1693,6 +1693,12 @@ process_options () > && option_unspecified_p (OPT_Wcoverage_invalid_line_number)) > diagnostic_classify_diagnostic (global_dc, OPT_Wcoverage_invalid_line_n= umber, > DK_ERROR, UNKNOWN_LOCATION); > + > + if (flag_hardened > + && warn_trampolines > + && option_unspecified_p (OPT_Wtrampolines)) > + diagnostic_classify_diagnostic (global_dc, OPT_Wtrampolines, > + DK_ERROR, UNKNOWN_LOCATION); > } > =20 > /* Save the current optimization options. */ >=20 > base-commit: b8edb812ff4934c609fdfafe2e1c7f932bc18305 > --=20 > 2.42.0 >=20