| Message ID | 20191218031920.6414-6-richard.henderson@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | configure: Improve PIE and other linkage | expand |
On 18/12/2019 04.19, Richard Henderson wrote: > There is nothing about these options that is related to PIE. > Nor is there anything that specifically ties them to each other. > Use them unconditionally. > > Signed-off-by: Richard Henderson <richard.henderson@linaro.org> > --- > configure | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > > diff --git a/configure b/configure > index 972ce7396f..f8981eec15 100755 > --- a/configure > +++ b/configure > @@ -2034,9 +2034,6 @@ if test "$pie" != "no" ; then > QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS" > LDFLAGS="-pie $LDFLAGS" > pie="yes" > - if compile_prog "" "-Wl,-z,relro -Wl,-z,now" ; then > - LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS" > - fi > else > if test "$pie" = "yes"; then > error_exit "PIE not available due to missing toolchain support" > @@ -2047,6 +2044,16 @@ if test "$pie" != "no" ; then > fi > fi > > +# Detect support for DT_BIND_NOW. > +if compile_prog "" "-Wl,-z,now" ; then > + LDFLAGS="-Wl,-z,now $LDFLAGS" > +fi > + > +# Detect support for PT_GNU_RELRO. > +if compile_prog "" "-Wl,-z,relro" ; then > + LDFLAGS="-Wl,-z,relro $LDFLAGS" > +fi Looking at https://mudongliang.github.io/2016/07/11/relro-a-not-so-well-known-memory-corruption-mitigation-technique.html the idea of specifying these two options together was likely to get "Full RELRO" instead of only "Partial RELRO". Thus, does it make sense to have "-Wl,-z,now" without "-Wl,-z,relro" in QEMU? Or should this rather check whether both are possible, then use both, otherwise just try to use "relro" alone? Thomas
On 12/17/19 10:11 PM, Thomas Huth wrote: >> +# Detect support for DT_BIND_NOW. >> +if compile_prog "" "-Wl,-z,now" ; then >> + LDFLAGS="-Wl,-z,now $LDFLAGS" >> +fi >> + >> +# Detect support for PT_GNU_RELRO. >> +if compile_prog "" "-Wl,-z,relro" ; then >> + LDFLAGS="-Wl,-z,relro $LDFLAGS" >> +fi > > Looking at > https://mudongliang.github.io/2016/07/11/relro-a-not-so-well-known-memory-corruption-mitigation-technique.html > the idea of specifying these two options together was likely to get > "Full RELRO" instead of only "Partial RELRO". Sure. > Thus, does it make sense to have "-Wl,-z,now" without "-Wl,-z,relro" in > QEMU? Or should this rather check whether both are possible, then use > both, otherwise just try to use "relro" alone? Honestly, I expect them both to be supported in any binutils. I split the two tests just because they didn't seem to be logically connected. But I had forgotten about, or perhaps never heard, the terms "full" and "partial" relro. I can put them back together with an appropriate comment it you like. One less thing to run during configure... r~
On 18/12/2019 17.58, Richard Henderson wrote: > On 12/17/19 10:11 PM, Thomas Huth wrote: >>> +# Detect support for DT_BIND_NOW. >>> +if compile_prog "" "-Wl,-z,now" ; then >>> + LDFLAGS="-Wl,-z,now $LDFLAGS" >>> +fi >>> + >>> +# Detect support for PT_GNU_RELRO. >>> +if compile_prog "" "-Wl,-z,relro" ; then >>> + LDFLAGS="-Wl,-z,relro $LDFLAGS" >>> +fi >> >> Looking at >> https://mudongliang.github.io/2016/07/11/relro-a-not-so-well-known-memory-corruption-mitigation-technique.html >> the idea of specifying these two options together was likely to get >> "Full RELRO" instead of only "Partial RELRO". > > Sure. > >> Thus, does it make sense to have "-Wl,-z,now" without "-Wl,-z,relro" in >> QEMU? Or should this rather check whether both are possible, then use >> both, otherwise just try to use "relro" alone? > > Honestly, I expect them both to be supported in any binutils. > > I split the two tests just because they didn't seem to be logically connected. > But I had forgotten about, or perhaps never heard, the terms "full" and > "partial" relro. > > I can put them back together with an appropriate comment it you like. One less > thing to run during configure... Yes, please. Thanks, Thomas
diff --git a/configure b/configure index 972ce7396f..f8981eec15 100755 --- a/configure +++ b/configure @@ -2034,9 +2034,6 @@ if test "$pie" != "no" ; then QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS" LDFLAGS="-pie $LDFLAGS" pie="yes" - if compile_prog "" "-Wl,-z,relro -Wl,-z,now" ; then - LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS" - fi else if test "$pie" = "yes"; then error_exit "PIE not available due to missing toolchain support" @@ -2047,6 +2044,16 @@ if test "$pie" != "no" ; then fi fi +# Detect support for DT_BIND_NOW. +if compile_prog "" "-Wl,-z,now" ; then + LDFLAGS="-Wl,-z,now $LDFLAGS" +fi + +# Detect support for PT_GNU_RELRO. +if compile_prog "" "-Wl,-z,relro" ; then + LDFLAGS="-Wl,-z,relro $LDFLAGS" +fi + ########################################## # __sync_fetch_and_and requires at least -march=i486. Many toolchains # use i686 as default anyway, but for those that don't, an explicit
There is nothing about these options that is related to PIE. Nor is there anything that specifically ties them to each other. Use them unconditionally. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> --- configure | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) -- 2.20.1