From nobody Thu Dec 18 17:56:05 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1592993143; cv=none; d=zohomail.com; s=zohoarc; b=DhMNv4Y92MAqbn0hx32wMJt39eeEgEsugRSwXhy8Rm9Iw/psH4sv4k+5RydRBCUJP+TDRBl/SQQhSalgIvmvUJvZqyrbvw8Ii2amZmYSARqLoVOeNK4jOX9PzqV8txJ1g65Q1pZ/yxU5642yDpnxpm7nPfJxLT7O0kqK+mCkOtg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1592993143; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=vInTGCffotXESgrOE+sQ/HjsitRb+VUYibAP46TUiF4=; b=XmCLZX+j+qZ8D/keXSzNHCskA8jBfWBexaFB2tbuOH0e02WW3+Y1af+KLYx+tq7XVSL6emcirC5Lpn83srQxyZRqa1zstbXn1bJd5U9JksHJVW/03oUdSFvUWgtqM3lnHVVMB7GPGd3PDuzrOYSV7IlZFC1A15gmS+cs9gmLmvI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 159299314370046.00383620725279; Wed, 24 Jun 2020 03:05:43 -0700 (PDT) Received: from localhost ([::1]:48448 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jo2Hm-0006VS-Fj for importer@patchew.org; Wed, 24 Jun 2020 06:05:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43450) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jo2Es-0001YZ-VQ for qemu-devel@nongnu.org; Wed, 24 Jun 2020 06:02:42 -0400 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:45177 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1jo2Er-0003a4-1W for qemu-devel@nongnu.org; Wed, 24 Jun 2020 06:02:42 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-450-_TkRBPyZNpOpvnJchgsTNQ-1; Wed, 24 Jun 2020 06:02:38 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DB3D7107ACCD; Wed, 24 Jun 2020 10:02:36 +0000 (UTC) Received: from localhost (ovpn-114-150.ams2.redhat.com [10.36.114.150]) by smtp.corp.redhat.com (Postfix) with ESMTP id 91C385D9D3; Wed, 24 Jun 2020 10:02:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1592992960; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vInTGCffotXESgrOE+sQ/HjsitRb+VUYibAP46TUiF4=; b=IFrZbl1awfJ1qmAM4azsnxS/0+nFspT2BBezxKhuwZ2yM1X0fgeJwve8cf5uMzNxv4f4MF 7LmXLgiFEsy2fV8iX75uwRnojbLtpZi2J/YmTDPR8rwkef3KSaRwi+DGsUdhv1ZnHjXpMr S3Qej1/BwslLFHR/5GRvgw1H/iU6N7w= X-MC-Unique: _TkRBPyZNpOpvnJchgsTNQ-1 From: Stefan Hajnoczi To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 04/12] configure: add flags to support SafeStack Date: Wed, 24 Jun 2020 11:02:02 +0100 Message-Id: <20200624100210.59975-5-stefanha@redhat.com> In-Reply-To: <20200624100210.59975-1-stefanha@redhat.com> References: <20200624100210.59975-1-stefanha@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=205.139.110.120; envelope-from=stefanha@redhat.com; helo=us-smtp-1.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/06/24 03:27:53 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -13 X-Spam_score: -1.4 X-Spam_bar: - X-Spam_report: (-1.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_BASE64_TEXT=1.741, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , Fam Zheng , Eduardo Habkost , qemu-block@nongnu.org, Max Reitz , Stefan Hajnoczi , Cleber Rosa , Daniele Buono Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" From: Daniele Buono This patch adds a flag to enable/disable the SafeStack instrumentation provided by LLVM. On enable, make sure that the compiler supports the flags, and that we are using the proper coroutine implementation (coroutine-ucontext). On disable, explicitly disable the option if it was enabled by default. While SafeStack is supported only on Linux, NetBSD, FreeBSD and macOS, we are not checking for the O.S. since this is already done by LLVM. Signed-off-by: Daniele Buono Message-id: 20200529205122.714-4-dbuono@linux.vnet.ibm.com Signed-off-by: Stefan Hajnoczi --- configure | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/configure b/configure index ba88fd1824..ae8737d5a2 100755 --- a/configure +++ b/configure @@ -307,6 +307,7 @@ audio_win_int=3D"" libs_qga=3D"" debug_info=3D"yes" stack_protector=3D"" +safe_stack=3D"" use_containers=3D"yes" gdb_bin=3D$(command -v "gdb-multiarch" || command -v "gdb") =20 @@ -1287,6 +1288,10 @@ for opt do ;; --disable-stack-protector) stack_protector=3D"no" ;; + --enable-safe-stack) safe_stack=3D"yes" + ;; + --disable-safe-stack) safe_stack=3D"no" + ;; --disable-curses) curses=3D"no" ;; --enable-curses) curses=3D"yes" @@ -1829,6 +1834,8 @@ disabled with --disable-FEATURE, default is enabled i= f available: debug-tcg TCG debugging (default is disabled) debug-info debugging information sparse sparse checker + safe-stack SafeStack Stack Smash Protection. Depends on + clang/llvm >=3D 3.7 and requires coroutine backend ucont= ext. =20 gnutls GNUTLS cryptography support nettle nettle cryptography support @@ -5573,6 +5580,67 @@ if test "$debug_stack_usage" =3D "yes"; then fi fi =20 +################################################## +# SafeStack + + +if test "$safe_stack" =3D "yes"; then +cat > $TMPC << EOF +int main(int argc, char *argv[]) +{ +#if ! __has_feature(safe_stack) +#error SafeStack Disabled +#endif + return 0; +} +EOF + flag=3D"-fsanitize=3Dsafe-stack" + # Check that safe-stack is supported and enabled. + if compile_prog "-Werror $flag" "$flag"; then + # Flag needed both at compilation and at linking + QEMU_CFLAGS=3D"$QEMU_CFLAGS $flag" + QEMU_LDFLAGS=3D"$QEMU_LDFLAGS $flag" + else + error_exit "SafeStack not supported by your compiler" + fi + if test "$coroutine" !=3D "ucontext"; then + error_exit "SafeStack is only supported by the coroutine backend ucont= ext" + fi +else +cat > $TMPC << EOF +int main(int argc, char *argv[]) +{ +#if defined(__has_feature) +#if __has_feature(safe_stack) +#error SafeStack Enabled +#endif +#endif + return 0; +} +EOF +if test "$safe_stack" =3D "no"; then + # Make sure that safe-stack is disabled + if ! compile_prog "-Werror" ""; then + # SafeStack was already enabled, try to explicitly remove the feature + flag=3D"-fno-sanitize=3Dsafe-stack" + if ! compile_prog "-Werror $flag" "$flag"; then + error_exit "Configure cannot disable SafeStack" + fi + QEMU_CFLAGS=3D"$QEMU_CFLAGS $flag" + QEMU_LDFLAGS=3D"$QEMU_LDFLAGS $flag" + fi +else # "$safe_stack" =3D "" + # Set safe_stack to yes or no based on pre-existing flags + if compile_prog "-Werror" ""; then + safe_stack=3D"no" + else + safe_stack=3D"yes" + if test "$coroutine" !=3D "ucontext"; then + error_exit "SafeStack is only supported by the coroutine backend uco= ntext" + fi + fi +fi +fi =20 ########################################## # check if we have open_by_handle_at @@ -6765,6 +6833,7 @@ echo "sparse enabled $sparse" echo "strip binaries $strip_opt" echo "profiler $profiler" echo "static build $static" +echo "safe stack $safe_stack" if test "$darwin" =3D "yes" ; then echo "Cocoa support $cocoa" fi @@ -8370,6 +8439,10 @@ if test "$ccache_cpp2" =3D "yes"; then echo "export CCACHE_CPP2=3Dy" >> $config_host_mak fi =20 +if test "$safe_stack" =3D "yes"; then + echo "CONFIG_SAFESTACK=3Dy" >> $config_host_mak +fi + # If we're using a separate build tree, set it up now. # DIRS are directories which we simply mkdir in the build tree; # LINKS are things to symlink back into the source tree --=20 2.26.2