[Qemu-devel] [PATCH v5 1.0] configure: build position independent executables across for x86 hosts

[Qemu-devel] [PATCH v5 1.0] configure: build position independent executables across for x86 hosts

[Avi Kivity]

Change the default on x86 hosts to building PIE (position independent
executables); instead of restricting the option to user-only targets,
apply it to all targets.

In addition, set the relocation sections to read-only (relro) when available;
this reduces the attack surface by disallowing changes to relocation tables
at runtime.

While PIE reduces performance and relro increases load time, it greatly
improves security, with the potential to reduce a code execution vulnerability
to a self denial of service.

Non-x86 are not changed, as they require TCG changes.

Signed-off-by: Avi Kivity <avi@redhat.com>
---

v5: fix typos; only default enable for x86; mutually exclusive with -static

v4: say it's v4 and for 1.0

v3: detect toolchain support for PIE at configure time

v2: improve description to include relro


 configure |   55 +++++++++++++++++++++++++++++++++++++------------------
 1 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/configure b/configure
index 6c77fbb..024e603 100755
--- a/configure
+++ b/configure
@@ -172,7 +172,7 @@ aix="no"
 blobs="yes"
 pkgversion=""
 check_utests=""
-user_pie="no"
+pie=""
 zero_malloc=""
 trace_backend="nop"
 trace_file="trace"
@@ -701,9 +701,9 @@ for opt do
   ;;
   --disable-guest-base) guest_base="no"
   ;;
-  --enable-user-pie) user_pie="yes"
+  --enable-pie) pie="yes"
   ;;
-  --disable-user-pie) user_pie="no"
+  --disable-pie) pie="no"
   ;;
   --enable-uname-release=*) uname_release="$optarg"
   ;;
@@ -1031,8 +1031,8 @@ echo "  --disable-bsd-user       disable all BSD usermode emulation targets"
 echo "  --enable-guest-base      enable GUEST_BASE support for usermode"
 echo "                           emulation targets"
 echo "  --disable-guest-base     disable GUEST_BASE support"
-echo "  --enable-user-pie        build usermode emulation targets as PIE"
-echo "  --disable-user-pie       do not build usermode emulation targets as PIE"
+echo "  --enable-pie             build Position Independent Executables"
+echo "  --disable-pie            do not build Position Independent Executables"
 echo "  --fmod-lib               path to FMOD library"
 echo "  --fmod-inc               path to FMOD includes"
 echo "  --oss-lib                path to OSS library"
@@ -1099,6 +1099,37 @@ for flag in $gcc_flags; do
     fi
 done
 
+if test "$pie" = "yes" -a "$static" = "yes" ; then
+  echo "static and pie are mutually incompatible"
+  exit 1
+fi
+
+if test "$pie" != "no" -a "$static" != "yes" ; then
+  case "$cpu" in
+    i386|x86_64)
+      pie="yes"
+      ;;
+    *)
+      ;;
+  esac
+fi
+
+if test "$pie" = "yes" ; then
+  cat > $TMPC << EOF
+int main(void) { return 0; }
+EOF
+  if compile_prog "-fPIE -DPIE" "-Wl,-pie"; then
+    QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
+    LDFLAGS="-Wl,-pie $LDFLAGS"
+    if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then
+      LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"
+    fi
+  else
+    echo "Disabling PIE due to missing toolchain support"
+    pie="no"
+  fi
+fi
+
 #
 # Solaris specific configure tool chain decisions
 #
@@ -2765,7 +2796,7 @@ echo "Documentation     $docs"
 echo "uname -r          $uname_release"
 echo "NPTL support      $nptl"
 echo "GUEST_BASE        $guest_base"
-echo "PIE user targets  $user_pie"
+echo "PIE               $pie"
 echo "vde support       $vde"
 echo "Linux AIO support $linux_aio"
 echo "ATTR/XATTR support $attr"
@@ -3225,9 +3256,6 @@ for d in libdis libdis-user; do
     symlink $source_path/Makefile.dis $d/Makefile
     echo > $d/config.mak
 done
-if test "$static" = "no" -a "$user_pie" = "yes" ; then
-  echo "QEMU_CFLAGS+=-fpie" > libdis-user/config.mak
-fi
 
 for target in $target_list; do
 target_dir="$target"
@@ -3646,12 +3674,6 @@ if test "$target_softmmu" = "yes" ; then
   esac
 fi
 
-if test "$target_user_only" = "yes" -a "$static" = "no" -a \
-	"$user_pie" = "yes" ; then
-  cflags="-fpie $cflags"
-  ldflags="-pie $ldflags"
-fi
-
 if test "$target_softmmu" = "yes" -a \( \
         "$TARGET_ARCH" = "microblaze" -o \
         "$TARGET_ARCH" = "cris" \) ; then
@@ -3775,9 +3797,6 @@ d=libuser
 mkdir -p $d
 mkdir -p $d/trace
 symlink $source_path/Makefile.user $d/Makefile
-if test "$static" = "no" -a "$user_pie" = "yes" ; then
-  echo "QEMU_CFLAGS+=-fpie" > $d/config.mak
-fi
 
 if test "$docs" = "yes" ; then
   mkdir -p QMP
-- 
1.7.7.1

Re: [Qemu-devel] [PATCH v5 1.0] configure: build position independent executables across for x86 hosts

[Peter Maydell]

On 15 November 2011 08:00, Avi Kivity <avi@redhat.com> wrote:

> @@ -1099,6 +1099,37 @@ for flag in $gcc_flags; do
>     fi
>  done
>
> +if test "$pie" = "yes" -a "$static" = "yes" ; then
> +  echo "static and pie are mutually incompatible"
> +  exit 1
> +fi

The -a operator to test has been marked obsolescent in
POSIX -- please don't use it in new code. (Use
if test "$pie" = yes && test "$static" = yes; then )

> +if test "$pie" = "yes" ; then
> +  cat > $TMPC << EOF
> +int main(void) { return 0; }
> +EOF
> +  if compile_prog "-fPIE -DPIE" "-Wl,-pie"; then
> +    QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
> +    LDFLAGS="-Wl,-pie $LDFLAGS"
> +    if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then
> +      LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"

Why does this second compile test put -fPIE -DPIE into
its local cflags and -Wl,-pie into its local ldflags
when we just put them into the global cflags/ldflags?

> +    fi
> +  else
> +    echo "Disabling PIE due to missing toolchain support"
> +    pie="no"

This means that if the user explicitly asked for PIE (with
--enable-pie") we will carry on even if we couldn't do it.
Usually for configure if the user asked for something then
not providing it is a fatal error.

-- PMM

Re: [Qemu-devel] [PATCH v5 1.0] configure: build position independent executables across for x86 hosts

[Avi Kivity]

On 11/15/2011 11:10 AM, Peter Maydell wrote:
> On 15 November 2011 08:00, Avi Kivity <avi@redhat.com> wrote:
>
> > @@ -1099,6 +1099,37 @@ for flag in $gcc_flags; do
> >     fi
> >  done
> >
> > +if test "$pie" = "yes" -a "$static" = "yes" ; then
> > +  echo "static and pie are mutually incompatible"
> > +  exit 1
> > +fi
>
> The -a operator to test has been marked obsolescent in
> POSIX -- please don't use it in new code. (Use
> if test "$pie" = yes && test "$static" = yes; then )

Okay.  For 1.1, I'll convert this script to python.

> > +if test "$pie" = "yes" ; then
> > +  cat > $TMPC << EOF
> > +int main(void) { return 0; }
> > +EOF
> > +  if compile_prog "-fPIE -DPIE" "-Wl,-pie"; then
> > +    QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
> > +    LDFLAGS="-Wl,-pie $LDFLAGS"
> > +    if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then
> > +      LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"
>
> Why does this second compile test put -fPIE -DPIE into
> its local cflags and -Wl,-pie into its local ldflags
> when we just put them into the global cflags/ldflags?

Ah, I didn't realize compile_prog considered those.  Will make
parallelizing it harder.  Will fix.

> > +    fi
> > +  else
> > +    echo "Disabling PIE due to missing toolchain support"
> > +    pie="no"
>
> This means that if the user explicitly asked for PIE (with
> --enable-pie") we will carry on even if we couldn't do it.
> Usually for configure if the user asked for something then
> not providing it is a fatal error.

Yeah.

-- 
error compiling committee.c: too many arguments to function