As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.
This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
c++tools/ChangeLog:
* configure.ac (--enable-host-bind-now): New check.
* configure: Regenerate.
gcc/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Add
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-bind-now.
lto-plugin/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Link with
-z,now.
* configure: Regenerate.
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
I plan to add an option to link with -Wl,-z,now.
ChangeLog:
* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
isl.
* Makefile.in: Regenerate.
* Makefile.tpl: Set PICFLAG.
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
The c++tools configure fragments need to be built with a C++ compiler.
In addition, the stand-alone server uses diagnostic mechanisms in common
with GCC, but needs to define implementations for gcc_assert and
supporting output functions.
Signed-off-by: Iain Sandoe <iain@sandoe.co.uk>
PR c++/98821 - modules : c++tools configures with CC but code fragments assume CXX.
PR c++/98821
c++tools/ChangeLog:
* config.h.in: Regenerate.
* configure: Regenerate.
* configure.ac: Configure using C++. Pull logic to
detect enabled checking modes; default to release
checking.
* server.cc (AI_NUMERICSERV): Define a fallback value.
(gcc_assert): New.
(gcc_unreachable): New.
(fancy_abort): Only build when checking is enabled.
Co-authored-by: Jakub Jelinek <jakub@redhat.com>
While looking at PR100731, I have noticed the copyright years are 2020-ish
only. This patch adds it to update-copyright.py and updates those.
2021-05-25 Jakub Jelinek <jakub@redhat.com>
contrib/
* update-copyright.py: Add c++tools.
c++tools/
* Makefile.in: Update copyright year.
* configure.ac: Likewise.
* resolver.cc: Likewise.
* resolver.h: Likewise.
* server.cc: Likewise.
(print_version): Update copyright notice date.
With the introduction of C++20 modules and libcody, cc1plus and
cc1objplus gained a dependency on the socket functions. Before those
were merged into libc in Solaris 11.4, one needed to link with -lsocket -lnsl
on Solaris, so that merge broke the Solaris 11.3 build.
While we already have 4 different checks for those libraries in the
tree, I decided to import autoconf-archive's AX_LIB_SOCKET_NSL macro
instead. At the same time, the patch only links libcody and the
networking libs where needed (cc1plus, cc1objplus).
Bootstrapped without regressions on i386-pc-solaris2.11 (Solaris 11.3
and 11.4), sparc-sun-solaris2.11, and x86_64-pc-linux-gnu.
2020-12-16 Rainer Orth <ro@CeBiTec.Uni-Bielefeld.DE>
c++tools:
PR c++/98316
* configure.ac: Include ../config/ax_lib_socket_nsl.m4.
(NETLIBS): Determine using AX_LIB_SOCKET_NSL.
* configure: Regenerate.
* Makefile.in (NETLIBS): Define.
(g++-mapper-server$(exeext)): Add $(NETLIBS).
gcc/objcp:
PR c++/98316
* Make-lang.in (cc1objplus$(exeext)): Add $(CODYLIB), $(NETLIBS).
gcc/cp:
PR c++/98316
* Make-lang.in (cc1plus$(exeext)): Add $(CODYLIB), $(NETLIBS).
gcc:
PR c++/98316
* configure.ac (NETLIBS): Determine using AX_LIB_SOCKET_NSL.
* aclocal.m4, configure: Regenerate.
* Makefile.in (NETLIBS): Define.
(BACKEND): Remove $(CODYLIB).
config:
PR c++/98316
* ax_lib_socket_nsl.m4: Import from autoconf-archive.
This adds --enable-default-pie support to c++tools, so that the sample
server is build -fPIE if requested.
PR bootstrap/98324
c++tools/
* Makefile.in: Add FLAGPIE.
* configure.ac: Add --enable-default-pie support.
* configure: Rebuilt.
When breaking out the sample server from the gcc/cp directory, it lost
its check for mmap, and the sample resolver just assumed it was there.
Fixed thusly. The non-mapping paths in module.cc weren't (recently)
excercised, and led to a signedness warning. Finally I'd missed
c++tools's config.h.in in the gcc_update script. There I took the
opportunity of adding a 'tools' segment of the dependency lists.
PR bootstrap/98300
contrib/
* gcc_update: Add c++tools/config.h.in.
c++tools/
* configure.ac: Check for sys/mman.h.
* resolver.cc: Don't assume mmap, O_CLOEXEC are available. Use
xmalloc.
* config.h.in: Regenerated.
* configure: Regenerated.
gcc/cp/
* module.cc: Fix ::read, ::write result signedness comparisons.
Seems c++tools doesn't honor --with-gcc-major-version-only.
Our distro uses that flag and so everything is installed in
/usr/lib/gcc/<target>/11/...
/usr/libexec/gcc/<target>/11/...
except
/usr/libexec/gcc/<target>/11.0.0/g++-mapper-server
The following patch should fix that.
2020-12-17 Jakub Jelinek <jakub@redhat.com>
* configure.ac: Add GCC_BASE_VER.
* Makefile.in (version): Remove variable.
(gcc_version): New variable.
(libexecsubdir): Use $(gcc_version) instead of $(version).
* configure: Regenerated.
I'd missed an install-strip rule in c++tools. Here it is, cribbed
from gcc/ subdir.
c++tools/
* Makefile.in (INSTALL): Replace with ...
(INSTALL_PROGRAM): ... this.
(INSTALL_STRIP_PROGRAM): New.
(install-strip): New target.
(install): Use INSTALL_PROGRAM.
* configure.ac: Add INSTALL_PROGRAM.
* configure: Regenerated.
Part of our module implementation adds a sample mapper server, the
guts of which are used by the default in-process mapping of cc1plus.
Rather than add another executable to gcc/cp/, this creates a new
c++tools directory where this and any other c++ tools might live.
The toplevel changes are a subsequent commit, because ... git.
c++tools/ChangeLog:
* Makefile.in: New.
* config.h.in: New.
* configure: New.
* configure.ac: New.
* resolver.cc: New.
* resolver.h: New.
* server.cc: New.
Jakub Jelinek