Commit 1e4f6065 authored by Daniele Buono's avatar Daniele Buono Committed by Stefan Hajnoczi
Browse files

configure: add flags to support SafeStack 



This patch adds a flag to enable/disable the SafeStack instrumentation
provided by LLVM.

On enable, make sure that the compiler supports the flags, and that we
are using the proper coroutine implementation (coroutine-ucontext).
On disable, explicitly disable the option if it was enabled by default.

While SafeStack is supported only on Linux, NetBSD, FreeBSD and macOS,
we are not checking for the O.S. since this is already done by LLVM.

Signed-off-by: default avatarDaniele Buono <dbuono@linux.vnet.ibm.com>
Message-id: 20200529205122.714-4-dbuono@linux.vnet.ibm.com
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
parent ff76097a

configure

+73 −0
Original line number Diff line number Diff line
@@ -307,6 +307,7 @@ audio_win_int="" 
libs_qga=""

debug_info="yes"

stack_protector=""

safe_stack=""

use_containers="yes"

gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
@@ -1287,6 +1288,10 @@ for opt do 
  ;;

  --disable-stack-protector) stack_protector="no"

  ;;

  --enable-safe-stack) safe_stack="yes"

  ;;

  --disable-safe-stack) safe_stack="no"

  ;;

  --disable-curses) curses="no"

  ;;

  --enable-curses) curses="yes"
@@ -1829,6 +1834,8 @@ disabled with --disable-FEATURE, default is enabled if available: 
  debug-tcg       TCG debugging (default is disabled)

  debug-info      debugging information

  sparse          sparse checker

  safe-stack      SafeStack Stack Smash Protection. Depends on

                  clang/llvm >= 3.7 and requires coroutine backend ucontext.



  gnutls          GNUTLS cryptography support

  nettle          nettle cryptography support
@@ -5573,6 +5580,67 @@ if test "$debug_stack_usage" = "yes"; then 
  fi

fi



##################################################

# SafeStack





if test "$safe_stack" = "yes"; then

cat > $TMPC << EOF

int main(int argc, char *argv[])

{

#if ! __has_feature(safe_stack)

#error SafeStack Disabled

#endif

    return 0;

}

EOF

  flag="-fsanitize=safe-stack"

  # Check that safe-stack is supported and enabled.

  if compile_prog "-Werror $flag" "$flag"; then

    # Flag needed both at compilation and at linking

    QEMU_CFLAGS="$QEMU_CFLAGS $flag"

    QEMU_LDFLAGS="$QEMU_LDFLAGS $flag"

  else

    error_exit "SafeStack not supported by your compiler"

  fi

  if test "$coroutine" != "ucontext"; then

    error_exit "SafeStack is only supported by the coroutine backend ucontext"

  fi

else

cat > $TMPC << EOF

int main(int argc, char *argv[])

{

#if defined(__has_feature)

#if __has_feature(safe_stack)

#error SafeStack Enabled

#endif

#endif

    return 0;

}

EOF

if test "$safe_stack" = "no"; then

  # Make sure that safe-stack is disabled

  if ! compile_prog "-Werror" ""; then

    # SafeStack was already enabled, try to explicitly remove the feature

    flag="-fno-sanitize=safe-stack"

    if ! compile_prog "-Werror $flag" "$flag"; then

      error_exit "Configure cannot disable SafeStack"

    fi

    QEMU_CFLAGS="$QEMU_CFLAGS $flag"

    QEMU_LDFLAGS="$QEMU_LDFLAGS $flag"

  fi

else # "$safe_stack" = ""

  # Set safe_stack to yes or no based on pre-existing flags

  if compile_prog "-Werror" ""; then

    safe_stack="no"

  else

    safe_stack="yes"

    if test "$coroutine" != "ucontext"; then

      error_exit "SafeStack is only supported by the coroutine backend ucontext"

    fi

  fi

fi

fi



##########################################

# check if we have open_by_handle_at
@@ -6765,6 +6833,7 @@ echo "sparse enabled $sparse" 
echo "strip binaries    $strip_opt"

echo "profiler          $profiler"

echo "static build      $static"

echo "safe stack        $safe_stack"

if test "$darwin" = "yes" ; then

    echo "Cocoa support     $cocoa"

fi
@@ -8370,6 +8439,10 @@ if test "$ccache_cpp2" = "yes"; then 
  echo "export CCACHE_CPP2=y" >> $config_host_mak

fi



if test "$safe_stack" = "yes"; then

  echo "CONFIG_SAFESTACK=y" >> $config_host_mak

fi



# If we're using a separate build tree, set it up now.

# DIRS are directories which we simply mkdir in the build tree;

# LINKS are things to symlink back into the source tree