1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
|
--- gcc/gcc/config/linux.h.piedef~ 2005-03-01 17:18:15 +0100
+++ gcc/gcc/config/linux.h 2005-03-01 17:21:52 +0100
@@ -38,8 +38,12 @@
provides part of the support for getting C++ file-scope static
object constructed before entering `main'. */
+#undef HARDENED_STARTFILE_SPEC
#undef STARTFILE_SPEC
-#if defined HAVE_LD_PIE
+#ifdef HAVE_LD_PIE
+#define HARDENED_STARTFILE_SPEC \
+ "%{!shared: %{pg|p|profile:gcrt1.o%s;static|nopie:crt1.o%s;:Scrt1.o%s}} \
+ crti.o%s %{static:crtbeginT.o%s;nopie:crtbegin.o%s;:crtbeginS.o%s}"
#define STARTFILE_SPEC \
"%{!shared: %{pg|p|profile:gcrt1.o%s;pie:Scrt1.o%s;:crt1.o%s}} \
crti.o%s %{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}"
@@ -55,8 +59,11 @@
object constructed before entering `main', followed by a normal
GNU/Linux "finalizer" file, `crtn.o'. */
+#undef HARDENED_ENDFILE_SPEC
#undef ENDFILE_SPEC
#ifdef HAVE_LD_PIE
+#define HARDENED_ENDFILE_SPEC \
+ "%{static|nopie:crtend.o%s;:crtendS.o%s} crtn.o%s"
#define ENDFILE_SPEC \
"%{shared|pie:crtendS.o%s;:crtend.o%s} crtn.o%s"
#else
--- gcc/gcc/gcc.c.piedef~ 2005-03-01 17:18:15 +0100
+++ gcc/gcc/gcc.c 2005-03-01 17:19:59 +0100
@@ -86,6 +86,15 @@
#include "gcc.h"
#include "flags.h"
+#include "pie-ssp-setup.h"
+#include "pie-ssp-modus.h"
+#include "pie-ssp-chain.h"
+
+#if !( defined(EFAULT_PIE) || defined(EFAULT_PIE_SSP) )
+#undef HARDENED_STARTFILE_SPEC
+#undef HARDENED_ENDFILE_SPEC
+#endif
+
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
@@ -734,8 +747,16 @@
static const char *mfwrap_spec = MFWRAP_SPEC;
static const char *mflib_spec = MFLIB_SPEC;
static const char *libgcc_spec = LIBGCC_SPEC;
+#ifdef HARDENED_ENDFILE_SPEC
+static const char *endfile_spec = HARDENED_ENDFILE_SPEC;
+#else
static const char *endfile_spec = ENDFILE_SPEC;
+#endif
+#ifdef HARDENED_STARTFILE_SPEC
+static const char *startfile_spec = HARDENED_STARTFILE_SPEC;
+#else
static const char *startfile_spec = STARTFILE_SPEC;
+#endif
static const char *switches_need_spaces = SWITCHES_NEED_SPACES;
static const char *linker_name_spec = LINKER_NAME;
static const char *link_command_spec = LINK_COMMAND_SPEC;
--- gcc/gcc/pie-ssp-chain.h.piedef~ 2005-03-01 17:19:59 +0100
+++ gcc/gcc/pie-ssp-chain.h 2005-03-01 17:19:59 +0100
@@ -0,0 +1,77 @@
+#ifndef LINUX_PIE_SSP_CHAIN_H
+#define LINUX_PIE_SSP_CHAIN_H
+
+/*
+ * cc1:
+ ****************************************************************************
+ * C compiler generating code - for nonintel arches fpic/fPIC is not the same
+ * Thu Feb 5 22:32:02 CET 2004 -fpie is causing TEXT relocations in binaries
+ *
+ * -fPIE/-fpie may not be used, it produces unusable objects for shared libs
+ * if it becomes usable, then -fPIE should be used instead of -fpie (arch dep)
+ *
+ * we take care now not using -fPIE on shared libs, by checking for -fPIC/fpic
+ ****************************************************************************
+ */
+
+#define CC1_PIE "%{!fPIC:%{!fpic:-fPIE}}"
+
+#define CC1_SSP "-fstack-protector"
+#define CC1_SSP_ALL "%{!fno-stack-protector-all:-fstack-protector-all}"
+#define CC1_SSP_DUMMY "%{fstack-protector:} %{fno-stack-protector:} %{fstack-protector-all:} %{fno-stack-protector-all:}"
+
+#if ! ( defined ( __hppa__ ) || defined ( USE_HTB ) )
+#define HARDENED_SSP_SPEC_SUFFIX SSP_CHAIN_EXCLUDE( STD_SSP_TRIGGER( CC1_SSP " " SSP_LIBC_EXCLUDE(CC1_SSP_ALL) ) )
+#else
+#define HARDENED_SSP_SPEC_SUFFIX CC1_SSP_DUMMY
+#endif
+
+#define HARDENED_CC1_SPEC_SUFFIX STD_CHAIN_EXCLUDE( CC1_CHAIN_EXCLUDE( STD_PIE_TRIGGER(CC1_PIE) ) " " HARDENED_SSP_SPEC_SUFFIX )
+
+/*
+ * startfile:
+ * we have 4 types of archs:
+ * default: x86[_64]/mips/parisc
+ * not using profile: alpha/rs6000/sparc[64]
+ * not using crtbeginT.o for static: arm/ia64
+ * having some addon: rs6000(mnewlib)
+ */
+
+/*
+ * endfile:
+ * we have 3 types of archs:
+ * default: x86[_64]/mips/parisc
+ * fastmath addon: alpha/ia64/sparc[64]
+ * having some other addon: rs6000(mnewlib)
+ */
+
+/* special cases: rs6000 uses STARTFILE_LINUX_SPEC/ENDFILE_LINUX_SPEC */
+
+/* the above variety explains why the startfile/endfile sections are moved directly to gcc */
+
+/*
+ * link:
+ *****************************************************************************
+ * building of position independent executables is enabled by binutils:ld -pie
+ * use the x86 Redhat branch update provided support for LINK_PIE_SPEC section
+ *****************************************************************************
+ */
+
+#define LINKSEC_PIE_LNK "-pie"
+
+#define LINKSEC_RELRO_LNK "-z relro"
+
+#define LINKSEC_NOW_LNK "-z now"
+
+/* disable default */
+#ifdef LINK_PIE_SPEC
+#undef LINK_PIE_SPEC
+#endif
+
+#ifdef HAVE_LD_PIE
+#define LINK_PIE_SPEC STD_PIE_TRIGGER( LNK_CHAIN_EXCLUDE( PIE_CHAIN_EXCLUDE(LINKSEC_PIE_LNK) ) ) " " OPP_PIE_TRIGGER() " " STD_RELRO_TRIGGER(LINKSEC_RELRO_LNK) " " OPP_RELRO_TRIGGER() " " STD_NOW_TRIGGER(LINKSEC_NOW_LNK) " " OPP_NOW_TRIGGER()
+#else
+#error we need ld w/ -pie support
+#endif
+
+#endif /* LINUX_PIE_SSP_CHAIN_H */
--- gcc/gcc/pie-ssp-modus.h.piedef~ 2005-03-01 17:19:59 +0100
+++ gcc/gcc/pie-ssp-modus.h 2005-03-01 17:19:59 +0100
@@ -0,0 +1,127 @@
+#ifndef LINUX_PIE_SSP_MODUS_H
+#define LINUX_PIE_SSP_MODUS_H
+
+/*
+ * The enabler and inverse is used for the proper inclusion of the
+ * startfile and endfile chaining of the crt1, crtbegin and crtend
+ * to use caution not issuing zero or double occurrences of object
+ * in the respective sections of the currently utilized definition
+ */
+
+/*
+ ****************************************************************
+ * set up the trigger logic for stack smashing protector with CC1
+ ****************************************************************
+ */
+
+#if defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP )
+
+#define STD_SSP_TRIGGER(flag) \
+ NSPEC("fno-stack-protector", \
+ flag \
+ )
+
+#else /* defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP ) */
+
+#define STD_SSP_TRIGGER(flag) \
+ PSPEC("fstack-protector", \
+ flag \
+ )
+
+#endif /* defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP ) */
+
+/*
+ ****************************************************************
+ * define the trigger logic for setting up position independence
+ ****************************************************************
+ */
+
+#if defined ( EFAULT_PIE ) || defined ( EFAULT_PIE_SSP )
+
+#define STD_PIE_TRIGGER(flag) \
+ NSPEC("nopie", \
+ flag \
+ )
+
+#define INV_PIE_TRIGGER(flag) \
+ PSPEC("nopie", \
+ flag \
+ )
+
+#define OPP_PIE_TRIGGER(flag) \
+ PSPEC("pie", \
+ flag \
+ )
+
+#else /* defined ( DEFAULT_PIE ) || defined ( EFAULT_PIE_SSP) */
+
+#define STD_PIE_TRIGGER(flag) \
+ PSPEC("pie", \
+ flag \
+ )
+
+#define INV_PIE_TRIGGER(flag) \
+ NSPEC("pie", \
+ flag \
+ )
+
+#define OPP_PIE_TRIGGER(flag) \
+ PSPEC("nopie", \
+ flag \
+ )
+
+#endif /* defined ( EFAULT_PIE ) || defined ( EFAULT_PIE_SSP ) */
+
+#if defined ( EFAULT_RELRO )
+
+#define STD_RELRO_TRIGGER(flag) \
+ NSPEC("norelro", \
+ flag \
+ )
+
+#define OPP_RELRO_TRIGGER(flag) \
+ PSPEC("relro", \
+ flag \
+ )
+
+#else /* defined ( EFAULT_RELRO ) */
+
+#define STD_RELRO_TRIGGER(flag) \
+ PSPEC("relro", \
+ flag \
+ )
+
+#define OPP_RELRO_TRIGGER(flag) \
+ PSPEC("norelro", \
+ flag \
+ )
+
+#endif /* defined ( EFAULT_RELRO ) */
+
+#if defined ( EFAULT_BIND_NOW )
+
+#define STD_NOW_TRIGGER(flag) \
+ NSPEC("nonow", \
+ flag \
+ )
+
+#define OPP_NOW_TRIGGER(flag) \
+ PSPEC("now", \
+ flag \
+ )
+
+#else /* EFAULT_BIND_NOW */
+
+#define STD_NOW_TRIGGER(flag) \
+ PSPEC("now", \
+ flag \
+ )
+
+#define OPP_NOW_TRIGGER(flag) \
+ PSPEC("nonow", \
+ flag \
+ )
+
+#endif /* EFAULT_BIND_NOW */
+
+#endif /* LINUX_PIE_SSP_MODUS_H */
--- gcc/gcc/pie-ssp-setup.h.piedef~ 2005-03-01 17:19:59 +0100
+++ gcc/gcc/pie-ssp-setup.h 2005-03-01 17:19:59 +0100
@@ -0,0 +1,84 @@
+#ifndef LINUX_PIE_SSP_SETUP_H
+#define LINUX_PIE_SSP_SETUP_H
+
+/* ********************************************************************************** */
+/* definition of macros and functions needed for constructing the specs file sections */
+/* ********************************************************************************** */
+
+#define PSPEC(a,b) "%{"a": "b"} "
+
+#define NSPEC(a,b) "%{!"a": "b"} "
+
+/*
+ * standard exclusion
+ * disables -fPIE
+ * disables SSP
+ * applies to cc1
+ */
+#define STD_CHAIN_EXCLUDE(flag) \
+ NSPEC("D__KERNEL__", \
+ flag \
+ )
+
+/*
+ * link section exclusion
+ * disables -fPIE
+ * ibcs not added (yet)
+ * applies to cc1 and link_command
+ */
+#define PIE_LNK_CHAIN_EXCLUDE(flag) \
+ NSPEC("static", \
+ flag \
+ )
+
+/* pic exclusion, applies to cc1 */
+#define PIC_CHAIN_EXCLUDE(flag) \
+ NSPEC("fno-PIC", \
+ NSPEC("fno-pic", \
+ flag \
+ ))
+
+/*
+ * pie exclusion
+ * disables -fPIE and -pie
+ * applies to cc1 and link_command
+ */
+#define PIE_CHAIN_EXCLUDE(flag) \
+ NSPEC("shared", \
+ NSPEC("nostdlib", \
+ NSPEC("nostartfiles", \
+ NSPEC("fno-PIE", \
+ NSPEC("fno-pie", \
+ flag \
+ )))))
+
+/*
+ * pie exclusion
+ * disables -pie
+ * applies to link_command
+ */
+#define LNK_GEN_CHAIN_EXCLUDE(flag) \
+ NSPEC("A", \
+ flag \
+ )
+
+#define CC1_CHAIN_EXCLUDE(flag) PIE_LNK_CHAIN_EXCLUDE( PIC_CHAIN_EXCLUDE( PIE_CHAIN_EXCLUDE(flag) ) )
+#define LNK_CHAIN_EXCLUDE(flag) PIE_LNK_CHAIN_EXCLUDE( LNK_GEN_CHAIN_EXCLUDE(flag) )
+
+/*
+ * ssp exclusion
+ * disables SSP
+ * applies to cc1
+ */
+#define SSP_CHAIN_EXCLUDE(flag) \
+ NSPEC("nostdlib", \
+ flag \
+ )
+
+#define SSP_LIBC_EXCLUDE(flag) \
+ NSPEC("D_LIBC", \
+ NSPEC("D_LIBC_REENTRANT", \
+ flag \
+ ))
+
+#endif /* LINUX_PIE_SSP_SETUP_H */
|
GitWeb