Hi, On Tue, Jun 27 2023, Marek Polacek wrote: > On Tue, Jun 27, 2023 at 01:39:16PM +0200, Martin Jambor wrote: >> Hello, >> >> On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote: >> > As promised in the --enable-host-pie patch, this patch adds another >> > configure option, --enable-host-bind-now, which adds -z now when linking >> > the compiler executables in order to extend hardening. BIND_NOW with RELRO >> > allows the GOT to be marked RO; this prevents GOT modification attacks. >> > >> > This option does not affect linking of target libraries; you can use >> > LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW. >> > >> > With this patch: >> > $ readelf -Wd cc1{,plus} | grep FLAGS >> > 0x000000000000001e (FLAGS) BIND_NOW >> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE >> > 0x000000000000001e (FLAGS) BIND_NOW >> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE >> > >> > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? >> > >> > c++tools/ChangeLog: >> > >> > * configure.ac (--enable-host-bind-now): New check. >> > * configure: Regenerate. >> > >> > gcc/ChangeLog: >> > >> > * configure.ac (--enable-host-bind-now): New check. Add >> > -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now. >> > * configure: Regenerate. >> > * doc/install.texi: Document --enable-host-bind-now. >> > >> > lto-plugin/ChangeLog: >> > >> > * configure.ac (--enable-host-bind-now): New check. Link with >> > -z,now. >> > * configure: Regenerate. >> >> Our reconfiguration checking script complains about a missing hunk in >> lto-plugin/Makefile.in: >> >> diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in >> index cb568e1e09f..f6f5b020ff5 100644 >> --- a/lto-plugin/Makefile.in >> +++ b/lto-plugin/Makefile.in 
>> @@ -298,6 +298,7 @@ datadir = @datadir@ >> datarootdir = @datarootdir@ >> docdir = @docdir@ >> dvidir = @dvidir@ >> +enable_host_bind_now = @enable_host_bind_now@ >> exec_prefix = @exec_prefix@ >> gcc_build_dir = @gcc_build_dir@ >> get_gcc_base_ver = @get_gcc_base_ver@ >> >> >> I am somewhat puzzled why the line is not missing in any of the other >> Makefile.in files. Can you please check whether that is the only thing >> that is missing (assuming it is actually missing)? > > Arg, once again, I'm sorry. I don't know how this happened. It would > be trivial to fix it but since > > commit 4a48a38fa99f067b8f3a3d1a5dc7a1e602db351f > Author: Eric Botcazou <ebotca...@adacore.com> > Date: Wed Jun 21 18:19:36 2023 +0200 > > ada: Fix build of GNAT tools > > the build with Ada included fails with --enable-host-pie. So that needs > to be fixed first. > > Eric, I'm not asking you to fix that, but I'm curious, what did the > commit above fix? The patch looks correct; I'm just puzzled why I > hadn't seen any build failures. > > The --enable-host-pie patch has been a nightmare :(. >
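Review bot: the added `enable_host_bind_now = @enable_host_bind_now@` line lands in lto-plugin/Makefile.in, which is regenerated output, but the lto-plugin ChangeLog quoted above lists only configure.ac and configure. When the one-line change is committed, add a `* Makefile.in: Regenerate.` entry, and take the line from an automake rerun in lto-plugin rather than from a hand edit, so that the verification script sees no diff.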
No worries, I can see how these things can easily get difficult.

Unfortunately I won't have time to actually look at this in the next 2-3 weeks, so I am inclined to just trust the verification script (which essentially runs autoconf/automake everywhere and then expects no diff) and commit the one-line change.

What do you think, does that make sense (even without looking at why other Makefile.in files did not change)?

Thanks,

Martin
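The readelf check quoted in the patch description can be automated. The following is an added example, not part of the thread or of the GCC patch: it reads the same DT_FLAGS and DT_FLAGS_1 entries plus the PT_GNU_RELRO program header and reports whether a binary has both RELRO and BIND_NOW. The function names are hypothetical, only little-endian ELF64 is handled, and the sample image is constructed.

```python
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def hardening_flags(elf: bytes) -> dict:
    """Report RELRO, BIND_NOW and PIE for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    relro, dyn_off, dyn_size = False, 0, 0
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:  # linker was given -z relro
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    now = pie = False
    for off in range(dyn_off, dyn_off + dyn_size - 15, 16):  # Elf64_Dyn entries
        tag, val = struct.unpack_from("<QQ", elf, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
            now = True  # what readelf prints as "(FLAGS) BIND_NOW"
        elif tag == DT_FLAGS_1:  # readelf: "(FLAGS_1) Flags: NOW PIE"
            now = now or bool(val & DF_1_NOW)
            pie = bool(val & DF_1_PIE)
    return {"relro": relro, "bind_now": now, "pie": pie, "full_relro": relro and now}


def constructed_sample(flags: int, flags_1: int, relro: bool = True) -> bytes:
    """Minimal synthetic ELF64 image (constructed input, not a real binary)."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 176, 176, 48, 48, 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 0, 4, 0, 0, 0, 0, 0, 1)
    dyn = struct.pack("<QQQQQQ", DT_FLAGS, flags, DT_FLAGS_1, flags_1, DT_NULL, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, hardening_flags(fh.read()))
```

Run against cc1 and cc1plus from a build configured with both options, `full_relro` is the field to gate on: BIND_NOW without a PT_GNU_RELRO segment leaves the GOT writable.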