meson.build has been enabling ASLR _only_ for debug builds since commit d2147e04f95f ("configure: move Windows flags detection to meson", 2022-05-07); instead it was supposed to disable it for debug builds.
However, the flag has been enabled for DLLs upstream for roughly 2 years (https://sourceware.org/bugzilla/show_bug.cgi?id=19011), and also by some distros including Debian for 6 years even (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836365). Enable it unconditionally; we can fix the reversed logic of commit d2147e04f95f later if there are any reports, but for now just enable the hardening. Also add -Wl,--high-entropy-va, which also controls ASLR. Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> --- meson.build | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meson.build b/meson.build index 5c6b5a1c757f..d61c7a82f112 100644 --- a/meson.build +++ b/meson.build @@ -193,10 +193,7 @@ qemu_ldflags += cc.get_supported_link_arguments('-Wl,-z,relro', '-Wl,-z,now') if targetos == 'windows' qemu_ldflags += cc.get_supported_link_arguments('-Wl,--no-seh', '-Wl,--nxcompat') - # Disable ASLR for debug builds to allow debugging with gdb - if get_option('optimization') == '0' - qemu_ldflags += cc.get_supported_link_arguments('-Wl,--dynamicbase') - endif + qemu_ldflags += cc.get_supported_link_arguments('-Wl,--dynamicbase', '-Wl,--high-entropy-va') endif if get_option('gprof') -- 2.38.1