From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org, Peter Maydell <peter.maydell@linaro.org>
Cc: Kevin Wolf <kwolf@redhat.com>, Fam Zheng <fam@euphon.net>,
Eduardo Habkost <ehabkost@redhat.com>,
qemu-block@nongnu.org, Max Reitz <mreitz@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Cleber Rosa <crosa@redhat.com>,
Daniele Buono <dbuono@linux.vnet.ibm.com>
Subject: [PULL 04/12] configure: add flags to support SafeStack
Date: Wed, 24 Jun 2020 11:02:02 +0100 [thread overview]
Message-ID: <20200624100210.59975-5-stefanha@redhat.com> (raw)
In-Reply-To: <20200624100210.59975-1-stefanha@redhat.com>
From: Daniele Buono <dbuono@linux.vnet.ibm.com>
This patch adds a flag to enable/disable the SafeStack instrumentation
provided by LLVM.
On enable, make sure that the compiler supports the flags, and that we
are using the proper coroutine implementation (coroutine-ucontext).
On disable, explicitly disable the option if it was enabled by default.
While SafeStack is supported only on Linux, NetBSD, FreeBSD and macOS,
we are not checking for the O.S. since this is already done by LLVM.
Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com>
Message-id: 20200529205122.714-4-dbuono@linux.vnet.ibm.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
configure | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/configure b/configure
index ba88fd1824..ae8737d5a2 100755
--- a/configure
+++ b/configure
@@ -307,6 +307,7 @@ audio_win_int=""
libs_qga=""
debug_info="yes"
stack_protector=""
+safe_stack=""
use_containers="yes"
gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
@@ -1287,6 +1288,10 @@ for opt do
;;
--disable-stack-protector) stack_protector="no"
;;
+ --enable-safe-stack) safe_stack="yes"
+ ;;
+ --disable-safe-stack) safe_stack="no"
+ ;;
--disable-curses) curses="no"
;;
--enable-curses) curses="yes"
@@ -1829,6 +1834,8 @@ disabled with --disable-FEATURE, default is enabled if available:
debug-tcg TCG debugging (default is disabled)
debug-info debugging information
sparse sparse checker
+ safe-stack SafeStack Stack Smash Protection. Depends on
+ clang/llvm >= 3.7 and requires coroutine backend ucontext.
gnutls GNUTLS cryptography support
nettle nettle cryptography support
@@ -5573,6 +5580,67 @@ if test "$debug_stack_usage" = "yes"; then
fi
fi
+##################################################
+# SafeStack
+
+
+if test "$safe_stack" = "yes"; then
+cat > $TMPC << EOF
+int main(int argc, char *argv[])
+{
+#if ! __has_feature(safe_stack)
+#error SafeStack Disabled
+#endif
+ return 0;
+}
+EOF
+ flag="-fsanitize=safe-stack"
+ # Check that safe-stack is supported and enabled.
+ if compile_prog "-Werror $flag" "$flag"; then
+ # Flag needed both at compilation and at linking
+ QEMU_CFLAGS="$QEMU_CFLAGS $flag"
+ QEMU_LDFLAGS="$QEMU_LDFLAGS $flag"
+ else
+ error_exit "SafeStack not supported by your compiler"
+ fi
+ if test "$coroutine" != "ucontext"; then
+ error_exit "SafeStack is only supported by the coroutine backend ucontext"
+ fi
+else
+cat > $TMPC << EOF
+int main(int argc, char *argv[])
+{
+#if defined(__has_feature)
+#if __has_feature(safe_stack)
+#error SafeStack Enabled
+#endif
+#endif
+ return 0;
+}
+EOF
+if test "$safe_stack" = "no"; then
+ # Make sure that safe-stack is disabled
+ if ! compile_prog "-Werror" ""; then
+ # SafeStack was already enabled, try to explicitly remove the feature
+ flag="-fno-sanitize=safe-stack"
+ if ! compile_prog "-Werror $flag" "$flag"; then
+ error_exit "Configure cannot disable SafeStack"
+ fi
+ QEMU_CFLAGS="$QEMU_CFLAGS $flag"
+ QEMU_LDFLAGS="$QEMU_LDFLAGS $flag"
+ fi
+else # "$safe_stack" = ""
+ # Set safe_stack to yes or no based on pre-existing flags
+ if compile_prog "-Werror" ""; then
+ safe_stack="no"
+ else
+ safe_stack="yes"
+ if test "$coroutine" != "ucontext"; then
+ error_exit "SafeStack is only supported by the coroutine backend ucontext"
+ fi
+ fi
+fi
+fi
##########################################
# check if we have open_by_handle_at
@@ -6765,6 +6833,7 @@ echo "sparse enabled $sparse"
echo "strip binaries $strip_opt"
echo "profiler $profiler"
echo "static build $static"
+echo "safe stack $safe_stack"
if test "$darwin" = "yes" ; then
echo "Cocoa support $cocoa"
fi
@@ -8370,6 +8439,10 @@ if test "$ccache_cpp2" = "yes"; then
echo "export CCACHE_CPP2=y" >> $config_host_mak
fi
+if test "$safe_stack" = "yes"; then
+ echo "CONFIG_SAFESTACK=y" >> $config_host_mak
+fi
+
# If we're using a separate build tree, set it up now.
# DIRS are directories which we simply mkdir in the build tree;
# LINKS are things to symlink back into the source tree
--
2.26.2
next prev parent reply other threads:[~2020-06-24 10:05 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-24 10:01 [PULL 00/12] Block patches Stefan Hajnoczi
2020-06-24 10:01 ` [PULL 01/12] minikconf: explicitly set encoding to UTF-8 Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 02/12] coroutine: support SafeStack in ucontext backend Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 03/12] coroutine: add check for SafeStack in sigaltstack Stefan Hajnoczi
2020-06-24 10:02 ` Stefan Hajnoczi [this message]
2020-06-24 10:02 ` [PULL 05/12] check-block: enable iotests with SafeStack Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 06/12] block/nvme: poll queues without q->lock Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 07/12] block/nvme: drop tautologous assertion Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 08/12] block/nvme: don't access CQE after moving cq.head Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 09/12] block/nvme: switch to a NVMeRequest freelist Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 10/12] block/nvme: clarify that free_req_queue is protected by q->lock Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 11/12] block/nvme: keep BDRVNVMeState pointer in NVMeQueuePair Stefan Hajnoczi
2020-06-24 10:02 ` [PULL 12/12] block/nvme: support nested aio_poll() Stefan Hajnoczi
2020-06-25 13:31 ` [PULL 00/12] Block patches Peter Maydell
2020-06-26 10:25 ` Stefan Hajnoczi
2020-06-26 10:49 ` Peter Maydell
2020-06-26 13:01 ` Stefan Hajnoczi
2020-06-26 15:54 ` Peter Maydell
2020-07-07 15:28 ` Philippe Mathieu-Daudé
2020-07-07 22:05 ` Eduardo Habkost
2020-07-09 15:02 ` Kevin Wolf
2020-07-09 18:41 ` Eduardo Habkost
2020-07-10 8:36 ` Kevin Wolf
2020-07-16 12:40 ` Peter Maydell
2020-07-16 13:29 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200624100210.59975-5-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=crosa@redhat.com \
--cc=dbuono@linux.vnet.ibm.com \
--cc=ehabkost@redhat.com \
--cc=fam@euphon.net \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.