qemu-devel

Re: [PATCH v2 6/6] configure: add support for Control-Flow Integrity


From: Paolo Bonzini
Subject: Re: [PATCH v2 6/6] configure: add support for Control-Flow Integrity
Date: Mon, 26 Oct 2020 11:00:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1

On 23/10/20 22:06, Daniele Buono wrote:
> +
> +if test "$cfi" = "yes"; then
> +  # Compiler/Linker Flags that needs to be added for cfi:
> +  # -fsanitize=cfi-icall to enable control-flow integrity checks on
> +  #            indirect function calls.
> +  # -fsanitize-cfi-icall-generalize-pointers to allow indirect function calls
> +  #            with pointers of a different type (i.e. pass a void* to a
> +  #            function that expects a char*). Used in some spots in QEMU,
> +  #            with compile-time type checks done by macros
> +  # -fno-sanitize-trap=cfi-icall, when debug is enabled, to display the
> +  #            position in the code that triggered a CFI violation
> +
> +  # Make sure that LTO is enabled
> +  if test "$lto" != "true"; then
> +    error_exit "Control Flow Integrity requires Link-Time Optimization (LTO)"
> +  fi
> +
> +  test_cflag="-fsanitize=cfi-icall -fsanitize-cfi-icall-generalize-pointers"
> +  test_ldflag="-fsanitize=cfi-icall"
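Review bot: the LTO guard `if test "$lto" != "true"` compares against "true" while the options in this hunk and the next (`$cfi`, `$cfi_debug`) compare against "yes"; confirm that `$lto` is really set to "true"/"false" rather than "yes"/"no", otherwise CFI can never be enabled even with LTO on. The comment block also documents -fno-sanitize-trap=cfi-icall for the debug case, but nothing in this hunk adds it to test_cflag or test_ldflag; if that happens later in the file, say so in the comment, and "Flags that needs" should read "flags that need".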

Can you pass both options to the linker for simplicity?

Unless you need to add the flag to CONFIGURE_CFLAGS/CONFIGURE_LDFLAGS,
please do all the tests in meson instead; it's much simpler to do
something like

if get_option('cfi')
  cfi_flags=['-fsanitize=cfi-icall',
             '-fsanitize-cfi-icall-generalize-pointers']
  if get_option('cfi_debug')
    cfi_flags += '-fno-sanitize-trap=cfi-icall'
  endif
  if cc.get_supported_arguments(cfi_flags).length() != cfi_flags.length()
    error('...')
  endif
  add_project_arguments(cfi_flags, native: false, language: ['c', 'cpp', 'objc'])
  add_project_link_arguments(cfi_flags, native: false, language: ['c', 'cpp', 'objc'])
endif

> +  if test "$cfi_debug" = "yes"; then
> +    error_exit "Cannot enable Control Flow Integrity debugging since CFI is 
> not enabled"
> +  fi
> +fi
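Review bot: the error_exit message in this hunk is wrapped across two lines in the mail, which suggests the source line runs past the usual 80-column limit; if the check is kept, split it into two arguments (if error_exit prints each argument on its own line) or shorten it so tooling does not wrap it. The block is also indented as if inside the `if test "$cfi" = "yes"` branch yet reports CFI as not enabled, so the `else` it must sit under is outside the quoted context; including that line in the hunk would make the logic reviewable on its own.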

Generally, dependent options are ignored, so you can remove this part.

Paolo
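As an added illustration (my own script, not QEMU's configure and not code from Paolo's reply), here is a POSIX sh probe that does what the hunk's test_cflag/test_ldflag are for: it compiles and links a trivial program with the LTO and CFI flags from the thread, hands the same flags to both the compile and link step as suggested above, and adds -fno-sanitize-trap=cfi-icall only when the debug variant is requested. The function names and the CC/CFI_DEBUG environment variables are my assumptions.

```shell
#!/bin/sh
# Added example, not QEMU's configure: probe whether a compiler accepts the
# CFI flags from the thread by compiling and linking a tiny program.

cfi_flag_list() {
  # $1: cfi_debug ("yes" or anything else). Prints the flag list.
  # LTO is required because clang's cfi-icall checks are resolved at link time.
  flags="-flto -fsanitize=cfi-icall -fsanitize-cfi-icall-generalize-pointers"
  if [ "${1:-no}" = "yes" ]; then
    # Non-trapping variant: report the violating call site instead of aborting.
    flags="$flags -fno-sanitize-trap=cfi-icall"
  fi
  printf '%s\n' "$flags"
}

probe_cfi_flags() {
  # $1: compiler command, $2: cfi_debug ("yes"/"no").
  # Returns 0 when compile and link both succeed with the flags, 1 otherwise.
  cc="$1"
  flags=$(cfi_flag_list "$2")
  tmpdir=$(mktemp -d) || return 2
  printf 'int main(void) { return 0; }\n' > "$tmpdir/t.c"
  # $flags is deliberately unquoted so it splits into separate arguments.
  # One invocation does compile and link, so the linker sees every flag too.
  if "$cc" $flags -o "$tmpdir/t" "$tmpdir/t.c" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmpdir"
  return $rc
}

# Run directly with CC set (assumed variable), e.g. CC=clang sh probe.sh;
# with CC unset the file only defines the functions.
if [ -n "${CC:-}" ]; then
  if probe_cfi_flags "$CC" "${CFI_DEBUG:-no}"; then
    echo "cfi: supported ($(cfi_flag_list "${CFI_DEBUG:-no}"))"
  else
    echo "cfi: not supported by $CC" >&2
  fi
fi
```

The probe deliberately runs compile and link in one command rather than keeping separate cflag and ldflag lists, which sidesteps the question raised above about which flags the linker needs; a compiler that only supports CFI without the generalize-pointers option, or without the non-trapping mode, is reported as unsupported for that configuration.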
