Re: [PATCH v2 6/6] configure: add support for Control-Flow Integrity
From: Paolo Bonzini
Subject: Re: [PATCH v2 6/6] configure: add support for Control-Flow Integrity
Date: Mon, 26 Oct 2020 11:00:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1
On 23/10/20 22:06, Daniele Buono wrote:
> +
> +if test "$cfi" = "yes"; then
> + # Compiler/Linker Flags that needs to be added for cfi:
> + # -fsanitize=cfi-icall to enable control-flow integrity checks on
> + # indirect function calls.
> + # -fsanitize-cfi-icall-generalize-pointers to allow indirect function calls
> + # with pointers of a different type (i.e. pass a void* to a
> + # function that expects a char*). Used in some spots in QEMU,
> + # with compile-time type checks done by macros
> + # -fno-sanitize-trap=cfi-icall, when debug is enabled, to display the
> + # position in the code that triggered a CFI violation
> +
> + # Make sure that LTO is enabled
> + if test "$lto" != "true"; then
> + error_exit "Control Flow Integrity requires Link-Time Optimization (LTO)"
> + fi
> +
> + test_cflag="-fsanitize=cfi-icall -fsanitize-cfi-icall-generalize-pointers"
> + test_ldflag="-fsanitize=cfi-icall"
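Review bot: the debug flag this hunk documents is never probed: the comment lists -fno-sanitize-trap=cfi-icall as the flag added when debugging is enabled, but test_cflag and test_ldflag only carry -fsanitize=cfi-icall and -fsanitize-cfi-icall-generalize-pointers, so a compiler that accepts those two but not the no-trap variant passes this check and fails later in the build; append the flag to both test variables when cfi_debug=yes. The comment on -fsanitize-cfi-icall-generalize-pointers should also say what it costs: it makes every pointer type in a function signature interchangeable for the check, so each indirect call site accepts a wider set of targets than with plain cfi-icall, and the macro-based compile-time type checks mentioned in the comment are what QEMU relies on to cover that gap. Minor: "Flags that needs" should read "Flags that need".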
Can you pass both options to the linker for simplicity?
Unless you need to add the flag to CONFIGURE_CFLAGS/CONFIGURE_LDFLAGS,
please do all the tests in meson instead, it's much simpler to do
something like
if get_option('cfi')
  cfi_flags = ['-fsanitize=cfi-icall',
               '-fsanitize-cfi-icall-generalize-pointers']
  if get_option('cfi_debug')
    cfi_flags += '-fno-sanitize-trap=cfi-icall'
  endif
  if cc.get_supported_arguments(cfi_flags).length() != cfi_flags.length()
    error('...')
  endif
  add_project_arguments(cfi_flags, native: false, language: ['c', 'cpp', 'objc'])
  add_project_link_arguments(cfi_flags, native: false, language: ['c', 'cpp', 'objc'])
endif
> + if test "$cfi_debug" = "yes"; then
> + error_exit "Cannot enable Control Flow Integrity debugging since CFI is
> not enabled"
> + fi
> +fi
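Review bot: the error_exit string at the top of this hunk is split across two lines ("...since CFI is" / "not enabled"); if that break is in the patch rather than an artifact of mail wrapping, put the message on one line or escape the newline so configure does not print a two-line error. The check itself sits in the branch taken when $cfi is not "yes", so passing the debug switch on its own turns into a hard failure rather than an ignored option; if the check is kept at all it should be a warning, not error_exit.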
Generally dependent options are ignored so you can remove this part.
Paolo
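Added example, not code from the QEMU patch or from the reply above: a shell version of the configure-time probe the patch is adding (does this compiler build with LTO plus the cfi-icall flags?), followed by a check that the resulting build really does reject an indirect call through a function pointer of the wrong type. The function names, the scratch files, the CC and CFI_DEBUG variables and the lld fallback are assumptions of this example, not part of QEMU's build system.

```shell
#!/bin/sh
# Added example, not code from the QEMU patch or from the reply above: a
# configure-style probe for clang's cfi-icall support, followed by a check
# that the resulting build really rejects a type-confused indirect call.
# The function names, scratch files and the CFI_DEBUG/CC variables are
# assumptions of this example.

CFI_CFLAGS="-fsanitize=cfi-icall -fsanitize-cfi-icall-generalize-pointers"
# Hand both flags to the linker as well; the LTO link stage needs them.
CFI_LDFLAGS="$CFI_CFLAGS"
# CFI_DEBUG=1 mirrors the patch's cfi_debug switch: report the faulting call
# site (UBSan-style diagnostic) instead of trapping silently.
if [ "${CFI_DEBUG:-0}" = "1" ]; then
    CFI_CFLAGS="$CFI_CFLAGS -fno-sanitize-trap=cfi-icall"
    CFI_LDFLAGS="$CFI_LDFLAGS -fno-sanitize-trap=cfi-icall"
fi

# build_with_cfi CC SRC OUT: compile and link SRC with LTO + cfi-icall.
# clang rejects -fsanitize=cfi-icall without -flto, so -flto is always passed.
build_with_cfi() {
    cc="$1"; src="$2"; out="$3"
    "$cc" -O2 -flto $CFI_CFLAGS -c -o "$out.o" "$src" >/dev/null 2>&1 || return 1
    # LTO needs a linker that understands LLVM bitcode: try the default one,
    # then fall back to lld.
    for ld in "" "-fuse-ld=lld"; do
        if "$cc" -flto $CFI_LDFLAGS $ld -o "$out" "$out.o" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# probe_cfi_flags CC: the configure-time test. Returns 0 when CC can build a
# trivial program with the CFI flags, non-zero otherwise (gcc, an old clang,
# no LTO-capable linker, compiler not installed).
probe_cfi_flags() {
    dir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$dir/t.c"
    if build_with_cfi "$1" "$dir/t.c" "$dir/t"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# demo_cfi_violation CC: build and run a program whose only indirect call
# goes through a pointer of the wrong function type (long(long) invoked as
# int(int)). Pointer generalization does not cover this, so cfi-icall must
# reject it. Returns 0 if the CFI build trapped/aborted, 1 if the call went
# through unchecked or the build itself failed.
demo_cfi_violation() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/v.c" <<'EOF'
typedef void (*anyfn)(void);
static long real(long x) { return x + 1; }
int main(void)
{
    /* volatile hides the target from the optimizer, keeping the call indirect */
    anyfn volatile target = (anyfn)real;
    int (*fp)(int) = (int (*)(int))target;   /* wrong type: real is long(long) */
    return fp(41) == 42 ? 0 : 3;             /* without CFI this returns 0 */
}
EOF
    if ! build_with_cfi "$1" "$dir/v.c" "$dir/v"; then
        rm -rf "$dir"
        return 1
    fi
    # Run in a subshell so the shell's own "Illegal instruction"/"Aborted"
    # message lands in the log file instead of the terminal.
    if ( "$dir/v" ) >/dev/null 2>"$dir/run.log"; then rc=1; else rc=0; fi
    [ "${CFI_DEBUG:-0}" = "1" ] && cat "$dir/run.log" >&2
    rm -rf "$dir"
    return $rc
}

compiler="${CC:-clang}"
if probe_cfi_flags "$compiler"; then
    echo "$compiler: -flto $CFI_CFLAGS accepted"
    if demo_cfi_violation "$compiler"; then
        echo "type-confused indirect call rejected at runtime, as expected"
    else
        echo "WARNING: type-confused indirect call was not caught"
    fi
else
    echo "$compiler: cannot build with -flto $CFI_CFLAGS"
fi
```

Two points the script makes explicit. The probe always compiles and links with -flto, because clang refuses -fsanitize=cfi-icall without it; any build-system check for these flags therefore has to include -flto in the test arguments rather than test the CFI flags on their own. And -fsanitize-cfi-icall-generalize-pointers only collapses pointer parameter and return types: an int(int) call into a long(long) function is still a signature mismatch, so the demo traps (exit by SIGILL) or, with CFI_DEBUG=1, aborts after printing which call site failed the check.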