As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.
This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
c++tools/ChangeLog:
* configure.ac (--enable-host-bind-now): New check.
* configure: Regenerate.
gcc/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Add
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-bind-now.
lto-plugin/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Link with
-z,now.
* configure: Regenerate.
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
I plan to add an option to link with -Wl,-z,now.
ChangeLog:
* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
isl.
* Makefile.in: Regenerate.
* Makefile.tpl: Set PICFLAG.
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
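As an added illustration (not part of these commits or of GCC), the following Python check reports the three properties the --enable-host-bind-now and --enable-host-pie commits above target: PIE, a PT_GNU_RELRO segment, and BIND_NOW. It handles only little-endian ELF64 and assumes the linker marks -pie output with DF_1_PIE; `hardening` and `sample_elf` are hypothetical names, and the sample images are constructed.

```python
import struct

# ELF constants from the gABI and GNU extensions.
ET_EXEC, ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening(elf: bytes) -> dict:
    """Report PIE, RELRO and BIND_NOW for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = now = pie_flag = False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _, p_offset = struct.unpack_from("<IIQ", elf, base)
        (p_filesz,) = struct.unpack_from("<Q", elf, base + 32)
        if p_type == PT_GNU_RELRO:      # emitted by -z relro
            relro = True
        elif p_type == PT_DYNAMIC:      # walk the Elf64_Dyn entries
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", elf, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    now = True          # -z now
                elif tag == DT_FLAGS_1:
                    now = now or bool(val & DF_1_NOW)
                    pie_flag = bool(val & DF_1_PIE)
    # Assumption: the linker marks -pie output with DF_1_PIE; a shared
    # library is also ET_DYN but lacks the flag.
    return {"pie": e_type == ET_DYN and pie_flag, "bind_now": now,
            "relro": "full" if relro and now else "partial" if relro else "none"}

def sample_elf(e_type, dyn, relro=True):
    """Constructed image: ELF header, program headers and .dynamic only."""
    dyn_bytes = b"".join(struct.pack("<QQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ptypes = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(ptypes)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0,
                                 len(dyn_bytes), len(dyn_bytes), 8) for t in ptypes)
    return hdr + phdrs + dyn_bytes

if __name__ == "__main__":
    print(hardening(sample_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])))
```

Passing the bytes of a built cc1plus or g++-mapper-server to `hardening` shows whether the two configure options took effect; "partial" means PT_GNU_RELRO is present but lazy binding leaves part of the GOT writable.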
Some versions of the BSD getaddrinfo() call do not work with the specific
input of "0" for the servname entry (a segv results). Since we are making
the call with a dummy port number, the value is actually not important, other
than it should be in range. Work around the BSD bug by using "1" instead.
Signed-off-by: Iain Sandoe <iain@sandoe.co.uk>
c++tools/ChangeLog:
* server.cc (accept_from): Use "1" as the dummy port number.
The allocated memory is not freed when returning early due to an error.
c++tools/ChangeLog:
* resolver.cc (module_resolver::read_tuple_file): Use unique_ptr
to ensure memory is freed before returning.
This just replies with "OK".
c++tools/ChangeLog:
* resolver.cc (module_resolver::ModuleCompiledRequest):
Add a simple handler.
* resolver.h: Declare handler for ModuleCompiledRequest.
The c++tools configure fragments need to be built with a C++ compiler.
In addition, the stand-alone server uses diagnostic mechanisms in common
with GCC, but needs to define implementations for gcc_assert and
supporting output functions.
Signed-off-by: Iain Sandoe <iain@sandoe.co.uk>
PR c++/98821 - modules : c++tools configures with CC but code fragments assume CXX.
PR c++/98821
c++tools/ChangeLog:
* config.h.in: Regenerate.
* configure: Regenerate.
* configure.ac: Configure using C++. Pull logic to
detect enabled checking modes; default to release
checking.
* server.cc (AI_NUMERICSERV): Define a fallback value.
(gcc_assert): New.
(gcc_unreachable): New.
(fancy_abort): Only build when checking is enabled.
Co-authored-by: Jakub Jelinek <jakub@redhat.com>
This TU uses exit, but doesn't include <stdlib.h> or <cstdlib> and relies
on some other header to include it indirectly, which apparently doesn't
happen on reporter's host.
The other <c*> headers aren't guarded either and we rely on a compiler
capable of C++11, so maybe we can rely on <cstdlib> being around
unconditionally.
2021-05-25 Jakub Jelinek <jakub@redhat.com>
PR bootstrap/100731
* server.cc: Include <cstdlib>.
While looking at PR100731, I have noticed the copyright years are 2020-ish
only. This patch adds it to update-copyright.py and updates those.
2021-05-25 Jakub Jelinek <jakub@redhat.com>
contrib/
* update-copyright.py: Add c++tools.
c++tools/
* Makefile.in: Update copyright year.
* configure.ac: Likewise.
* resolver.cc: Likewise.
* resolver.h: Likewise.
* server.cc: Likewise.
(print_version): Update copyright notice date.
c++tools/ChangeLog:
* Makefile.in: Include also ../gcc folder.
gcc/ChangeLog:
* Makefile.in: Rename gcov-iov to genversion and depend
on version.h (instead of gcov-iov.h).
* gcov-io.h: Include version.h instead of gcov-iov.h.
* gengtype-state.c (read_state_version): Likewise.
* gcov-iov.c: Moved to...
* genversion.c: ...here.
* lto-streamer.h (LTO_major_version): Define it with
GCC_major_version.
* version.c: Removed.
* version.h: Removed.
libgcc/ChangeLog:
* libgcov-driver.c (gcov_version): Use different name that does
not clash with newly introduced macro.
It appears that many targets include the map header transitively in
other std headers included from system.h. However there are some
editions of clang/libc++ in Xcode that do not, which results in a
bootstrap fail - since when resolver.h is included there is then a
conflict in declaring abort().
The fix is to ensure that map is pulled in by system.h and before
resolver.h is included. As a precautionary measure and to alert
anyone perhaps adding another header to resolver.h this patch also
gates the direct includes there on !IN_GCC.
c++tools/ChangeLog:
* resolver.h: Do not include std headers directly when
building in GCC.
gcc/cp/ChangeLog:
* mapper-client.cc (INCLUDE_MAP): New; require map to be
included from system.h.
* mapper-resolver.cc (INCLUDE_MAP): Likewise.
PR98318 also pointed out that the NETWORKING #define was being checked
with both #if and #ifdef. Let's consistently use one form.
c++tools/
* server.cc: Use #if NETWORKING not #ifdef, to be consistent
with elsewhere.
With the introduction of C++20 modules and libcody, cc1plus and
cc1objplus gained a dependency on the socket functions. Before those
were merged into libc in Solaris 11.4, one needed to link with -lsocket -lnsl
on Solaris, so that merge broke the Solaris 11.3 build.
While we already have 4 different checks for those libraries in the
tree, I decided to import autoconf-archive's AX_LIB_SOCKET_NSL macro
instead. At the same time, the patch only links libcody and the
networking libs where needed (cc1plus, cc1objplus).
Bootstrapped without regressions on i386-pc-solaris2.11 (Solaris 11.3
and 11.4), sparc-sun-solaris2.11, and x86_64-pc-linux-gnu.
2020-12-16 Rainer Orth <ro@CeBiTec.Uni-Bielefeld.DE>
c++tools:
PR c++/98316
* configure.ac: Include ../config/ax_lib_socket_nsl.m4.
(NETLIBS): Determine using AX_LIB_SOCKET_NSL.
* configure: Regenerate.
* Makefile.in (NETLIBS): Define.
(g++-mapper-server$(exeext)): Add $(NETLIBS).
gcc/objcp:
PR c++/98316
* Make-lang.in (cc1objplus$(exeext)): Add $(CODYLIB), $(NETLIBS).
gcc/cp:
PR c++/98316
* Make-lang.in (cc1plus$(exeext)): Add $(CODYLIB), $(NETLIBS).
gcc:
PR c++/98316
* configure.ac (NETLIBS): Determine using AX_LIB_SOCKET_NSL.
* aclocal.m4, configure: Regenerate.
* Makefile.in (NETLIBS): Define.
(BACKEND): Remove $(CODYLIB).
config:
PR c++/98316
* ax_lib_socket_nsl.m4: Import from autoconf-archive.
This adds --enable-default-pie support to c++tools, so that the sample
server is built -fPIE if requested.
PR bootstrap/98324
c++tools/
* Makefile.in: Add FLAGPIE.
* configure.ac: Add --enable-default-pie support.
* configure: Rebuilt.
I had a thinko about variable case, and, coupled with Make's behaviour
of just consing up variables out of nothing, and linux not having an
executable extension, didn't notice.
PR other/98409
c++tools/
* Makefile.in: Fix exeext variable case.
When breaking out the sample server from the gcc/cp directory, it lost
its check for mmap, and the sample resolver just assumed it was there.
Fixed thusly. The non-mapping paths in module.cc weren't (recently)
exercised, and led to a signedness warning. Finally I'd missed
c++tools's config.h.in in the gcc_update script. There I took the
opportunity of adding a 'tools' segment of the dependency lists.
PR bootstrap/98300
contrib/
* gcc_update: Add c++tools/config.h.in.
c++tools/
* configure.ac: Check for sys/mman.h.
* resolver.cc: Don't assume mmap, O_CLOEXEC are available. Use
xmalloc.
* config.h.in: Regenerated.
* configure: Regenerated.
gcc/cp/
* module.cc: Fix ::read, ::write result signedness comparisons.
Seems c++tools doesn't honor --with-gcc-major-version-only.
Our distro uses that flag and so everything is installed in
/usr/lib/gcc/<target>/11/...
/usr/libexec/gcc/<target>/11/...
except
/usr/libexec/gcc/<target>/11.0.0/g++-mapper-server
The following patch should fix that.
2020-12-17 Jakub Jelinek <jakub@redhat.com>
* configure.ac: Add GCC_BASE_VER.
* Makefile.in (version): Remove variable.
(gcc_version): New variable.
(libexecsubdir): Use $(gcc_version) instead of $(version).
* configure: Regenerated.
I'd missed an install-strip rule in c++tools. Here it is, cribbed
from gcc/ subdir.
c++tools/
* Makefile.in (INSTALL): Replace with ...
(INSTALL_PROGRAM): ... this.
(INSTALL_STRIP_PROGRAM): New.
(install-strip): New target.
(install): Use INSTALL_PROGRAM.
* configure.ac: Add INSTALL_PROGRAM.
* configure: Regenerated.
Part of our module implementation adds a sample mapper server, the
guts of which are used by the default in-process mapping of cc1plus.
Rather than add another executable to gcc/cp/, this creates a new
c++tools directory where this and any other c++ tools might live.
The toplevel changes are a subsequent commit, because ... git.
c++tools/ChangeLog:
* Makefile.in: New.
* config.h.in: New.
* configure: New.
* configure.ac: New.
* resolver.cc: New.
* resolver.h: New.
* server.cc: New.