configure: add flags to support SafeStack

This patch adds a flag to enable/disable the SafeStack instrumentation
provided by LLVM.

On enable, make sure that the compiler supports the flags, and that we
are using the proper coroutine implementation (coroutine-ucontext).
On disable, explicitly disable the option if it was enabled by default.

While SafeStack is supported only on Linux, NetBSD, FreeBSD and macOS,
we are not checking for the O.S. since this is already done by LLVM.

Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com>
Message-id: 20200529205122.714-4-dbuono@linux.vnet.ibm.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This commit is contained in:
Daniele Buono 2020-05-29 16:51:21 -04:00 committed by Stefan Hajnoczi
parent ff76097ad8
commit 1e4f6065da

73
configure vendored
View File

@ -307,6 +307,7 @@ audio_win_int=""
libs_qga="" libs_qga=""
debug_info="yes" debug_info="yes"
stack_protector="" stack_protector=""
safe_stack=""
use_containers="yes" use_containers="yes"
gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb") gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
@ -1287,6 +1288,10 @@ for opt do
;; ;;
--disable-stack-protector) stack_protector="no" --disable-stack-protector) stack_protector="no"
;; ;;
--enable-safe-stack) safe_stack="yes"
;;
--disable-safe-stack) safe_stack="no"
;;
--disable-curses) curses="no" --disable-curses) curses="no"
;; ;;
--enable-curses) curses="yes" --enable-curses) curses="yes"
@ -1829,6 +1834,8 @@ disabled with --disable-FEATURE, default is enabled if available:
debug-tcg TCG debugging (default is disabled) debug-tcg TCG debugging (default is disabled)
debug-info debugging information debug-info debugging information
sparse sparse checker sparse sparse checker
safe-stack SafeStack Stack Smash Protection. Depends on
clang/llvm >= 3.7 and requires coroutine backend ucontext.
gnutls GNUTLS cryptography support gnutls GNUTLS cryptography support
nettle nettle cryptography support nettle nettle cryptography support
@ -5573,6 +5580,67 @@ if test "$debug_stack_usage" = "yes"; then
fi fi
fi fi
##################################################
# SafeStack
if test "$safe_stack" = "yes"; then
cat > $TMPC << EOF
int main(int argc, char *argv[])
{
#if ! __has_feature(safe_stack)
#error SafeStack Disabled
#endif
return 0;
}
EOF
flag="-fsanitize=safe-stack"
# Check that safe-stack is supported and enabled.
if compile_prog "-Werror $flag" "$flag"; then
# Flag needed both at compilation and at linking
QEMU_CFLAGS="$QEMU_CFLAGS $flag"
QEMU_LDFLAGS="$QEMU_LDFLAGS $flag"
else
error_exit "SafeStack not supported by your compiler"
fi
if test "$coroutine" != "ucontext"; then
error_exit "SafeStack is only supported by the coroutine backend ucontext"
fi
else
cat > $TMPC << EOF
int main(int argc, char *argv[])
{
#if defined(__has_feature)
#if __has_feature(safe_stack)
#error SafeStack Enabled
#endif
#endif
return 0;
}
EOF
if test "$safe_stack" = "no"; then
# Make sure that safe-stack is disabled
if ! compile_prog "-Werror" ""; then
# SafeStack was already enabled, try to explicitly remove the feature
flag="-fno-sanitize=safe-stack"
if ! compile_prog "-Werror $flag" "$flag"; then
error_exit "Configure cannot disable SafeStack"
fi
QEMU_CFLAGS="$QEMU_CFLAGS $flag"
QEMU_LDFLAGS="$QEMU_LDFLAGS $flag"
fi
else # "$safe_stack" = ""
# Set safe_stack to yes or no based on pre-existing flags
if compile_prog "-Werror" ""; then
safe_stack="no"
else
safe_stack="yes"
if test "$coroutine" != "ucontext"; then
error_exit "SafeStack is only supported by the coroutine backend ucontext"
fi
fi
fi
fi
########################################## ##########################################
# check if we have open_by_handle_at # check if we have open_by_handle_at
@ -6765,6 +6833,7 @@ echo "sparse enabled $sparse"
echo "strip binaries $strip_opt" echo "strip binaries $strip_opt"
echo "profiler $profiler" echo "profiler $profiler"
echo "static build $static" echo "static build $static"
echo "safe stack $safe_stack"
if test "$darwin" = "yes" ; then if test "$darwin" = "yes" ; then
echo "Cocoa support $cocoa" echo "Cocoa support $cocoa"
fi fi
@ -8370,6 +8439,10 @@ if test "$ccache_cpp2" = "yes"; then
echo "export CCACHE_CPP2=y" >> $config_host_mak echo "export CCACHE_CPP2=y" >> $config_host_mak
fi fi
if test "$safe_stack" = "yes"; then
echo "CONFIG_SAFESTACK=y" >> $config_host_mak
fi
# If we're using a separate build tree, set it up now. # If we're using a separate build tree, set it up now.
# DIRS are directories which we simply mkdir in the build tree; # DIRS are directories which we simply mkdir in the build tree;
# LINKS are things to symlink back into the source tree # LINKS are things to symlink back into the source tree