This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
I plan to add an option to link with -Wl,-z,now.
ChangeLog:
* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
isl.
* Makefile.in: Regenerate.
* Makefile.tpl: Set PICFLAG.
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
This directory contains the -liberty library of free software.
It is a collection of subroutines used by various GNU programs.
Current members include:
getopt -- get options from command line
obstack -- stacks of arbitrarily-sized objects
strerror -- error message strings corresponding to errno
strtol -- string-to-long conversion
strtoul -- string-to-unsigned-long conversion
We expect many of the GNU subroutines that are floating around to
eventually arrive here.
The library must be configured from the top source directory. Don't
try to run configure in this directory. Follow the configuration
instructions in ../README.
Please report bugs to https://gcc.gnu.org/bugzilla/ and send fixes to
"gcc-patches@gcc.gnu.org". Thank you.
ADDING A NEW FILE
=================
There are two sets of files: Those that are "required" will be
included in the library for all configurations, while those
that are "optional" will be included in the library only if "needed."
To add a new required file, edit Makefile.in to add the source file
name to CFILES and the object file to REQUIRED_OFILES.
To add a new optional file, it must provide a single function, and the
name of the function must be the same as the name of the file.
* Add the source file name to CFILES in Makefile.in and the object
file to CONFIGURED_OFILES.
* Add the function to name to the funcs shell variable in
configure.ac.
* Add the function to the AC_CHECK_FUNCS lists just after the
setting of the funcs shell variable. These AC_CHECK_FUNCS calls
are never executed; they are there to make autoheader work
better.
* Consider the special cases of building libiberty; as of this
writing, the special cases are newlib and VxWorks. If a
particular special case provides the function, you do not need
to do anything. If it does not provide the function, add the
object file to LIBOBJS, and add the function name to the case
controlling whether to define HAVE_func.
Finally, in the build directory of libiberty, configure with
"--enable-maintainer-mode", run "make maint-deps" to update
Makefile.in, and run 'make stamp-functions' to regenerate
functions.texi.
The optional file you've added (e.g. getcwd.c) should compile and work
on all hosts where it is needed. It does not have to work or even
compile on hosts where it is not needed.
ADDING A NEW CONFIGURATION
==========================
On most hosts you should be able to use the scheme for automatically
figuring out which files are needed. In that case, you probably
don't need a special Makefile stub for that configuration.
If the fully automatic scheme doesn't work, you may be able to get
by with defining EXTRA_OFILES in your Makefile stub. This is
a list of object file names that should be treated as required
for this configuration - they will be included in libiberty.a,
regardless of whatever might be in the C library.
Marek Polacek
251c72a68a