On Thu, Jun 29, 2023 at 05:58:22PM +0200, Martin Jambor wrote:
> Hi,
>
> On Tue, Jun 27 2023, Marek Polacek wrote:
> > On Tue, Jun 27, 2023 at 01:39:16PM +0200, Martin Jambor wrote:
> >> Hello,
> >>
> >> On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote:
> >> > As promised in the --enable-host-pie patch, this patch adds another
> >> > configure option, --enable-host-bind-now, which adds -z now when linking
> >> > the compiler executables in order to extend hardening. BIND_NOW with
> >> > RELRO allows the GOT to be marked RO; this prevents GOT modification attacks.
> >> >
> >> > This option does not affect linking of target libraries; you can use
> >> > LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
> >> >
> >> > With this patch:
> >> > $ readelf -Wd cc1{,plus} | grep FLAGS
> >> > 0x000000000000001e (FLAGS) BIND_NOW
> >> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
> >> > 0x000000000000001e (FLAGS) BIND_NOW
> >> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
> >> >
> >> > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
> >> >
> >> > c++tools/ChangeLog:
> >> >
> >> > * configure.ac (--enable-host-bind-now): New check.
> >> > * configure: Regenerate.
> >> >
> >> > gcc/ChangeLog:
> >> >
> >> > * configure.ac (--enable-host-bind-now): New check. Add
> >> > -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
> >> > * configure: Regenerate.
> >> > * doc/install.texi: Document --enable-host-bind-now.
> >> >
> >> > lto-plugin/ChangeLog:
> >> >
> >> > * configure.ac (--enable-host-bind-now): New check. Link with
> >> > -z,now.
> >> > * configure: Regenerate.
> >>
> >> Our reconfiguration checking script complains about a missing hunk in
> >> lto-plugin/Makefile.in:
> >>
> >> diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in
> >> index cb568e1e09f..f6f5b020ff5 100644
> >> --- a/lto-plugin/Makefile.in
> >> +++ b/lto-plugin/Makefile.in
> >> @@ -298,6 +298,7 @@ datadir = @datadir@
> >> datarootdir = @datarootdir@
> >> docdir = @docdir@
> >> dvidir = @dvidir@
> >> +enable_host_bind_now = @enable_host_bind_now@
> >> exec_prefix = @exec_prefix@
> >> gcc_build_dir = @gcc_build_dir@
> >> get_gcc_base_ver = @get_gcc_base_ver@
> >>
> >>
> >> I am somewhat puzzled why the line is not missing in any of the other
> >> Makefile.in files. Can you please check whether that is the only thing
> >> that is missing (assuming it is actually missing)?
> >
> > Arg, once again, I'm sorry. I don't know how this happened. It would
> > be trivial to fix it but since
> >
> > commit 4a48a38fa99f067b8f3a3d1a5dc7a1e602db351f
> > Author: Eric Botcazou <ebotca...@adacore.com>
> > Date: Wed Jun 21 18:19:36 2023 +0200
> >
> > ada: Fix build of GNAT tools
> >
> > the build with Ada included fails with --enable-host-pie. So that needs
> > to be fixed first.
> >
> > Eric, I'm not asking you to fix that, but I'm curious, what did the
> > commit above fix? The patch looks correct; I'm just puzzled why I
> > hadn't seen any build failures.
> >
> > The --enable-host-pie patch has been a nightmare :(.
> >
>
> No worries, I can see how these things can easily get difficult.
>
> Unfortunately I won't have time to actually look at this in the next 2-3
> weeks, so I am inclined to just trust the verification script (which
> essentially runs autoconf/automake everywhere and then expects no diff)
> and commit the one-line change. What do you think, does that make sense
> (even without looking at why other Makefile.in files did not change)?

Yes please, go ahead with the one-line change meanwhile. Thanks!

I've opened PR110467 for the build problem.

Marek
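
Review bot: The `+enable_host_bind_now = @enable_host_bind_now@` line added after `dvidir = @dvidir@` in lto-plugin/Makefile.in has no matching ChangeLog entry, since the quoted lto-plugin/ChangeLog lists only configure.ac and configure; add a "* Makefile.in: Regenerate." entry with the commit. Because the verification script compares against freshly generated autoconf/automake output, commit the line as produced by regeneration rather than typed by hand, and rerun the script afterwards to confirm this was the only missing piece, which is the question left open in the thread.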
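
The `readelf -Wd cc1{,plus} | grep FLAGS` check quoted in the thread can be scripted for auditing installed host binaries. The following is an added example, not part of the original mails or of the GCC patch; `host_hardening` and `build_sample` are hypothetical names, and the two ELF images are constructed in memory so the check runs without a real `cc1`.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def host_hardening(elf: bytes) -> dict:
    """Read RELRO / BIND_NOW / PIE state from a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    relro = now = pie = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        if p_type != PT_DYNAMIC:
            continue
        # Walk the 16-byte Elf64_Dyn entries, staying inside the file, until DT_NULL.
        end = min(p_offset + p_filesz, len(elf) - 15)
        for off in range(p_offset, end, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            now |= tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
            now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
            pie |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # The GOT can only be mapped read-only when RELRO and BIND_NOW are both present.
    return {"relro": relro, "bind_now": now, "pie": pie, "got_read_only": relro and now}

def build_sample(dyn, with_relro):
    """Constructed minimal ELF64 image for the demo; not a real cc1 binary."""
    phdrs = [(PT_DYNAMIC, 64 + 2 * 56, 16 * (len(dyn) + 1))]
    phdrs.append((PT_GNU_RELRO if with_relro else 4, 0, 0))  # 4 = PT_NOTE filler
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, o, o, o, n, n, 8) for t, o, n in phdrs)
    body += b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    return ehdr + body

# Same dynamic tags as the readelf output in the thread: FLAGS BIND_NOW, FLAGS_1 NOW PIE.
hardened = build_sample([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)], True)
lazy = build_sample([(DT_FLAGS_1, DF_1_PIE)], True)  # RELRO present, lazy binding

if __name__ == "__main__":
    print(host_hardening(hardened), host_hardening(lazy), sep="\n")
```

On a real build tree, pass the bytes of `cc1` or `cc1plus` to `host_hardening`; a binary configured without --enable-host-bind-now reports `bind_now: False` like the `lazy` sample.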