From 2d09eaac15d8a3cd7a4f27fea1cf09f5dcf4f8c5 Mon Sep 17 00:00:00 2001
From: Marek Polacek <polacek@redhat.com>
Date: Thu, 10 Feb 2022 14:53:15 -0500
Subject: [PATCH] Add --enable-host-bind-now, use it

Resolves: #2044917
---
 gcc.spec             |  15 +-
 gcc11-bind-now.patch | 333 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 343 insertions(+), 5 deletions(-)
 create mode 100644 gcc11-bind-now.patch

diff --git a/gcc.spec b/gcc.spec
index 87950eb..4fdcde7 100644
--- a/gcc.spec
+++ b/gcc.spec
@@ -116,7 +116,7 @@
 Summary: Various compilers (C, C++, Objective-C, ...)
 Name: gcc
 Version: %{gcc_version}
-Release: %{gcc_release}.3%{?dist}
+Release: %{gcc_release}.4%{?dist}
 # libgcc, libgfortran, libgomp, libstdc++ and crtstuff have
 # GCC Runtime Exception.
 License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD
@@ -273,6 +273,7 @@ Patch20: gcc11-relocatable-pch.patch
 Patch21: gcc11-dejagnu-multiline.patch
 Patch22: gcc11-libsanitizer-pthread.patch
 Patch23: gcc11-pie.patch
+Patch24: gcc11-bind-now.patch
 
 Patch100: gcc11-fortran-fdec-duplicates.patch
 Patch101: gcc11-fortran-flogical-as-integer.patch
@@ -824,6 +825,7 @@ so that there cannot be any synchronization problems.
 %patch21 -p1 -b .dejagnu-multiline~
 %patch22 -p1 -b .libsanitizer-pthread~
 %patch23 -p1 -b .pie~
+%patch24 -p1 -b .now~
 
 %if 0%{?rhel} >= 9
 %patch100 -p1 -b .fortran-fdec-duplicates~
@@ -911,7 +913,7 @@ cd nvptx-tools-%{nvptx_tools_gitrev}
 rm -rf obj-%{gcc_target_platform}
 mkdir obj-%{gcc_target_platform}
 cd obj-%{gcc_target_platform}
-CC="$CC" CXX="$CXX" CFLAGS="%{optflags} -fPIE" CXXFLAGS="%{optflags} -fPIE" LDFLAGS="-pie" \
+CC="$CC" CXX="$CXX" CFLAGS="%{optflags} -fPIE" CXXFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,now" \
 ../configure --prefix=%{_prefix}
 make %{?_smp_mflags}
 make install prefix=${IROOT}%{_prefix}
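Review bot: The changed `LDFLAGS` line for the nvptx-tools build asks only for `-z now`, so a read-only GOT still depends on the linker enabling RELRO by default; removing lazy binding alone does not write-protect the table. Naming it explicitly, `LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"`, keeps the hardening independent of how binutils was configured. A `readelf -ld` check on the installed nvptx tools for `GNU_RELRO` and `BIND_NOW` would confirm the result in the build log.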
@@ -933,7 +935,7 @@ CC="$CC" CXX="$CXX" CFLAGS="$OPT_FLAGS" \
 	--prefix=%{_prefix} --mandir=%{_mandir} --infodir=%{_infodir} \
 	--with-bugurl=http://bugzilla.redhat.com/bugzilla \
 	--enable-checking=release --with-system-zlib \
-	--with-gcc-major-version-only --without-isl --enable-host-pie
+	--with-gcc-major-version-only --without-isl --enable-host-pie --enable-host-bind-now
 make %{?_smp_mflags}
 cd ..
 rm -f newlib
@@ -1130,7 +1132,7 @@ CC="$CC" CXX="$CXX" CFLAGS="$OPT_FLAGS" \
 	CXXFLAGS="`echo " $OPT_FLAGS " | sed 's/ -Wall / /g;s/ -fexceptions / /g' \
 		  | sed 's/ -Wformat-security / -Wformat -Wformat-security /'`" \
 	XCFLAGS="$OPT_FLAGS" TCFLAGS="$OPT_FLAGS" \
-	../configure --enable-bootstrap --enable-host-pie \
+	../configure --enable-bootstrap --enable-host-pie --enable-host-bind-now \
 	--enable-languages=c,c++,fortran${enablelobjc}${enablelada}${enablelgo}${enableld},lto \
 	$CONFIGURE_OPTS
 
@@ -1151,7 +1153,7 @@ CC="$CC" CXX="$CXX" CFLAGS="$OPT_FLAGS" \
 	CXXFLAGS="`echo " $OPT_FLAGS " | sed 's/ -Wall / /g;s/ -fexceptions / /g' \
 		  | sed 's/ -Wformat-security / -Wformat -Wformat-security /'`" \
 	XCFLAGS="$OPT_FLAGS" TCFLAGS="$OPT_FLAGS" \
-	../../configure --disable-bootstrap --enable-host-shared \
+	../../configure --disable-bootstrap --enable-host-shared  --enable-host-bind-now \
 	--enable-languages=jit $CONFIGURE_OPTS
 make %{?_smp_mflags} BOOT_CFLAGS="$OPT_FLAGS" all-gcc
 cp -a gcc/libgccjit.so* ../gcc/
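Review bot: The changed `../../configure` line for the jit build has a doubled space before `--enable-host-bind-now`; a single space matches the other configure invocations in this spec. It is also not visible from this commit that the flag reaches the `libgccjit.so` link. The bundled patch only appends `-Wl,-z,now` to `LD_PICFLAG` in gcc/configure.ac, and whether the shared-library link uses that variable is outside what is shown. Running `readelf -d gcc/libgccjit.so*` after `make` and checking for `BIND_NOW` would settle it.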
@@ -3269,6 +3271,9 @@ end
 %{ANNOBIN_GCC_PLUGIN_DIR}/gcc-annobin.so.0.0.0
 
 %changelog
+* Thu Feb 10 2022 Marek Polacek <polacek@redhat.com> 11.2.1-9.4
+- add --enable-host-bind-now, use it (#2044917)
+
 * Tue Feb  8 2022 Marek Polacek <polacek@redhat.com> 11.2.1-9.3
 - use _thread_db_sizeof_pthread to obtain struct pthread size (#2034494)
 - add --enable-host-pie, build the compilers as PIE (#2044917)
diff --git a/gcc11-bind-now.patch b/gcc11-bind-now.patch
new file mode 100644
index 0000000..8710490
--- /dev/null
+++ b/gcc11-bind-now.patch
@@ -0,0 +1,333 @@
+From 36362544fb039599c0eb58d839e90ffb5410ad27 Mon Sep 17 00:00:00 2001
+From: Marek Polacek <polacek@redhat.com>
+Date: Wed, 9 Feb 2022 15:18:43 -0500
+Subject: [PATCH] configure: Implement --enable-host-bind-now
+
+As promised in the --enable-host-pie patch, this patch adds another
+configure option, --enable-host-bind-now, which adds -z now when linking
+the compiler executables in order to extend hardening.  BIND_NOW with RELRO
+allows the GOT to be marked RO; this prevents GOT modification attacks.
+
+This option does not affect linking of target libraries; you can use
+LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
+
+Bootstrapped/regtested on x86_64-pc-linux-gnu (with the option enabled vs
+not enabled).  I suppose this is GCC 13 material, but maybe I'll get some
+comments anyway.
+
+c++tools/ChangeLog:
+
+	* configure.ac (--enable-host-bind-now): New check.
+	* configure: Regenerate.
+
+gcc/ChangeLog:
+
+	* configure.ac (--enable-host-bind-now): New check.  Add
+	-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
+	* configure: Regenerate.
+	* doc/install.texi: Document --enable-host-bind-now.
+
+lto-plugin/ChangeLog:
+
+	* configure.ac (--enable-host-bind-now): New check.  Link with
+	-z,now.
+	* configure: Regenerate.
+---
+ c++tools/configure      | 11 +++++++++++
+ c++tools/configure.ac   |  7 +++++++
+ gcc/configure           | 20 ++++++++++++++++++--
+ gcc/configure.ac        | 13 ++++++++++++-
+ gcc/doc/install.texi    |  6 ++++++
+ lto-plugin/configure    | 20 ++++++++++++++++++--
+ lto-plugin/configure.ac | 11 +++++++++++
+ 7 files changed, 83 insertions(+), 5 deletions(-)
+
+diff --git a/c++tools/configure b/c++tools/configure
+index c1aceb8404a..25432b5040d 100755
+--- a/c++tools/configure
++++ b/c++tools/configure
+@@ -631,6 +631,7 @@ ac_ct_CC
+ CFLAGS
+ CC
+ LD_PICFLAG
++enable_host_bind_now
+ PICFLAG
+ MAINTAINER
+ CXX_AUX_TOOLS
+@@ -704,6 +705,7 @@ enable_c___tools
+ enable_maintainer_mode
+ enable_default_pie
+ enable_host_pie
++enable_host_bind_now
+ with_gcc_major_version_only
+ '
+       ac_precious_vars='build_alias
+@@ -1336,6 +1338,7 @@ Optional Features:
+                           configurey bits
+   --enable-default-pie    enable Position Independent Executable as default
+   --enable-host-pie       build host code as PIE
++  --enable-host-bind-now  link host code as BIND_NOW
+ 
+ Optional Packages:
+   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+@@ -3009,6 +3012,14 @@ fi
+ 
+ 
+ 
++# Enable --enable-host-bind-now
++# Check whether --enable-host-bind-now was given.
++if test "${enable_host_bind_now+set}" = set; then :
++  enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
++fi
++
++
++
+ 
+ # Check if O_CLOEXEC is defined by fcntl
+ ac_ext=c
+diff --git a/c++tools/configure.ac b/c++tools/configure.ac
+index 1e42689f2eb..d3f23f66f00 100644
+--- a/c++tools/configure.ac
++++ b/c++tools/configure.ac
+@@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie,
+ 		[build host code as PIE])],
+ [PICFLAG=-fPIE; LD_PICFLAG=-pie], [])
+ AC_SUBST(PICFLAG)
++
++# Enable --enable-host-bind-now
++AC_ARG_ENABLE(host-bind-now,
++[AS_HELP_STRING([--enable-host-bind-now],
++       [link host code as BIND_NOW])],
++[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], [])
++AC_SUBST(enable_host_bind_now)
+ AC_SUBST(LD_PICFLAG)
+ 
+ # Check if O_CLOEXEC is defined by fcntl
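Review bot: The action-if-given argument of the new `AC_ARG_ENABLE(host-bind-now, …)` appends `-Wl,-z,now` whenever the option appears at all, so `--disable-host-bind-now` and `--enable-host-bind-now=no` also turn the flag on in c++tools. The regenerated c++tools/configure shows the same behaviour with its `${enable_host_bind_now+set}` test. gcc/configure.ac and lto-plugin/configure.ac in this patch test the value instead, and c++tools should match: leave the action empty and add `if test x$enable_host_bind_now = xyes; then LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"; fi` before `AC_SUBST(LD_PICFLAG)`. The host-pie check in the context lines above has the same shape and may deserve the same treatment.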
+diff --git a/gcc/configure b/gcc/configure
+index 2ded5d4c50b..5671dc7dcf4 100755
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -635,6 +635,7 @@ CET_HOST_FLAGS
+ LD_PICFLAG
+ PICFLAG
+ enable_default_pie
++enable_host_bind_now
+ enable_host_pie
+ enable_host_shared
+ enable_plugin
+@@ -1023,6 +1024,7 @@ enable_version_specific_runtime_libs
+ enable_plugin
+ enable_host_shared
+ enable_host_pie
++enable_host_bind_now
+ enable_libquadmath_support
+ with_linker_hash_style
+ with_diagnostics_color
+@@ -1786,6 +1788,7 @@ Optional Features:
+   --enable-plugin         enable plugin support
+   --enable-host-shared    build host code as shared libraries
+   --enable-host-pie       build host code as PIE
++  --enable-host-bind-now  link host code as BIND_NOW
+   --disable-libquadmath-support
+                           disable libquadmath support for Fortran
+   --enable-default-pie    enable Position Independent Executable as default
+@@ -19394,7 +19397,7 @@ else
+   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext <<_LT_EOF
+-#line 19409 "configure"
++#line 19412 "configure"
+ #include "confdefs.h"
+ 
+ #if HAVE_DLFCN_H
+@@ -19500,7 +19503,7 @@ else
+   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext <<_LT_EOF
+-#line 19515 "configure"
++#line 19518 "configure"
+ #include "confdefs.h"
+ 
+ #if HAVE_DLFCN_H
+@@ -32109,6 +32112,14 @@ fi
+ 
+ 
+ 
++# Enable --enable-host-bind-now
++# Check whether --enable-host-bind-now was given.
++if test "${enable_host_bind_now+set}" = set; then :
++  enableval=$enable_host_bind_now;
++fi
++
++
++
+ # Check whether --enable-libquadmath-support was given.
+ if test "${enable_libquadmath_support+set}" = set; then :
+   enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval
+@@ -32295,6 +32306,8 @@ else
+   PICFLAG=
+ fi
+ 
++
++
+ if test x$enable_host_pie = xyes; then
+   LD_PICFLAG=-pie
+ elif test x$gcc_cv_no_pie = xyes; then
+@@ -32303,6 +32316,9 @@ else
+   LD_PICFLAG=
+ fi
+ 
++if test x$enable_host_bind_now = xyes; then
++  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
++fi
+ 
+ 
+ 
+diff --git a/gcc/configure.ac b/gcc/configure.ac
+index dca995aeec7..6017bcbc8c6 100644
+--- a/gcc/configure.ac
++++ b/gcc/configure.ac
+@@ -7497,6 +7497,12 @@ AC_ARG_ENABLE(host-pie,
+ 		[build host code as PIE])])
+ AC_SUBST(enable_host_pie)
+ 
++# Enable --enable-host-bind-now
++AC_ARG_ENABLE(host-bind-now,
++[AS_HELP_STRING([--enable-host-bind-now],
++		[link host code as BIND_NOW])])
++AC_SUBST(enable_host_bind_now)
++
+ AC_ARG_ENABLE(libquadmath-support,
+ [AS_HELP_STRING([--disable-libquadmath-support],
+   [disable libquadmath support for Fortran])],
+@@ -7638,6 +7644,8 @@ else
+   PICFLAG=
+ fi
+ 
++AC_SUBST([PICFLAG])
++
+ if test x$enable_host_pie = xyes; then
+   LD_PICFLAG=-pie
+ elif test x$gcc_cv_no_pie = xyes; then
+@@ -7646,7 +7654,10 @@ else
+   LD_PICFLAG=
+ fi
+ 
+-AC_SUBST([PICFLAG])
++if test x$enable_host_bind_now = xyes; then
++  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
++fi
++
+ AC_SUBST([LD_PICFLAG])
+ 
+ # Enable Intel CET on Intel CET enabled host if jit is enabled.
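Review bot: The new `if test x$enable_host_bind_now = xyes` block appends `-Wl,-z,now` to `LD_PICFLAG` without checking that the host linker accepts `-z now`; lto-plugin/configure.ac does the same with `ac_lto_plugin_ldflags`. On a host whose linker rejects the option, the build would presumably fail only at link time, long after configure reported success. A link test before the append, with a configure error when the option was requested but cannot be honoured, would make the outcome explicit. A linker that merely warns about an unknown `-z` keyword would still pass such a test, so the `readelf -d` result remains the final check.

```m4
if test x$enable_host_bind_now = xyes; then
  # Probe the host linker before committing to the flag.
  saved_LDFLAGS="$LDFLAGS"
  LDFLAGS="$LDFLAGS -Wl,-z,now"
  AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
    [LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"],
    [AC_MSG_ERROR([--enable-host-bind-now requested but the linker does not accept -z now])])
  LDFLAGS="$saved_LDFLAGS"
fi
# … unchanged: AC_SUBST([LD_PICFLAG]) …
```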
+diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi
+index 9747f832a75..b59af198d3e 100644
+--- a/gcc/doc/install.texi
++++ b/gcc/doc/install.texi
+@@ -1041,6 +1041,12 @@ protection against Return Oriented Programming (ROP) attacks.
+ in which case @option{-fPIC} is used when compiling, and @option{-pie} when
+ linking.
+ 
++@item --enable-host-bind-now
++Specify that the @emph{host} executables should be linked with the option
++@option{-Wl,-z,now}, which means that the dynamic linker will resolve all
++symbols when the executables are started, and that in turn allows RELRO to
++mark the GOT read-only, resulting in better security.
++
+ @item @anchor{with-gnu-as}--with-gnu-as
+ Specify that the compiler should assume that the
+ assembler it finds is the GNU assembler.  However, this does not modify
+diff --git a/lto-plugin/configure b/lto-plugin/configure
+index baa84adbb6c..669ccaede52 100755
+--- a/lto-plugin/configure
++++ b/lto-plugin/configure
+@@ -656,6 +656,7 @@ accel_dir_suffix
+ gcc_build_dir
+ CET_HOST_FLAGS
+ ac_lto_plugin_ldflags
++enable_host_bind_now
+ ac_lto_plugin_warn_cflags
+ EGREP
+ GREP
+@@ -771,6 +772,7 @@ enable_maintainer_mode
+ with_libiberty
+ enable_dependency_tracking
+ enable_largefile
++enable_host_bind_now
+ enable_cet
+ with_gcc_major_version_only
+ enable_shared
+@@ -1418,6 +1420,7 @@ Optional Features:
+   --disable-dependency-tracking
+                           speeds up one-time build
+   --disable-largefile     omit support for large files
++  --enable-host-bind-now  link host code as BIND_NOW
+   --enable-cet            enable Intel CET in host libraries [default=auto]
+   --enable-shared[=PKGS]  build shared libraries [default=yes]
+   --enable-static[=PKGS]  build static libraries [default=yes]
+@@ -5662,6 +5665,19 @@ if test "x$have_static_libgcc" = xyes; then
+    ac_lto_plugin_ldflags="-Wc,-static-libgcc"
+ fi
+ 
++# Enable --enable-host-bind-now
++# Check whether --enable-host-bind-now was given.
++if test "${enable_host_bind_now+set}" = set; then :
++  enableval=$enable_host_bind_now;
++fi
++
++
++
++if test x$enable_host_bind_now = xyes; then
++  ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
++fi
++
++
+ 
+  # Check whether --enable-cet was given.
+ if test "${enable_cet+set}" = set; then :
+@@ -11950,7 +11968,7 @@ else
+   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext <<_LT_EOF
+-#line 11963 "configure"
++#line 11983 "configure"
+ #include "confdefs.h"
+ 
+ #if HAVE_DLFCN_H
+@@ -12056,7 +12074,7 @@ else
+   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+   lt_status=$lt_dlunknown
+   cat > conftest.$ac_ext <<_LT_EOF
+-#line 12069 "configure"
++#line 12089 "configure"
+ #include "confdefs.h"
+ 
+ #if HAVE_DLFCN_H
+diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac
+index 7e6f729e9dc..5d5fea8fe70 100644
+--- a/lto-plugin/configure.ac
++++ b/lto-plugin/configure.ac
+@@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS"
+ if test "x$have_static_libgcc" = xyes; then
+    ac_lto_plugin_ldflags="-Wc,-static-libgcc"
+ fi
++
++# Enable --enable-host-bind-now
++AC_ARG_ENABLE(host-bind-now,
++[AS_HELP_STRING([--enable-host-bind-now],
++       [link host code as BIND_NOW])])
++AC_SUBST(enable_host_bind_now)
++
++if test x$enable_host_bind_now = xyes; then
++  ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
++fi
++
+ AC_SUBST(ac_lto_plugin_ldflags)
+ 
+ GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
+
+base-commit: bf799d3409cb9a189114a6c9ff5b7cd123915764
+-- 
+2.34.1
+