Enable shadow stack built-in functions if -fcf-protection compiler flag is used by patching a build script

2020-05-27 10:14:12 +02:00 · 2020-05-27 10:14:12 +02:00 · 2208fa9576
commit 2208fa9576
parent ada450ea80
3 changed files with 146 additions and 5 deletions
--- a/pcre2-10.35-Apply-H.J.-Lu-s-patch-to-pass-mshstk-to-the-compiler.patch
+++ b/pcre2-10.35-Apply-H.J.-Lu-s-patch-to-pass-mshstk-to-the-compiler.patch
@ -0,0 +1,95 @@
+From 4f0b3ea9771e49fb0d5e5c323e7966ceff2c7ec2 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Mon, 25 May 2020 16:03:24 +0000
+Subject: [PATCH 1/2] Apply H.J. Lu's patch to pass -mshstk to the compiler
+ when Intel CET is enabled. CMake version invented by PH, but only tested on
+ non-CET system.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1256 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.35.
+---
+ CMakeLists.txt | 19 +++++++++++++++++++
+ Makefile.am    |  1 +
+ configure.ac   | 15 +++++++++++++++
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 86b8896..5e8a763 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -92,6 +92,7 @@
+ #            library versioning.
+ # 2020-04-25 Carlo added function check for mkostemp used in ProtExecAllocator
+ # 2020-04-28 PH added function check for memfd_create based on Carlo's patch
+# 2020-05-25 PH added a check for Intel CET
+ 
+ PROJECT(PCRE2 C)
+ 
+@@ -146,6 +147,24 @@ CHECK_C_SOURCE_COMPILES(
+ )
+ set(CMAKE_REQUIRED_FLAGS ${ORIG_CMAKE_REQUIRED_FLAGS})
+ 
+# Check whether Intel CET is enabled, and if so, adjust compiler flags. This
+# code was written by PH, trying to imitate the logic from the autotools 
+# configuration.
+
+CHECK_C_SOURCE_COMPILES(
+  "#ifndef __CET__
+   #error CET is not enabled
+   #endif
+   int main() { return 0; }"
+  INTEL_CET_ENABLED
+)
+
+IF (INTEL_CET_ENABLED)
+  SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mshstk")
+ENDIF(INTEL_CET_ENABLED)   
+        
+
+
+ # User-configurable options
+ #
+ # Note: CMakeSetup displays these in alphabetical order, regardless of
+diff --git a/Makefile.am b/Makefile.am
+index bb888f2..af6b92b 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -391,6 +391,7 @@ nodist_libpcre2_8_la_SOURCES = \
+ libpcre2_8_la_CFLAGS = \
+   -DPCRE2_CODE_UNIT_WIDTH=8 \
+   $(VISIBILITY_CFLAGS) \
+  $(CET_CFLAGS) \
+   $(AM_CFLAGS)
+ libpcre2_8_la_LIBADD =
+ endif # WITH_PCRE2_8
+diff --git a/configure.ac b/configure.ac
+index 180d3dc..61b93ba 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1006,6 +1006,21 @@ fi # enable_coverage
+ 
+ AM_CONDITIONAL([WITH_GCOV],[test "x$enable_coverage" = "xyes"])
+ 
+AC_MSG_CHECKING([whether Intel CET is enabled])
+AC_LANG_PUSH([C])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM(,
+                   [[#ifndef __CET__
+# error CET is not enabled
+#endif]])],
+                   [pcre2_cc_cv_intel_cet_enabled=yes],
+                   [pcre2_cc_cv_intel_cet_enabled=no])
+AC_MSG_RESULT([$pcre2_cc_cv_intel_cet_enabled])
+if test "$pcre2_cc_cv_intel_cet_enabled" = yes; then
+  CET_CFLAGS="-mshstk"
+  AC_SUBST([CET_CFLAGS])
+fi
+AC_LANG_POP([C])
+
+ # Produce these files, in addition to config.h.
+ AC_CONFIG_FILES(
+ 	Makefile
+-- 
+2.25.4
+
--- a/pcre2-10.35-Fix-previous-commit-include-CET_CFLAGS-in-16-bit-and.patch
+++ b/pcre2-10.35-Fix-previous-commit-include-CET_CFLAGS-in-16-bit-and.patch
@ -0,0 +1,38 @@
+From 842cc30948723f3fe3e7e71ebcb18191ae5324ed Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Tue, 26 May 2020 15:18:35 +0000
+Subject: [PATCH 2/2] Fix previous commit: include CET_CFLAGS in 16-bit and
+ 32-bit builds under AutoTools.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1257 6239d852-aaf2-0410-a92c-79f79f948069
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index af6b92b..6a771a5 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -405,6 +405,7 @@ nodist_libpcre2_16_la_SOURCES = \
+ libpcre2_16_la_CFLAGS = \
+   -DPCRE2_CODE_UNIT_WIDTH=16 \
+   $(VISIBILITY_CFLAGS) \
+  $(CET_CFLAGS) \
+   $(AM_CFLAGS)
+ libpcre2_16_la_LIBADD =
+ endif # WITH_PCRE2_16
+@@ -418,6 +419,7 @@ nodist_libpcre2_32_la_SOURCES = \
+ libpcre2_32_la_CFLAGS = \
+   -DPCRE2_CODE_UNIT_WIDTH=32 \
+   $(VISIBILITY_CFLAGS) \
+  $(CET_CFLAGS) \
+   $(AM_CFLAGS)
+ libpcre2_32_la_LIBADD =
+ endif # WITH_PCRE2_32
+-- 
+2.25.4
+
--- a/pcre2.spec
+++ b/pcre2.spec
@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.35
-Release:    %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@ -51,6 +51,12 @@ Source1:    https://ftp.pcre.org/pub/pcre/%{?rcversion:Testing/}%{name}-%{myvers
 Source2:    https://ftp.pcre.org/pub/pcre/Public-Key
 # Do no set RPATH if libdir is not /usr/lib
 Patch0:     pcre2-10.10-Fix-multilib.patch
+# 1/2 Enable shadow stack built-in functions if -fcf-protection compiler flag is
+# used, upstream bug #2578, in upstream after 10.35
+Patch1:     pcre2-10.35-Apply-H.J.-Lu-s-patch-to-pass-mshstk-to-the-compiler.patch
+# 2/2 Enable shadow stack built-in functions if -fcf-protection compiler flag is
+# used, upstream bug #2578, in upstream after 10.35
+Patch2:     pcre2-10.35-Fix-previous-commit-include-CET_CFLAGS-in-16-bit-and.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -142,15 +148,13 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q -n %{name}-%{myversion}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif

 %build
-# Shadow stack built-in functions are required for -fcf-protection.
-# Checked in src/sljit/sljitConfigInternal.h, _get_ssp() is used.
-%global optflags %(printf -- '%s' '%{optflags}' | \
-    sed -E 's/(^|\\s)(-fcf-protection)($|\\s)/\\1\\2\\3 -mshstk /')
 # There is a strict-aliasing problem on PPC64, bug #881232
 %ifarch ppc64
 %global optflags %{optflags} -fno-strict-aliasing
@ -259,6 +263,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*

 %changelog
+* Wed May 27 2020 Petr Pisar <ppisar@redhat.com> - 10.35-2
+- Enable shadow stack built-in functions if -fcf-protection compiler flag is
+  used by patching a build script (upstream bug #2578)
+
 * Mon May 11 2020 Petr Pisar <ppisar@redhat.com> - 10.35-1
 - 10.35 bump