Message ID | 20230223-nolibc-stackprotector-v2-8-4c938e098d67@weissschuh.net |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:604a:0:0:0:0:0 with SMTP id j10csp1307023wrt; Mon, 20 Mar 2023 09:21:20 -0700 (PDT) X-Google-Smtp-Source: AK7set86QB7OhTN3oxKFeHoHKPYR9d9TTztiDYlwB9PoTBwSycyOkP6y5slKAcUMtQa6Fzi5qgfC X-Received: by 2002:a05:6a20:9307:b0:c2:f930:45e8 with SMTP id r7-20020a056a20930700b000c2f93045e8mr15555085pzh.46.1679329279832; Mon, 20 Mar 2023 09:21:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1679329279; cv=none; d=google.com; s=arc-20160816; b=vNTnJf9m7HNmsgp+h4ZNKQU59qsxfK/ESo3YnJxhS3ig9yMAFjF8z+hi9HjmNwXxv9 RXeq807uCGim6aGKtfS4UUe7RCrWW/sG4/UWBQbzuvf9aR89eYsM5AB+Mtdn6K43EXnH pJBMjNZFKnG8RC85HXksDrH855EhWChG3m4NoZSFqB44xPwAaiFaq6met/E3zQNYYfvH DzXNN2i7k2Q9qCeC6DfstQaybwn8uyTMuDslFamqE1z3ZPmja3igK1ugV5JHmEcjoh5Q fTtrwEbflGKHrH8gELHkGm55JQeYkSg/Ioi/Mwxk81jxNbOvac9zOlYwbUrSR1LqAj9H 3aKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:dkim-signature :from; bh=UH6iyJWVF557g3DlZkN924DZUTihkbxHvHIitRq/SDI=; b=oD7kEmrvZiQccCAVW8DaPIRCOkJ8M2+3me/IbKkPgR76QqxhAW7J7fuNYsuENWKYEp sH68n+/3KrDGhpYrZSe97aIYO2QQZlq1aC0+LBn2TRKSj2PhQP9KANVNTel6+0ILko1l qQahkIjogW/u8i1I5zI9PRQbvzfYg/n/1DRfhqkbIFQ1FGUHgN8zN8ZhBX0gFV7YHuVO T9ULYQGCWRffB2PpUgmpkxgwyzt64MhgRjJp/+E/I6NfN+VI5uUCdl54NZ4TFJhmA5SS uxqHZjh75BMU0qem2E+jRS9dL3LluflF4exoGakP94sM3lXxNK3e2B5tI/L6LkGytzdx XJKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@weissschuh.net header.s=mail header.b=IEEumZMh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x37-20020a056a000be500b0062514cb8b77si8482789pfu.40.2023.03.20.09.21.04; Mon, 20 Mar 2023 09:21:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@weissschuh.net header.s=mail header.b=IEEumZMh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232038AbjCTPvd (ORCPT <rfc822;pusanteemu@gmail.com> + 99 others); Mon, 20 Mar 2023 11:51:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233344AbjCTPtt (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Mon, 20 Mar 2023 11:49:49 -0400 Received: from todd.t-8ch.de (todd.t-8ch.de [IPv6:2a01:4f8:c010:41de::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DF0012B9F7; Mon, 20 Mar 2023 08:41:25 -0700 (PDT) From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1679326882; bh=i20Oh7UPtMkF7KR9AMHb1kh7uhEQ1eEVn8pe6hGS0IY=; h=From:Date:Subject:References:In-Reply-To:To:Cc:From; b=IEEumZMhOJj7/5fO9M78jnYjwF6vw43+TOAY/TOfIzzevHlcJgYEvXOpVK4hK6WzL DYbYEfL2viDF9VD4rWWIpw6yBSn5zYJYUlTIWXC0fgSIrv1eEYwV0CA922VvWoljCG eIoaLVFeQNfCsVOAedKa5p8UBoO3TjLpsAssyeTc= Date: Mon, 20 Mar 2023 15:41:08 +0000 Subject: [PATCH v2 8/8] tools/nolibc: x86_64: add stackprotector support MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Message-Id: <20230223-nolibc-stackprotector-v2-8-4c938e098d67@weissschuh.net> References: <20230223-nolibc-stackprotector-v2-0-4c938e098d67@weissschuh.net> In-Reply-To: <20230223-nolibc-stackprotector-v2-0-4c938e098d67@weissschuh.net> To: Willy Tarreau <w@1wt.eu>, Shuah Khan <shuah@kernel.org> Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, =?utf-8?q?Thomas_Wei=C3=9Fschuh?= <linux@weissschuh.net> X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=ed25519-sha256; t=1679326878; l=1856; i=linux@weissschuh.net; s=20221212; h=from:subject:message-id; bh=i20Oh7UPtMkF7KR9AMHb1kh7uhEQ1eEVn8pe6hGS0IY=; b=yBKpZLIhD2oLBnMhKGSP33SljC5XJO6L5jLzsIMP1QRDWF8qpnRzP3lO5IRVQgThoA/S0AcOs KcMpHjuFCsHCZygA9AsMyhp/qPX/l1LhHvKCsQg759Tph36y0IVFjve X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=KcycQgFPX2wGR5azS7RhpBqedglOZVgRPfdFSPB1LNw= X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1760904378755706284?= X-GMAIL-MSGID: =?utf-8?q?1760904378755706284?= |
Series |
tools/nolibc: add support for stack protector
|
|
Commit Message
Thomas Weißschuh
March 20, 2023, 3:41 p.m. UTC
Enable the new stackprotector support for x86_64.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---
tools/include/nolibc/arch-x86_64.h | 5 +++++
tools/testing/selftests/nolibc/Makefile | 2 ++
2 files changed, 7 insertions(+)
Comments
Hi Thomas, On Mon, Mar 20, 2023 at 03:41:08PM +0000, Thomas Weißschuh wrote: > Enable the new stackprotector support for x86_64. (...) > diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile > index 8f069ebdd124..543555f4cbdc 100644 > --- a/tools/testing/selftests/nolibc/Makefile > +++ b/tools/testing/selftests/nolibc/Makefile > @@ -80,6 +80,8 @@ CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ > $(call cc-option,-mstack-protector-guard=global) \ > $(call cc-option,-fstack-protector-all) > CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) > +CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) > +CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) > CFLAGS_s390 = -m64 > CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ > $(call cc-option,-fno-stack-protector) \ This change is making it almost impossible for me to pass external CFLAGS without forcefully disabling the automatic detection of stackprot. I need to do it for some archs (e.g. "-march=armv5t -mthumb") or even to change optimization levels. I figured that the simplest way to recover that functionality for me consists in using a dedicated variable to assign stack protector per supported architecure and concatenating it to the per-arch CFLAGS like this: diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile index 543555f4cbdc..bbce57420465 100644 --- a/tools/testing/selftests/nolibc/Makefile +++ b/tools/testing/selftests/nolibc/Makefile @@ -79,13 +79,13 @@ endif CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ $(call cc-option,-mstack-protector-guard=global) \ $(call cc-option,-fstack-protector-all) -CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) -CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) -CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) +CFLAGS_STKP_i386 = $(CFLAGS_STACKPROTECTOR) +CFLAGS_STKP_x86_64 = $(CFLAGS_STACKPROTECTOR) +CFLAGS_STKP_x86 = $(CFLAGS_STACKPROTECTOR) CFLAGS_s390 = -m64 CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ $(call cc-option,-fno-stack-protector) \ - $(CFLAGS_$(ARCH)) + $(CFLAGS_STKP_$(ARCH)) $(CFLAGS_$(ARCH)) LDFLAGS := -s help: And now with this it works again for me on all archs, with all of them showing "SKIPPED" for the -fstackprotector line except i386/x86_64 which show "OK". Are you OK with this approach ? And if so, do you want to respin it or do you want me to retrofit it into your 3 patches that introduce this change (it's easy enough so I really don't care) ? Thanks! Willy
Hi Willy, On Thu, Mar 23, 2023 at 09:19:48PM +0100, Willy Tarreau wrote: > On Mon, Mar 20, 2023 at 03:41:08PM +0000, Thomas Weißschuh wrote: > > Enable the new stackprotector support for x86_64. > (...) > > diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile > > index 8f069ebdd124..543555f4cbdc 100644 > > --- a/tools/testing/selftests/nolibc/Makefile > > +++ b/tools/testing/selftests/nolibc/Makefile > > @@ -80,6 +80,8 @@ CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ > > $(call cc-option,-mstack-protector-guard=global) \ > > $(call cc-option,-fstack-protector-all) > > CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) > > +CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) > > +CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) > > CFLAGS_s390 = -m64 > > CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ > > $(call cc-option,-fno-stack-protector) \ > > This change is making it almost impossible for me to pass external CFLAGS > without forcefully disabling the automatic detection of stackprot. I need > to do it for some archs (e.g. "-march=armv5t -mthumb") or even to change > optimization levels. > > I figured that the simplest way to recover that functionality for me > consists in using a dedicated variable to assign stack protector per > supported architecure and concatenating it to the per-arch CFLAGS like > this: > > diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile > index 543555f4cbdc..bbce57420465 100644 > --- a/tools/testing/selftests/nolibc/Makefile > +++ b/tools/testing/selftests/nolibc/Makefile > @@ -79,13 +79,13 @@ endif > CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ > $(call cc-option,-mstack-protector-guard=global) \ > $(call cc-option,-fstack-protector-all) > -CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) > -CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) > -CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) > +CFLAGS_STKP_i386 = $(CFLAGS_STACKPROTECTOR) > +CFLAGS_STKP_x86_64 = $(CFLAGS_STACKPROTECTOR) > +CFLAGS_STKP_x86 = $(CFLAGS_STACKPROTECTOR) > CFLAGS_s390 = -m64 > CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ > $(call cc-option,-fno-stack-protector) \ > - $(CFLAGS_$(ARCH)) > + $(CFLAGS_STKP_$(ARCH)) $(CFLAGS_$(ARCH)) > LDFLAGS := -s > > help: > > And now with this it works again for me on all archs, with all of them > showing "SKIPPED" for the -fstackprotector line except i386/x86_64 which > show "OK". > > Are you OK with this approach ? And if so, do you want to respin it or > do you want me to retrofit it into your 3 patches that introduce this > change (it's easy enough so I really don't care) ? Looks good to me. If nothing else needs to be changed feel free to fix it up on your side. Thanks, Thomas
On Thu, Mar 23, 2023 at 11:44:15PM +0000, Thomas Weißschuh wrote: > Hi Willy, > > On Thu, Mar 23, 2023 at 09:19:48PM +0100, Willy Tarreau wrote: > > On Mon, Mar 20, 2023 at 03:41:08PM +0000, Thomas Weißschuh wrote: > > > Enable the new stackprotector support for x86_64. > > (...) > > > diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile > > > index 8f069ebdd124..543555f4cbdc 100644 > > > --- a/tools/testing/selftests/nolibc/Makefile > > > +++ b/tools/testing/selftests/nolibc/Makefile > > > @@ -80,6 +80,8 @@ CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ > > > $(call cc-option,-mstack-protector-guard=global) \ > > > $(call cc-option,-fstack-protector-all) > > > CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) > > > +CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) > > > +CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) > > > CFLAGS_s390 = -m64 > > > CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ > > > $(call cc-option,-fno-stack-protector) \ > > > > This change is making it almost impossible for me to pass external CFLAGS > > without forcefully disabling the automatic detection of stackprot. I need > > to do it for some archs (e.g. "-march=armv5t -mthumb") or even to change > > optimization levels. > > > > I figured that the simplest way to recover that functionality for me > > consists in using a dedicated variable to assign stack protector per > > supported architecure and concatenating it to the per-arch CFLAGS like > > this: > > > > diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile > > index 543555f4cbdc..bbce57420465 100644 > > --- a/tools/testing/selftests/nolibc/Makefile > > +++ b/tools/testing/selftests/nolibc/Makefile > > @@ -79,13 +79,13 @@ endif > > CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ > > $(call cc-option,-mstack-protector-guard=global) \ > > $(call cc-option,-fstack-protector-all) > > -CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) > > -CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) > > -CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) > > +CFLAGS_STKP_i386 = $(CFLAGS_STACKPROTECTOR) > > +CFLAGS_STKP_x86_64 = $(CFLAGS_STACKPROTECTOR) > > +CFLAGS_STKP_x86 = $(CFLAGS_STACKPROTECTOR) > > CFLAGS_s390 = -m64 > > CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ > > $(call cc-option,-fno-stack-protector) \ > > - $(CFLAGS_$(ARCH)) > > + $(CFLAGS_STKP_$(ARCH)) $(CFLAGS_$(ARCH)) > > LDFLAGS := -s > > > > help: > > > > And now with this it works again for me on all archs, with all of them > > showing "SKIPPED" for the -fstackprotector line except i386/x86_64 which > > show "OK". > > > > Are you OK with this approach ? And if so, do you want to respin it or > > do you want me to retrofit it into your 3 patches that introduce this > > change (it's easy enough so I really don't care) ? > > Looks good to me. > > If nothing else needs to be changed feel free to fix it up on your side. Perfect, will do it then. Thanks! Willy
diff --git a/tools/include/nolibc/arch-x86_64.h b/tools/include/nolibc/arch-x86_64.h index 17f6751208e7..f7f2a11d4c3b 100644 --- a/tools/include/nolibc/arch-x86_64.h +++ b/tools/include/nolibc/arch-x86_64.h @@ -181,6 +181,8 @@ struct sys_stat_struct { char **environ __attribute__((weak)); const unsigned long *_auxv __attribute__((weak)); +#define __ARCH_SUPPORTS_STACK_PROTECTOR + /* startup code */ /* * x86-64 System V ABI mandates: @@ -191,6 +193,9 @@ const unsigned long *_auxv __attribute__((weak)); void __attribute__((weak,noreturn,optimize("omit-frame-pointer"))) _start(void) { __asm__ volatile ( +#ifdef NOLIBC_STACKPROTECTOR + "call __stack_chk_init\n" // initialize stack protector +#endif "pop %rdi\n" // argc (first arg, %rdi) "mov %rsp, %rsi\n" // argv[] (second arg, %rsi) "lea 8(%rsi,%rdi,8),%rdx\n" // then a NULL then envp (third arg, %rdx) diff --git a/tools/testing/selftests/nolibc/Makefile b/tools/testing/selftests/nolibc/Makefile index 8f069ebdd124..543555f4cbdc 100644 --- a/tools/testing/selftests/nolibc/Makefile +++ b/tools/testing/selftests/nolibc/Makefile @@ -80,6 +80,8 @@ CFLAGS_STACKPROTECTOR = -DNOLIBC_STACKPROTECTOR \ $(call cc-option,-mstack-protector-guard=global) \ $(call cc-option,-fstack-protector-all) CFLAGS_i386 = $(CFLAGS_STACKPROTECTOR) +CFLAGS_x86_64 = $(CFLAGS_STACKPROTECTOR) +CFLAGS_x86 = $(CFLAGS_STACKPROTECTOR) CFLAGS_s390 = -m64 CFLAGS ?= -Os -fno-ident -fno-asynchronous-unwind-tables \ $(call cc-option,-fno-stack-protector) \