From: Nick Clifton
To: binutils@sourceware.org
Subject: RFC: Turning executable stack warnings into errors
Date: Wed, 18 Oct 2023 11:44:49 +0100
Message-ID: <87jzrkjjku.fsf@redhat.com>

Hi Guys,

  I am working on a patch to turn the linker's warning messages about executable stacks into errors. My intent is to use this to force programs that currently do have an executable stack to either change or deliberately disable the errors from the linker. The plan is to then use this feature to help improve the security of Fedora binaries.

  I realise that the --fatal-warnings option could basically do the same thing, but that might be problematic for builds where some linker warnings are inevitable and can be safely ignored. Hence I decided on a new command line option instead.

  The patch currently has these features:

    * The change is configurable, but not on by default.

    * There are new command line options to turn the feature on and off as well as an option to only generate warnings (or errors) if an object file requests an executable stack, and not if one is requested via the '-z execstack' command line option.

    * A similar change is also made for the executable segments warning, creating the ability to turn it into an error as well.

    * Since linker errors cannot be ignored when running the linker testsuite the patch also needs to enhance a fair number of tests so that they do not fail if run with a linker configured to generate errors by default.

  Patch attached below. Any comments?

Cheers
  Nick

diff --git a/bfd/elf.c b/bfd/elf.c index b5b0c69e097..bca7654053a 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -7010,6 +7010,9 @@ assign_file_positions_except_relocs (bfd *abfd, { if (link_info != NULL && ! link_info->no_warn_rwx_segments) { + bool warned_tls = false; + bool warned_rwx = false; + /* Memory resident segments with non-zero size and RWX permissions are a security risk, so we generate a warning here if we are creating any. */ 
@@ -7022,16 +7025,47 @@ assign_file_positions_except_relocs (bfd *abfd, if (phdr->p_memsz == 0) continue; - if (phdr->p_type == PT_TLS && (phdr->p_flags & PF_X)) - _bfd_error_handler (_("warning: %pB has a TLS segment" - " with execute permission"), - abfd); - else if (phdr->p_type == PT_LOAD + if (! warned_tls + && phdr->p_type == PT_TLS + && (phdr->p_flags & PF_X)) + { + if (link_info->warn_is_error_for_rwx_segments) + { + _bfd_error_handler (_("\ +error: %pB has a TLS segment with execute permission"), + abfd); + return false; + } + + _bfd_error_handler (_("\ +warning: %pB has a TLS segment with execute permission"), + abfd); + if (warned_rwx) + break; + + warned_tls = true; + } + else if (! warned_rwx + && phdr->p_type == PT_LOAD && ((phdr->p_flags & (PF_R | PF_W | PF_X)) == (PF_R | PF_W | PF_X))) - _bfd_error_handler (_("warning: %pB has a LOAD segment" - " with RWX permissions"), - abfd); + { + if (link_info->warn_is_error_for_rwx_segments) + { + _bfd_error_handler (_("\ +error: %pB has a LOAD segment with RWX permissions"), + abfd); + return false; + } + + _bfd_error_handler (_("\ +warning: %pB has a LOAD segment with RWX permissions"), + abfd); + if (warned_tls) + break; + + warned_rwx = true; + } } } diff --git a/bfd/elflink.c b/bfd/elflink.c index 99f4cdd5527..49ea222ec77 100644 --- a/bfd/elflink.c +++ b/bfd/elflink.c @@ -7152,9 +7152,20 @@ bfd_elf_size_dynamic_sections (bfd *output_bfd, /* If the user has explicitly requested warnings, then generate one even though the choice is the result of another command line option. */ if (info->warn_execstack == 1) - _bfd_error_handler - (_("\ + { + if (info->error_execstack) + { + _bfd_error_handler + (_("\ +error: creating an executable stack because of -z execstack command line option")); + return false; + } + + _bfd_error_handler + (_("\ warning: enabling an executable stack because of -z execstack command line option")); + } + elf_stack_flags (output_bfd) = PF_R | PF_W | PF_X; } else if (info->noexecstack) 
@@ -7210,11 +7221,29 @@ warning: enabling an executable stack because of -z execstack command line optio being enabled despite the fact that it was not requested on the command line. */ if (noteobj) - _bfd_error_handler (_("\ + { + if (info->error_execstack) + { + _bfd_error_handler (_("\ +error: %s: is triggering the generation of an executable stack (because it has an executable .note.GNU-stack section)"), + bfd_get_filename (noteobj)); + return false; + } + + _bfd_error_handler (_("\ warning: %s: requires executable stack (because the .note.GNU-stack section is executable)"), bfd_get_filename (noteobj)); + } else if (emptyobj) { + if (info->error_execstack) + { + _bfd_error_handler (_("\ +error: %s: is triggering the generation of an executable stack because it does not have a .note.GNU-stack section"), + bfd_get_filename (emptyobj)); + return false; + } + _bfd_error_handler (_("\ warning: %s: missing .note.GNU-stack section implies executable stack"), bfd_get_filename (emptyobj)); diff --git a/include/bfdlink.h b/include/bfdlink.h index 840790a298c..8882257c632 100644 --- a/include/bfdlink.h +++ b/include/bfdlink.h 
@@ -484,26 +484,49 @@ struct bfd_link_info --dynamic-list command line options. */ unsigned int dynamic: 1; - /* TRUE if PT_GNU_STACK segment should be created with PF_R|PF_W|PF_X - flags. */ + /* Set if the "-z execstack" option has been used to request that a + PT_GNU_STACK segment should be created with PF_R, PF_W and PF_X + flags set. + + Note - if performing a relocatable link then a .note.GNU-stack + section will be created instead, if one does not exist already. + The section will have the SHF_EXECINSTR flag bit set. */ unsigned int execstack: 1; - /* TRUE if PT_GNU_STACK segment should be created with PF_R|PF_W - flags. */ + /* Set if the "-z noexecstack" option has been used to request that a + PT_GNU_STACK segment should be created with PF_R and PF_W flags. Or + a non-executable .note.GNU-stack section for relocateable links. + + Note - this flag is not quite orthogonal to execstack, since both + of these flags can be 0. In this case a stack segment can still + be created, but it will only have the PF_X flag bit set if one or + more of the input files contains a .note.GNU-stack section with the + SHF_EXECINSTR flag bit set, or if the default behaviour for the + architecture is to create executable stacks. + + The execstack and noexecstack flags should never both be 1. */ unsigned int noexecstack: 1; /* Tri-state variable: 0 => do not warn when creating an executable stack. - 1 => always warn when creating an executable stack. - >1 => warn when creating an executable stack if execstack is 0. */ + 1 => always warn when creating an executable stack (for any reason). + 2 => only warn when an executable stack has been requested an object + file and execstack is 0 or noexecstack is 1. + 3 => not used. */ unsigned int warn_execstack: 2; + /* TRUE if a warning generated because of warn_execstack should be instead + be treated as an error. 
*/ + unsigned int error_execstack: 1; - /* TRUE if warnings should not be generated for TLS segments with eXecute + /* TRUE if warnings should NOT be generated for TLS segments with eXecute permission or LOAD segments with RWX permissions. */ unsigned int no_warn_rwx_segments: 1; /* TRUE if the user gave either --warn-rwx-segments or - --no-warn-rwx-segments. */ + --no-warn-rwx-segments on the linker command line. */ unsigned int user_warn_rwx_segments: 1; + /* TRUE if warnings generated when no_warn_rwx_segements is 0 should + instead be treated as errors. */ + unsigned int warn_is_error_for_rwx_segments: 1; /* TRUE if the stack can be made executable because of the absence of a .note.GNU-stack section in an input file. Note - even if this field diff --git a/ld/NEWS b/ld/NEWS index 4b990c755f4..6671b65c27b 100644 --- a/ld/NEWS +++ b/ld/NEWS @@ -1,5 +1,14 @@ -*- text -*- +* Added --warn-execstack-objects to warn about executable stacks only when an + input object file requests one. Also added --error-execstack and + --error-rxw-segments options to convert warnings about executable stacks and + segments into errors. + + Also added --enable-error-execstack=[yes|no] and + --enable-error-rwx-segments=[yes|no] configure options to set the default for + converting warnings into errors. + Changes in 2.41: * Add support for the KVX instruction set. diff --git a/ld/config.in b/ld/config.in index a453c7f7241..e3a983fe3b0 100644 --- a/ld/config.in +++ b/ld/config.in 
@@ -19,6 +19,14 @@ /* Define if you want compressed debug sections by default. */ #undef DEFAULT_FLAG_COMPRESS_DEBUG +/* Define to 1 if you want to turn executable stack warnings into errors by + default. */ +#undef DEFAULT_LD_ERROR_EXECSTACK + +/* Define to 1 if you want to turn executable segment warnings into errors by + default. */ +#undef DEFAULT_LD_ERROR_RWX_SEGMENTS + /* Define to 0 if you want to disable the generation of an executable stack when a .note-GNU-stack section is missing. */ #undef DEFAULT_LD_EXECSTACK diff --git a/ld/configure b/ld/configure index d2cdf256b89..46d9f3c7111 100755 --- a/ld/configure +++ b/ld/configure @@ -847,7 +847,9 @@ enable_relro enable_textrel_check enable_separate_code enable_warn_execstack +enable_error_execstack enable_warn_rwx_segments +enable_error_rwx_segments enable_default_execstack enable_error_handling_script enable_default_hash_style @@ -1534,9 +1536,13 @@ Optional Features: enable DT_TEXTREL check in ELF linker --enable-separate-code enable -z separate-code in ELF linker by default --enable-warn-execstack enable warnings when creating an executable stack + --enable-error-execstack + turn executable stack warnings into errors --enable-warn-rwx-segments enable warnings when creating segments with RWX permissions + --enable-error-rwx-segments + turn executable segment warnings into errors --enable-default-execstack create an executable stack if an input file is missing a .note.GNU-stack section @@ -11655,7 +11661,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 11658 "configure" +#line 11664 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11761,7 +11767,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 11764 "configure" +#line 11770 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -15669,6 +15675,16 @@ esac fi +ac_default_ld_error_execstack=0 +# Check whether --enable-error-execstack was given. +if test "${enable_error_execstack+set}" = set; then : + enableval=$enable_error_execstack; case "${enableval}" in + yes) ac_default_ld_error_execstack=1 ;; + no) ac_default_ld_error_execstack=0 ;; +esac +fi + + ac_default_ld_warn_rwx_segments=unset # Check whether --enable-warn-rwx-segments was given. if test "${enable_warn_rwx_segments+set}" = set; then : @@ -15679,6 +15695,16 @@ esac fi +ac_default_ld_error_rwx_segments=0 +# Check whether --enable-error-rwx-segments was given. +if test "${enable_error_rwx_segments+set}" = set; then : + enableval=$enable_error_rwx_segments; case "${enableval}" in + yes) ac_default_ld_error_rwx_segments=1 ;; + no) ac_default_ld_error_rwx_segments=0 ;; +esac +fi + + ac_default_ld_default_execstack=unset # Check whether --enable-default-execstack was given. if test "${enable_default_execstack+set}" = set; then : @@ -17444,6 +17470,12 @@ cat >>confdefs.h <<_ACEOF _ACEOF + +cat >>confdefs.h <<_ACEOF +#define DEFAULT_LD_ERROR_EXECSTACK $ac_default_ld_error_execstack +_ACEOF + + if test "${ac_default_ld_warn_rwx_segments}" = unset; then ac_default_ld_warn_rwx_segments=1 fi @@ -17453,6 +17485,12 @@ cat >>confdefs.h <<_ACEOF _ACEOF + +cat >>confdefs.h <<_ACEOF +#define DEFAULT_LD_ERROR_RWX_SEGMENTS $ac_default_ld_error_rwx_segments +_ACEOF + + if test "${ac_default_ld_default_execstack}" = unset; then ac_default_ld_default_execstack=1 fi diff --git a/ld/configure.ac b/ld/configure.ac index c3ebd3ec7e4..cdac7bb0d74 100644 --- a/ld/configure.ac +++ b/ld/configure.ac 
@@ -225,6 +225,15 @@ AC_ARG_ENABLE(warn-execstack, no) ac_default_ld_warn_execstack=0 ;; esac]) +ac_default_ld_error_execstack=0 +AC_ARG_ENABLE(error-execstack, + AS_HELP_STRING([--enable-error-execstack], + [turn executable stack warnings into errors]), +[case "${enableval}" in + yes) ac_default_ld_error_execstack=1 ;; + no) ac_default_ld_error_execstack=0 ;; +esac]) + ac_default_ld_warn_rwx_segments=unset AC_ARG_ENABLE(warn-rwx-segments, AS_HELP_STRING([--enable-warn-rwx-segments], @@ -234,6 +243,15 @@ AC_ARG_ENABLE(warn-rwx-segments, no) ac_default_ld_warn_rwx_segments=0 ;; esac]) +ac_default_ld_error_rwx_segments=0 +AC_ARG_ENABLE(error-rwx-segments, + AS_HELP_STRING([--enable-error-rwx-segments], + [turn executable segment warnings into errors]), +[case "${enableval}" in + yes) ac_default_ld_error_rwx_segments=1 ;; + no) ac_default_ld_error_rwx_segments=0 ;; +esac]) + ac_default_ld_default_execstack=unset AC_ARG_ENABLE(default-execstack, AS_HELP_STRING([--enable-default-execstack], @@ -549,6 +567,10 @@ AC_DEFINE_UNQUOTED(DEFAULT_LD_WARN_EXECSTACK, $ac_default_ld_warn_execstack, [Define to 1 if you want to enable --warn-execstack in ELF linker by default.]) +AC_DEFINE_UNQUOTED(DEFAULT_LD_ERROR_EXECSTACK, + $ac_default_ld_error_execstack, + [Define to 1 if you want to turn executable stack warnings into errors by default.]) + if test "${ac_default_ld_warn_rwx_segments}" = unset; then ac_default_ld_warn_rwx_segments=1 fi @@ -556,6 +578,10 @@ AC_DEFINE_UNQUOTED(DEFAULT_LD_WARN_RWX_SEGMENTS, $ac_default_ld_warn_rwx_segments, [Define to 0 if you want to disable --warn-rwx-segments in ELF linker by default.]) +AC_DEFINE_UNQUOTED(DEFAULT_LD_ERROR_RWX_SEGMENTS, + $ac_default_ld_error_rwx_segments, + [Define to 1 if you want to turn executable segment warnings into errors by default.]) + if test "${ac_default_ld_default_execstack}" = unset; then ac_default_ld_default_execstack=1 fi 
diff --git a/ld/emultempl/elf.em b/ld/emultempl/elf.em index 1c5030d5e1c..0fb6226787f 100644 --- a/ld/emultempl/elf.em +++ b/ld/emultempl/elf.em @@ -95,6 +95,8 @@ fragment <
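Review bot: In the bfd/elf.c loop in assign_file_positions_except_relocs, the error path does "return false" on the first offending segment, so an output that has both an executable TLS segment and an RWX LOAD segment reports only one of them and the user has to relink to find the other. Consider recording a failure flag inside the loop, letting both checks run, and returning false after the loop. Separately, the new warned_tls / warned_rwx flags reduce the warning path to one message per kind, where the removed code warned for every matching segment; that change in output is not mentioned in the cover text and deserves a line in the commit message.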
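Review bot: In the first bfd/elflink.c hunk, the new error for "-z execstack" sits inside "if (info->warn_execstack == 1)", so error_execstack has no effect when warn_execstack is 0 or 2 and the link still sets PF_R | PF_W | PF_X silently. That matches the bfdlink.h comment on error_execstack, but it is easy to misread on the command line: either document in ld/NEWS and the manual that --error-execstack only acts on warnings that would have been issued, or have the option imply the corresponding warning setting.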
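Review bot: In the second bfd/elflink.c hunk, the error strings read "error: %s: is triggering the generation of an executable stack ...", which prints a stray colon between the file name and the verb and uses different wording from the matching warnings ("requires executable stack", "missing .note.GNU-stack section implies executable stack"). Keeping the warning text and changing only the "warning:" prefix to "error:" would keep the two paths consistent for anyone matching on the message, including the testsuite changes the cover text mentions.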
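Review bot: The new comments in include/bfdlink.h have several slips that are worth fixing before this lands, since they document the flag semantics: "has been requested an object file" is missing "by", "should be instead be treated as an error" has a doubled "be", "no_warn_rwx_segements" misspells the field name no_warn_rwx_segments, and "relocateable" should be "relocatable". The warn_execstack comment for value 2 also says "execstack is 0 or noexecstack is 1", which is worth checking against the code that tests it, because the removed comment only mentioned "execstack is 0".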
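Review bot: The ld/NEWS entry spells the new option "--error-rxw-segments", while the configure option in the same entry is "--enable-error-rwx-segments" and the bfd_link_info field is warn_is_error_for_rwx_segments. Assuming the command line option follows the existing --warn-rwx-segments spelling, the NEWS text should read "--error-rwx-segments".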
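Review bot: In ld/configure.ac, the two new AC_ARG_ENABLE blocks handle only "yes" and "no" in their case statements, so a value such as --enable-error-execstack=1 is accepted and silently leaves ac_default_ld_error_execstack at 0. Since this option is meant to enforce a distribution hardening policy, a "*)" arm that calls AC_MSG_ERROR on an unrecognised value would stop a mistyped configure line from quietly producing a linker with the check disabled.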