[Buildroot] [PATCH 2/5] toolchain/toolchain-wrapper: add BR2_RELRO_FULL support

Matt Weber matthew.weber at rockwellcollins.com
Wed Aug 29 21:20:52 UTC 2018 

Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
---
 package/Makefile.in                  |  5 +++--
 toolchain/toolchain-wrapper-linker.c | 22 +++++++++++++++++++-
 toolchain/toolchain-wrapper.c        | 40 +++++++++++++++++++++++++++++++++++-
 toolchain/toolchain-wrapper.mk       |  4 ++++
 4 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/package/Makefile.in b/package/Makefile.in
index 14b3bbd..2e885bf 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -158,8 +158,9 @@ ifeq ($(BR2_RELRO_PARTIAL),y)
 TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
 else ifeq ($(BR2_RELRO_FULL),y)
-TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
-TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_HARDENED += $(TARGET_CFLAGS_RELRO_FULL)
+# -DBR_SET_PIE is used by the GCC wrapper to tell when linking
+TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO_FULL) -DBR_SET_PIE
 endif
 
 ifeq ($(BR2_FORTIFY_SOURCE_1),y)
diff --git a/toolchain/toolchain-wrapper-linker.c b/toolchain/toolchain-wrapper-linker.c
index b587fea..5e94e11 100644
--- a/toolchain/toolchain-wrapper-linker.c
+++ b/toolchain/toolchain-wrapper-linker.c
@@ -33,8 +33,10 @@ static char path[PATH_MAX];
  * one to the real compiler if the inverse option isn't in the argument list.
  * This specifies the worst case number of extra arguments we might pass
  * Currently, we may have:
+ * 	-pie
+ * 	-shared
  */
-#define EXCLUSIVE_ARGS	0
+#define EXCLUSIVE_ARGS	2
 
 static char *predef_args[] = {
 	path
@@ -185,6 +187,24 @@ int main(int argc, char **argv)
 	memcpy(cur, predef_args, sizeof(predef_args));
 	cur += sizeof(predef_args) / sizeof(predef_args[0]);
 
+#ifdef BR2_RELRO_FULL
+	for (i = 1; i < argc; i++) {
+		if (!strcmp(argv[i], "-static") ||
+		    !strcmp(argv[i], "-r"))
+			break;
+
+		if( !strcmp(argv[i], "-shared") ) {
+                    /* Setting the value to something so that the compiler
+                       doesn't error on a empty '' when -share is removed */
+		    argv[i] = "-DBR_moved_shared_before_pie";
+                    *cur++ = "-shared";
+                }
+	}
+
+	if (i == argc)
+		*cur++ = "-pie";
+#endif
+
 	paranoid_wrapper = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
 	if (paranoid_wrapper && strlen(paranoid_wrapper) > 0)
 		paranoid = 1;
diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
index c5eb813..6bea545 100644
--- a/toolchain/toolchain-wrapper.c
+++ b/toolchain/toolchain-wrapper.c
@@ -49,8 +49,11 @@ static char _date_[sizeof("-D__DATE__=\"MMM DD YYYY\"")];
  * 	-D__TIME__=
  * 	-D__DATE__=
  * 	-Wno-builtin-macro-redefined
+ * 	-fPIE
+ * 	-shared (if linking)
+ * 	-pie  (if linking)
  */
-#define EXCLUSIVE_ARGS	6
+#define EXCLUSIVE_ARGS	9
 
 static char *predef_args[] = {
 #ifdef BR_CCACHE
@@ -237,6 +240,7 @@ int main(int argc, char **argv)
 	char *paranoid_wrapper;
 	int paranoid;
 	int ret, i, count = 0, debug;
+        unsigned int gcc_using_link_flags = 0;
 
 	/* Calculate the relative paths */
 	basename = strrchr(progpath, '/');
@@ -363,6 +367,40 @@ int main(int argc, char **argv)
 		*cur++ = "-Wno-builtin-macro-redefined";
 	}
 
+#ifdef BR2_RELRO_FULL
+	/* Must handle combinations of compiler/link options */
+	for (i = 1; i < argc; i++) {
+		if (!strcmp(argv[i], "-r") ||
+		    !strcmp(argv[i], "-static") ||
+		    !strcmp(argv[i], "-fpie") ||
+		    !strcmp(argv[i], "-fPIE") ||
+		    !strcmp(argv[i], "-fpic") ||
+		    !strcmp(argv[i], "-fPIC") ||
+		    !strcmp(argv[i], "-fno-pic"))
+			break;
+
+                /* Find our define identifing LDFLAGS were provided */
+		if( !strcmp(argv[i], "-DBR_SET_PIE") )
+                    gcc_using_link_flags = 1;
+
+		if( !strcmp(argv[i], "-shared") ) {
+                    /* Setting the value to something so that the compiler
+                       doesn't error on a empty '' when -share is removed */
+		    argv[i] = "-DBR_moved_shared_before_pie";
+                    *cur++ = "-shared";
+                }
+
+	}
+
+	if (i == argc) {
+		*cur++ = "-fPIE";
+
+                /* Handle case where gcc is linking with LDFlags */
+		if( gcc_using_link_flags )
+                    *cur++ = "-pie";
+        }
+#endif
+
 	paranoid_wrapper = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
 	if (paranoid_wrapper && strlen(paranoid_wrapper) > 0)
 		paranoid = 1;
diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
index 3a4cbcd..b0e44b3 100644
--- a/toolchain/toolchain-wrapper.mk
+++ b/toolchain/toolchain-wrapper.mk
@@ -45,6 +45,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
 endif
 
+ifeq ($(BR2_RELRO_FULL),y)
+TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_FULL
+endif
+
 define TOOLCHAIN_WRAPPER_BUILD
 	$(HOSTCC) $(HOST_CFLAGS) $(TOOLCHAIN_WRAPPER_ARGS) \
 		-s -Wl,--hash-style=$(TOOLCHAIN_WRAPPER_HASH_STYLE) \
-- 
1.9.1

More information about the buildroot mailing list