ossf lazy

gcc.yaml

@@ -1,7 +1,7 @@
 package:
   name: gcc
   version: 14.2.0
-  epoch: 6
+  epoch: 7
   description: "the GNU compiler collection"
   copyright:
     - license: GPL-3.0-or-later WITH GCC-exception-3.1
@@ -50,6 +50,10 @@ pipeline:
       uri: https://ftp.gnu.org/gnu/gcc/gcc-${{package.version}}/gcc-${{package.version}}.tar.xz
       expected-sha512: 932bdef0cda94bacedf452ab17f103c0cb511ff2cec55e9112fc0328cbf1d803b42595728ea7b200e0a057c03e85626f937012e49a7515bc5dd256b2bf4bc396
 
+  - uses: patch
+    with:
+      patches: pr117739.patch
+
   - name: 'Set up build directory'
     runs: |
       mkdir build

gcc/pr117739.patch

@@ -0,0 +1,209 @@
+From: Marek Polacek <[email protected]>
+To: GCC Patches <[email protected]>
+Subject: [PATCH] driver: -fhardened and -z lazy/-z norelro [PR117739]
+Date: Tue, 26 Nov 2024 17:35:50 -0500
+Message-ID: <[email protected]>
+Content-Transfer-Encoding: 8bit
+content-type: text/plain; charset="US-ASCII"; x-default=true
+List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>
+List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/>
+List-Post: <mailto:[email protected]>
+
+As the manual states, using "-fhardened -fstack-protector" will produce
+a warning because -fhardened wants to enable -fstack-protector-strong,
+but it can't since it's been overriden by the weaker -fstack-protector.
+
+-fhardened also attempts to enable -Wl,-z,relro,-z,now.  By the same
+logic as above, "-fhardened -z norelro" or "-fhardened -z lazy" should
+produce the same warning.  But we don't detect this combination, so
+this patch fixes it.  I also renamed a variable to better reflect its
+purpose.
+
+Also don't check warn_hardened in process_command, since it's always
+true there.
+
+Also tweak wording in the manual as Jon Wakely suggested on IRC.
+
+	PR driver/117739
+
+gcc/ChangeLog:
+
+	* doc/invoke.texi: Tweak wording for -Whardened.
+	* gcc.cc (driver_handle_option): If -z lazy or -z norelro was
+	specified, don't enable linker hardening.
+	(process_command): Don't check warn_hardened.
+
+gcc/testsuite/ChangeLog:
+
+	* c-c++-common/fhardened-16.c: New test.
+	* c-c++-common/fhardened-17.c: New test.
+	* c-c++-common/fhardened-18.c: New test.
+	* c-c++-common/fhardened-19.c: New test.
+	* c-c++-common/fhardened-20.c: New test.
+	* c-c++-common/fhardened-21.c: New test.
+---
+ gcc/doc/invoke.texi                       |  4 ++--
+ gcc/gcc.cc                                | 20 ++++++++++++++------
+ gcc/testsuite/c-c++-common/fhardened-16.c |  5 +++++
+ gcc/testsuite/c-c++-common/fhardened-17.c |  5 +++++
+ gcc/testsuite/c-c++-common/fhardened-18.c |  5 +++++
+ gcc/testsuite/c-c++-common/fhardened-19.c |  5 +++++
+ gcc/testsuite/c-c++-common/fhardened-20.c |  5 +++++
+ gcc/testsuite/c-c++-common/fhardened-21.c |  5 +++++
+ 8 files changed, 46 insertions(+), 8 deletions(-)
+ create mode 100644 gcc/testsuite/c-c++-common/fhardened-16.c
+ create mode 100644 gcc/testsuite/c-c++-common/fhardened-17.c
+ create mode 100644 gcc/testsuite/c-c++-common/fhardened-18.c
+ create mode 100644 gcc/testsuite/c-c++-common/fhardened-19.c
+ create mode 100644 gcc/testsuite/c-c++-common/fhardened-20.c
+ create mode 100644 gcc/testsuite/c-c++-common/fhardened-21.c
+
+diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
+index 346ac1369b8..371f723539c 100644
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -7012,8 +7012,8 @@ This warning is enabled by @option{-Wall}.
+ Warn when @option{-fhardened} did not enable an option from its set (for
+ which see @option{-fhardened}).  For instance, using @option{-fhardened}
+ and @option{-fstack-protector} at the same time on the command line causes
+-@option{-Whardened} to warn because @option{-fstack-protector-strong} is
+-not enabled by @option{-fhardened}.
++@option{-Whardened} to warn because @option{-fstack-protector-strong} will
++not be enabled by @option{-fhardened}.
+
+ This warning is enabled by default and has effect only when @option{-fhardened}
+ is enabled.
+diff --git a/gcc/gcc.cc b/gcc/gcc.cc
+index 92c92996401..d2718d263bb 100644
+--- a/gcc/gcc.cc
++++ b/gcc/gcc.cc
+@@ -305,9 +305,10 @@ static size_t dumpdir_length = 0;
+    driver added to dumpdir after dumpbase or linker output name.  */
+ static bool dumpdir_trailing_dash_added = false;
+
+-/* True if -r, -shared, -pie, or -no-pie were specified on the command
+-   line.  */
+-static bool any_link_options_p;
++/* True if -r, -shared, -pie, -no-pie, -z lazy, or -z norelro were
++   specified on the command line, and therefore -fhardened should not
++   add -z now/relro.  */
++static bool avoid_linker_hardening_p;
+
+ /* True if -static was specified on the command line.  */
+ static bool static_p;
+@@ -4434,10 +4435,17 @@ driver_handle_option (struct gcc_options *opts,
+ 	    }
+ 	/* Record the part after the last comma.  */
+ 	add_infile (arg + prev, "*");
++	if (strcmp (arg, "-z,lazy") == 0 || strcmp (arg, "-z,norelro") == 0)
++	  avoid_linker_hardening_p = true;
+       }
+       do_save = false;
+       break;
+
++    case OPT_z:
++      if (strcmp (arg, "lazy") == 0 || strcmp (arg, "norelro") == 0)
++	avoid_linker_hardening_p = true;
++      break;
++
+     case OPT_Xlinker:
+       add_infile (arg, "*");
+       do_save = false;
+@@ -4642,7 +4650,7 @@ driver_handle_option (struct gcc_options *opts,
+     case OPT_r:
+     case OPT_shared:
+     case OPT_no_pie:
+-      any_link_options_p = true;
++      avoid_linker_hardening_p = true;
+       break;
+
+     case OPT_static:
+@@ -5026,7 +5034,7 @@ process_command (unsigned int decoded_options_count,
+   /* TODO: check if -static -pie works and maybe use it.  */
+   if (flag_hardened)
+     {
+-      if (!any_link_options_p && !static_p)
++      if (!avoid_linker_hardening_p && !static_p)
+ 	{
+ #if defined HAVE_LD_PIE && defined LD_PIE_SPEC
+ 	  save_switch (LD_PIE_SPEC, 0, NULL, /*validated=*/true, /*known=*/false);
+@@ -5045,7 +5053,7 @@ process_command (unsigned int decoded_options_count,
+ 	    }
+ 	}
+       /* We can't use OPT_Whardened yet.  Sigh.  */
+-      else if (warn_hardened)
++      else
+ 	warning_at (UNKNOWN_LOCATION, 0,
+ 		    "linker hardening options not enabled by %<-fhardened%> "
+ 		    "because other link options were specified on the command "
+diff --git a/gcc/testsuite/c-c++-common/fhardened-16.c b/gcc/testsuite/c-c++-common/fhardened-16.c
+new file mode 100644
+index 00000000000..7a50ad03e17
+--- /dev/null
++++ b/gcc/testsuite/c-c++-common/fhardened-16.c
+@@ -0,0 +1,5 @@
++/* PR driver/117739 */
++/* { dg-do compile { target *-*-linux* *-*-gnu* } } */
++/* { dg-options "-fhardened -O -Wl,-z,lazy -Whardened" } */
++
++/* { dg-warning "linker hardening options not enabled" "" { target *-*-* } 0 } */
+diff --git a/gcc/testsuite/c-c++-common/fhardened-17.c b/gcc/testsuite/c-c++-common/fhardened-17.c
+new file mode 100644
+index 00000000000..acef8c64a9f
+--- /dev/null
++++ b/gcc/testsuite/c-c++-common/fhardened-17.c
+@@ -0,0 +1,5 @@
++/* PR driver/117739 */
++/* { dg-do compile { target *-*-linux* *-*-gnu* } } */
++/* { dg-options "-fhardened -O -z lazy -Whardened" } */
++
++/* { dg-warning "linker hardening options not enabled" "" { target *-*-* } 0 } */
+diff --git a/gcc/testsuite/c-c++-common/fhardened-18.c b/gcc/testsuite/c-c++-common/fhardened-18.c
+new file mode 100644
+index 00000000000..1a9a34bd7d8
+--- /dev/null
++++ b/gcc/testsuite/c-c++-common/fhardened-18.c
+@@ -0,0 +1,5 @@
++/* PR driver/117739 */
++/* { dg-do compile { target *-*-linux* *-*-gnu* } } */
++/* { dg-options "-Wl,-z,lazy -fhardened -O -Whardened" } */
++
++/* { dg-warning "linker hardening options not enabled" "" { target *-*-* } 0 } */
+diff --git a/gcc/testsuite/c-c++-common/fhardened-19.c b/gcc/testsuite/c-c++-common/fhardened-19.c
+new file mode 100644
+index 00000000000..a871702fd2d
+--- /dev/null
++++ b/gcc/testsuite/c-c++-common/fhardened-19.c
+@@ -0,0 +1,5 @@
++/* PR driver/117739 */
++/* { dg-do compile { target *-*-linux* *-*-gnu* } } */
++/* { dg-options "-z lazy -fhardened -O -Whardened" } */
++
++/* { dg-warning "linker hardening options not enabled" "" { target *-*-* } 0 } */
+diff --git a/gcc/testsuite/c-c++-common/fhardened-20.c b/gcc/testsuite/c-c++-common/fhardened-20.c
+new file mode 100644
+index 00000000000..c9f2d89e653
+--- /dev/null
++++ b/gcc/testsuite/c-c++-common/fhardened-20.c
+@@ -0,0 +1,5 @@
++/* PR driver/117739 */
++/* { dg-do compile { target *-*-linux* *-*-gnu* } } */
++/* { dg-options "-fhardened -O -Wl,-z,norelro -Whardened" } */
++
++/* { dg-warning "linker hardening options not enabled" "" { target *-*-* } 0 } */
+diff --git a/gcc/testsuite/c-c++-common/fhardened-21.c b/gcc/testsuite/c-c++-common/fhardened-21.c
+new file mode 100644
+index 00000000000..07b7ee10e04
+--- /dev/null
++++ b/gcc/testsuite/c-c++-common/fhardened-21.c
+@@ -0,0 +1,5 @@
++/* PR driver/117739 */
++/* { dg-do compile { target *-*-linux* *-*-gnu* } } */
++/* { dg-options "-fhardened -O -z norelro -Whardened" } */
++
++/* { dg-warning "linker hardening options not enabled" "" { target *-*-* } 0 } */
+
+base-commit: 3e2a1b268cf1f8994a63c85412154f01e1a8c7d8
+-- 
+2.47.0
+

pipelines/test/compiler-hardening-check.yaml

@@ -45,6 +45,11 @@ pipeline:
       out=$(./hello-disabled 1 || true)
       [ "$out" = "hello-c" ]
 
+      # Compile without bind now (gcc 14+ specific test)
+      GCC_SPEC_FILE=/dev/null ${{inputs.cc}} -fhardened -Wl,-z,lazy -v -o hello-lazy hello.c || cp hello-disabled hello-lazy
+      out=$(./hello-lazy 1 || true)
+      [ "$out" = "hello-c" ]
+
       arch_skip=
       # full cfprotection is x86 only for now
       if [ "${{build.arch}}" = "aarch64" ]; then
@@ -54,5 +59,8 @@ pipeline:
       # Test disabling hardening flags
       hardening-check --nostackprotector $arch_skip ${{inputs.args}} --color hello-disabled && exit 1
 
+      # Test disabling bindnow
+      hardening-check --nostackprotector $arch_skip ${{inputs.args}} --color hello-lazy && exit 1
+
       # Test default build
       hardening-check --nostackprotector $arch_skip ${{inputs.args}} --color hello-default