From 103c00c8d74a1cd87686850212bd93c0e4d59fc9 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Wed, 11 Aug 2021 21:34:59 +0200 Subject: [PATCH] Add MEDIA_BUILD_HARDENING option Add MEDIA_BUILD_HARDENING option to allow the user to disable hardening options such as stack-protector-all or FORTIFY SOURCE 2 which are not always available (e.g. fortify source 2 is only available on glibc >= 6 and not musl/uclibc-ng) Patch sent upstream: https://github.com/intel/media-driver/pull/1242 Signed-off-by: Fabrice Fontaine Signed-off-by: Bernd Kuhls [Bernd: rebased for version 21.4.1] --- cmrtlib/linux/CMakeLists.txt | 14 ++++++++++---- .../cmake/linux/media_compile_flags_linux.cmake | 12 ++++++++++-- media_driver/media_top_cmake.cmake | 8 +++++++- 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/cmrtlib/linux/CMakeLists.txt b/cmrtlib/linux/CMakeLists.txt index 65f71ceef..b066138d9 100644 --- a/cmrtlib/linux/CMakeLists.txt +++ b/cmrtlib/linux/CMakeLists.txt @@ -32,12 +32,18 @@ else() endif() # Set up compile options that will be used for the Linux build -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all") -set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive") +set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing") set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all") -set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive") +set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing") set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0") +if(MEDIA_BUILD_HARDENING) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -fstack-protector-all") + set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -fstack-protector-all") + set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2") +endif() if(MEDIA_BUILD_FATAL_WARNINGS) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -Werror") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -Werror") diff --git a/media_driver/cmake/linux/media_compile_flags_linux.cmake b/media_driver/cmake/linux/media_compile_flags_linux.cmake index 7a2bd64b6..98896b131 100755 --- a/media_driver/cmake/linux/media_compile_flags_linux.cmake +++ b/media_driver/cmake/linux/media_compile_flags_linux.cmake @@ -47,7 +47,6 @@ set(MEDIA_COMPILER_FLAGS_COMMON # Other common flags -fmessage-length=0 -fvisibility=hidden - -fstack-protector -fdata-sections -ffunction-sections -Wl,--gc-sections @@ -64,6 +63,11 @@ set(MEDIA_COMPILER_FLAGS_COMMON -g ) +if(MEDIA_BUILD_HARDENING) + set(MEDIA_COMPILER_FLAGS_COMMON + ${MEDIA_COMPILER_FLAGS_COMMON} + -fstack-protector) +endif() if(${UFO_MARCH} STREQUAL "slm") set(MEDIA_COMPILER_FLAGS_COMMON @@ -119,9 +123,13 @@ if(${UFO_VARIANT} STREQUAL "default") set(MEDIA_COMPILER_FLAGS_RELEASE ${MEDIA_COMPILER_FLAGS_RELEASE} -O2 - -D_FORTIFY_SOURCE=2 -fno-omit-frame-pointer ) + if(MEDIA_BUILD_HARDENING) + set(MEDIA_COMPILER_FLAGS_RELEASE + ${MEDIA_COMPILER_FLAGS_RELEASE} + -D_FORTIFY_SOURCE=2) + endif() endif() if(NOT ${PLATFORM} STREQUAL "android") diff --git a/media_driver/media_top_cmake.cmake b/media_driver/media_top_cmake.cmake index f089ea45f..b0b428914 100755 --- a/media_driver/media_top_cmake.cmake +++ b/media_driver/media_top_cmake.cmake @@ -113,7 +113,13 @@ if(MEDIA_BUILD_FATAL_WARNINGS) set_target_properties(${LIB_NAME_OBJ} PROPERTIES COMPILE_FLAGS "-Werror") endif() -set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fstack-protector -fPIC") +set(MEDIA_LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fPIC") +option(MEDIA_BUILD_HARDENING "Enable hardening (stack-protector, fortify source)" ON) +if(MEDIA_BUILD_HARDENING) + set(MEDIA_LINK_FLAGS "${MEDIA_LINK_FLAGS} -fstack-protector") +endif() +set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS ${MEDIA_LINK_FLAGS}) + set_target_properties(${LIB_NAME} PROPERTIES PREFIX "") set_target_properties(${LIB_NAME_STATIC} PROPERTIES PREFIX "")