[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] tools: work around collision of -O0 and -D_FORTIFY_SOURCE



commit 001324547356af86875fad5003f679571a6b8f1c
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Thu Feb 5 16:28:56 2015 +0000
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Fri Feb 6 17:26:30 2015 +0000

    tools: work around collision of -O0 and -D_FORTIFY_SOURCE
    
    Some systems have python-config include -D_FORTIFY_SOURCE in the
    CFLAGS.  But -D_FORTIFY_SOURCE does not (currently) work with -O0, and
    -O0 is enabled in debug builds (since 1166ecf781).  As a result, on
    those systems, debug builds fail.
    
    Work around this problem as follows:
     * In configure, detect -D_FORTIFY_SOURCE in $(python-config --cflags)
     * If detected, set the new autoconf substitution and make variable
       PY_NOOPT_CFLAGS to -O1.
     * In tools/Rules.mk, where we add -O0, also add PY_NOOPT_CFLAGS
       (which will override the -O0 with -O1 if required).
    
    Overriding the -O0 is better than disabling Fortify because the
    latter might have an adverse security impact.  A user who wants to
    disable optimisation completely even for Python and also disable
    Fortify can set the environment variable
        EXTRA_CFLAGS_XEN_TOOLS='-U_FORTIFY_SOURCE -O0'
    
    Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
    Reported-by: Jan Beulich <JBeulich@xxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    CC: Jan Beulich <JBeulich@xxxxxxxx>
    CC: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
    CC: Euan Harris <euan.harris@xxxxxxxxxx>
    CC: Wei Liu <wei.liu2@xxxxxxxxxx>
    CC: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
    Tested-by: Don Slutz <dslutz@xxxxxxxxxxx>
---
 config/Tools.mk.in         |    1 +
 m4/python_fortify_noopt.m4 |   31 +++++++++++++++++++++++++++++++
 tools/Rules.mk             |    2 ++
 tools/configure            |   39 +++++++++++++++++++++++++++++++++++++++
 tools/configure.ac         |    2 ++
 tools/pygrub/Makefile      |    6 ++++--
 tools/python/Makefile      |    6 ++++--
 7 files changed, 83 insertions(+), 4 deletions(-)

diff --git a/config/Tools.mk.in b/config/Tools.mk.in
index 30267fa..e7da99d 100644
--- a/config/Tools.mk.in
+++ b/config/Tools.mk.in
@@ -13,6 +13,7 @@ BISON               := @BISON@
 FLEX                := @FLEX@
 PYTHON              := @PYTHON@
 PYTHON_PATH         := @PYTHONPATH@
+PY_NOOPT_CFLAGS     := @PY_NOOPT_CFLAGS@
 PERL                := @PERL@
 CURL_CONFIG         := @CURL@
 XML2_CONFIG         := @XML@
diff --git a/m4/python_fortify_noopt.m4 b/m4/python_fortify_noopt.m4
new file mode 100644
index 0000000..f9cb52b
--- /dev/null
+++ b/m4/python_fortify_noopt.m4
@@ -0,0 +1,31 @@
+dnl Defines PY_NOOPT_CFLAGS to either '' or -O1
+dnl
+
+dnl This is necessary because on some systems setup.py includes
+dnl -D_FORTIFY_SOURCE but have a -D_FORTIFY_SOURCE which breaks
+dnl with -O0.  On those systems we arrange to use -O1 for debug
+dnl builds instead.
+
+AC_DEFUN([AX_CHECK_PYTHON_FORTIFY_NOOPT], [
+    AC_CACHE_CHECK([whether Python setup.py brokenly enables 
-D_FORTIFY_SOURCE],
+                   [ax_cv_python_fortify],[
+        ax_cv_python_fortify=no
+        for arg in $($PYTHON-config --cflags); do
+            case "$arg" in
+            -D_FORTIFY_SOURCE=0) ax_cv_python_fortify=no ;;
+            -D_FORTIFY_SOURCE=*) ax_cv_python_fortify=yes ;;
+            -Wp,-D_FORTIFY_SOURCE=0) ax_cv_python_fortify=no ;;
+            -Wp,-D_FORTIFY_SOURCE=*) ax_cv_python_fortify=yes ;;
+            *) ;;
+            esac
+        done
+    ])
+
+    AS_IF([test x$ax_cv_python_fortify = xyes],[
+        PY_NOOPT_CFLAGS=-O1
+    ], [
+        PY_NOOPT_CFLAGS=''
+    ])
+
+    AC_SUBST(PY_NOOPT_CFLAGS)
+])
diff --git a/tools/Rules.mk b/tools/Rules.mk
index 74cf37e..3c29d07 100644
--- a/tools/Rules.mk
+++ b/tools/Rules.mk
@@ -57,6 +57,8 @@ SHLIB_libxenvchan  = -Wl,-rpath-link=$(XEN_LIBVCHAN)
 ifeq ($(debug),y)
 # Disable optimizations and enable debugging information for macros
 CFLAGS += -O0 -g3
+# But allow an override to -O0 in case Python enforces -D_FORTIFY_SOURCE=<n>.
+PY_CFLAGS += $(PY_NOOPT_CFLAGS)
 endif
 
 LIBXL_BLKTAP ?= $(CONFIG_BLKTAP2)
diff --git a/tools/configure b/tools/configure
index ab04e8c..e7dac75 100755
--- a/tools/configure
+++ b/tools/configure
@@ -652,6 +652,7 @@ PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
 CURSES_LIBS
+PY_NOOPT_CFLAGS
 EGREP
 GREP
 CPP
@@ -3453,6 +3454,10 @@ esac
 
 
 
+
+
+
+
 # pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
 # serial 1 (pkg-config-0.24)
 #
@@ -7043,6 +7048,40 @@ CPPFLAGS=$ac_previous_cppflags
 LDLFAGS=$ac_previous_ldflags
 
 
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether Python setup.py 
brokenly enables -D_FORTIFY_SOURCE" >&5
+$as_echo_n "checking whether Python setup.py brokenly enables 
-D_FORTIFY_SOURCE... " >&6; }
+if ${ax_cv_python_fortify+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+        ax_cv_python_fortify=no
+        for arg in $($PYTHON-config --cflags); do
+            case "$arg" in
+            -D_FORTIFY_SOURCE=0) ax_cv_python_fortify=no ;;
+            -D_FORTIFY_SOURCE=*) ax_cv_python_fortify=yes ;;
+            -Wp,-D_FORTIFY_SOURCE=0) ax_cv_python_fortify=no ;;
+            -Wp,-D_FORTIFY_SOURCE=*) ax_cv_python_fortify=yes ;;
+            *) ;;
+            esac
+        done
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_python_fortify" >&5
+$as_echo "$ax_cv_python_fortify" >&6; }
+
+    if test x$ax_cv_python_fortify = xyes; then :
+
+        PY_NOOPT_CFLAGS=-O1
+
+else
+
+        PY_NOOPT_CFLAGS=''
+
+fi
+
+
+
+
 fi
 
 if ! $rump; then
diff --git a/tools/configure.ac b/tools/configure.ac
index d9cbf1f..03dadd7 100644
--- a/tools/configure.ac
+++ b/tools/configure.ac
@@ -58,6 +58,7 @@ m4_include([../m4/checkpolicy.m4])
 m4_include([../m4/set_cflags_ldflags.m4])
 m4_include([../m4/python_version.m4])
 m4_include([../m4/python_devel.m4])
+m4_include([../m4/python_fortify_noopt.m4])
 m4_include([../m4/ocaml.m4])
 m4_include([../m4/uuid.m4])
 m4_include([../m4/pkg.m4])
@@ -295,6 +296,7 @@ AX_CHECK_PYTHON_VERSION([2], [3])
 
 AS_IF([test "$cross_compiling" != yes], [
     AX_CHECK_PYTHON_DEVEL()
+    AX_CHECK_PYTHON_FORTIFY_NOOPT()
 ])
 
 if ! $rump; then
diff --git a/tools/pygrub/Makefile b/tools/pygrub/Makefile
index 6fd194c..00e654a 100644
--- a/tools/pygrub/Makefile
+++ b/tools/pygrub/Makefile
@@ -2,15 +2,17 @@
 XEN_ROOT = $(CURDIR)/../..
 include $(XEN_ROOT)/tools/Rules.mk
 
+PY_CFLAGS = $(CFLAGS) $(PY_NOOPT_CFLAGS) $(APPEND_LDFLAGS)
+
 .PHONY: all
 all: build
 .PHONY: build
 build:
-       CC="$(CC)" CFLAGS="$(CFLAGS) $(APPEND_LDFLAGS)" $(PYTHON) setup.py build
+       CC="$(CC)" CFLAGS="$(PY_CFLAGS)" $(PYTHON) setup.py build
 
 .PHONY: install
 install: all
-       CC="$(CC)" CFLAGS="$(CFLAGS) $(APPEND_LDFLAGS)" $(PYTHON) setup.py 
install \
+       CC="$(CC)" CFLAGS="$(PY_CFLAGS)" $(PYTHON) setup.py install \
                $(PYTHON_PREFIX_ARG) --root="$(DESTDIR)" \
                --install-scripts=$(LIBEXEC_BIN) --force
        set -e; if [ $(BINDIR) != $(LIBEXEC_BIN) -a \
diff --git a/tools/python/Makefile b/tools/python/Makefile
index af95119..e933be8 100644
--- a/tools/python/Makefile
+++ b/tools/python/Makefile
@@ -4,6 +4,8 @@ include $(XEN_ROOT)/tools/Rules.mk
 .PHONY: all
 all: build
 
+PY_CFLAGS = $(CFLAGS) $(PY_NOOPT_CFLAGS) $(LDFLAGS) $(APPEND_LDFLAGS)
+
 .PHONY: build
 build: genwrap.py $(XEN_ROOT)/tools/libxl/libxl_types.idl \
                $(XEN_ROOT)/tools/libxl/idl.py
@@ -11,11 +13,11 @@ build: genwrap.py $(XEN_ROOT)/tools/libxl/libxl_types.idl \
                $(XEN_ROOT)/tools/libxl/libxl_types.idl \
                xen/lowlevel/xl/_pyxl_types.h \
                xen/lowlevel/xl/_pyxl_types.c
-       CC="$(CC)" CFLAGS="$(CFLAGS) $(LDFLAGS) $(APPEND_LDFLAGS)" $(PYTHON) 
setup.py build
+       CC="$(CC)" CFLAGS="$(PY_CFLAGS)" $(PYTHON) setup.py build
 
 .PHONY: install
 install:
-       CC="$(CC)" CFLAGS="$(CFLAGS) $(LDFLAGS) $(APPEND_LDFLAGS)" $(PYTHON) 
setup.py install \
+       CC="$(CC)" CFLAGS="$(PY_CFLAGS)" $(PYTHON) setup.py install \
                $(PYTHON_PREFIX_ARG) --root="$(DESTDIR)" --force
 
 .PHONY: test
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.