Re: [PATCH 5/7] configure: Unnest detection of -z,relro and -z,now

[Thomas Huth]

On 18/12/2019 04.19, Richard Henderson wrote:
> There is nothing about these options that is related to PIE.
> Nor is there anything that specifically ties them to each other.
> Use them unconditionally.
> 
> Signed-off-by: Richard Henderson <address@hidden>
> ---
>  configure | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
> 
> diff --git a/configure b/configure
> index 972ce7396f..f8981eec15 100755
> --- a/configure
> +++ b/configure
> @@ -2034,9 +2034,6 @@ if test "$pie" != "no" ; then
>      QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
>      LDFLAGS="-pie $LDFLAGS"
>      pie="yes"
> -    if compile_prog "" "-Wl,-z,relro -Wl,-z,now" ; then
> -      LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"
> -    fi
>    else
>      if test "$pie" = "yes"; then
>        error_exit "PIE not available due to missing toolchain support"
> @@ -2047,6 +2044,16 @@ if test "$pie" != "no" ; then
>    fi
>  fi
>  
> +# Detect support for DT_BIND_NOW.
> +if compile_prog "" "-Wl,-z,now" ; then
> +  LDFLAGS="-Wl,-z,now $LDFLAGS"
> +fi
> +
> +# Detect support for PT_GNU_RELRO.
> +if compile_prog "" "-Wl,-z,relro" ; then
> +  LDFLAGS="-Wl,-z,relro $LDFLAGS"
> +fi

Looking at
https://mudongliang.github.io/2016/07/11/relro-a-not-so-well-known-memory-corruption-mitigation-technique.html
the idea of specifying these two options together was likely to get
"Full RELRO" instead of only "Partial RELRO".
Thus, does it make sense to have "-Wl,-z,now" without "-Wl,-z,relro" in
QEMU? Or should this rather check whether both are possible, then use
both, otherwise just try to use "relro" alone?

 Thomas