This brings more compiler hardening flags to the default QEMU build process. The proposed flags have already been adopted by default in the kernel build process. At some point it is hoped that distros might enable them globally, as they've done in the past with things like _FORTIFY_SOURCE. Meanwhile they are easy things to enable in QEMU which have negligible cost and clear benefits to hardening. Considering QEMU shows no signs of stoppping the flow of guest triggerable CVEs, investing in hardening is worthwhile. See the respective commit messages for details
I also tested enabling -ftrapv, to change signed integer overflow from wrapping, to trapping instead. This exposed a bug in the string-input-visitor which overflows when parsing ranges, and exposed the test-int128 code as (harmlessly) overflowing during its testing. Both can be fixed, but I'm not entirely sure whether -ftrapv is viable or not. I was wondering about TCG and whether it has a need to intentionally allow integer overflow for any of its instruction emulation requirements ? "make check" passes qtest but that's not sufficiently broad to make me comfortable. Thus I've not included an -ftrapv patch here. Daniel P. Berrangé (2): meson: mitigate against ROP exploits with -fzero-call-used-regs meson: mitigate against use of uninitialize stack for exploits meson.build | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) -- 2.41.0
