Consolidate security-related compiler flags (#9672)

Summary:
Update and extend the list of hardening-related compiler flags used by HHVM to better represent modern distro defaults.

* Convert the existing `ENABLE_SSP` build option into a new `ENABLE_HARDENING` option and put an updated list of security flags behind it. Both clang and GCC have been supporting these options for a while now, so we can set them irrespective of the compiler.
* Put PIE-related options behind a separate `ENABLE_PIE` build option so that we can produce and compare non-PIE and PIE builds once we fix compatibility with PIE.
* Forward `CMAKE_BUILD_TYPE` to vendored subprojects. Lack of this was causing the projects to be built without compiler optimizations, which doesn't play well with `FORTIFY_SOURCE`.

On systems with glibc >= 2.40, facebook/folly#2519 is needed for this option to work.

The overhead from these flags is likely to be limited, as many of them have been set by default for distribution packages for several years now.[1]

[1] https://github.com/jvoisin/compiler-flags-distro

Pull Request resolved: #9672

Reviewed By: Wilfred

Differential Revision: D87347762

fbshipit-source-id: cdfbf29184e6022999e89258d7fa3475c971e01a

Author: mszabo-wikia

CMake/HPHPCompiler.cmake

@@ -83,13 +83,45 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
   set(GDB_SUBOPTION)
 
   # Enable GCC/LLVM stack-smashing protection
-  if(ENABLE_SSP)
+  if(ENABLE_HARDENING)
     list(APPEND GENERAL_OPTIONS
+      # Enable stack protection and stack-clash protection.
       # This needs two dashes in the name, so put one here.
       "-param=ssp-buffer-size=4"
-      "pie"
-      "fPIC"
+      "fstack-protector-strong"
+      "fstack-clash-protection"
+
+      # Use hardened equivalents of various glibc functions
+      # to guard against buffer overflows.
+      "D_FORTIFY_SOURCE=3"
+
+      # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
+      "Wl,-z,relro,-z,now"
+      # Mark stack as non-executable.
+      "Wl,-z,noexecstack"
+      # Separate ELF code into its own segment.
+      "Wl,-z,separate-code"
     )
+
+    # Enable control-flow / branch protection.
+    if (IS_X64)
+      list(APPEND GENERAL_OPTIONS "fcf-protection")
+    elseif (IS_AARCH64)
+      list(APPEND GENERAL_OPTIONS "mbranch-protection=standard")
+    endif()
+
+    # Enable C++ standard library assertions.
+    if (CLANG_FORCE_LIBCPP)
+      list(APPEND GENERAL_CXX_OPTIONS "D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE")
+    else()
+      list(APPEND GENERAL_CXX_OPTIONS "D_GLIBCXX_ASSERTIONS")
+    endif()
+  endif()
+
+  if (ENABLE_PIE)
+    list(APPEND GENERAL_OPTIONS "pie" "fPIC")
+  else()
+    list(APPEND GENERAL_OPTIONS "no-pie")
   endif()
 
   if (IS_X64)
@@ -110,13 +142,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
       "unused-command-line-argument"
     )
 
-    # Enabled GCC/LLVM stack-smashing protection
-    if(ENABLE_SSP)
-      list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
-    else()
-      list(APPEND GENERAL_OPTIONS "no-pie")
-    endif()
-
     if(CLANG_FORCE_LIBCPP)
       list(APPEND GENERAL_CXX_OPTIONS "stdlib=libc++")
     endif()
@@ -150,15 +175,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
       "-param=large-unit-insns=10000"
     )
 
-    # Enabled GCC/LLVM stack-smashing protection
-    if(ENABLE_SSP)
-      if(LINUX)
-        # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
-        list(APPEND GENERAL_OPTIONS "Wl,-z,relro,-z,now")
-      endif()
-      list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
-    endif()
-
     # X64
     if(IS_X64)
       list(APPEND GENERAL_CXX_OPTIONS "mcrc32")

CMake/Options.cmake

@@ -1,7 +1,8 @@
 #set(CMAKE_BUILD_TYPE Debug)
 
 option(ALWAYS_ASSERT "Enabled asserts in a release build" OFF)
-option(ENABLE_SSP "Enabled GCC/LLVM stack-smashing protection" OFF)
+option(ENABLE_HARDENING "Set hardening flags and definitions, e.g. stack-smashing protection" OFF)
+option(ENABLE_PIE "Produce position-independent executables" OFF)
 option(STATIC_CXX_LIB "Statically link libstd++ and libgcc." OFF)
 option(ENABLE_AARCH64_CRC "Enable the use of CRC instructions" OFF)
 option(ENABLE_FASTCGI "Enable the FastCGI interface." ON)

third-party/brotli/CMakeLists.txt

@@ -15,6 +15,7 @@ ExternalProject_Add(
   bundled_brotli
   ${BROTLI_SOURCE_ARGS}
   CMAKE_ARGS
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR>
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib

third-party/libzip/CMakeLists.txt

@@ -46,6 +46,7 @@ ExternalProject_Add(
   -DBUILD_EXAMPLES=FALSE
   -DBUILD_DOC=FALSE
   -DBUILD_SHARED_LIBS=FALSE
+  -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
   -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
   -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR>

third-party/mcrouter/CMakeLists.txt

@@ -47,6 +47,7 @@ ExternalProject_Add(
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}
     -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
     -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS}
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 
     "-DCMAKE_OSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}"
     "-DBOOST_INCLUDE_DIR=$<TARGET_PROPERTY:boost,INTERFACE_INCLUDE_DIRECTORIES>"

third-party/timelib/CMakeLists.txt

@@ -34,6 +34,7 @@ ExternalProject_Add(
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
 
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}

third-party/watchman/CMakeLists.txt

@@ -26,6 +26,7 @@ ExternalProject_Add(
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
 
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}