From 029f1b451e976f145fb4574225172b7f1701fc17 Mon Sep 17 00:00:00 2001 From: ohair Date: Wed, 16 Feb 2011 14:33:48 -0800 Subject: [PATCH] 7010594: Add /SAFESEH to links on windows to verify safe exceptions Reviewed-by: alanb --- make/common/Defs-windows.gmk | 8 ++++- make/common/shared/Defs-windows.gmk | 50 +++++++++++++++++++++++++++-- 2 files changed, 54 insertions(+), 4 deletions(-) diff --git a/make/common/Defs-windows.gmk b/make/common/Defs-windows.gmk index 7899b0e66..87bc79359 100644 --- a/make/common/Defs-windows.gmk +++ b/make/common/Defs-windows.gmk @@ -359,7 +359,13 @@ ifeq ($(CC_VERSION),msvc) # VS2008 has bufferoverflow baked in: LFLAGS_VS2008 = - LFLAGS_VS2010 = + + # VS2010, always need safe exception handlers, not needed on 64bit + ifeq ($(ARCH_DATA_MODEL), 32) + LFLAGS_VS2010 = -SAFESEH + else + LFLAGS_VS2010 = + endif # LFLAGS are the flags given to $(LINK) and used to build the actual DLL file BASELFLAGS = -nologo /opt:REF /incremental:no diff --git a/make/common/shared/Defs-windows.gmk b/make/common/shared/Defs-windows.gmk index 461913ac9..d928448b4 100644 --- a/make/common/shared/Defs-windows.gmk +++ b/make/common/shared/Defs-windows.gmk @@ -772,9 +772,20 @@ else BANNED_DLLS=msvcp100[.]dll|msvcr100d[.]dll|msvcrtd[.]dll endif -# Macro to check it's input file for banned dependencies and verify the -# binary was built properly. Relies on process exit code. -define binary_file_verification # binary_file +# Check for /safeseh (only used on 32bit) +define binary_file_safeseh_verification # binary_file +( \ + $(ECHO) "Checking for /SAFESEH usage in: $1" && \ + if [ "`$(DUMPBIN) /loadconfig $1 | $(EGREP) -i 'Safe Exception Handler Table'`" = "" ] ; then \ + $(ECHO) "ERROR: Did not find 'Safe Exception Handler Table' in loadconfig: $1" ; \ + $(DUMPBIN) /loadconfig $1 ; \ + exit 6 ; \ + fi ; \ +) +endef + +# Check for /NXCOMPAT usage +define binary_file_nxcompat_verification # binary_file ( \ $(ECHO) "Checking for /NXCOMPAT usage in: $1" && \ if [ "`$(DUMPBIN) /headers $1 | $(EGREP) -i 'NX compatible'`" = "" ] ; then \ @@ -782,12 +793,24 @@ define binary_file_verification # binary_file $(DUMPBIN) /headers $1 ; \ exit 7 ; \ fi ; \ +) +endef + +# Check for /DYNAMICBASE usage +define binary_file_dynamicbase_verification # binary_file +( \ $(ECHO) "Checking for /DYNAMICBASE usage in: $1" && \ if [ "`$(DUMPBIN) /headers $1 | $(EGREP) -i 'Dynamic base'`" = "" ] ; then \ $(ECHO) "ERROR: Did not find 'Dynamic base' in headers: $1" ; \ $(DUMPBIN) /headers $1 ; \ exit 8 ; \ fi ; \ +) +endef + +# Check for banned dll usage +define binary_file_dll_verification # binary_file +( \ $(ECHO) "Checking for banned dependencies in: $1" && \ if [ "`$(DUMPBIN) /dependents $1 | $(EGREP) -i '$(BANNED_DLLS)'`" != "" ] ; then \ $(ECHO) "ERROR: Found use of $(BANNED_DLLS)"; \ @@ -797,6 +820,27 @@ define binary_file_verification # binary_file ) endef +# Macro to check it's input file for properly built executables. +# Relies on process exit code. Different for 32bit vs 64bit. +ifeq ($(ARCH_DATA_MODEL),32) +define binary_file_verification # binary_file +( \ + $(call binary_file_safeseh_verification,$1); \ + $(call binary_file_nxcompat_verification,$1); \ + $(call binary_file_dynamicbase_verification,$1); \ + $(call binary_file_dll_verification,$1); \ +) +endef +else +define binary_file_verification # binary_file +( \ + $(call binary_file_nxcompat_verification,$1); \ + $(call binary_file_dynamicbase_verification,$1); \ + $(call binary_file_dll_verification,$1); \ +) +endef +endif + else # Macro to check it's input file for banned dependencies and verify the -- GitLab