knochenreiter-buildroot/toolchain/toolchain-wrapper.c

/**
 * Buildroot wrapper for toolchains. This simply executes the real toolchain
 * with a number of arguments (sysroot/arch/..) hardcoded, to ensure the
 * toolchain uses the correct configuration.
 * The hardcoded path arguments are defined relative to the actual location
 * of the binary.
 *
 * (C) 2011 Peter Korsgaard <jacmet@sunsite.dk>
 * (C) 2011 Daniel Nyström <daniel.nystrom@timeterminal.se>
 * (C) 2012 Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
 * (C) 2013 Spenser Gilliland <spenser@gillilanding.com>
 *
 * This file is licensed under the terms of the GNU General Public License
 * version 2.  This program is licensed "as is" without any warranty of any
 * kind, whether express or implied.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <time.h>
#include <stdbool.h>

#ifdef BR_CCACHE
static char ccache_path[PATH_MAX];
#endif
static char path[PATH_MAX];
static char sysroot[PATH_MAX];
/* As would be defined by gcc:
 *   https://gcc.gnu.org/onlinedocs/cpp/Standard-Predefined-Macros.html
 * sizeof() on string literals includes the terminating \0. */
static char _time_[sizeof("-D__TIME__=\"HH:MM:SS\"")];
static char _date_[sizeof("-D__DATE__=\"MMM DD YYYY\"")];

/**
 * GCC errors out with certain combinations of arguments (examples are
 * -mfloat-abi={hard|soft} and -m{little|big}-endian), so we have to ensure
 * that we only pass the predefined one to the real compiler if the inverse
 * option isn't in the argument list.
 * This specifies the worst case number of extra arguments we might pass
 * Currently, we may have:
 * 	-mfloat-abi=
 * 	-march=
 * 	-mcpu=
 * 	-D__TIME__=
 * 	-D__DATE__=
 * 	-Wno-builtin-macro-redefined
 * 	-Wl,-z,now
 * 	-Wl,-z,relro
 * 	-fPIE
 * 	-pie
 */
#define EXCLUSIVE_ARGS	10

static char *predef_args[] = {
#ifdef BR_CCACHE
	ccache_path,
#endif
	path,
	"--sysroot", sysroot,
#ifdef BR_ABI
	"-mabi=" BR_ABI,
#endif
#ifdef BR_NAN
	"-mnan=" BR_NAN,
#endif
#ifdef BR_FPU
	"-mfpu=" BR_FPU,
#endif
#ifdef BR_SOFTFLOAT
	"-msoft-float",
#endif /* BR_SOFTFLOAT */
#ifdef BR_MODE
	"-m" BR_MODE,
#endif
#ifdef BR_64
	"-m64",
#endif
#ifdef BR_OMIT_LOCK_PREFIX
	"-Wa,-momit-lock-prefix=yes",
#endif
#ifdef BR_NO_FUSED_MADD
	"-mno-fused-madd",
#endif
#ifdef BR_FP_CONTRACT_OFF
	"-ffp-contract=off",
#endif
#ifdef BR_BINFMT_FLAT
	"-Wl,-elf2flt",
#endif
#ifdef BR_MIPS_TARGET_LITTLE_ENDIAN
	"-EL",
#endif
#if defined(BR_MIPS_TARGET_BIG_ENDIAN) || defined(BR_ARC_TARGET_BIG_ENDIAN)
	"-EB",
#endif
#ifdef BR_SSP_REGULAR
	"-fstack-protector",
#endif
#ifdef BR_SSP_STRONG
	"-fstack-protector-strong",
#endif
#ifdef BR_SSP_ALL
	"-fstack-protector-all",
#endif
#ifdef BR_ADDITIONAL_CFLAGS
	BR_ADDITIONAL_CFLAGS
#endif
};

/* A {string,length} tuple, to avoid computing strlen() on constants.
 *  - str must be a \0-terminated string
 *  - len does not account for the terminating '\0'
 */
struct str_len_s {
	const char *str;
	size_t     len;
};

/* Define a {string,length} tuple. Takes an unquoted constant string as
 * parameter. sizeof() on a string literal includes the terminating \0,
 * but we don't want to count it.
 */
#define STR_LEN(s) { #s, sizeof(#s)-1 }

/* List of paths considered unsafe for cross-compilation.
 *
 * An unsafe path is one that points to a directory with libraries or
 * headers for the build machine, which are not suitable for the target.
 */
static const struct str_len_s unsafe_paths[] = {
	STR_LEN(/lib),
	STR_LEN(/usr/include),
	STR_LEN(/usr/lib),
	STR_LEN(/usr/local/include),
	STR_LEN(/usr/local/lib),
	{ NULL, 0 },
};

/* Unsafe options are options that specify a potentialy unsafe path,
 * that will be checked by check_unsafe_path(), below.
 */
static const struct str_len_s unsafe_opts[] = {
	STR_LEN(-I),
	STR_LEN(-idirafter),
	STR_LEN(-iquote),
	STR_LEN(-isystem),
	STR_LEN(-L),
	{ NULL, 0 },
};

/* Check if path is unsafe for cross-compilation. Unsafe paths are those
 * pointing to the standard native include or library paths.
 *
 * We print the arguments leading to the failure. For some options, gcc
 * accepts the path to be concatenated to the argument (e.g. -I/foo/bar)
 * or separated (e.g. -I /foo/bar). In the first case, we need only print
 * the argument as it already contains the path (arg_has_path), while in
 * the second case we need to print both (!arg_has_path).
 *
 * If paranoid, exit in error instead of just printing a warning.
 */
static void check_unsafe_path(const char *arg,
			      const char *path,
			      int paranoid,
			      int arg_has_path)
{
	const struct str_len_s *p;

	for (p=unsafe_paths; p->str; p++) {
		if (strncmp(path, p->str, p->len))
			continue;
		fprintf(stderr,
			"%s: %s: unsafe header/library path used in cross-compilation: '%s%s%s'\n",
			program_invocation_short_name,
			paranoid ? "ERROR" : "WARNING",
			arg,
			arg_has_path ? "" : "' '", /* close single-quote, space, open single-quote */
			arg_has_path ? "" : path); /* so that arg and path are properly quoted. */
		if (paranoid)
			exit(1);
	}
}

/* Returns false if SOURCE_DATE_EPOCH was not defined in the environment.
 *
 * Returns true if SOURCE_DATE_EPOCH is in the environment and represent
 * a valid timestamp, in which case the timestamp is formatted into the
 * global variables _date_ and _time_.
 *
 * Aborts if SOURCE_DATE_EPOCH was set in the environment but did not
 * contain a valid timestamp.
 *
 * Valid values are defined in the spec:
 *     https://reproducible-builds.org/specs/source-date-epoch/
 * but we further restrict them to be positive or null.
 */
bool parse_source_date_epoch_from_env(void)
{
	char *epoch_env, *endptr;
	time_t epoch;
	struct tm epoch_tm;

	if ((epoch_env = getenv("SOURCE_DATE_EPOCH")) == NULL)
		return false;
	errno = 0;
	epoch = (time_t) strtoll(epoch_env, &endptr, 10);
	/* We just need to test if it is incorrect, but we do not
	 * care why it is incorrect.
	 */
	if ((errno != 0) || !*epoch_env || *endptr || (epoch < 0)) {
		fprintf(stderr, "%s: invalid SOURCE_DATE_EPOCH='%s'\n",
			program_invocation_short_name,
			epoch_env);
		exit(1);
	}
	tzset(); /* For localtime_r(), below. */
	if (localtime_r(&epoch, &epoch_tm) == NULL) {
		fprintf(stderr, "%s: cannot parse SOURCE_DATE_EPOCH=%s\n",
				program_invocation_short_name,
				getenv("SOURCE_DATE_EPOCH"));
		exit(1);
	}
	if (!strftime(_time_, sizeof(_time_), "-D__TIME__=\"%T\"", &epoch_tm)) {
		fprintf(stderr, "%s: cannot set time from SOURCE_DATE_EPOCH=%s\n",
				program_invocation_short_name,
				getenv("SOURCE_DATE_EPOCH"));
		exit(1);
	}
	if (!strftime(_date_, sizeof(_date_), "-D__DATE__=\"%b %e %Y\"", &epoch_tm)) {
		fprintf(stderr, "%s: cannot set date from SOURCE_DATE_EPOCH=%s\n",
				program_invocation_short_name,
				getenv("SOURCE_DATE_EPOCH"));
		exit(1);
	}
	return true;
}

int main(int argc, char **argv)
{
	char **args, **cur, **exec_args;
	char *relbasedir, *absbasedir;
	char *progpath = argv[0];
	char *basename;
	char *env_debug;
	char *paranoid_wrapper;
	int paranoid;
	int ret, i, count = 0, debug, found_shared = 0;

	/* Calculate the relative paths */
	basename = strrchr(progpath, '/');
	if (basename) {
		*basename = '\0';
		basename++;
		relbasedir = malloc(strlen(progpath) + 7);
		if (relbasedir == NULL) {
			perror(__FILE__ ": malloc");
			return 2;
		}
		sprintf(relbasedir, "%s/..", argv[0]);
		absbasedir = realpath(relbasedir, NULL);
	} else {
		basename = progpath;
		absbasedir = malloc(PATH_MAX + 1);
		ret = readlink("/proc/self/exe", absbasedir, PATH_MAX);
		if (ret < 0) {
			perror(__FILE__ ": readlink");
			return 2;
		}
		absbasedir[ret] = '\0';
		for (i = ret; i > 0; i--) {
			if (absbasedir[i] == '/') {
				absbasedir[i] = '\0';
				if (++count == 2)
					break;
			}
		}
	}
	if (absbasedir == NULL) {
		perror(__FILE__ ": realpath");
		return 2;
	}

	/* Fill in the relative paths */
#ifdef BR_CROSS_PATH_REL
	ret = snprintf(path, sizeof(path), "%s/" BR_CROSS_PATH_REL "/%s" BR_CROSS_PATH_SUFFIX, absbasedir, basename);
#elif defined(BR_CROSS_PATH_ABS)
	ret = snprintf(path, sizeof(path), BR_CROSS_PATH_ABS "/%s" BR_CROSS_PATH_SUFFIX, basename);
#else
	ret = snprintf(path, sizeof(path), "%s/bin/%s" BR_CROSS_PATH_SUFFIX, absbasedir, basename);
#endif
	if (ret >= sizeof(path)) {
		perror(__FILE__ ": overflow");
		return 3;
	}
#ifdef BR_CCACHE
	ret = snprintf(ccache_path, sizeof(ccache_path), "%s/bin/ccache", absbasedir);
	if (ret >= sizeof(ccache_path)) {
		perror(__FILE__ ": overflow");
		return 3;
	}
#endif
	ret = snprintf(sysroot, sizeof(sysroot), "%s/" BR_SYSROOT, absbasedir);
	if (ret >= sizeof(sysroot)) {
		perror(__FILE__ ": overflow");
		return 3;
	}

	cur = args = malloc(sizeof(predef_args) +
			    (sizeof(char *) * (argc + EXCLUSIVE_ARGS)));
	if (args == NULL) {
		perror(__FILE__ ": malloc");
		return 2;
	}

	/* start with predefined args */
	memcpy(cur, predef_args, sizeof(predef_args));
	cur += sizeof(predef_args) / sizeof(predef_args[0]);

#ifdef BR_FLOAT_ABI
	/* add float abi if not overridden in args */
	for (i = 1; i < argc; i++) {
		if (!strncmp(argv[i], "-mfloat-abi=", strlen("-mfloat-abi=")) ||
		    !strcmp(argv[i], "-msoft-float") ||
		    !strcmp(argv[i], "-mhard-float"))
			break;
	}

	if (i == argc)
		*cur++ = "-mfloat-abi=" BR_FLOAT_ABI;
#endif

#ifdef BR_FP32_MODE
	/* add fp32 mode if soft-float is not args or hard-float overrides soft-float */
	int add_fp32_mode = 1;
	for (i = 1; i < argc; i++) {
		if (!strcmp(argv[i], "-msoft-float"))
			add_fp32_mode = 0;
		else if (!strcmp(argv[i], "-mhard-float"))
			add_fp32_mode = 1;
	}

	if (add_fp32_mode == 1)
		*cur++ = "-mfp" BR_FP32_MODE;
#endif

#if defined(BR_ARCH) || \
    defined(BR_CPU)
	/* Add our -march/cpu flags, but only if none of
	 * -march/mtune/mcpu are already specified on the commandline
	 */
	for (i = 1; i < argc; i++) {
		if (!strncmp(argv[i], "-march=", strlen("-march=")) ||
		    !strncmp(argv[i], "-mtune=", strlen("-mtune=")) ||
		    !strncmp(argv[i], "-mcpu=",  strlen("-mcpu=" )))
			break;
	}
	if (i == argc) {
#ifdef BR_ARCH
		*cur++ = "-march=" BR_ARCH;
#endif
#ifdef BR_CPU
		*cur++ = "-mcpu=" BR_CPU;
#endif
	}
#endif /* ARCH || CPU */

	if (parse_source_date_epoch_from_env()) {
		*cur++ = _time_;
		*cur++ = _date_;
		/* This has existed since gcc-4.4.0. */
		*cur++ = "-Wno-builtin-macro-redefined";
	}

#ifdef BR2_RELRO_FULL
	/* Patterned after Fedora/Gentoo hardening approaches.
	 * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
	 * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
	 *
	 * A few checks are added to allow disabling of PIE
	 * 1) -fno-pie and -no-pie are used by other distros to disable PIE in
	 *    cases where the compiler enables it by default. The logic below
	 *    maintains that behavior.
	 *         Ref: https://wiki.ubuntu.com/SecurityTeam/PIE
	 * 2) A check for -fno-PIE has been used in older Linux Kernel builds
	 *    in a similar way to -fno-pie or -no-pie.
	 * 3) A check is added for Kernel and U-boot defines
	 *    (-D__KERNEL__ and -D__UBOOT__).
	 */
	for (i = 1; i < argc; i++) {
		/* Apply all incompatible link flag and disable checks first */
		if (!strcmp(argv[i], "-r") ||
		    !strcmp(argv[i], "-Wl,-r") ||
		    !strcmp(argv[i], "-static") ||
		    !strcmp(argv[i], "-D__KERNEL__") ||
		    !strcmp(argv[i], "-D__UBOOT__") ||
		    !strcmp(argv[i], "-fno-pie") ||
		    !strcmp(argv[i], "-fno-PIE") ||
		    !strcmp(argv[i], "-no-pie"))
			break;
		/* Record that shared was present which disables -pie but don't
		 * break out of loop as a check needs to occur that possibly
		 * still allows -fPIE to be set
		 */
		if (!strcmp(argv[i], "-shared"))
			found_shared = 1;
	}

	if (i == argc) {
		/* Compile and link condition checking have been kept split
		 * between these two loops, as there maybe already are valid
		 * compile flags set for position independence. In that case
		 * the wrapper just adds the -pie for link.
		 */
		for (i = 1; i < argc; i++) {
			if (!strcmp(argv[i], "-fpie") ||
			    !strcmp(argv[i], "-fPIE") ||
			    !strcmp(argv[i], "-fpic") ||
			    !strcmp(argv[i], "-fPIC"))
				break;
		}
		/* Both args below can be set at compile/link time
		 * and are ignored correctly when not used
		 */
		if(i == argc)
			*cur++ = "-fPIE";

		if (!found_shared)
			*cur++ = "-pie";
	}
#endif
	/* Are we building the Linux Kernel or U-Boot? */
	for (i = 1; i < argc; i++) {
		if (!strcmp(argv[i], "-D__KERNEL__") ||
		    !strcmp(argv[i], "-D__UBOOT__"))
			break;
	}
	if (i == argc) {
		/* https://wiki.gentoo.org/wiki/Hardened/Toolchain#Mark_Read-Only_Appropriate_Sections */
#ifdef BR2_RELRO_PARTIAL
		*cur++ = "-Wl,-z,relro";
#endif
#ifdef BR2_RELRO_FULL
		*cur++ = "-Wl,-z,now";
		*cur++ = "-Wl,-z,relro";
#endif
	}

	paranoid_wrapper = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
	if (paranoid_wrapper && strlen(paranoid_wrapper) > 0)
		paranoid = 1;
	else
		paranoid = 0;

	/* Check for unsafe library and header paths */
	for (i = 1; i < argc; i++) {
		const struct str_len_s *opt;
		for (opt=unsafe_opts; opt->str; opt++ ) {
			/* Skip any non-unsafe option. */
			if (strncmp(argv[i], opt->str, opt->len))
				continue;

			/* Handle both cases:
			 *  - path is a separate argument,
			 *  - path is concatenated with option.
			 */
			if (argv[i][opt->len] == '\0') {
				i++;
				if (i == argc)
					break;
				check_unsafe_path(argv[i-1], argv[i], paranoid, 0);
			} else
				check_unsafe_path(argv[i], argv[i] + opt->len, paranoid, 1);
		}
	}

	/* append forward args */
	memcpy(cur, &argv[1], sizeof(char *) * (argc - 1));
	cur += argc - 1;

	/* finish with NULL termination */
	*cur = NULL;

	exec_args = args;
#ifdef BR_CCACHE
	if (getenv("BR_NO_CCACHE"))
		/* Skip the ccache call */
		exec_args++;
#endif

	/* Debug the wrapper to see actual arguments passed to
	 * the compiler:
	 * unset, empty, or 0: do not trace
	 * set to 1          : trace all arguments on a single line
	 * set to 2          : trace one argument per line
	 */
	if ((env_debug = getenv("BR2_DEBUG_WRAPPER"))) {
		debug = atoi(env_debug);
		if (debug > 0) {
			fprintf(stderr, "Toolchain wrapper executing:");
#ifdef BR_CCACHE_HASH
			fprintf(stderr, "%sCCACHE_COMPILERCHECK='string:" BR_CCACHE_HASH "'",
				(debug == 2) ? "\n    " : " ");
#endif
#ifdef BR_CCACHE_BASEDIR
			fprintf(stderr, "%sCCACHE_BASEDIR='" BR_CCACHE_BASEDIR "'",
				(debug == 2) ? "\n    " : " ");
#endif
			for (i = 0; exec_args[i]; i++)
				fprintf(stderr, "%s'%s'",
					(debug == 2) ? "\n    " : " ", exec_args[i]);
			fprintf(stderr, "\n");
		}
	}

#ifdef BR_CCACHE_HASH
	/* Allow compilercheck to be overridden through the environment */
	if (setenv("CCACHE_COMPILERCHECK", "string:" BR_CCACHE_HASH, 0)) {
		perror(__FILE__ ": Failed to set CCACHE_COMPILERCHECK");
		return 3;
	}
#endif
#ifdef BR_CCACHE_BASEDIR
	/* Allow compilercheck to be overridden through the environment */
	if (setenv("CCACHE_BASEDIR", BR_CCACHE_BASEDIR, 0)) {
		perror(__FILE__ ": Failed to set CCACHE_BASEDIR");
		return 3;
	}
#endif

	if (execv(exec_args[0], exec_args))
		perror(path);

	free(args);

	return 2;
}