From 2b05626f065509aa9e0cd52eef43c669d3cb62c5 Mon Sep 17 00:00:00 2001 From: Corey Richardson Date: Sat, 6 Sep 2014 02:44:32 -0400 Subject: [PATCH 1/3] Build with -fPIC by default Can be disabled with GLFW_FORCE_NOFPIC=YES. This can be important on 32-bit systems, where position independant code is more expensive. On 64-bit systems, there is no meaningful performance impact. Closes #199 --- CMakeLists.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index bc338bc4a..bfc5510d6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -11,6 +11,7 @@ set(GLFW_VERSION_FULL "${GLFW_VERSION}.${GLFW_VERSION_PATCH}${GLFW_VERSION_EXTRA set(LIB_SUFFIX "" CACHE STRING "Takes an empty string or 64. Directory where lib will be installed: lib or lib64") option(BUILD_SHARED_LIBS "Build shared libraries" OFF) +option(GLFW_FORCE_NOFPIC "Don't build with -fPIC" OFF) option(GLFW_BUILD_EXAMPLES "Build the GLFW example programs" ON) option(GLFW_BUILD_TESTS "Build the GLFW test programs" ON) option(GLFW_BUILD_DOCS "Build the GLFW documentation" ON) @@ -22,6 +23,10 @@ if (WIN32) option(GLFW_USE_OPTIMUS_HPG "Force use of high-performance GPU on Optimus systems" OFF) endif() +if (UNIX AND NOT GLFW_FORCE_NOFPIC) + set(CMAKE_C_FLAGS "-fPIC ${CMAKE_C_FLAGS}") +endif() + if (APPLE) option(GLFW_BUILD_UNIVERSAL "Build GLFW as a Universal Binary" OFF) option(GLFW_USE_CHDIR "Make glfwInit chdir to Contents/Resources" ON) From ec001a021613f4903ba7602e3bba3ca26150ecc3 Mon Sep 17 00:00:00 2001 From: Corey Richardson Date: Sat, 6 Sep 2014 14:39:39 -0400 Subject: [PATCH 2/3] mingw/msvc support for enabling aslr/dep --- CMakeLists.txt | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index bfc5510d6..9bb89c9c9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -11,7 +11,7 @@ set(GLFW_VERSION_FULL "${GLFW_VERSION}.${GLFW_VERSION_PATCH}${GLFW_VERSION_EXTRA set(LIB_SUFFIX "" CACHE STRING "Takes an empty string or 64. Directory where lib will be installed: lib or lib64") option(BUILD_SHARED_LIBS "Build shared libraries" OFF) -option(GLFW_FORCE_NOFPIC "Don't build with -fPIC" OFF) +option(GLFW_FORCE_INSECURE "Don't build with -fPIC on UNIX, or ASLR/DEP support on Windows. On Windows, a single insecure DLL will disable security for the entire executable. Use this lightly." OFF) option(GLFW_BUILD_EXAMPLES "Build the GLFW example programs" ON) option(GLFW_BUILD_TESTS "Build the GLFW test programs" ON) option(GLFW_BUILD_DOCS "Build the GLFW documentation" ON) @@ -23,8 +23,40 @@ if (WIN32) option(GLFW_USE_OPTIMUS_HPG "Force use of high-performance GPU on Optimus systems" OFF) endif() -if (UNIX AND NOT GLFW_FORCE_NOFPIC) +if (UNIX AND NOT GLFW_FORCE_INSECURE) set(CMAKE_C_FLAGS "-fPIC ${CMAKE_C_FLAGS}") +elseif(MINGW AND NOT GLFW_FORCE_INSECURE) + include(CheckCCompilerFlag) + + # These default to on in MSVC, when available, but not with MinGW. + # Only needed for DLLs. + + # Vista+ + set(CMAKE_REQUIRED_FLAGS "-Wl,--nxcompat") + check_c_compiler_flag("" _DEP_AVAIL) + + # XP SP2+ + set(CMAKE_REQUIRED_FLAGS "-Wl,--dynamicbase") + check_c_compiler_flag("" _ASLR_AVAIL) + + # 64-bit ASLR + set(CMAKE_REQUIRED_FLAGS "-Wl,--high-entropy-va") + check_c_compiler_flag("" _64ASLR_AVAIL) + + if(_DEP_AVAIL) + set(CMAKE_SHARED_LINKER_FLAGS "-Wl,--nxcompat ${CMAKE_SHARED_LINKER_FLAGS}") + endif() + + if(_ASLR_AVAIL) + set(CMAKE_SHARED_LINKER_FLAGS "-Wl,--dynamicbase ${CMAKE_SHARED_LINKER_FLAGS}") + endif() + + if(_64ASLR_AVAIL) + set(CMAKE_SHARED_LINKER_FLAGS "-Wl,--high-entropy-va ${CMAKE_SHARED_LINKER_FLAGS}") + endif() +elseif(MSVC AND GLFW_FORCE_INSECURE) + # HIGHENTROPYVA will be NO if DYNAMICBASE is. + set(CMAKE_SHARED_LINKER_FLAGS "/DYNAMICBASE:NO /NXCOMPAT:NO ${CMAKE_SHARED_LINKER_FLAGS}") endif() if (APPLE) From 9265eb181bffc9384a6cb835247b857db8fada90 Mon Sep 17 00:00:00 2001 From: Corey Richardson Date: Sat, 6 Sep 2014 14:39:50 -0400 Subject: [PATCH 3/3] Document GLFW_FORCE_INSECURE --- docs/compile.dox | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/compile.dox b/docs/compile.dox index ef53e54c2..8a6dd640a 100644 --- a/docs/compile.dox +++ b/docs/compile.dox @@ -147,6 +147,13 @@ library is used, or if set to `glesv2` the OpenGL ES 2.0 library is used. The selected library and its header files must be present on the system for this to work. +`GLFW_FORCE_INSECURE` will disable ASLR and, on Windows, DEP. On non-Windows +systems, this just means not compiling with `-fPIC`. On 32-bit systems, +position independant code has a performance penalty, and might be reasonably +disabled. On 64-bit systems, there is no penalty. On Windows, disabling +ASLR/DEP for any DLL linked in an executable to be unable to use ASLR/DEP, +which can cause security issues. Use this lightly. + `GLFW_BUILD_EXAMPLES` determines whether the GLFW examples are built along with the library.