From e39ba8a7977f886375db1ef2a98c5329595811e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Szab=C3=B3?=
Date: Fri, 10 Oct 2025 03:10:11 -0400
Subject: [PATCH] Consolidate security-related compiler flags

Update and extend the list of hardening-related compiler flags used by HHVM to better represent modern distro defaults.

* Convert the existing `ENABLE_SSP` build option into a new `ENABLE_HARDENING` option and put an updated list of security flags behind it. Both clang and GCC have been supporting these options for a while now, so we can set them irrespective of the compiler.
* Put PIE-related options behind a separate `ENABLE_PIE` build option so that we can produce and compare non-PIE and PIE builds once we fix compatibility with PIE.
* Forward `CMAKE_BUILD_TYPE` to vendored subprojects. Lack of this was causing the projects to be built without compiler optimizations, which doesn't play well with `FORTIFY_SOURCE`. On systems with glibc >= 2.40, https://github.com/facebook/folly/pull/2519 is needed for this option to work.

The overhead from these flags is likely to be limited, as many of them have been set by default for distribution packages for several years now.[1]

[1] https://github.com/jvoisin/compiler-flags-distro
---
 CMake/HPHPCompiler.cmake | 54 +++++++++++++++++++----------
 CMake/Options.cmake | 3 +-
 third-party/brotli/CMakeLists.txt | 1 +
 third-party/libzip/CMakeLists.txt | 1 +
 third-party/mcrouter/CMakeLists.txt | 1 +
 third-party/timelib/CMakeLists.txt | 1 +
 third-party/watchman/CMakeLists.txt | 1 +
 7 files changed, 42 insertions(+), 20 deletions(-)

diff --git a/CMake/HPHPCompiler.cmake b/CMake/HPHPCompiler.cmake
index a59c705ade7d16..a09223632107a9 100644
--- a/CMake/HPHPCompiler.cmake
+++ b/CMake/HPHPCompiler.cmake
@@ -83,13 +83,45 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
   set(GDB_SUBOPTION)
 
   # Enable GCC/LLVM stack-smashing protection
-  if(ENABLE_SSP)
+  if(ENABLE_HARDENING)
     list(APPEND GENERAL_OPTIONS
+      # Enable stack protection and stack-clash protection.
       # This needs two dashes in the name, so put one here.
       "-param=ssp-buffer-size=4"
-      "pie"
-      "fPIC"
+      "fstack-protector-strong"
+      "fstack-clash-protection"
+
+      # Use hardened equivalents of various glibc functions
+      # to guard against buffer overflows.
+      "D_FORTIFY_SOURCE=3"
+
+      # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
+      "Wl,-z,relro,-z,now"
+      # Mark stack as non-executable.
+      "Wl,-z,noexecstack"
+      # Separate ELF code into its own segment.
+      "Wl,-z,separate-code"
     )
+
+    # Enable control-flow / branch protection.
+    if (IS_X64)
+      list(APPEND GENERAL_OPTIONS "fcf-protection")
+    elseif (IS_AARCH64)
+      list(APPEND GENERAL_OPTIONS "mbranch-protection=standard")
+    endif()
+
+    # Enable C++ standard library assertions.
+    if (CLANG_FORCE_LIBCPP)
+      list(APPEND GENERAL_CXX_OPTIONS "D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE")
+    else()
+      list(APPEND GENERAL_CXX_OPTIONS "D_GLIBCXX_ASSERTIONS")
+    endif()
+  endif()
+
+  if (ENABLE_PIE)
+    list(APPEND GENERAL_OPTIONS "pie" "fPIC")
+  else()
+    list(APPEND GENERAL_OPTIONS "no-pie")
   endif()
 
   if (IS_X64)
@@ -110,13 +142,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
       "unused-command-line-argument"
     )
 
-  # Enabled GCC/LLVM stack-smashing protection
-  if(ENABLE_SSP)
-    list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
-  else()
-    list(APPEND GENERAL_OPTIONS "no-pie")
-  endif()
-
   if(CLANG_FORCE_LIBCPP)
     list(APPEND GENERAL_CXX_OPTIONS "stdlib=libc++")
   endif()
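Review bot: The three `Wl,-z,...` entries in the new `list(APPEND GENERAL_OPTIONS ...)` are appended for every Clang/GCC build, whereas the code they replace (the removed `if(LINUX)` block in the hunk at -150) only passed `-Wl,-z,relro,-z,now` on Linux; `-z` is GNU ld/LLD syntax, so unless the enclosing `if` is already restricted to ELF targets, moving `"Wl,-z,relro,-z,now"`, `"Wl,-z,noexecstack"` and `"Wl,-z,separate-code"` into their own `list(APPEND GENERAL_OPTIONS ...)` under `if(LINUX)` keeps the old portability. `"D_FORTIFY_SOURCE=3"` should be preceded by `"U_FORTIFY_SOURCE"`, because toolchains that predefine the macro (some distribution GCC builds do) warn about its redefinition, and glibc's headers warn in every translation unit that the define requires optimization, so `-DCMAKE_BUILD_TYPE=Debug` with `ENABLE_HARDENING=ON` yields noise rather than checks unless the define is gated on an optimized config. The context comment `# Enable GCC/LLVM stack-smashing protection` above `if(ENABLE_HARDENING)` now describes only one of the options; `# Compiler/linker hardening: stack protection, FORTIFY_SOURCE, RELRO/NX, branch protection, stdlib assertions` fits the block. The enclosing `if (${CMAKE_CXX_COMPILER_ID} ...)` block begins before this hunk.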
@@ -150,15 +175,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
       "-param=large-unit-insns=10000"
     )
 
-  # Enabled GCC/LLVM stack-smashing protection
-  if(ENABLE_SSP)
-    if(LINUX)
-      # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
-      list(APPEND GENERAL_OPTIONS "Wl,-z,relro,-z,now")
-    endif()
-    list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
-  endif()
-
   # X64
   if(IS_X64)
     list(APPEND GENERAL_CXX_OPTIONS "mcrc32")
diff --git a/CMake/Options.cmake b/CMake/Options.cmake
index e07edc2e1b171a..b1f6a68fb79fee 100644
--- a/CMake/Options.cmake
+++ b/CMake/Options.cmake
@@ -1,7 +1,8 @@
 #set(CMAKE_BUILD_TYPE Debug)
 option(ALWAYS_ASSERT "Enabled asserts in a release build" OFF)
-option(ENABLE_SSP "Enabled GCC/LLVM stack-smashing protection" OFF)
+option(ENABLE_HARDENING "Set hardening flags and definitions, e.g. stack-smashing protection" OFF)
+option(ENABLE_PIE "Produce position-independent executables" OFF)
 option(STATIC_CXX_LIB "Statically link libstd++ and libgcc." OFF)
 option(ENABLE_AARCH64_CRC "Enable the use of CRC instructions" OFF)
 option(ENABLE_FASTCGI "Enable the FastCGI interface." ON)
diff --git a/third-party/brotli/CMakeLists.txt b/third-party/brotli/CMakeLists.txt
index 8e652e55a65c92..f5c10a9f655f90 100644
--- a/third-party/brotli/CMakeLists.txt
+++ b/third-party/brotli/CMakeLists.txt
@@ -15,6 +15,7 @@ ExternalProject_Add(
   bundled_brotli
   ${BROTLI_SOURCE_ARGS}
   CMAKE_ARGS
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_INSTALL_PREFIX=
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
diff --git a/third-party/libzip/CMakeLists.txt b/third-party/libzip/CMakeLists.txt
index 9e3ea12c7d96ca..12454ae1521148 100644
--- a/third-party/libzip/CMakeLists.txt
+++ b/third-party/libzip/CMakeLists.txt
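Review bot: Dropping `ENABLE_SSP` without a compatibility shim means a build that still passes `-DENABLE_SSP=ON` (an existing cache, a CI script, a package recipe) silently loses all hardening, since CMake at most prints a "not used by the project" warning for the stale entry. Adding `if(ENABLE_SSP)` / `message(WARNING "ENABLE_SSP is deprecated, use ENABLE_HARDENING")` / `set(ENABLE_HARDENING ON)` after the two new `option()` lines keeps such builds hardened through the transition and tells callers what to change.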
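Review bot: Forwarding `CMAKE_BUILD_TYPE` restores the optimization level, but unless `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS` are also forwarded elsewhere in this `ExternalProject_Add` call (not visible in the hunk), the hardening options assembled in HPHPCompiler.cmake, including `_FORTIFY_SOURCE`, never reach the brotli objects linked into hhvm; the timelib and watchman hunks have the same shape, libzip forwards only `CMAKE_C_FLAGS`, and mcrouter forwards both. Either forward the flags here or state in the `ENABLE_HARDENING` help text that vendored code is not covered. If the top-level `CMAKE_BUILD_TYPE` can be empty (unset, or a multi-config generator), this line becomes `-DCMAKE_BUILD_TYPE=` and the subproject is back to the unoptimized build the commit message describes, so defaulting the value before it is forwarded would make the fix hold. The `ExternalProject_Add(` call starts before this hunk and continues after it.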
@@ -46,6 +46,7 @@ ExternalProject_Add(
     -DBUILD_EXAMPLES=FALSE
     -DBUILD_DOC=FALSE
     -DBUILD_SHARED_LIBS=FALSE
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_INSTALL_PREFIX=
diff --git a/third-party/mcrouter/CMakeLists.txt b/third-party/mcrouter/CMakeLists.txt
index 1490d93c0daeb9..4d4134332a6ea0 100644
--- a/third-party/mcrouter/CMakeLists.txt
+++ b/third-party/mcrouter/CMakeLists.txt
@@ -47,6 +47,7 @@ ExternalProject_Add(
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}
     -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
     -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS}
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     "-DCMAKE_OSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}"
     "-DBOOST_INCLUDE_DIR=$"
diff --git a/third-party/timelib/CMakeLists.txt b/third-party/timelib/CMakeLists.txt
index 35aa03df215fd3..bf3754a9ac9047 100644
--- a/third-party/timelib/CMakeLists.txt
+++ b/third-party/timelib/CMakeLists.txt
@@ -34,6 +34,7 @@ ExternalProject_Add(
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
 
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}
diff --git a/third-party/watchman/CMakeLists.txt b/third-party/watchman/CMakeLists.txt
index 81e5836f295712..c96c3a2afe569a 100644
--- a/third-party/watchman/CMakeLists.txt
+++ b/third-party/watchman/CMakeLists.txt
@@ -26,6 +26,7 @@ ExternalProject_Add(
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
 
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}