| author | Slawomir Cygan <slawomir.cygan@intel.com> | 2017-06-14 19:15:31 +0200 |
|---|---|---|
| committer | Lenny Komow <lenny@lunarg.com> | 2017-06-27 11:03:12 -0600 |
| commit | 1ef324febd501175476be53851fa462ef8d540f2 (patch) | |
| tree | 1f868475941eabfe18051e62e7fc880e93b9eb46 | |
| parent | 21baabc6f066b9470b7c7a6c49576c4e33c7ad22 (diff) | |
build: Enable control flow guard on Windows
This enables the 'Control Flow Guard' security feature, which
prevents memory corruption vulnerabilities by placing a restriction
on where an application can execute code from.
The change is applied to both VulkanRT and its NSIS installer.
WARN: This change requires re-patching and rebuilding NSIS with
the attached patch.
WARN#2: This change requires Visual Studio 2015 or the v140 toolset to
take effect.
Control Flow Guard documentation:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
Change-Id: I7683c0570087d994961c79fb64419509f83536a8
| -rw-r--r-- | CMakeLists.txt | 8 | ||||
| -rw-r--r-- | windowsRuntimeInstaller/ConfigureRT.vcxproj | 8 | ||||
| -rw-r--r-- | windowsRuntimeInstaller/NSIS_Security.patch | 13 | ||||
| -rw-r--r-- | windowsRuntimeInstaller/README.txt | 7 |
4 files changed, 29 insertions, 7 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b4b7d54f..ce10e9cd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -77,6 +77,14 @@ if(WIN32)
 # Warn about potentially uninitialized variables
 add_compile_options("$<$<CXX_COMPILER_ID:MSVC>:/w34701>")
 add_compile_options("$<$<CXX_COMPILER_ID:MSVC>:/w34703>")
+
+ if (NOT MSVC_VERSION LESS 1900)
+ # Enable control flow guard
+ message(STATUS "Building with control flow guard")
+ add_compile_options("$<$<CXX_COMPILER_ID:MSVC>:/guard:cf>")
+ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} /guard:cf")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /guard:cf")
+ endif()
 endif()
 if(NOT WIN32)
diff --git a/windowsRuntimeInstaller/ConfigureRT.vcxproj b/windowsRuntimeInstaller/ConfigureRT.vcxproj
index 2627b179..a7181a0c 100644
--- a/windowsRuntimeInstaller/ConfigureRT.vcxproj
+++ b/windowsRuntimeInstaller/ConfigureRT.vcxproj
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
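Review bot: In the CMakeLists.txt hunk, the new `if (NOT MSVC_VERSION LESS 1900)` guard never checks that the compiler is MSVC, and the two `set(CMAKE_*_LINKER_FLAGS ...)` lines inside it are unconditional, unlike the `add_compile_options` line that is wrapped in `$<CXX_COMPILER_ID:MSVC>`. When `MSVC_VERSION` is undefined (a non-MSVC toolchain on WIN32) the `LESS` comparison is presumably false and the block is entered, so `/guard:cf` would be handed to a linker that does not understand it; `if (MSVC AND NOT (MSVC_VERSION LESS 1900))` avoids that. `CMAKE_MODULE_LINKER_FLAGS` is not touched, so any MODULE library target would be compiled with CFG checks but linked without the guard metadata; if such targets exist, add `set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} /guard:cf")`. The enclosing `if(WIN32)` block starts outside the hunk.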
-<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@@ -18,13 +18,13 @@
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
- <PlatformToolset>v120</PlatformToolset>
+ <PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
- <PlatformToolset>v120</PlatformToolset>
+ <PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
@@ -45,6 +45,7 @@
 <Optimization>Disabled</Optimization>
<SDLCheck>false</SDLCheck>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+ <ControlFlowGuard>Guard</ControlFlowGuard>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
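Review bot: In ConfigureRT.vcxproj, `<ControlFlowGuard>Guard</ControlFlowGuard>` is added only under `<ClCompile>`, for Debug here and for Release in the next hunk, and nothing in either hunk shows the link step receiving `/guard:cf`. MSVC needs the option on both the compile and the link command when they run as separate steps, so it is worth confirming that the v140 targets forward it, for example by inspecting the built ConfigureRT.exe with `dumpbin /headers /loadconfig`. For the Debug configuration, `/guard:cf` is incompatible with `/ZI`; the `<ClCompile>` element starts outside the hunk, so if it sets or inherits `DebugInformationFormat` as `EditAndContinue`, it will need `ProgramDatabase` instead.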
@@ -60,6 +61,7 @@
 <IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>false</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+ <ControlFlowGuard>Guard</ControlFlowGuard>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
diff --git a/windowsRuntimeInstaller/NSIS_Security.patch b/windowsRuntimeInstaller/NSIS_Security.patch index 87bf7e6b..b275aae0 100644 --- a/windowsRuntimeInstaller/NSIS_Security.patch +++ b/windowsRuntimeInstaller/NSIS_Security.patch @@ -20,7 +20,18 @@ index 32d3d33..d2c4d25 100644 defenv.Append(CPPDEFINES = ['_CRT_SECURE_NO_WARNINGS', '_CRT_NONSTDC_NO_WARNINGS', '_CRT_SECURE_NO_DEPRECATE', '_CRT_NON_CONFORMING_SWPRINTFS']) defenv['MSVCRT_FLAG'] = '/MT' # Avoid msvcr?0.dll dependency else: -@@ -143,9 +143,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst']) # listing file name +@@ -43,6 +43,10 @@ if msvs_version >= 11.0: + defenv['SUBSYS_CON'] = '/subsystem:console,5.01' # support windows xp + defenv['SUBSYS_WIN'] = '/subsystem:windows,5.01' # support windows xp + ++if msvs_version >= 14.0: ++ defenv.Append(CCFLAGS = ['/guard:cf']) ++ defenv.Append(LINKFLAGS = ['/guard:cf']) ++ + ### defines + + defenv.Append(CPPDEFINES = [('NSISCALL', '$STDCALL')]) +@@ -143,9 +147,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst']) # listing file name stub_env.Append(LINKFLAGS = ['$NODEFLIBS_FLAG']) # no default libraries stub_env.Append(LINKFLAGS = ['$MAP_FLAG']) # generate map file diff --git a/windowsRuntimeInstaller/README.txt b/windowsRuntimeInstaller/README.txt index 2653414d..c9863322 100644 --- a/windowsRuntimeInstaller/README.txt +++ b/windowsRuntimeInstaller/README.txt @@ -21,9 +21,10 @@ To build the Vulkan Runtime Installer: Instructions for building NSIS are available at
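Review bot: In NSIS_Security.patch, the added `if msvs_version >= 14.0:` block appends `/guard:cf` to `defenv`, but the stub environment further down links with `$NODEFLIBS_FLAG` (no default libraries), and the load-configuration data that Control Flow Guard relies on is normally supplied by the CRT. It is therefore not evident from this hunk that the installer and uninstaller stubs end up CFG-enforced; the build instructions should ask for a check with `dumpbin /headers /loadconfig` on the generated installer that the Guard characteristic and a guard function table are present. On toolsets older than 14.0 the flags are skipped silently, so printing a warning when `msvs_version < 14.0` would keep an installer without the mitigation from shipping unnoticed.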
http://nsis//sourceforge.net/Docs/AppendixG.html.
- The security changes to NSIS involve adding the /DYMANICBASE and /GS options
- to the NSIS compile/link steps, so that the Runtime Installer and Uninstaller
- are built with address space layout randomization and buffer overrun checks.
+ The security changes to NSIS involve adding the /DYMANICBASE, /GS and
+ /guard:cf options to the NSIS compile/link steps, so that the Runtime
+ Installer and Uninstaller are built with address space layout randomization,
+ buffer overrun checks and control flow guard.
The security changes to NSIS can be made by applying the patch in the
NSIS_Security.patch file in this folder.
