From 1ef324febd501175476be53851fa462ef8d540f2 Mon Sep 17 00:00:00 2001
From: Slawomir Cygan
Date: Wed, 14 Jun 2017 19:15:31 +0200
Subject: build: Enable control flow guard on Windows

This enables the 'Control Flow Guard' security feature, which prevents memory corruption vulnerabilites by placing a restriction on where application can execute from. The change is applied to both VulkanRT and it's NSIS installer. WARN: This change requires re-patching and rebuillding NSIS with attached patch. WARN#2: This change requires Visual Studion 2015 or vs140 toolset to take effect. Control Flow Guard documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
Change-Id: I7683c0570087d994961c79fb64419509f83536a8
---
 CMakeLists.txt | 8 ++++++++
 windowsRuntimeInstaller/ConfigureRT.vcxproj | 8 +++++---
 windowsRuntimeInstaller/NSIS_Security.patch | 13 ++++++++++++-
 windowsRuntimeInstaller/README.txt | 7 ++++---
 4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b4b7d54f..ce10e9cd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -77,6 +77,14 @@ if(WIN32)
 # Warn about potentially uninitialized variables
 add_compile_options("$<$:/w34701>")
 add_compile_options("$<$:/w34703>")
+
+ if (NOT MSVC_VERSION LESS 1900)
+ # Enable control flow guard
+ message(STATUS "Building with control flow guard")
+ add_compile_options("$<$:/guard:cf>")
+ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} /guard:cf")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /guard:cf")
+ endif()
 endif()
 
 if(NOT WIN32)
diff --git a/windowsRuntimeInstaller/ConfigureRT.vcxproj b/windowsRuntimeInstaller/ConfigureRT.vcxproj
index 2627b179..a7181a0c 100644
--- a/windowsRuntimeInstaller/ConfigureRT.vcxproj
+++ b/windowsRuntimeInstaller/ConfigureRT.vcxproj
@@ -1,5 +1,5 @@ ﻿ - + Debug
@@ -18,13 +18,13 @@ Application true - v120 + v140 MultiByte Application false - v120 + v140 true MultiByte
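Review bot: In the CMakeLists.txt hunk, `if (NOT MSVC_VERSION LESS 1900)` is also true when `MSVC_VERSION` is undefined, because `LESS` evaluates to false when its left-hand side is not a number. The enclosing `if(WIN32)` block (it starts outside the hunk) is entered for any compiler on Windows, so a non-MSVC toolchain would get `/guard:cf` appended by the two unconditional `set()` calls on `CMAKE_SHARED_LINKER_FLAGS` and `CMAKE_EXE_LINKER_FLAGS`; the compile option appears to be gated by a generator expression whose condition is not legible on this page. Writing the guard as `if (MSVC AND NOT MSVC_VERSION LESS 1900)` keeps the linker flags MSVC-only. If the project has any `MODULE` library targets (none are visible here), `CMAKE_MODULE_LINKER_FLAGS` would need the same flag, otherwise those binaries are compiled for CFG but not linked with it.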
@@ -45,6 +45,7 @@ Disabled false MultiThreadedDebug + Guard true
@@ -60,6 +61,7 @@ true false MultiThreaded + Guard true
diff --git a/windowsRuntimeInstaller/NSIS_Security.patch b/windowsRuntimeInstaller/NSIS_Security.patch
index 87bf7e6b..b275aae0 100644
--- a/windowsRuntimeInstaller/NSIS_Security.patch
+++ b/windowsRuntimeInstaller/NSIS_Security.patch
@@ -20,7 +20,18 @@ index 32d3d33..d2c4d25 100644
 defenv.Append(CPPDEFINES = ['_CRT_SECURE_NO_WARNINGS', '_CRT_NONSTDC_NO_WARNINGS', '_CRT_SECURE_NO_DEPRECATE', '_CRT_NON_CONFORMING_SWPRINTFS'])
 defenv['MSVCRT_FLAG'] = '/MT' # Avoid msvcr?0.dll dependency
 else:
-@@ -143,9 +143,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst']) # listing file name
+@@ -43,6 +43,10 @@ if msvs_version >= 11.0:
+ defenv['SUBSYS_CON'] = '/subsystem:console,5.01' # support windows xp
+ defenv['SUBSYS_WIN'] = '/subsystem:windows,5.01' # support windows xp
+
++if msvs_version >= 14.0:
++ defenv.Append(CCFLAGS = ['/guard:cf'])
++ defenv.Append(LINKFLAGS = ['/guard:cf'])
++
+ ### defines
+
+ defenv.Append(CPPDEFINES = [('NSISCALL', '$STDCALL')])
+@@ -143,9 +147,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst']) # listing file name
 stub_env.Append(LINKFLAGS = ['$NODEFLIBS_FLAG']) # no default libraries
 stub_env.Append(LINKFLAGS = ['$MAP_FLAG']) # generate map file
 
diff --git a/windowsRuntimeInstaller/README.txt b/windowsRuntimeInstaller/README.txt
index 2653414d..c9863322 100644
--- a/windowsRuntimeInstaller/README.txt
+++ b/windowsRuntimeInstaller/README.txt
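Review bot: In the NSIS_Security.patch hunk, the added `if msvs_version >= 14.0:` branch has no `else`, so an NSIS build with an older toolset silently produces an installer and uninstaller without Control Flow Guard. Suggest adding an `else:` branch that prints a notice such as `print('NSIS: /guard:cf not applied (msvs_version < 14.0)')`, so a release built on the wrong toolset is noticed. The trailing context lines show the stubs being linked with `$NODEFLIBS_FLAG`; whether those stubs still end up with a CFG-aware load configuration is not visible here. Confirm it on the built binaries with `dumpbin /headers /loadconfig` and check that the Guard entries are present.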
@@ -21,9 +21,10 @@ To build the Vulkan Runtime Installer: Instructions for building NSIS are available at http://nsis//sourceforge.net/Docs/AppendixG.html.
- The security changes to NSIS involve adding the /DYMANICBASE and /GS options
- to the NSIS compile/link steps, so that the Runtime Installer and Uninstaller
- are built with address space layout randomization and buffer overrun checks.
+ The security changes to NSIS involve adding the /DYMANICBASE, /GS and
+ /guard:cf options to the NSIS compile/link steps, so that the Runtime
+ Installer and Uninstaller are built with address space layout randomization,
+ buffer overrun checks and control flow guard.
 The security changes to NSIS can be made by applying the patch in the NSIS_Security.patch file in this folder.
-- 
cgit v1.2.3