| field | value | date |
|---|---|---|
| author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-06-21 19:11:41 +0200 |
| committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-06-22 00:41:53 +0200 |
| commit | 4150f5e8ba650416dcb8956c9835885cc6a2a80d (patch) | |
| tree | 1797eeff5b62bfb3d9c2a808b03e3f1223f43107 /pkgs/build-support | |
| parent | 6338c50a84a4ac64262c3a39d9464df35e9bce87 (diff) | |
cc-wrapper: add stackcheck hardening (stack clash)
This fixes the Stack Clash issue rediscovered by Qualys. See https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt for more information on the topic, specifically section III.

We don't have the kernel mitigation available because it is a Grsecurity feature which we don't support anymore. Other distributions like Gentoo Hardened and Arch already have `-fstack-check` enabled by default. See the Gentoo page on Stack Clash for more information on this solution: https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash

This unfortunately doesn't apply to clang because `-fstack-check` is a no-op there.

Note that the GCC implementation also has problems that could be exploited to circumvent these checks, but it is still better than keeping it disabled.
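A quick way to see the GCC-versus-clang difference the message describes is to compile a function with a multi-page stack frame under `-fstack-check=specific` and count the stack probes in the generated assembly. The script below is an added example, not part of this commit or of nixpkgs' cc-wrapper; it assumes x86-64 GCC-style AT&T output, where a probe is an `or $0` store into the stack (for example `orq $0, -4096(%rsp)`), and that `gcc` and `clang` are on PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of this commit or of nixpkgs' cc-wrapper: measure
# whether a compiler really emits stack probes for -fstack-check=specific.
# Assumption: x86-64 GCC-style AT&T assembly, where a probe is an "or $0"
# store through %rsp or a scratch register (e.g. "orq $0, -4096(%rsp)").
# Other targets use different probe sequences and will report 0 here.

# count_stack_probes <asm-file>: number of "or $0, ...(%reg)" probe stores.
count_stack_probes() {
    grep -cE '^[[:space:]]*or[lq][[:space:]]+\$0x?0?,[[:space:]]*-?[0-9]*\(%r[a-z0-9]+\)' "$1" || true
}

# probes_for_flag <cc> <flag>: compile a function whose frame spans several
# 4 KiB pages with <flag> and print the probe count found in the assembly.
# Prints -1 when the compiler is missing or rejects the flag, so a plain "0"
# means the flag was accepted but did nothing (the clang no-op case).
probes_for_flag() {
    local cc=$1 flag=$2 tmp
    command -v "$cc" >/dev/null 2>&1 || { printf '%s\n' -1; return; }
    tmp=$(mktemp -d) || { printf '%s\n' -1; return; }
    cat >"$tmp/big.c" <<'EOF'
/* Constructed input: a 16 KiB local buffer, kept on the stack by volatile. */
int touch(int n) { volatile char buf[16384]; buf[n] = 1; return buf[0]; }
EOF
    # $flag is deliberately unquoted so that multi-word flag sets work too.
    if "$cc" -O2 $flag -S -o "$tmp/big.s" "$tmp/big.c" 2>/dev/null; then
        count_stack_probes "$tmp/big.s"
    else
        printf '%s\n' -1
    fi
    rm -rf "$tmp"
}

# Compare the two compilers the commit message contrasts.
for cc in gcc clang; do
    echo "$cc -fstack-check=specific: $(probes_for_flag "$cc" -fstack-check=specific) probe(s)"
done
```

A result of 0 for a compiler that accepted the flag is exactly the silent no-op the message warns about; -1 means the flag was rejected outright.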
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index b98833b3513b..2419b567d57d 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,4 +1,4 @@ -hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) +hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow stackcheck) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() @@ -50,7 +50,11 @@ if [[ ! $hardeningDisable =~ "all" ]]; then if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi hardeningLDFlags+=('-z' 'now') ;; - *) + stackcheck) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackcheck >&2; fi + hardeningCFlags+=('-fstack-check=specific') + ;; + *) echo "Hardening flag unknown: $flag" >&2 ;; esac |
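Review bot: adding `stackcheck` to the default `hardeningFlags` array turns it on for every cc-wrapper build that does not name it in `hardeningDisable`, yet the diffstat shows only add-hardening.sh changing, so if there is a documented list of supported hardening flags and their opt-out names, it should gain `stackcheck` (and the note from the message that it is a no-op under clang) in this or a follow-up commit, so maintainers who see new build behaviour know where it comes from.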
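Review bot: the new `stackcheck)` case passes `-fstack-check=specific` while the commit message only discusses `-fstack-check`; the message should state why the `specific` variant was chosen and confirm that clang accepts this spelling rather than rejecting it, since the "no-op" claim is made about the bare flag. Also, because the flag is appended to `hardeningCFlags` regardless of which compiler the wrapper fronts, the `HARDENING: enabling stackcheck` debug line will report the hardening as active on clang even though, per the message, it has no effect there; either gate the case on the compiler or make the debug output say so.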