cc-wrapper: add stackcheck hardening (stack clash) - nixlib - Alyssa's collection of Nix expressions

diff options

author	Franz Pletz <fpletz@fnordicwalking.de>	2017-06-21 19:11:41 +0200
committer	Franz Pletz <fpletz@fnordicwalking.de>	2017-06-22 00:41:53 +0200
commit	4150f5e8ba650416dcb8956c9835885cc6a2a80d (patch)
tree	1797eeff5b62bfb3d9c2a808b03e3f1223f43107 /pkgs/tools/misc
parent	6338c50a84a4ac64262c3a39d9464df35e9bce87 (diff)
download	nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.gz nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.bz2 nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.lz nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.xz nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.zst nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.zip

cc-wrapper: add stackcheck hardening (stack clash)

This fixes the Stack Clash issue rediscovered by Qualys. See
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
for more information on the topic, specifically section III.

We don't have the kernel mitigation available because it is a Grsecurity
feature which we don't support anymore. Other distributions like Gentoo
Hardened and Arch already have `-fstack-check` enabled by default.

See the Gentoo page on Stack Clash for more information on this solution:
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash

This unfortunately doesn't apply to clang because `-fstack-check` is a
noop there. Note that the GCC implementation also has problems that could
be exploited to circumvent these checks but it is still better than
keeping it disabled.

Diffstat (limited to 'pkgs/tools/misc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: