diff options
author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-06-21 19:11:41 +0200 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-06-22 00:41:53 +0200 |
commit | 4150f5e8ba650416dcb8956c9835885cc6a2a80d (patch) | |
tree | 1797eeff5b62bfb3d9c2a808b03e3f1223f43107 /pkgs/tools/misc | |
parent | 6338c50a84a4ac64262c3a39d9464df35e9bce87 (diff) | |
download | nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.gz nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.bz2 nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.lz nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.xz nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.tar.zst nixlib-4150f5e8ba650416dcb8956c9835885cc6a2a80d.zip |
cc-wrapper: add stackcheck hardening (stack clash)
This fixes the Stack Clash issue rediscovered by Qualys. See https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt for more information on the topic, specifically section III. We don't have the kernel mitigation available because it is a Grsecurity feature which we don't support anymore. Other distributions like Gentoo Hardened and Arch already have `-fstack-check` enabled by default. See the Gentoo page on Stack Clash for more information on this solution: https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash This unfortunately doesn't apply to clang because `-fstack-check` is a noop there. Note that the GCC implementation also has problems that could be exploited to circumvent these checks but it is still better than keeping it disabled.
Diffstat (limited to 'pkgs/tools/misc')
0 files changed, 0 insertions, 0 deletions