cc-wrapper: add stackcheck hardening (stack clash)

This fixes the Stack Clash issue rediscovered by Qualys. See
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
for more information on the topic, specifically section III.

We don't have the kernel mitigation available because it is a Grsecurity
feature which we don't support anymore. Other distributions like Gentoo
Hardened and Arch already have `-fstack-check` enabled by default.

See the Gentoo page on Stack Clash for more information on this solution:
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash

This unfortunately doesn't apply to clang because `-fstack-check` is a
no-op there. Note that the GCC implementation also has problems that could
be exploited to circumvent these checks, but it is still better than
keeping it disabled.

+6 -2
pkgs/build-support/cc-wrapper/add-hardening.sh
··· 1 - hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) 1 + hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow stackcheck) 2 2 hardeningFlags+=("${hardeningEnable[@]}") 3 3 hardeningCFlags=() 4 4 hardeningLDFlags=() ··· 50 50 if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi 51 51 hardeningLDFlags+=('-z' 'now') 52 52 ;; 53 - *) 53 + stackcheck) 54 + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackcheck >&2; fi 55 + hardeningCFlags+=('-fstack-check=specific') 56 + ;; 57 + *) 54 58 echo "Hardening flag unknown: $flag" >&2 55 59 ;; 56 60 esac
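Review bot: the new `stackcheck)` case appends `-fstack-check=specific` to hardeningCFlags unconditionally, and `stackcheck` is now in the default hardeningFlags list, so clang wrappers receive a flag that the commit message itself describes as a no-op there; consider either restricting the `stackcheck)` case to GCC wrappers or leaving `stackcheck` out of the default set when the wrapped compiler is clang, so that only compilers which honour the flag get it. Since this lands in the default list for every GCC-built package, a short entry for `stackcheck` next to the other hardening flags in the documentation, including the caveat from the message that GCC's probing can be bypassed and this is defence in depth rather than a complete Stack Clash fix, would help packagers decide when to put it in hardeningDisable.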