From patchwork Sun Aug 16 10:29:46 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 3361
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 55/62] make.sh: Enable -fstack-clash-protection for x86_64/aarch64
Date: Sun, 16 Aug 2020 10:29:46 +0000
Message-Id: <20200816102953.3881-55-michael.tremer@ipfire.org>
In-Reply-To: <20200816102953.3881-1-michael.tremer@ipfire.org>
References: <20200816102953.3881-1-michael.tremer@ipfire.org>
List-Id: IPFire development talk
Cc: Michael Tremer

This patch turns on instrumentation to avoid skipping the guard page in large stack frames.

Without this flag, vulnerabilities can result where the stack overlaps with the heap, or thread stacks spill into other regions of memory.

This flag is only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer

--- make.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/make.sh b/make.sh index 0f3917adf..fae75fdc9 100755 --- a/make.sh +++ b/make.sh @@ -146,7 +146,7 @@ configure_build() { BUILDTARGET="${build_arch}-unknown-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="x86" - CFLAGS_ARCH="-m64 -mtune=generic" + CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection" ;; i586) @@ -160,7 +160,7 @@ configure_build() { BUILDTARGET="${build_arch}-unknown-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="arm" - CFLAGS_ARCH="" + CFLAGS_ARCH="-fstack-clash-protection" ;; armv7hl)
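Review bot: In the first hunk (@@ -146), the new `CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"` line puts a hardening option into a variable that until now held only target-selection flags, and nothing in the script records why. A one-line comment above the assignment stating that the option is only available on x86_64 and aarch64 (as the commit message says) would keep a later cleanup from moving it into a common flags variable and onto the i586 and armv7hl branches. It is also worth confirming that every consumer of CFLAGS_ARCH is a compiler that accepts the option, since it is now passed unconditionally in this branch.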
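Review bot: In the second hunk (@@ -160), the case label of the branch being changed lies outside the context lines, so the visible text (`BUILD_PLATFORM="arm"`, then the `armv7hl)` case that follows) does not by itself show that `CFLAGS_ARCH="-fstack-clash-protection"` lands in the aarch64 branch and not another ARM target. Please confirm that against the full file. The same literal now appears in two branches; defining it once (for example in a small variable that both branches append) would keep the two architectures from drifting apart if the option is ever changed.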