Verified Commit d1cf7187 authored by Levente Polyak

buildflags: adding stack-clash-protection and cf-protection

Both flags should be safe for use and, on top of that, are fairly widely used nowadays
as they are enabled on the latest Fedora and Ubuntu 19.10.
parent 42b9152b
......@@ -31,7 +31,8 @@ We will change the distributed makepkg.conf to the following:
#CPPFLAGS=""
CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
-Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS -Werror=format-security"
-Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS -Werror=format-security \
-fstack-clash-protection -fcf-protection"
CXXFLAGS="$CFLAGS"
LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
DEBUG_CFLAGS="-g -fvar-tracking-assignments"
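Review bot: the added `-fcf-protection` in CFLAGS only hardens objects that are actually compiled through makepkg's CFLAGS/CXXFLAGS, and the linker keeps the IBT/SHSTK bits in `.note.gnu.property` only when every input object carries them, so a package with hand-written assembly or a build system that ignores CFLAGS silently loses the property for the whole binary. Suggest the RFC tell maintainers to verify the result on the installed ELF with `readelf -n` (look for `IBT, SHSTK` under the x86 feature property) rather than assume the flag took effect. Leaving LDFLAGS untouched is correct: neither `-fstack-clash-protection` nor `-fcf-protection` needs a linker option.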
......@@ -75,6 +76,23 @@ This is the default in GCC.
This is the default in GCC, at least for x86_64.
* Add ``-fstack-clash-protection``
Ensures all variable length memory allocated from the stack (via alloca() or
gcc variable length arrays etc) are probed at the time they are allocated. This
mitigates stack-clash attacks by ensuring all stack memory allocations are
valid (or by raising a segmentation fault if they are not, and turning a
possible code-execution attack into a denial of service). Without this flag,
vulnerabilities can result where the stack overlaps with the heap, or thread
stacks spill into other regions of memory.
* Add ``-fcf-protection``
Generates instructions to support Intel's Control-flow Enforcement Technology
(CET). Instrument binaries to guard against ROP/JOP attacks. Used on i686 and
x86_64.
Drawbacks
---------
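Review bot: the ``-fstack-clash-protection`` paragraph understates the flag: GCC probes every page of stack it allocates, for fixed-size frames larger than the guard region as well as for alloca()/VLA allocations, so "all variable length memory allocated from the stack" should read "all stack allocations, fixed-size frames as well as variable length ones", otherwise a reader may conclude functions with large static arrays are not covered. The ``-fcf-protection`` paragraph should also state that enforcement requires CET-capable hardware plus kernel and glibc support; on other CPUs the emitted endbr64/endbr32 instructions execute as NOPs and the flag only marks the binary via `.note.gnu.property`, so the RFC is describing forward-looking hardening, not protection on current installs. Suggest: "Instrument binaries to guard against ROP/JOP attacks on CET-capable hardware with kernel support; elsewhere the added instructions are no-ops."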
......@@ -84,11 +102,17 @@ Adding ``-Werror=format-security`` may cause limited build issues, but patches a
readily available.
There is a minimal performance overhead of adding ``-Wp,-D_GLIBCXX_ASSERTIONS``,
though many of the added checks are optimised away by the compiler.
though many of the added checks are optimised away by the compiler. Adding
-fstack-clash-protection also has very little run-time overhead.
Adding ``-fexceptions`` can produce some data size overhead in C programs, though
does not affect execution. GCC enables it by default for C++.
Using -fcf-protection is incompatible with -mindirect-branch (which is used
to implement retpoline). In such cases it is recommended to disable
-fcf-protection. Disabled with -fcf-protection=none in CFLAGS / CXXFLAGS.
Unresolved Questions
--------------------
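Review bot: the closing sentence of the -fcf-protection drawback, "Disabled with -fcf-protection=none in CFLAGS / CXXFLAGS.", is a fragment, and the flags in both added paragraphs lack the double backticks the rest of the section uses for ``-Werror=format-security`` and ``-fexceptions``. Suggest: "Using ``-fcf-protection`` is incompatible with ``-mindirect-branch`` (used to implement retpoline); GCC rejects the combination with an error, so affected packages should append ``-fcf-protection=none`` to CFLAGS/CXXFLAGS in their PKGBUILD." Since the surrounding paragraphs discuss size overhead, it would also be worth noting that ``-fstack-clash-protection`` adds probe instructions to functions with large frames and ``-fcf-protection`` adds an endbr instruction at every indirect call target, a small code-size cost on top of the run-time figure given.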