From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 55/62] make.sh: Enable -fstack-clash-protection for x86_64/aarch64
Date: Sun, 16 Aug 2020 10:29:46 +0000
Message-ID: <20200816102953.3881-55-michael.tremer@ipfire.org>
In-Reply-To: <20200816102953.3881-1-michael.tremer@ipfire.org>
This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.
Without this flag, vulnerabilities can result where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.
This flag is only available on x86_64 and aarch64.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
make.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/make.sh b/make.sh
index 0f3917adf..fae75fdc9 100755
--- a/make.sh
+++ b/make.sh
@@ -146,7 +146,7 @@ configure_build() {
BUILDTARGET="${build_arch}-unknown-linux-gnu"
CROSSTARGET="${build_arch}-cross-linux-gnu"
BUILD_PLATFORM="x86"
- CFLAGS_ARCH="-m64 -mtune=generic"
+ CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"
;;
i586)
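Review bot: The new CFLAGS_ARCH value in this branch hard-codes -fstack-clash-protection, and nothing visible in the hunk checks that the compiler consuming CFLAGS_ARCH accepts the option. If any build stage hands these flags to a compiler that predates the option, it will be rejected as unrecognized. Please confirm that CFLAGS_ARCH only ever reaches the project's own toolchain compiler, or note that assumption in a comment next to the assignment.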
@@ -160,7 +160,7 @@ configure_build() {
BUILDTARGET="${build_arch}-unknown-linux-gnu"
CROSSTARGET="${build_arch}-cross-linux-gnu"
BUILD_PLATFORM="arm"
- CFLAGS_ARCH=""
+ CFLAGS_ARCH="-fstack-clash-protection"
;;
armv7hl)
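Review bot: The flag literal is now repeated in a second CFLAGS_ARCH assignment, while the i586) and armv7hl) branches next to these hunks stay without it, and make.sh itself carries no comment saying why. The reason (the flag is only available on x86_64 and aarch64) lives only in the commit message. A one-line comment above each assignment, or a single shared variable holding the flag that both branches append, would keep the two architectures in sync and make the omission on the 32-bit targets read as deliberate.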
--
2.20.1