This patch turns on instrumentation to avoid skipping the guard page in large stack frames.
Without this flag, vulnerabilities can result in where the stack overlaps with the heap, or thread stacks spill into other regions of memory.
This flag in only available on x86_64 and aarch64.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- make.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/make.sh b/make.sh index 0f3917adf..fae75fdc9 100755 --- a/make.sh +++ b/make.sh @@ -146,7 +146,7 @@ configure_build() { BUILDTARGET="${build_arch}-unknown-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="x86" - CFLAGS_ARCH="-m64 -mtune=generic" + CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection" ;;
i586) @@ -160,7 +160,7 @@ configure_build() { BUILDTARGET="${build_arch}-unknown-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="arm" - CFLAGS_ARCH="" + CFLAGS_ARCH="-fstack-clash-protection" ;;
armv7hl)