Re: Additional hardening options


Paul Eggleton
 

On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote:
Hi folks

I've been looking into a couple of compiler flags for hardening that I think
we might want to consider enabling by default in security-flags.inc:


1) -fstack-clash-protection

This option was introduced to gcc 8.x and provides protection against the
stack clash vulnerability:

https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html

It has been enabled in some Linux distributions already (e.g. Ubuntu,
Fedora).
Another quirk of this - with dunfell, the buildepoxy SDK test fails on Ubuntu
18.04 with -fstack-clash-protection because the version of meson in dunfell
uses the same LDFLAGS value for both host and target, and host gcc doesn't
support that option. Not sure what to do other than just filtering out the
option from LDFLAGS in the test.

Cheers
Paul

Join yocto@lists.yoctoproject.org to automatically receive all group messages.