Re: Additional hardening options

Richard Purdie

On Wed, 2022-01-26 at 14:39 +1300, Paul Eggleton wrote:
> Hi folks
> 
> I've been looking into a couple of compiler flags for hardening that I think we
> might want to consider enabling by default in security-flags.inc:
> 
> 
> 1) -fstack-clash-protection
> 
> This option was introduced to gcc 8.x and provides protection against the
> stack clash vulnerability:
> 
> https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html
> 
> It has been enabled in some Linux distributions already (e.g. Ubuntu, Fedora).
> 
> 
> 2) -z noexecstack (or alternative mitigations)
> 
> gcc will enable an executable stack under a few different circumstances - see
> here for details
> 
> https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
> 
> I've written a check that we could add to insane.bbclass that warns/errors on
> binaries with an executable stack. Does this seem reasonable to have?
> The other possibility is we add -Wl,-z,noexecstack to LDFLAGS and then see
> what breaks, but unfortunately issues are likely only going to show up when
> the program crashes at runtime, and also it will stop the aforementioned check
> from working.
> 
> 
> Any opinions?
These seem like reasonable things to do; are there any downsides to them?

I'd be happy to test some patches, see if they do cause issues...

Cheers,

Richard
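Paul's insane.bbclass check is not included in the thread. As an added illustration, and not the patch under discussion or any code from the Yocto project, here is a standalone Python check of the ELF PT_GNU_STACK program header, which is exactly what `-Wl,-z,noexecstack` influences: a binary whose PT_GNU_STACK segment carries PF_X, or that lacks the segment altogether, is reported as having an executable stack (the conservative reading; the kernel's default for a missing header varies by architecture). The `build_elf64` helper constructs a minimal, non-loadable ELF purely as sample input.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the stack permissions
PF_X = 0x1                 # segment flag: executable


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                            # ELF64 layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
            if p_type == PT_GNU_STACK:
                return p_flags
    else:                                        # ELF32 layout: p_flags sits at +24
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
            if p_type == PT_GNU_STACK:
                return p_flags
    return None


def has_exec_stack(data: bytes) -> bool:
    """True if the stack is executable: PF_X set, or no PT_GNU_STACK at all."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_elf64(phdrs):
    """Constructed sample: minimal little-endian x86-64 ELF with only program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    for name, phdrs in [("noexecstack", [(1, 5), (PT_GNU_STACK, 6)]),
                        ("execstack", [(1, 5), (PT_GNU_STACK, 7)]),
                        ("missing", [(1, 5)])]:
        print(name, "executable stack:", has_exec_stack(build_elf64(phdrs)))
```

To apply it to a real file, pass `open(path, "rb").read()` to `has_exec_stack`; the same bit is what `readelf -lW` shows as `RWE` on the GNU_STACK line.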
