From 4150f5e8ba650416dcb8956c9835885cc6a2a80d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 21 Jun 2017 19:11:41 +0200 Subject: [PATCH] cc-wrapper: add stackcheck hardening (stack clash) This fixes the Stack Clash issue rediscovered by Qualys. See https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt for more information on the topic, specifically section III. We don't have the kernel mitigation available because it is a Grsecurity feature which we don't support anymore. Other distributions like Gentoo Hardened and Arch already have `-fstack-check` enabled by default. See the Gentoo page on Stack Clash for more information on this solution: https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash This unfortunately doesn't apply to clang because `-fstack-check` is a noop there. Note that the GCC implementation also has problems that could be exploited to circumvent these checks but it is still better than keeping it disabled. --- pkgs/build-support/cc-wrapper/add-hardening.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index b98833b3513..2419b567d57 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -1,4 +1,4 @@ -hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) +hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow stackcheck) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() @@ -50,7 +50,11 @@ if [[ ! $hardeningDisable =~ "all" ]]; then if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi hardeningLDFlags+=('-z' 'now') ;; - *) + stackcheck) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackcheck >&2; fi + hardeningCFlags+=('-fstack-check=specific') + ;; + *) echo "Hardening flag unknown: $flag" >&2 ;; esac
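Review bot: In the first hunk (the `hardeningFlags=(...)` default list), `stackcheck` is added to the defaults unconditionally, so it is passed to every compiler driven by this wrapper, including clang, where the commit message itself says `-fstack-check` is a noop. If the wrapper can tell the compiler apart, consider gating the default on GCC, or at least verify that clang accepts the `-fstack-check=specific` spelling without an unused-argument warning, since a package building with `-Werror` would turn that warning into a build failure. The flag set is also user-facing (packages opt out through `hardeningDisable`, visible in the enclosing `if` of the second hunk), so the new name belongs wherever the existing hardening flags are documented, and the commit description should say that `hardeningDisable = [ "stackcheck" ]` is the escape hatch for packages that cannot tolerate the extra stack probes.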
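Review bot: In the second hunk (the new `stackcheck)` case arm), `-fstack-check=specific` is emitted with no comment on why the `specific` variant was chosen over `generic`, even though the commit message notes the GCC implementation has known weaknesses that can be used to get around the checks; a one-line comment above `hardeningCFlags+=('-fstack-check=specific')` pointing at the Qualys advisory and the Gentoo page would save the next maintainer from re-deriving that decision. The arm correctly touches only `hardeningCFlags` (this is a codegen flag, unlike the `bindnow` arm above it which sets `hardeningLDFlags`), but because the same wrapper drives clang builds, the `NIX_DEBUG` line will print `HARDENING: enabling stackcheck` for a compiler where the flag does nothing; consider either skipping the arm for clang or making the debug message say the flag is a noop there, so that someone auditing build logs does not wrongly conclude stack probes are in place.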