BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixpkgs-suyu/pkgs/build-support/cc-wrapper
History
Franz Pletz 4150f5e8ba
cc-wrapper: add stackcheck hardening (stack clash) 
This fixes the Stack Clash issue rediscovered by Qualys. See
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
for more information on the topic, specifically section III.

We don't have the kernel mitigation available because it is a Grsecurity
feature which we don't support anymore. Other distributions like Gentoo
Hardened and Arch already have `-fstack-check` enabled by default.

See the Gentoo page on Stack Clash for more information on this solution:
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash

This unfortunately doesn't apply to clang because `-fstack-check` is a
noop there. Note that the GCC implementation also has problems that could
be exploited to circumvent these checks but it is still better than
keeping it disabled.
2017-06-22 00:41:53 +02:00
..
add-flags.sh cc-wrapper: add-{flags,hardening} -> add-{flags,hardening}.sh 2016-08-23 15:27:51 +00:00
add-hardening.sh cc-wrapper: add stackcheck hardening (stack clash) 2017-06-22 00:41:53 +02:00
cc-wrapper.sh Merge branch 'response-files' of git://github.com/corngood/nixpkgs into staging 2016-10-31 10:07:30 -04:00
default.nix cc-wrapper: externalize default_cxx_stdlib_compile 2017-06-08 19:50:40 +01:00
gnat-wrapper.sh Merge branch 'master' into closure-size 2016-04-01 10:06:01 +02:00
gnatlink-wrapper.sh
ld-solaris-wrapper.sh Replace hard coded /bin/bash occurrences 2016-10-04 20:15:37 +02:00
ld-wrapper.sh Merge branch 'response-files' of git://github.com/corngood/nixpkgs into staging 2016-10-31 10:07:30 -04:00
setup-hook.sh Merge branch 'master' into closure-size 2016-04-01 10:06:01 +02:00
utils.sh Speed up parsing @args.rsp compiler arguments 2017-06-14 18:56:44 +00:00