about summary refs log tree commit diff
path: root/pkgs/stdenv
diff options
context:
space:
mode:
authorFranz Pletz <fpletz@fnordicwalking.de>2024-02-14 09:30:45 +0100
committerRobert Scott <code@humanleg.org.uk>2024-06-07 20:23:46 +0100
commit3db93c351d221365556200d48d318a6f89c4339f (patch)
tree34c1f0aa10b710384ba2d67f29e374cd9ed93a2a /pkgs/stdenv
parent4f7faf6b88aaf27b7f75079fb70cdb60d86cfe01 (diff)
cc-wrapper: add stack clash protection hardening flag
Most Linux distributions are enabling this these days and it does
protect against real world vulnerabilities as demonstrated by
CVE-2018-16864 and CVE-2018-16865.

Fix #53753.

Information on llvm version support gleaned from
https://github.com/llvm/llvm-project/commit/6609892a2dcdd1a4f6adefe191b55524861f020c
https://github.com/llvm/llvm-project/commit/68e07da3e5d5175e24caa309e2b13cb333365c8c
https://github.com/llvm/llvm-project/commit/092507a730fa4fad6dbe544cd139cfb7e8179aa4

Information on gcc version support a lot harder to gather,
but both 32bit and 64bit arm do appear to be supported
based on the test suite.
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r--pkgs/stdenv/darwin/default.nix6
-rw-r--r--pkgs/stdenv/generic/make-derivation.nix1
-rw-r--r--pkgs/stdenv/linux/bootstrap-tools/default.nix7
3 files changed, 12 insertions, 2 deletions
diff --git a/pkgs/stdenv/darwin/default.nix b/pkgs/stdenv/darwin/default.nix
index 45cc6742c7205..787c48898ac60 100644
--- a/pkgs/stdenv/darwin/default.nix
+++ b/pkgs/stdenv/darwin/default.nix
@@ -327,7 +327,11 @@ in
               '';
               passthru = {
                 isFromBootstrapFiles = true;
-                hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+                hardeningUnsupportedFlags = [
+                  "fortify3"
+                  "stackclashprotection"
+                  "zerocallusedregs"
+                ];
               };
             };
             clang-unwrapped = selfTools.libclang;
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index af68bf890ed29..f03c68a4c5cb0 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -119,6 +119,7 @@ let
     "pie"
     "relro"
     "stackprotector"
+    "stackclashprotection"
     "strictoverflow"
     "trivialautovarinit"
     "zerocallusedregs"
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index 6d2490acfa477..4450679983ff2 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -15,5 +15,10 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
+  hardeningUnsupportedFlags = [
+    "fortify3"
+    "stackclashprotection"
+    "trivialautovarinit"
+    "zerocallusedregs"
+  ];
 } // extraAttrs)
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-05 10:16:10 +0000