#5 Enable -fstack-clash-protection flag globally (#1515865)
Closed 2 years ago by fweimer. Opened 2 years ago by fweimer.
rpms/ fweimer/redhat-rpm-config master  into  master

file modified
+1 -1

@@ -155,7 +155,7 @@ 

  %_annotated_build	1

  %_annotated_cflags	%{?_annotated_build:%{_annobin_cflags}}


- %__global_compiler_flags	-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}

+ %__global_compiler_flags	-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -fstack-clash-protection -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}


  %__global_cflags	%{optflags}

  %__global_cxxflags	%{optflags}

file modified
+4 -1

@@ -6,7 +6,7 @@ 


  Summary: Red Hat specific rpm configuration files

  Name: redhat-rpm-config

- Version: 69

+ Version: 70

  Release: 1%{?dist}

  # No version specified.

  License: GPL+

@@ -150,6 +150,9 @@ 




+ * Wed Nov 29 2017 Florian Weimer <fweimer@redhat.com> - 70-1

+ - Enable -fstack-clash-protection flag globally (#1515865)


  * Wed Nov 22 2017 Nick Clifton <nickc@redhat.com> - 69-1

  - Enable binary annotations in compiler flags


Enable -fstack-clash-protection globally, now that GCC has support for it.

As far as hardening goes, -fstack-clash-protection is extremely lightweight, so we can make it part of the default flags.

There was some discussion on-list about this but one comment about not being able to use -f-stack-clash-protection on all architectures is troubling, because this PR seems to turn it on for everything.

Maybe I'm misunderstanding and gcc simply ignores the flag on those architectures. Still, it seems like it's worth asking.

Pull-Request has been closed by fweimer

2 years ago

Canceling the pull request. We'll discuss this on the bug.