authorFranz Pletz <fpletz@fnordicwalking.de>2024-02-14 09:30:45 +0100
committerRobert Scott <code@humanleg.org.uk>2024-06-07 20:23:46 +0100
commit3db93c351d221365556200d48d318a6f89c4339f (patch)
tree34c1f0aa10b710384ba2d67f29e374cd9ed93a2a /pkgs/top-level/stage.nix
parent4f7faf6b88aaf27b7f75079fb70cdb60d86cfe01 (diff)
cc-wrapper: add stack clash protection hardening flag
Most Linux distributions are enabling this these days, and it does protect against real-world vulnerabilities, as demonstrated by CVE-2018-16864 and CVE-2018-16865. Fix #53753. Information on llvm version support was gleaned from https://github.com/llvm/llvm-project/commit/6609892a2dcdd1a4f6adefe191b55524861f020c https://github.com/llvm/llvm-project/commit/68e07da3e5d5175e24caa309e2b13cb333365c8c https://github.com/llvm/llvm-project/commit/092507a730fa4fad6dbe544cd139cfb7e8179aa4 Information on gcc version support is a lot harder to gather, but both 32-bit and 64-bit arm do appear to be supported based on the test suite.
Diffstat (limited to 'pkgs/top-level/stage.nix')
-rw-r--r--pkgs/top-level/stage.nix1
1 files changed, 1 insertions, 0 deletions
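--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -292,6 +292,7 @@ let
 pkgsExtraHardening = super';
 stdenv = super'.withDefaultHardeningFlags (
 super'.stdenv.cc.defaultHardeningFlags ++ [
+"stackclashprotection"
 "trivialautovarinit"
 ]
 ) super'.stdenv;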
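Review bot: The added "stackclashprotection" entry only widens the flag list of the opt-in pkgsExtraHardening overlay, so the regular stdenv keeps the cc-wrapper default set, and nothing in this section records that distinction or that the string must match a flag name the wrapper's hardening logic recognizes (those wrapper changes are in other files of this commit, outside this section). A short comment above the list would make the intent clear to the next reader: `# Flags appended here are opt-in extras for pkgsExtraHardening only; each name must be one the cc-wrapper hardening support knows, and the wrapper (not this list) decides whether the toolchain can honour it.` Presumably the wrapper also gates the flag on compiler version as the description suggests, but that cannot be confirmed from this section. The enclosing `let` block begins outside the hunk.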