diff options
author | Franz Pletz <fpletz@fnordicwalking.de> | 2024-02-14 09:30:45 +0100 |
---|---|---|
committer | Robert Scott <code@humanleg.org.uk> | 2024-06-07 20:23:46 +0100 |
commit | 3db93c351d221365556200d48d318a6f89c4339f (patch) | |
tree | 34c1f0aa10b710384ba2d67f29e374cd9ed93a2a /pkgs/top-level/stage.nix | |
parent | 4f7faf6b88aaf27b7f75079fb70cdb60d86cfe01 (diff) |
cc-wrapper: add stack clash protection hardening flag
Most Linux distributions are enabling this these days and it does
protect against real world vulnerabilities as demonstrated by
CVE-2018-16864 and CVE-2018-16865.
Fix #53753.
Information on llvm version support gleaned from
https://github.com/llvm/llvm-project/commit/6609892a2dcdd1a4f6adefe191b55524861f020c
https://github.com/llvm/llvm-project/commit/68e07da3e5d5175e24caa309e2b13cb333365c8c
https://github.com/llvm/llvm-project/commit/092507a730fa4fad6dbe544cd139cfb7e8179aa4
Information on gcc version support a lot harder to gather,
but both 32bit and 64bit arm do appear to be supported
based on the test suite.
Diffstat (limited to 'pkgs/top-level/stage.nix')
-rw-r--r-- | pkgs/top-level/stage.nix | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix index 390aa36db03b..b0c7ec03827b 100644 --- a/pkgs/top-level/stage.nix +++ b/pkgs/top-level/stage.nix @@ -292,6 +292,7 @@ let pkgsExtraHardening = super'; stdenv = super'.withDefaultHardeningFlags ( super'.stdenv.cc.defaultHardeningFlags ++ [ + "stackclashprotection" "trivialautovarinit" ] ) super'.stdenv; |