diff options
| author | Alexander Leidinger <netchild@FreeBSD.org> | 2025-01-25 12:43:39 +0000 |
|---|---|---|
| committer | Alexander Leidinger <netchild@FreeBSD.org> | 2025-01-25 12:45:53 +0000 |
| commit | f934e629dc22b859efabd3cdebc23b63b04fa2bb (patch) | |
| tree | 5fe497dc8b1b62cc4a4d0f693942430157a8d60b | |
| parent | 7bb9ba61d35703c8a819c3745b8a2b1feb56923d (diff) | |
Add stack clash protection to the WITH_SSP flag
Some background info availabe in:
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3
https://blog.llvm.org/posts/2021-01-05-stack-clash-protection/
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D48651
| -rw-r--r-- | share/man/man7/mitigations.7 | 14 | ||||
| -rw-r--r-- | share/mk/bsd.sys.mk | 2 |
2 files changed, 11 insertions, 5 deletions
diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index c487e4e1000b..4db6589cdcf1 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 23, 2024 +.Dd January 25, 2025 .Dt MITIGATIONS 7 .Os .Sh NAME @@ -244,9 +244,13 @@ and it is possible that some applications may not function correctly. .Fx supports stack overflow protection using the Stack Smashing Protector .Pq SSP -compiler feature. +compiler feature, +and stack clash protection. In userland, SSP adds a per-process randomized canary at the end of every stack -frame which is checked for corruption upon return from the function. +frame which is checked for corruption upon return from the function, +and stack probing in +.Dv PAGE_SIZE +chunks. In the kernel, a single randomized canary is used globally except on aarch64, which has a .Dv PERTHREAD_SSP @@ -264,7 +268,9 @@ When .Va WITH_SSP is enabled, which is the default, world is built with the .Fl fstack-protector-strong -compiler option. +and +.Fl fstack-clash-protection +compiler options. The kernel is built with the .Fl fstack-protector option. diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk index 63774e857167..06f8e6e9fe78 100644 --- a/share/mk/bsd.sys.mk +++ b/share/mk/bsd.sys.mk @@ -304,7 +304,7 @@ CXXFLAGS.clang+= -Wno-c++11-extensions FORTIFY_SOURCE?= 0 .if ${MK_SSP} != "no" # Don't use -Wstack-protector as it breaks world with -Werror. -SSP_CFLAGS?= -fstack-protector-strong +SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection CFLAGS+= ${SSP_CFLAGS} .endif # SSP .if ${FORTIFY_SOURCE} > 0 |