mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-30 09:00:19 +02:00
4150f5e8ba
This fixes the Stack Clash issue rediscovered by Qualys. See https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt for more information on the topic, specifically section III. We don't have the kernel mitigation available because it is a Grsecurity feature which we don't support anymore. Other distributions like Gentoo Hardened and Arch already have `-fstack-check` enabled by default. See the Gentoo page on Stack Clash for more information on this solution: https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash This unfortunately doesn't apply to clang because `-fstack-check` is a noop there. Note that the GCC implementation also has problems that could be exploited to circumvent these checks but it is still better than keeping it disabled. |
||
|---|---|---|
| .. | ||
| add-flags.sh | ||
| add-hardening.sh | ||
| cc-wrapper.sh | ||
| default.nix | ||
| gnat-wrapper.sh | ||
| gnatlink-wrapper.sh | ||
| ld-solaris-wrapper.sh | ||
| ld-wrapper.sh | ||
| setup-hook.sh | ||
| utils.sh | ||