From 7e8a27748537b191f9ea819e09bc3b8252ac382b Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 15 Nov 2021 15:51:29 +0100 Subject: [PATCH] buildflags.md: Treat -fstack-clash-protection as a generic flag Based on Fedora commit a3cf0d66a765313af4c5fa9b071a548eac2592a9. Adjusted for the lack of armhfp downstream. Related: #2005080 --- buildflags.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/buildflags.md b/buildflags.md index 50855f8..483c81b 100644 --- a/buildflags.md +++ b/buildflags.md @@ -270,6 +270,12 @@ The general (architecture-independent) build flags are: variables. (If the address of a variable is never taken, it is not possible that a buffer overflow is caused by incorrect pointer arithmetic involving a pointer to that variable.) +* `-fstack-clash-protection`: Turn on instrumentation to avoid + skipping the guard page in large stack frames. (Without this flag, + vulnerabilities can result where the stack overlaps with the heap, + or thread stacks spill into other regions of memory.) This flag is + fully ABI-compatible and has adds very little run-time overhead. + This flag is currently not available on aarch64 with the `clang` toolchain. * `-flto=auto`: Enable link-time optimization (LTO), using `make` job server integration for parallel processing. (`gcc` toolchain only) * `-ffat-lto-objects`: Generate EFL object files which contain both 
@@ -315,13 +321,6 @@ added by default. This can be switched off by undefining the These compiler flags are enabled for all builds (hardened/annotated or not), but their selection depends on the architecture: -* `-fstack-clash-protection`: Turn on instrumentation to avoid - skipping the guard page in large stack frames. (Without this flag, - vulnerabilities can result where the stack overlaps with the heap, - or thread stacks spill into other regions of memory.) This flag is - fully ABI-compatible and has adds very little run-time overhead, but - is only available on certain architectures (currently aarch64, i386, - ppc64le, s390x, x86_64). * `-fcf-protection`: Instrument binaries to guard against ROP/JOP attacks. Used on i686 and x86_64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
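Review bot: In the first hunk (buildflags.md @@ -270,6 +270,12), the added bullet carries over the typo "has adds very little run-time overhead" from the text it replaces; since the sentence is being rewritten anyway, make it "adds very little run-time overhead". The last added line, "This flag is currently not available on aarch64 with the `clang` toolchain.", is also not wrapped like the lines above it, and it puts an architecture- and toolchain-specific exception into the list introduced as "general (architecture-independent) build flags". Suggest wrapping that line and stating what the build does in that case (for example, that the flag is omitted there), so readers do not assume the protection is present on every build. Separately, the unchanged context line "Generate EFL object files" looks like a typo for ELF and could be fixed in a follow-up.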
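Review bot: In the second hunk (buildflags.md @@ -315,13 +321,6), the removed bullet was the only place that listed the supported architectures (aarch64, i386, ppc64le, s390x, x86_64), and the replacement text in the generic section no longer says which architectures get the flag. The diffstat shows only buildflags.md changing, so please confirm in the commit message or the review thread that the macro definitions already emit `-fstack-clash-protection` unconditionally, apart from the aarch64 with `clang` case. Otherwise the documentation will claim stack-clash protection on builds that do not have it. Because that one exception remains, a short pointer from this architecture-dependent section back to the generic bullet would also help readers who look for it here.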