From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 14 Aug 2020 16:22:55 +0000 (+0000)
Subject: make.sh: Enable -fstack-clash-protection for x86_64/aarch64
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=87f3b1e5682dbf13c9e2203ade95b55cbc91c626;p=people%2Fstevee%2Fipfire-2.x.git

make.sh: Enable -fstack-clash-protection for x86_64/aarch64

This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result in where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag in only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/make.sh b/make.sh
index 0f3917adf7..fae75fdc99 100755
--- a/make.sh
+++ b/make.sh
@@ -146,7 +146,7 @@ configure_build() {
 			BUILDTARGET="${build_arch}-unknown-linux-gnu"
 			CROSSTARGET="${build_arch}-cross-linux-gnu"
 			BUILD_PLATFORM="x86"
-			CFLAGS_ARCH="-m64 -mtune=generic"
+			CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"
 			;;
 
 		i586)
@@ -160,7 +160,7 @@ configure_build() {
 			BUILDTARGET="${build_arch}-unknown-linux-gnu"
 			CROSSTARGET="${build_arch}-cross-linux-gnu"
 			BUILD_PLATFORM="arm"
-			CFLAGS_ARCH=""
+			CFLAGS_ARCH="-fstack-clash-protection"
 			;;
 
 		armv7hl)