From 87f3b1e5682dbf13c9e2203ade95b55cbc91c626 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 14 Aug 2020 16:22:55 +0000
Subject: [PATCH] make.sh: Enable -fstack-clash-protection for x86_64/aarch64

This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result in where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag in only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 make.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/make.sh b/make.sh
index 0f3917adf7..fae75fdc99 100755
--- a/make.sh
+++ b/make.sh
@@ -146,7 +146,7 @@ configure_build() {
 			BUILDTARGET="${build_arch}-unknown-linux-gnu"
 			CROSSTARGET="${build_arch}-cross-linux-gnu"
 			BUILD_PLATFORM="x86"
-			CFLAGS_ARCH="-m64 -mtune=generic"
+			CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"
 			;;
 
 		i586)
@@ -160,7 +160,7 @@ configure_build() {
 			BUILDTARGET="${build_arch}-unknown-linux-gnu"
 			CROSSTARGET="${build_arch}-cross-linux-gnu"
 			BUILD_PLATFORM="arm"
-			CFLAGS_ARCH=""
+			CFLAGS_ARCH="-fstack-clash-protection"
 			;;
 
 		armv7hl)
-- 
2.39.5