git.ipfire.org Git - ipfire-2.x.git/commitdiff
make.sh: Enable -fstack-clash-protection for x86_64/aarch64
author Michael Tremer <michael.tremer@ipfire.org>
Fri, 14 Aug 2020 16:22:55 +0000 (16:22 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Sun, 16 Aug 2020 10:29:43 +0000 (10:29 +0000)
This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag is only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
make.sh

diff --git a/make.sh b/make.sh
index 0f3917adf723ad3e77adbef8cdc1f22d784a5d34..fae75fdc99416fb71cc2f32fdaf956039fe49bfa 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -146,7 +146,7 @@ configure_build() {
                        BUILDTARGET="${build_arch}-unknown-linux-gnu"
                        CROSSTARGET="${build_arch}-cross-linux-gnu"
                        BUILD_PLATFORM="x86"
-                       CFLAGS_ARCH="-m64 -mtune=generic"
+                       CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"
                        ;;
 
                i586)
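Review bot: On the changed x86_64 line, CFLAGS_ARCH now mixes a hardening flag with the target-selection flags "-m64 -mtune=generic", and nothing in the script says why it lives in the per-architecture variable rather than with the common flags. A one-line comment above the assignment, stating that -fstack-clash-protection is set per architecture because it is only available on x86_64 and aarch64, would stop someone from later moving it into a shared flag list and would explain why the i586 arm that follows is not touched by this patch.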
@@ -160,7 +160,7 @@ configure_build() {
                        BUILDTARGET="${build_arch}-unknown-linux-gnu"
                        CROSSTARGET="${build_arch}-cross-linux-gnu"
                        BUILD_PLATFORM="arm"
-                       CFLAGS_ARCH=""
+                       CFLAGS_ARCH="-fstack-clash-protection"
                        ;;
 
                armv7hl)
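Review bot: The new CFLAGS_ARCH="-fstack-clash-protection" assignment repeats the literal already added in the x86_64 arm, so the two copies can drift apart if the flag is ever changed or made conditional. Consider defining the flag once before the case statement and referencing that variable in both arms. The case label for this arm is also outside the context shown; since it sets BUILD_PLATFORM="arm" and an armv7hl arm follows, it is worth confirming that the change lands in the aarch64 arm, as the commit message intends.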