tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: -fstack-check vs -fstack-clash-protection
On Sat, Jul 30, 2022 at 12:20:53PM +1200, Lloyd Parkes wrote:
> I had a bit of read of our documentation and the NetBSD documentation.
>
> The name PKGSRC_USE_STACK_CHECK, the option -fstack-check, the usage of
> PKGSRC_USE_STACK_CHECK in pksgrc and all the various bits of documentation
> seem to line up fairly well. I don't think it's worth changing any of it. We
> risk having inconsistent documentation if we don't find all the references.
>
> I can see value in adding a new pkgsrc setting. I'm not in love with the
> length of the name PKGSRC_USE_STACK_CLASH_PROTECTION but maybe we could have
> PKGSRC_PROTECT_STACK_CLASH? Then we would just need to add a section B.1.2.3
> to https://www.netbsd.org/docs/pkgsrc/hardening.html and call the
> documentation done.
The -fstack-check and -fstack-clash-protection flags conflict (sorry,
didn't mention that), so perhaps we add a new value to the existing
variable, e.g.
PKGSRC_USE_STACK_CHECK=clash-protection
?
> I don't know what GCC means by "fully support stack clash protection", but
> the original discoverers of the stack clash attack think that NetBSD is
> protected from it as well as anyone else is. I can see that my NetSBD/amd64
> 9.2_STABLE system says "vm.guard_size = 1048576", so that's good. It may
> well be that "[m]ost targets" simply acknowledges the very many strange and
> wonderful targets that GCC has.
Thanks for clarifying that!
Thomas
> Cheers,
> Lloyd
>
> On 24/07/22 05:20, Thomas Klausner wrote:
> > Hi!
> >
> > pkgsrc's PKGSRC_USE_STACK_CHECK setting adds -fstack-check to the
> > compiler flags.
> >
> > Corresponding about a build failure with an upstream, it was pointed
> > out to me that even the gcc man page documents this as:
> >
> > -fstack-check= is designed for Ada's needs to detect
> > infinite recursion and stack overflows. specific is an
> > excellent choice when compiling Ada code. It is not
> > generally sufficient to protect against stack-clash
> > attacks. To protect against those you want
> > -fstack-clash-protection.
> >
> > The documentation for that says:
> >
> > Most targets do not fully support stack clash protection.
> >
> > Does anyone know the state of -fstack-clash-protection on NetBSD?
> >
> > Should we switch from -fstack-check to -fstack-clash-protection in
> > pkgsrc, when PKGSRC_USE_STACK_CHECK is set?
> >
> > Cheers,
> > Thomas
Home |
Main Index |
Thread Index |
Old Index