Discussion:
Enabling -fstack-clash-protection for trixie
(too old to reply)
Moritz Mühlenhoff
2023-08-06 21:30:01 UTC
Permalink
Following the procedure to modify default dpkg-buildflags I propose to
enable -fstack-clash-protection on amd64. The bug for dpkg tracking this
is #918914.

| -fstack-clash-protection
| Generate code to prevent stack clash style attacks. When this option
| is enabled, the compiler will only allocate one page of stack space
| at a time and each page is accessed immediately after allocation.
| Thus, it prevents allocations from jumping over any stack guard page
| provided by the operating system.

This has been enabled on other distros for many years already (e.g.
Fedora since 27, RHEL since 8, OpenSUSE since 15.1, Ubuntu since 19.10).

I worked with Lucas a while back and he made an archive rebuild on amd64,
only a minimal list of packages will need to be adapted:
http://qa-logs.debian.net/2023/05/24/

The open question is whether to also enable this for arm64, mips64el,
ppc64el, riscv and s390x. I'm adding the respective porter lists, if there's
consensus among porters of a given arch other than amd64 to also add
the flag, please post a followup to #918914.

Cheers,
Moritz
Guillem Jover
2023-08-28 04:20:01 UTC
Permalink
Hi!
Post by Moritz Mühlenhoff
Following the procedure to modify default dpkg-buildflags I propose to
enable -fstack-clash-protection on amd64. The bug for dpkg tracking this
is #918914.
| -fstack-clash-protection
| Generate code to prevent stack clash style attacks. When this option
| is enabled, the compiler will only allocate one page of stack space
| at a time and each page is accessed immediately after allocation.
| Thus, it prevents allocations from jumping over any stack guard page
| provided by the operating system.
This has been enabled on other distros for many years already (e.g.
Fedora since 27, RHEL since 8, OpenSUSE since 15.1, Ubuntu since 19.10).
I worked with Lucas a while back and he made an archive rebuild on amd64,
http://qa-logs.debian.net/2023/05/24/
The open question is whether to also enable this for arm64, mips64el,
ppc64el, riscv and s390x. I'm adding the respective porter lists, if there's
consensus among porters of a given arch other than amd64 to also add
the flag, please post a followup to #918914.
Given the results from the rebuilds for amd64 and arm64 with minimal
fallout, and no complaints, I'm going to enable this for amd64 and the
three arm arches (arm64, armhf and armel) with dpkg 1.22.0, to be
uploaded later today. We can later on modify the set of architectures
(by request from porters) or tune them if it ends up causing problems.

Thanks,
Guillem

Loading...