-fstack-clash-check is a gcc flag that adds protection for stack overflow / stack/heap-clash attacks to executables. It's available since gcc 8 (currently not stable). There was a previous flag -fstack-check with an older implementation of this. We enable -fstack-check in hardened, but from what I read this is no longer recommended. We have an open tracker for -fstack-check related problems (#637152).

In response to the Qualys research on stack clash attacks [1] this new flag was developed to avoid problems with the old flag. Here's some info from Red Hat: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/

This reads like on mainstream architectures this should work well ("For the architectures supported by Red Hat Enterprise Linux, improved architecture-specific versions are available"), yet it may be problematic on less common architectures.

I guess moving forward we should consider:
* Moving from -fstack-check to -fstack-clash-check in hardened.
* Later consider moving it to standard profiles.

Open question is if there are transitioning issues, i.e. if moving from a system compiled with -fstack-check to -fstack-clash-check will cause trouble.

[1] https://www.google.de/search?q=stack+clash+qualys&oq=stack+clash+qualys&aqs=chrome..69i57j69i65.2565j0j7&sourceid=chrome&ie=UTF-8
Is already enabled on hardened gcc 8.X
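The two practical questions raised in this thread are whether the local gcc accepts the stack-clash option at all (gcc 8 or later) and whether a given toolchain, such as the hardened gcc 8.x mentioned in the reply, already turns it on by default. The script below is an added example for checking both; it is not part of the bug report or of Gentoo's toolchain tooling. It assumes the compiler is invoked as `gcc` (override with `CC`), that gcc's spelling of the option is `-fstack-clash-protection`, and that `gcc -Q --help=common` lists each option with `[enabled]` or `[disabled]` in the second column.

```shell
#!/bin/sh
# Added example, not from the bug report: probe the local toolchain for
# -fstack-clash-protection support and for its default state.
# Assumption: the compiler is gcc and is named by $CC (default "gcc").
CC="${CC:-gcc}"

# Exit status: 0 = compiler accepts the option, 1 = compiler rejects it,
# 2 = no compiler found. A trivial translation unit is fed on stdin so the
# check works without any temporary files.
stack_clash_flag_supported() {
    command -v "$CC" >/dev/null 2>&1 || return 2
    printf 'int main(void) { return 0; }\n' \
        | "$CC" -fstack-clash-protection -x c -c -o /dev/null - 2>/dev/null
}

# Prints "enabled" or "disabled" according to the compiler's built-in default
# (what you get with no explicit -f flag, e.g. via a hardened spec), or
# "unknown" when there is no compiler or it does not know the option.
stack_clash_default() {
    command -v "$CC" >/dev/null 2>&1 || { echo unknown; return 0; }
    "$CC" -Q --help=common 2>/dev/null \
        | awk '$1 == "-fstack-clash-protection" {
                   gsub(/[][]/, "", $2);   # strip the surrounding [ ]
                   print $2; found = 1
               }
               END { if (!found) print "unknown" }'
}

# Human-readable summary; the functions above are what a migration check
# (e.g. before switching CFLAGS from -fstack-check) would script against.
report_stack_clash() {
    if stack_clash_flag_supported; then
        echo "$CC accepts -fstack-clash-protection (default: $(stack_clash_default))"
    elif [ $? -eq 2 ]; then
        echo "no compiler named $CC found"
    else
        echo "$CC does not accept -fstack-clash-protection (gcc < 8?)"
    fi
}

report_stack_clash
```

Run it once per toolchain (`CC=x86_64-pc-linux-gnu-gcc-8.2.0 sh check.sh`) to see whether a profile needs the flag added explicitly in CFLAGS or already gets it from the compiler's defaults; a rejected flag means the old -fstack-check is the only option on that compiler.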