
Bug 670136

Summary: Consider adding -fstack-clash-check hardening in future profiles
Product: Gentoo Linux
Reporter: Hanno Böck <hanno>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED WORKSFORME
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitweb.gentoo.org/proj/gcc-patches.git/tree/8.2.0/gentoo/55_all_extra-options.patch
Whiteboard:
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2018-11-02 08:45:11 UTC
-fstack-clash-check is a gcc flag that adds protection for stack overflow / stack/heap-clash attacks to executables. It's available since gcc 8 (currently not stable).

There was a previous flag -fstack=check with an older implementation of this. We enable -fstack=check in hardened, but from what I read this is no longer recommended. We have an open tracker for -fstack=check related problems (#637152). In response to the Qualys research on stack clash attacks [1] this new flag was developed to avoid problems with the old flag.

Here's some info from Red Hat:
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/

This reads as though it should work well on mainstream architectures ("For the architectures supported by Red Hat Enterprise Linux, improved architecture-specific versions are available"), yet it may be problematic on less common architectures.

I guess moving forward we should consider:

* Moving from -fstack=check to -fstack-clash-check in hardened.

* Later consider moving it to standard profiles.

An open question is whether there are transition issues, i.e. whether moving from a system compiled with -fstack=check to -fstack-clash-check will cause trouble.


[1] https://www.google.de/search?q=stack+clash+qualys&oq=stack+clash+qualys&aqs=chrome..69i57j69i65.2565j0j7&sourceid=chrome&ie=UTF-8
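GCC 8 spells this option `-fstack-clash-protection`; on x86-64 it makes the compiler touch every newly allocated stack page with an `orq $0x0,(%rsp)` probe, so a large frame can no longer step over the guard page. One practical way to confirm a build actually picked the flag up is to look for those probes in the disassembly. The checker below is an added example, not part of this bug or of Gentoo's tooling: it parses `objdump -d` output, the embedded listing is constructed to mimic the shape GCC 8 emits, and `disassemble` assumes GNU binutils is installed.

```python
import re
import subprocess
from collections import Counter

# x86-64 page probe emitted by GCC for -fstack-clash-protection
# (and by the older -fstack-check=specific): or $0, (%rsp)
PROBE_RE = re.compile(r'\bor[lq]?\s+\$0x0,\s*\(%rsp\)')
# Start of a function in `objdump -d` output: "<addr> <name>:"
FUNC_RE = re.compile(r'^[0-9a-f]+ <([^>]+)>:')


def probe_report(objdump_text):
    """Count stack probes per function in `objdump -d` output.

    Returns {function_name: probe_count}; functions without probes are
    reported with 0 so the caller can see everything that was scanned.
    """
    counts = Counter()
    current = None
    for line in objdump_text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            counts[current] += 0  # register the function with a zero count
            continue
        if current and PROBE_RE.search(line):
            counts[current] += 1
    return dict(counts)


def disassemble(path):
    """Disassemble a real binary (assumes objdump from GNU binutils)."""
    return subprocess.run(['objdump', '-d', '--no-show-raw-insn', path],
                          check=True, capture_output=True, text=True).stdout


# Constructed listing: one function whose 64 KiB frame is grown page by
# page with probes, one that just subtracts the whole frame at once.
SAMPLE = """\
0000000000001139 <protected>:
    1139:\tlea    -0x10000(%rsp),%r11
    1140:\tsub    $0x1000,%rsp
    1147:\torq    $0x0,(%rsp)
    114c:\tcmp    %r11,%rsp
    114f:\tjne    1140 <protected+0x7>
    1151:\tsub    $0x100,%rsp
    1158:\torq    $0x0,(%rsp)
    115d:\tret
000000000000115e <unprotected>:
    115e:\tsub    $0x10100,%rsp
    1165:\tret
"""

if __name__ == '__main__':
    for fn, n in probe_report(SAMPLE).items():
        print(f'{fn}: {n} stack probe(s)')
```

To check a real build, call `probe_report(disassemble('/path/to/binary'))`; a function with a large frame and zero probes was not compiled with the protection.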
Comment 1 Magnus Granberg gentoo-dev 2018-11-02 11:30:30 UTC
Is already enabled on hardened gcc 8.X