authorFranz Pletz <fpletz@fnordicwalking.de>2016-09-12 02:28:26 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2016-09-12 02:36:11 +0200
commit3ba99f83a7acd8644880b62aea5e3b31e1f1b57a (patch)
treedb0c92eb72ada47b31b01bba43dbe107ddef5db0 /pkgs/development/libraries/glibc
parente0b5eef4e7d21d0a914e248635f1f9360772a6d9 (diff)
glibc: enable stackprotection hardening
Enables the stack protector, which was previously disabled by hand, and stack-guard
randomization.

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:

    If glibc is built with the --enable-stackguard-randomization option,
    each application gets a random canary value (at runtime) from /dev/urandom.
    If --enable-stackguard-randomization is absent, applications get a static
    canary value of "0xff0a0000". This is very unfortunate, because the
    attacker may be able to bypass the stack protection mechanism, by placing
    those 4 bytes in the canary word, before the actual canary check is
    performed (for example in memcpy-based buffer overflows).
Diffstat (limited to 'pkgs/development/libraries/glibc')
-rw-r--r--pkgs/development/libraries/glibc/common.nix2
-rw-r--r--pkgs/development/libraries/glibc/default.nix3
2 files changed, 4 insertions, 1 deletions
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 15c455b7afb..4e03293fdf9 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -82,7 +82,7 @@ stdenv.mkDerivation ({
       "--enable-add-ons"
       "--enable-obsolete-rpc"
       "--sysconfdir=/etc"
-      "libc_cv_ssp=no"
+      "--enable-stackguard-randomization"
       (if linuxHeaders != null
        then "--with-headers=${linuxHeaders}/include"
        else "--without-headers")
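Review bot: Dropping `libc_cv_ssp=no` only stops forcing the stack protector off; whether this glibc is actually built with SSP now rests on configure's probe of the bootstrap compiler, and nothing in the hunk asserts the probe's result. If the intent is a guaranteed-hardened libc, consider pinning the cache variable the other way, `"libc_cv_ssp=yes"`, or at least confirming the ssp check in the configure output of a build, so a compiler that fails the probe does not silently yield an unprotected glibc. `--enable-stackguard-randomization` appears to be independent of that probe, so the canary value would presumably be randomized either way, but the static-vs-random canary is only meaningful if the protector is compiled in at all. The configureFlags list and the enclosing mkDerivation call start before the hunk.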
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index 1c116c8d987..d6c496819da 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -33,6 +33,9 @@ in
       makeFlagsArray+=("bindir=$bin/bin" "sbindir=$bin/sbin" "rootsbindir=$bin/sbin")
     '';
 
+    # The stackprotector and fortify hardening flags are autodetected by glibc
+    # and enabled by default if supported. Setting it for every gcc invocation
+    # does not work.
     hardeningDisable = [ "stackprotector" "fortify" ];
 
     # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
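Review bot: The new comment at the top of the hunk says glibc autodetects the stack protector, but not that this only holds because the same commit drops `libc_cv_ssp=no` from common.nix, so a reader of default.nix alone cannot see why disabling the wrapper's stackprotector does not leave libc unprotected. "Setting it" also has no clear antecedent after the plural "flags". Suggest rewording to `# glibc autodetects stack-protector and fortify support itself (common.nix no longer passes libc_cv_ssp=no), so the hardening wrapper must not force them onto every gcc invocation.` The enclosing attribute set starts before the hunk and the trailing comment continues past it.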