| | | |
|---|---|---|
| author | Franz Pletz <fpletz@fnordicwalking.de> | 2016-09-12 02:28:26 +0200 |
| committer | Franz Pletz <fpletz@fnordicwalking.de> | 2016-09-12 02:36:11 +0200 |
| commit | 3ba99f83a7acd8644880b62aea5e3b31e1f1b57a (patch) | |
| tree | db0c92eb72ada47b31b01bba43dbe107ddef5db0 /pkgs/development/libraries | |
| parent | e0b5eef4e7d21d0a914e248635f1f9360772a6d9 (diff) | |
glibc: enable stackprotection hardening
Enables previously manually disabled stackprotector and stackguard randomization.

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:

> If glibc is built with the --enable-stackguard-randomization option, each application gets a random canary value (at runtime) from /dev/urandom. If --enable-stackguard-randomization is absent, applications get a static canary value of "0xff0a0000". This is very unfortunate, because the attacker may be able to bypass the stack protection mechanism by placing those 4 bytes in the canary word before the actual canary check is performed (for example in memcpy-based buffer overflows).
Diffstat (limited to 'pkgs/development/libraries')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | pkgs/development/libraries/glibc/common.nix | 2 |
| -rw-r--r-- | pkgs/development/libraries/glibc/default.nix | 3 |

2 files changed, 4 insertions, 1 deletions
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 15c455b7afb..4e03293fdf9 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -82,7 +82,7 @@ stdenv.mkDerivation ({ "--enable-add-ons" "--enable-obsolete-rpc" "--sysconfdir=/etc" - "libc_cv_ssp=no" + "--enable-stackguard-randomization" (if linuxHeaders != null then "--with-headers=${linuxHeaders}/include" else "--without-headers") diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 1c116c8d987..d6c496819da 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -33,6 +33,9 @@ in makeFlagsArray+=("bindir=$bin/bin" "sbindir=$bin/sbin" "rootsbindir=$bin/sbin") ''; + # The stackprotector and fortify hardening flags are autodetected by glibc + # and enabled by default if supported. Setting it for every gcc invocation + # does not work. hardeningDisable = [ "stackprotector" "fortify" ]; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for |
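Review bot: the common.nix hunk folds two independent changes into one replaced line: dropping `libc_cv_ssp=no`, which had forced glibc's own stack-protector detection off, and adding `--enable-stackguard-randomization`, which changes how the canary is generated. The commit message explains the second but says nothing about why `libc_cv_ssp=no` was put there in the first place; if it worked around a build failure somewhere (the bootstrap build of glibc is the usual suspect), state that the build was re-verified with the override removed, since glibc will now detect SSP support and compile itself with the protector on. Splitting the two into separate lines, or separate commits, would also make a later bisect much easier.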
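Review bot: in the default.nix hunk, the new comment's last sentence, "Setting it for every gcc invocation does not work", is ambiguous: "it" refers to two flags, and "does not work" does not say what fails. Suggest "Forcing them on for every gcc invocation does not work" and one clause on what actually breaks (which part of the build, or which object must not be instrumented). It would also help to say explicitly that `hardeningDisable = [ "stackprotector" "fortify" ];` only stops the wrapper from injecting the flags while glibc still enables them itself where supported, because a reader seeing "enable stackprotection hardening" in the title next to a retained `hardeningDisable` line will otherwise assume the two contradict each other.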