kernel: Enable -fstack-protector-strong by default

This extends stack canary use to all functions which define arrays on
the stack, not just those which operate on byte buffers.  This option
would have made it harder to exploit SA-26:18.setcred and
SA-26:08.rpcsec_gss.

The change bloats the amd64 kernel text by about 350KB and increases the
number of covered functions from ~1500 to ~9000 (within the kernel
itself, i.e., not counting kernel modules).

Reviewed by:	olce, olivier, emaste
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D56870
Mark Johnston
2026-05-22 14:45:52 +00:00
parent 6ab30433a7
commit 8deebce931
+1 -1
@@ -235,7 +235,7 @@ CFLAGS+= -fwrapv
# Stack Smashing Protection (SSP) support
#
.if ${MK_SSP} != "no"
CFLAGS+= -fstack-protector
CFLAGS+= -fstack-protector-strong
.endif
#
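Review bot: The "Stack Smashing Protection (SSP) support" comment above the `.if ${MK_SSP} != "no"` block does not record which protector level is selected or why, so the reasoning now lives only in the commit message. A one-line comment there noting that -fstack-protector-strong is used to cover functions with any on-stack array, not only byte buffers, would help. Separately, the flag change is unconditional under MK_SSP, while the text-size figure in the commit message is for amd64 only. MK_SSP stays a plain on/off switch, so a size-constrained kernel config that wants the previous -fstack-protector coverage has no way to select it short of overriding CFLAGS. It would be worth stating whether other architectures were measured, or whether that trade-off is intentionally not offered.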