kernel: Enable -fstack-protector-strong by default

This extends stack canary use to all functions which define arrays on the stack, not just those which operate on byte buffers. This option would have made it harder to exploit SA-26:18.setcred and SA-26:08.rpcsec_gss. The change bloats the amd64 kernel text by about 350KB and increases the number of covered functions from ~1500 to ~9000 (within the kernel itself, i.e., not counting kernel modules).

Reviewed by: olce, olivier, emaste
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56870
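The coverage difference the commit message describes (only byte buffers get a canary under -fstack-protector, every stack array under -fstack-protector-strong) can be checked against whatever C compiler is on hand. The script below is an added example, not part of the FreeBSD commit or its tree: it writes two constructed test functions, compiles each in both modes to assembly, and reports whether the canary-failure call `__stack_chk_fail` was emitted. The function names, the external `sink` helper and the `ssp_instrumented` wrapper are illustrative. One caveat: clang targeting Darwin already instruments non-char arrays in plain -fstack-protector mode, so the int_arr row differs there.

```shell
#!/bin/sh
# Added example (not from the FreeBSD commit): probe which functions each
# -fstack-protector* mode instruments by compiling to assembly and looking
# for the canary check's failure call, __stack_chk_fail.
set -eu

# The probe needs a C compiler; without one there is nothing to check.
command -v cc >/dev/null 2>&1 || { echo "cc not found; skipping check"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test sources. Each function keeps a fixed-size array on the
# stack and hands it to an external sink so -O0 cannot drop it.
cat >"$WORK/char_buf.c" <<'EOF'
#include <string.h>
void sink(const void *p, unsigned long n);
int char_buf(const char *src) {
    char buf[32];                 /* char array: plain SSP covers this */
    memcpy(buf, src, sizeof buf);
    sink(buf, sizeof buf);
    return buf[0];
}
EOF
cat >"$WORK/int_arr.c" <<'EOF'
#include <string.h>
void sink(const void *p, unsigned long n);
int int_arr(const int *src) {
    int arr[16];                  /* non-char array: only -strong covers this */
    memcpy(arr, src, sizeof arr);
    sink(arr, sizeof arr);
    return arr[0];
}
EOF

# ssp_instrumented MODE SRC -> prints "yes" when the compiled function
# references __stack_chk_fail (i.e. it received a canary), else "no".
ssp_instrumented() {
    if cc -O0 -S "$1" "$2" -o - 2>/dev/null | grep -q __stack_chk_fail; then
        echo yes
    else
        echo no
    fi
}

PLAIN_CHAR=$(ssp_instrumented -fstack-protector "$WORK/char_buf.c")
PLAIN_INT=$(ssp_instrumented -fstack-protector "$WORK/int_arr.c")
STRONG_CHAR=$(ssp_instrumented -fstack-protector-strong "$WORK/char_buf.c")
STRONG_INT=$(ssp_instrumented -fstack-protector-strong "$WORK/int_arr.c")

printf '%-26s %-10s %s\n' mode char_buf int_arr
printf '%-26s %-10s %s\n' -fstack-protector "$PLAIN_CHAR" "$PLAIN_INT"
printf '%-26s %-10s %s\n' -fstack-protector-strong "$STRONG_CHAR" "$STRONG_INT"
```

On a non-Darwin clang or GCC toolchain the table shows char_buf instrumented in both modes and int_arr only under -strong, which is the gap the setcred and rpcsec_gss advisories fell into. -fstack-protector-strong additionally covers functions that take the address of a local or call alloca; the probe only exercises the array case.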
@@ -235,7 +235,7 @@ CFLAGS+= -fwrapv
 # Stack Smashing Protection (SSP) support
 #
 .if ${MK_SSP} != "no"
-CFLAGS+= -fstack-protector
+CFLAGS+= -fstack-protector-strong
 .endif
 
 #
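Review bot: the comment header at the top of this hunk (`# Stack Smashing Protection (SSP) support`) still describes generic SSP, while the `.if ${MK_SSP} != "no"` block now unconditionally selects -fstack-protector-strong with no intermediate setting to fall back to plain -fstack-protector. Either extend that comment to record the stronger mode and its cost (the commit message cites about 350KB of amd64 kernel text and coverage growing from ~1500 to ~9000 functions), for example `# MK_SSP enables -fstack-protector-strong: canaries for any stack array, not only char buffers`, or expose a separate knob for builds that want the old, smaller coverage.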