Date: Fri, 22 May 2026 14:54:45 +0000
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 8deebce931fa - main - kernel: Enable -fstack-protector-strong by default
Message-ID: <6a106e35.1de09.3dc6a77e@gitrepo.freebsd.org>
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8deebce931fa9b469cf28a082038a64caf972602

commit 8deebce931fa9b469cf28a082038a64caf972602
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-22 14:45:52 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-22 14:45:52 +0000

    kernel: Enable -fstack-protector-strong by default

    This extends stack canary use to all functions which define arrays on
    the stack, not just those which operate on byte buffers. This option
    would have made it harder to exploit SA-26:18.setcred and
    SA-26:08.rpcsec_gss.

    The change bloats the amd64 kernel text by about 350KB and increases
    the number of covered functions from ~1500 to ~9000 (within the kernel
    itself, i.e., not counting kernel modules).

    Reviewed by: olce, olivier, emaste
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D56870
---
 sys/conf/kern.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk index af7b1589c5cd..b87583db21c5 100644 --- a/sys/conf/kern.mk +++ b/sys/conf/kern.mk @@ -235,7 +235,7 @@ CFLAGS+= -fwrapv # Stack Smashing Protection (SSP) support # .if ${MK_SSP} != "no" -CFLAGS+= -fstack-protector +CFLAGS+= -fstack-protector-strong .endif #
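
Review bot: the changed CFLAGS line in the sys/conf/kern.mk hunk (@@ -235,7 +235,7 @@) hard-codes the protection level, so `.if ${MK_SSP} != "no"` now chooses between -fstack-protector-strong and no canaries at all. The commit message puts the cost at about 350KB of amd64 kernel text, and a size-constrained build that cannot absorb that is left with turning SSP off entirely. Consider taking the flag from a make variable that defaults to -fstack-protector-strong, and extending the "Stack Smashing Protection (SSP) support" comment to name the level in use. The size and coverage figures are given for the kernel itself only; if this CFLAGS setting also reaches module builds, the message should say so.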
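
The coverage difference the commit message describes can be checked from the shell. This is an added example, not part of the commit or the FreeBSD tree: it compiles four constructed functions in userland and reports which ones reference the canary check under each flag. The function names, array sizes, the `-O2` level and a gcc- or clang-compatible `cc` on a non-Darwin target are assumptions.

```sh
#!/bin/sh
# Added example: constructed test functions, one per kind of stack local.
# Assumes a gcc- or clang-compatible `cc` on PATH and a non-Darwin target.

# ssp_body NAME: print the (constructed) body of test function NAME.
ssp_body() {
    case $1 in
        scalar_only) echo 'int x = 1; (void)x;' ;;   # no array, no address taken
        char_buf)    echo 'char b[64]; sink(b);' ;;  # byte buffer
        int_array)   echo 'int a[16]; sink(a);' ;;   # non-byte array
        ptr_array)   echo 'void *p[4]; sink(p);' ;;  # array of pointers
    esac
}

# ssp_covered FLAG: print, space separated, the functions whose generated
# assembly references __stack_chk_* (guard load / failure call) under FLAG.
ssp_covered() {
    dir=$(mktemp -d) || return 1
    out=
    for fn in scalar_only char_buf int_array ptr_array; do
        # sink() is external, so the compiler cannot discard the array.
        printf 'void sink(void *);\nvoid %s(void) { %s }\n' \
            "$fn" "$(ssp_body "$fn")" > "$dir/$fn.c"
        # -S stops after code generation, so the undefined sink() is harmless.
        cc -O2 "$1" -S -o "$dir/$fn.s" "$dir/$fn.c" || { rm -rf "$dir"; return 1; }
        if grep -q '__stack_chk' "$dir/$fn.s"; then
            out="$out${out:+ }$fn"
        fi
    done
    rm -rf "$dir"
    echo "$out"
}

if command -v cc >/dev/null 2>&1; then
    for flag in -fstack-protector -fstack-protector-strong; do
        echo "$flag: $(ssp_covered "$flag")"
    done
fi
```

The same grep over the assembly of a real object file gives a quick per-file check that a build picked up the intended flag.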
