To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 8deebce931fa - main - kernel: Enable -fstack-protector-strong by default
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8deebce931fa9b469cf28a082038a64caf972602
Auto-Submitted: auto-generated
Date: Fri, 22 May 2026 14:54:45 +0000
Message-Id: <6a106e35.1de09.3dc6a77e@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8deebce931fa9b469cf28a082038a64caf972602

commit 8deebce931fa9b469cf28a082038a64caf972602
Author:     Mark Johnston
AuthorDate: 2026-05-22 14:45:52 +0000
Commit:     Mark Johnston
CommitDate: 2026-05-22 14:45:52 +0000

    kernel: Enable -fstack-protector-strong by default

    This extends stack canary use to all functions which define arrays on
    the stack, not just those which operate on byte buffers. This option
    would have made it harder to exploit SA-26:18.setcred and
    SA-26:08.rpcsec_gss.

    The change bloats the amd64 kernel text by about 350KB and increases the
    number of covered functions from ~1500 to ~9000 (within the kernel
    itself, i.e., not counting kernel modules).

    Reviewed by:            olce, olivier, emaste
    MFC after:              2 weeks
    Differential Revision:  https://reviews.freebsd.org/D56870
---
 sys/conf/kern.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk index af7b1589c5cd..b87583db21c5 100644 --- a/sys/conf/kern.mk +++ b/sys/conf/kern.mk
@@ -235,7 +235,7 @@ CFLAGS+= -fwrapv # Stack Smashing Protection (SSP) support # .if ${MK_SSP} != "no" -CFLAGS+= -fstack-protector +CFLAGS+= -fstack-protector-strong .endif #
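Review bot: the comment above the `.if ${MK_SSP} != "no"` block still reads only "Stack Smashing Protection (SSP) support", and with this change MK_SSP becomes an all-or-nothing switch. A kernel configuration that cannot absorb the roughly 350KB of additional amd64 text cited in the commit message can no longer keep the previous -fstack-protector level; its only alternative is to turn SSP off entirely, which is a worse outcome than the old default. Consider extending the comment to say that the strong variant is now the default and what it costs in text size, and state whether a way to select the weaker level without disabling SSP is intended.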