Date:      Fri, 22 May 2026 11:30:57 -0400
From:      Mark Johnston <markj@freebsd.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: git: 8deebce931fa - main - kernel: Enable -fstack-protector-strong by default
Message-ID:  <ahB2sb7hSmxYsiF-@nuc>
In-Reply-To: <ahB0ojMfpsKZ073l@kib.kiev.ua>
References:  <6a106e35.1de09.3dc6a77e@gitrepo.freebsd.org> <ahB0ojMfpsKZ073l@kib.kiev.ua>


On Fri, May 22, 2026 at 06:22:10PM +0300, Konstantin Belousov wrote:
> On Fri, May 22, 2026 at 02:54:45PM +0000, Mark Johnston wrote:
> > The branch main has been updated by markj:
> > 
> > URL: https://cgit.FreeBSD.org/src/commit/?id=8deebce931fa9b469cf28a082038a64caf972602
> > 
> > commit 8deebce931fa9b469cf28a082038a64caf972602
> > Author:     Mark Johnston <markj@FreeBSD.org>
> > AuthorDate: 2026-05-22 14:45:52 +0000
> > Commit:     Mark Johnston <markj@FreeBSD.org>
> > CommitDate: 2026-05-22 14:45:52 +0000
> > 
> >     kernel: Enable -fstack-protector-strong by default
> >     
> >     This extends stack canary use to all functions which define arrays on
> >     the stack, not just those which operate on byte buffers.  This option
> >     would have made it harder to exploit SA-26:18.setcred and
> >     SA-26:08.rpcsec_gss.
> >     
> >     The change bloats the amd64 kernel text by about 350KB and increases the
> >     number of covered functions from ~1500 to ~9000 (within the kernel
> >     itself, i.e., not counting kernel modules).
> >     
> >     Reviewed by:    olce, olivier, emaste
> >     MFC after:      2 weeks
> >     Differential Revision:  https://reviews.freebsd.org/D56870
> > ---
> >  sys/conf/kern.mk | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk
> > index af7b1589c5cd..b87583db21c5 100644
> > --- a/sys/conf/kern.mk
> > +++ b/sys/conf/kern.mk
> > @@ -235,7 +235,7 @@ CFLAGS+=	-fwrapv
> >  # Stack Smashing Protection (SSP) support
> >  #
> >  .if ${MK_SSP} != "no"
> > -CFLAGS+=	-fstack-protector
> > +CFLAGS+=	-fstack-protector-strong
> >  .endif
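Review bot: the comment above this hunk ("# Stack Smashing Protection (SSP) support") is left as it was, so nothing in kern.mk records that the default under the `.if ${MK_SSP} != "no"` guard moved from -fstack-protector to -fstack-protector-strong, or that the only opt-out is switching SSP off altogether (`makeoptions WITHOUT_SSP=1`) with no way to fall back to the previous, weaker flag. Suggest extending the comment, e.g. `# -strong also covers functions with non-char arrays and address-taken locals;` / `# WITHOUT_SSP disables canaries entirely.`, and, if a fallback is wanted, a separate knob selecting plain -fstack-protector rather than overloading MK_SSP for that purpose.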
> 
> Can SSP be turned off from the kernel config?

Yes, add "makeoptions WITHOUT_SSP=1".  Of course, that disables SSP
entirely.
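
The commit message above describes the coverage difference between the two flags: plain -fstack-protector instruments only functions with char buffers (and alloca), while -fstack-protector-strong also instruments functions whose locals include arrays of any element type, structs containing arrays, or address-taken variables. The following is an added user-space model of what that extra coverage buys; it is not FreeBSD code and not part of this thread. `struct frame`, `GUARD`, `copy_and_check`, `fill_words` and the `SAMPLE` input are all constructed for the illustration; the canary check is done by hand here, where the compiler would emit it in the function epilogue and the FreeBSD kernel's `__stack_chk_fail` would panic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stack frame: a 4-word local array followed by the guard
 * word, the layout -fstack-protector-strong produces so that an overrun
 * of words[] hits the canary before the saved frame pointer and return
 * address.  (Added example; not FreeBSD code.)
 */
struct frame {
	uint32_t words[4];
	uint64_t canary;
};

/* Constructed guard value; the kernel uses the per-boot random __stack_chk_guard. */
static const uint64_t GUARD = 0x5a3c9e1f00b7d241ULL;

/*
 * Copy nbytes into the frame's array and report whether the guard survived,
 * mirroring the epilogue check the compiler emits.  The copy targets the whole
 * frame's object representation and is clamped to sizeof(f), so a mis-sized
 * copy can run past words[] without the demo itself leaving defined C.
 * Returns 0 if the canary is intact, -1 if it was clobbered (where the real
 * check would call __stack_chk_fail and the FreeBSD kernel would panic).
 */
int
copy_and_check(const void *src, size_t nbytes)
{
	struct frame f;

	memset(&f, 0, sizeof(f));
	f.canary = GUARD;
	if (nbytes > sizeof(f))
		nbytes = sizeof(f);
	memcpy(&f, src, nbytes);	/* runs into f.canary once nbytes > 16 */
	return (f.canary == GUARD ? 0 : -1);
}

/* Constructed input: six words offered to a function that has room for four. */
static const uint32_t SAMPLE[6] = {
	0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555, 0x66666666
};

/*
 * Caller that trusts a supplied word count instead of the array's capacity:
 * the shape of bug a canary turns into a clean panic rather than a hijacked
 * return address.  Only -fstack-protector-strong instruments a frame like
 * this one; plain -fstack-protector looks for char arrays only.
 */
int
fill_words(const uint32_t *src, size_t nwords)
{
	return (copy_and_check(src, nwords * sizeof(uint32_t)));
}

int
main(void)
{
	size_t n;

	for (n = 3; n <= 6; n++)
		printf("nwords=%zu: canary %s\n", n,
		    fill_words(SAMPLE, n) == 0 ? "intact" : "clobbered");
	return (0);
}
```

To see the compiler-side difference on a real toolchain, compile the file twice with `cc -O0 -S -o - -fstack-protector` and `-fstack-protector-strong` and grep the assembly for `__stack_chk_fail`: with the plain flag `copy_and_check` gets no guard (its only array is `uint32_t`), with the strong flag its epilogue compares the guard word and calls `__stack_chk_fail` on mismatch. The same grep over `objdump -d` of a built kernel gives a rough count of instrumented functions, which is how the ~1500 versus ~9000 figures in the commit message can be checked on an installed system.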

