To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 7dc01dec4c3a - stable/15 - kernel: Enable -fstack-protector-strong by default
Date: Mon, 15 Jun 2026 18:01:46 +0000
Message-Id: <6a303e0a.1d277.78a19356@gitrepo.freebsd.org>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 7dc01dec4c3ac1e452b3f277d980258315dab8b0

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=7dc01dec4c3ac1e452b3f277d980258315dab8b0

commit 7dc01dec4c3ac1e452b3f277d980258315dab8b0
Author:     Mark Johnston
AuthorDate: 2026-05-22 14:45:52 +0000
Commit:     Mark Johnston
CommitDate: 2026-06-15 16:00:04 +0000

    kernel: Enable -fstack-protector-strong by default

    This extends stack canary use to all functions which define arrays on
    the stack, not just those which operate on byte buffers. This option
    would have made it harder to exploit SA-26:18.setcred and
    SA-26:08.rpcsec_gss.

    The change bloats the amd64 kernel text by about 350KB and increases
    the number of covered functions from ~1500 to ~9000 (within the kernel
    itself, i.e., not counting kernel modules).

    Reviewed by: olce, olivier, emaste
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D56870

    (cherry picked from commit 8deebce931fa9b469cf28a082038a64caf972602)

--- sys/conf/kern.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk index 958203c3dedd..6ae940be9a47 100644 
--- a/sys/conf/kern.mk +++ b/sys/conf/kern.mk @@ -239,7 +239,7 @@ CFLAGS+= -fwrapv # Stack Smashing Protection (SSP) support # .if ${MK_SSP} != "no" -CFLAGS+= -fstack-protector +CFLAGS+= -fstack-protector-strong .endif #
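
Review bot: The `.if ${MK_SSP} != "no"` block in sys/conf/kern.mk now hard-codes `-fstack-protector-strong`, so the only way to avoid the roughly 350KB amd64 text growth cited in the commit message is to turn SSP off entirely. Consider whether size-constrained configurations should be able to select the previous `-fstack-protector` level, for example through a variable that defaults to the strong variant, rather than choosing between strong coverage and none. The comment above the block still reads only "Stack Smashing Protection (SSP) support"; a line stating that the strong variant is used and that it covers every function with a stack array would document the choice next to the flag. The size and coverage figures are given for the amd64 kernel alone and exclude kernel modules, so the cost for modules and for other architectures is worth stating before this is relied on as a default on the stable branch.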