Hi, On 2026-03-05 14:25, Jann Horn wrote: > Package: libc6 > Version: 2.42-13 > > My understanding is that dpkg-buildflags defaults include > -fstack-clash-protection (see > https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=11efff1bf), but > somehow Debian's glibc appears to not be built with > -fstack-clash-protection; there are unprotected large stack > allocations in functions like ____strtold_l_internal, > ____strtof128_l_internal, tempnam, tmpfile64, and more:
Good catch. Indeed glibc does not uses build flags from dpkg for multiple reasons: - Some flags set by dpkg-buildflags are not compatible with glibc and cause build failure of ld.so - On many architectures the glibc source package builds also build biarch packages (e.g. libc6-i386:amd64) which do not necessarily support the same flags as the main build - To add some complexity the main multiarch build and the biarch builds (e.g. libc6:i386 and libc6-i386:amd64) should be built with consistent flags to avoid issues when the two are mixed at runtime. > Can you please also build glibc with -fstack-clash-protection? Yep. I'll think if I can find a way for glibc to partly use dpkg-buildflags, otherwise I'll just hardcode that on amd64, just like it's already done for arm64. Regards Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B [email protected] http://aurel32.net
