This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=11efff1bf404705573d0f2e1308c86f3d1e109fd commit 11efff1bf404705573d0f2e1308c86f3d1e109fd Author: Guillem Jover <[email protected]> AuthorDate: Mon Aug 28 12:38:19 2023 +0200 Dpkg::Vendor::Debian: Add support for new stackclash hardening feature Closes: #918914 --- man/dpkg-buildflags.pod | 8 ++++++++ scripts/Dpkg/Vendor/Debian.pm | 11 +++++++++++ scripts/t/Dpkg_BuildFlags.t | 1 + 3 files changed, 20 insertions(+)
diff --git a/man/dpkg-buildflags.pod b/man/dpkg-buildflags.pod
index 24625fb89..a8bdee8de 100644
--- a/man/dpkg-buildflags.pod
+++ b/man/dpkg-buildflags.pod
@@ -536,6 +536,14 @@ Disabling B<stackprotector> will also disable this setting. This feature has the same requirements as B<stackprotector>, and in addition also requires gcc 4.9 and later.
+=item B<stackclask>
+
+This setting (since dpkg 1.22.0; enabled by default) adds
+B<-fstack-clash-protection> on B<amd64>, B<arm64>, B<armhf> and B<armel> to
+B<CFLAGS>, B<CXXFLAGS>, B<OBJCFLAGS>, B<OBJCXXFLAGS>,
+B<GCJFLAGS>, B<FFLAGS> and B<FCFLAGS>.
+This adds code to prevent stack clash style attacks.
+
 =item B<branch> This setting (since dpkg 1.22.0; enabled by default) adds B<-fcf-protection>
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 8d0023aa1..1cc2393d6 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -139,6 +139,7 @@ sub set_build_features { pie => undef, stackprotector => 1, stackprotectorstrong => 1,
+ stackclash => 1,
 fortify => 1, format => 1, relro => 1, 
@@ -335,6 +336,10 @@ sub set_build_features { # compiler supports it incorrectly (leads to SEGV) $use_feature{hardening}{stackprotector} = 0; }
+ if (none { $cpu eq $_ } qw(amd64 arm64 armhf armel)) {
+ # Stack clash protector only available on amd64 and arm.
+ $use_feature{hardening}{stackclash} = 0;
+ }
 if (any { $cpu eq $_ } qw(ia64 hppa)) { # relro not implemented on ia64, hppa. $use_feature{hardening}{relro} = 0;
@@ -538,6 +543,12 @@ sub _add_build_flags { $flags->append($_, $flag) foreach @compile_flags; }
+ # Stack clash
+ if ($flags->use_feature('hardening', 'stackclash')) {
+ my $flag = '-fstack-clash-protection';
+ $flags->append($_, $flag) foreach @compile_flags;
+ }
+
 # Fortify Source if ($flags->use_feature('hardening', 'fortify')) { $flags->append('CPPFLAGS', '-D_FORTIFY_SOURCE=2');
diff --git a/scripts/t/Dpkg_BuildFlags.t b/scripts/t/Dpkg_BuildFlags.t
index d9234a9f1..6cec9321b 100644
--- a/scripts/t/Dpkg_BuildFlags.t
+++ b/scripts/t/Dpkg_BuildFlags.t
@@ -114,6 +114,7 @@ my %known_features = ( fortify pie relro
+ stackclash
 stackprotector stackprotectorstrong ) ], -- Dpkg.Org's dpkg
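Review bot: The comment added in the set_build_features hunk, `# Stack clash protector only available on amd64 and arm.`, presents the gate as a toolchain limitation, but GCC accepts -fstack-clash-protection on other targets too (i386 at least), so the `none { $cpu eq $_ } qw(amd64 arm64 armhf armel)` list is a policy choice that will need revisiting rather than a compiler constraint; suggest `# Stack clash protection only enabled on amd64 and arm for now.` so a later maintainer does not take the list as exhaustive. The manual entry added by the same commit is headed `=item B<stackclask>`, which does not match the `stackclash` key introduced here and in the test list, so anyone toggling the feature by its documented name would be using a key that does not exist. set_build_features begins and ends outside the hunk.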
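Review bot: The Dpkg_BuildFlags.t hunk only registers `stackclash` in %known_features; nothing in the visible change asserts that -fstack-clash-protection actually lands in CFLAGS on one of the listed architectures or stays out on one outside `qw(amd64 arm64 armhf armel)`, so a typo in either the key or the cpu list would still pass the suite. If the test file already exercises Dpkg::BuildFlags per host architecture elsewhere (outside this hunk), an assertion for both the enabled and the disabled case would pin the new gate. The %known_features declaration starts before the hunk and its closing runs past it.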

