cc-wrapper: add stack clash protection hardening flag

Most Linux distributions are enabling this these days and it does protect against real world vulnerabilities as demonstrated by CVE-2018-16864 and CVE-2018-16865. Fix #53753. Information on llvm version support gleaned from 6609892a2d 68e07da3e5 092507a730 Information on gcc version support a lot harder to gather, but both 32bit and 64bit arm do appear to be supported based on the test suite.
2024-11-22 06:53:01 +00:00 · 2024-02-14 09:30:45 +01:00 · 2024-02-14 09:30:45 +01:00 · 3db93c351d
commit 3db93c351d
parent 4f7faf6b88
7 changed files with 40 additions and 12 deletions
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi

 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
  declare -A hardeningDisableMap=()

  # Determine which flags were effectively disabled so we can report below.
@ -79,6 +79,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
      hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
      ;;
+    stackclashprotection)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stack-clash-protection >&2; fi
+      hardeningCFlagsBefore+=('-fstack-clash-protection')
+      ;;
    pie)
      # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@ -280,7 +280,7 @@ pipe ((callFile ./common/builder.nix {}) ({

  libc_dev = stdenv.cc.libc_dev;

-  hardeningDisable = [ "format" "pie" ]
+  hardeningDisable = [ "format" "pie" "stackclashprotection" ]
  ++ optionals (is11 && langAda) [ "fortify3" ];

  postPatch = optionalString atLeast7 ''
@ -425,6 +425,9 @@ pipe ((callFile ./common/builder.nix {}) ({
    inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD langJava version;
    isGNU = true;
    hardeningUnsupportedFlags = optional is48 "stackprotector"
+      ++ optional (
+        (targetPlatform.isAarch64 && !atLeast9) || !atLeast8
+      ) "stackclashprotection"
      ++ optional (!atLeast11) "zerocallusedregs"
      ++ optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
      ++ optionals (langFortran) [ "fortify" "format" ];
--- a/pkgs/development/compilers/llvm/common/clang/default.nix
+++ b/pkgs/development/compilers/llvm/common/clang/default.nix
@ -134,16 +134,26 @@ let
    passthru = {
      inherit libllvm;
      isClang = true;
-    } // (lib.optionalAttrs (lib.versionAtLeast release_version "15") {
-      hardeningUnsupportedFlags = [
-        "fortify3"
-      ];
      hardeningUnsupportedFlagsByTargetPlatform = targetPlatform:
-        lib.optional (!(targetPlatform.isx86_64 || targetPlatform.isAarch64)) "zerocallusedregs"
+        [ "fortify3" ]
+        ++ lib.optional (
+          (lib.versionOlder release_version "11")
+          || (targetPlatform.isAarch64 && (lib.versionOlder release_version "18.1"))
+          || (targetPlatform.isFreeBSD && (lib.versionOlder release_version "15"))
+          || !(targetPlatform.isLinux || targetPlatform.isFreeBSD)
+          || !(
+            targetPlatform.isx86
+            || targetPlatform.isPower64
+            || targetPlatform.isS390x
+            || targetPlatform.isAarch64
+          )
+        ) "stackclashprotection"
+        ++ lib.optional (
+          (lib.versionOlder release_version "15")
+          || !(targetPlatform.isx86_64 || targetPlatform.isAarch64)
+        ) "zerocallusedregs"
        ++ (finalAttrs.passthru.hardeningUnsupportedFlags or []);
-    }) // (lib.optionalAttrs (lib.versionOlder release_version "15") {
-      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
-    });
+    };

    meta = llvm_meta // {
      homepage = "https://clang.llvm.org/";
--- a/pkgs/stdenv/darwin/default.nix
+++ b/pkgs/stdenv/darwin/default.nix
@ -327,7 +327,11 @@ in
              '';
              passthru = {
                isFromBootstrapFiles = true;
-                hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+                hardeningUnsupportedFlags = [
+                  "fortify3"
+                  "stackclashprotection"
+                  "zerocallusedregs"
+                ];
              };
            };
            clang-unwrapped = selfTools.libclang;
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@ -119,6 +119,7 @@ let
    "pie"
    "relro"
    "stackprotector"
+    "stackclashprotection"
    "strictoverflow"
    "trivialautovarinit"
    "zerocallusedregs"
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@ -15,5 +15,10 @@ derivation ({
  langC = true;
  langCC = true;
  isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
+  hardeningUnsupportedFlags = [
+    "fortify3"
+    "stackclashprotection"
+    "trivialautovarinit"
+    "zerocallusedregs"
+  ];
 } // extraAttrs)
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@ -292,6 +292,7 @@ let
          pkgsExtraHardening = super';
          stdenv = super'.withDefaultHardeningFlags (
            super'.stdenv.cc.defaultHardeningFlags ++ [
+              "stackclashprotection"
              "trivialautovarinit"
            ]
          ) super'.stdenv;