Commit Graph

10 Commits

Author SHA1 Message Date
Franz Pletz
3db93c351d cc-wrapper: add stack clash protection hardening flag
Most Linux distributions are enabling this these days and it does
protect against real-world vulnerabilities as demonstrated by
CVE-2018-16864 and CVE-2018-16865.

Fix #53753.

Information on llvm version support gleaned from
6609892a2d
68e07da3e5
092507a730

Information on gcc version support is a lot harder to gather,
but both 32-bit and 64-bit ARM do appear to be supported
based on the test suite.
2024-06-07 20:23:46 +01:00
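As an added example (not nixpkgs code and not part of the commit above), the allocation shape that -fstack-clash-protection is meant to defend against and the source-level fix for it. The journald bugs cited in the commit (CVE-2018-16864, CVE-2018-16865) were alloca() calls with an attacker-controlled size; without probing, a single large stack allocation can move the stack pointer past the guard page into another mapping. With the flag, GCC and clang touch every page of a large allocation so the jump faults on the guard page instead. The function names, STACK_BUF_LIMIT and the 1 MiB refusal threshold are assumptions made for this example.

```c
/*
 * Added example, not nixpkgs code: the attacker-sized stack allocation
 * that -fstack-clash-protection probes, next to a hardened rewrite.
 * STACK_BUF_LIMIT and the 1 MiB ceiling are values chosen for this
 * example, not values taken from the page.
 */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_LIMIT 4096           /* largest buffer we put on the stack */

/* Vulnerable shape: the peer picks len, so a huge value makes the frame
 * skip the guard page in one step. Only called with a tiny size here. */
static size_t handle_vulnerable(const char *msg, size_t len)
{
    char buf[len];                      /* attacker-controlled VLA */
    memcpy(buf, msg, len);
    return strnlen(buf, len);
}

/* Hardened shape: fixed-size stack buffer (the compiler knows its size),
 * heap for larger requests, explicit refusal of absurd sizes. */
static long handle_hardened(const char *msg, size_t len)
{
    char stackbuf[STACK_BUF_LIMIT];
    char *buf = stackbuf;
    long out;

    if (len > ((size_t)1 << 20))        /* refuse oversized requests */
        return -1;
    if (len > sizeof stackbuf) {
        buf = malloc(len);
        if (buf == NULL)
            return -1;
    }
    memcpy(buf, msg, len);
    out = (long)strnlen(buf, len);
    if (buf != stackbuf)
        free(buf);
    return out;
}

/* Exercises the vulnerable function with a size that is safe to run. */
static size_t demo_small(void)
{
    return handle_vulnerable("abc", 3);
}

/* Constructed 8 KiB input: larger than STACK_BUF_LIMIT, so the hardened
 * path takes the heap branch instead of growing the frame. */
static long run_heap_path(void)
{
    static char big[8192];
    memset(big, 'A', sizeof big);
    return handle_hardened(big, sizeof big);
}

int main(void)
{
    if (handle_hardened("hello", 5) != 5 || run_heap_path() != 8192)
        return 1;
    if (handle_hardened("x", (size_t)1 << 21) != -1)
        return 1;
    return demo_small() == 3 ? 0 : 1;
}
```

The source fix and the compiler flag are complementary: bounding the stack allocation removes the attacker's control over the frame size, while -fstack-clash-protection turns any remaining large allocation into a clean fault on the guard page rather than a silent write into an adjacent mapping.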
Robert Scott
4a91b3e798 cc-wrapper: add trivialautovarinit hardening flag support
this equates to -ftrivial-auto-var-init=pattern

clang has removed support for -ftrivial-auto-var-init=zero and
is unlikely to re-add it, so use -ftrivial-auto-var-init=pattern
on both compilers if only to make behaviour more consistent
between the two.

add to pkgsExtraHardening's defaultHardeningFlags.
2024-02-24 12:00:09 +00:00
Robert Scott
40868719b0 cc-wrapper: add zerocallusedregs hardening flag
this uses the value `used-gpr`, which seems to be a commonly
chosen value for general use
2024-01-20 13:48:33 +00:00
Adam Joseph
fed2300bea unpack-bootstrap-tools.sh: patchelf libgcc_s.so.1 2023-04-02 13:49:53 -07:00
Robert Scott
c09e1fa406 gcc: mark hardeningUnsupportedFlags fortify3 for all but gcc 12 2023-01-24 21:52:12 +00:00
Sergei Trofimovich
b470a6b212 linux/bootstrap-tools: move libstdc++ out of default library search path
This change allows building new gcc during bootstrap without fear of
pulling in outdated libstdc++.so after g++ switched from bootstrapTools
to freshly built g++.

Noticed when I tried to add an early bootstrap stage to rebuild `gcc` before
`glibc` is fully untangled from `bootstrapTools`, as a failure to build
`binutils`:

    ld: dwp.o: in function `__gnu_cxx::new_allocator<gold::Dwp_output_file::Contribution>::allocate(unsigned long, void const*)':
    /nix/store/...-gcc-11.3.0/include/c++/11.3.0/ext/new_allocator.h:116: undefined reference to `std::__throw_bad_array_new_length()'

The change survives the existing bootstrap and unblocks the early `gcc` bootstrap.
2023-01-04 16:02:22 +00:00
regnat
14f66d60a7 Make the bootstrap respect the contentAddressedByDefault setting
Patch every `derivation` call in the bootstrap process to add a
conditional `__contentAddressed` parameter to it.

That way, passing `contentAddressedByDefault` means that the entire
build closure of a system can be content addressed
2021-04-28 10:25:49 +02:00
Ben Wolsieffer
05fc2a3524 unpack-bootstrap-tools: remove obsolete linker script patching
The linker scripts no longer contain store paths, so this does nothing. More
importantly, libpthread.so is no longer a linker script on ARM, so the patching
would corrupt it.
2020-03-06 06:58:20 +01:00
CrystalGamma
72d161f548 [RFC] ppc64le enablement (#45340)
* ppc64le enablement

* gcc, glibc: properly handle __float128

* lib/systems, stdenv: syntax cleanup

* gcc7: remove ugly hack

* gcc: add/update __float128 flags

* stdenv: add another pair of quotes for consistency

* gcc: move __float128 flag for ppc64le-glibc into common/platform-flags.nix
2018-08-21 15:31:34 -04:00
John Ericson
7960a1b1b8 linux stdenv: Avoid assert false
On one hand, we don't want to pass garbage that affects the hash; on the other
hand, footguns are bad.

Now the derivation is factored out, so only what is used needs to be passed in.
2016-12-15 17:09:29 -05:00