Am 2025-01-25 19:32, schrieb Jessica Clarke:
On 25 Jan 2025, at 13:08, Alexander Leidinger <netch...@freebsd.org> wrote:The branch main has been updated by netchild:URL: https://cgit.FreeBSD.org/src/commit/?id=f934e629dc22b859efabd3cdebc23b63b04fa2bbcommit f934e629dc22b859efabd3cdebc23b63b04fa2bb Author: Alexander Leidinger <netch...@freebsd.org> AuthorDate: 2025-01-25 12:43:39 +0000 Commit: Alexander Leidinger <netch...@freebsd.org> CommitDate: 2025-01-25 12:45:53 +0000 Add stack clash protection to the WITH_SSP flag Some background info availabe in:https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3https://blog.llvm.org/posts/2021-01-05-stack-clash-protection/ Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D48651Uh, it does require architecture-specific compiler support, which isn’t implemented for all architectures in LLVM at least. RISC-V has only recently (as in 1.5 months ago so not even released yet) gained support, for example. So this is just going to spew out -Wunused-command-line-argument warnings, and errors with -Werror, no?
The online docs for gcc (https://gcc.gnu.org/onlinedocs/gcc//Instrumentation-Options.html) tell this:
---snip---Most targets do not fully support stack clash protection. However, on those targets -fstack-clash-protection will protect dynamic stack allocations. -fstack-clash-protection may also provide limited protection for static stack allocations if the target supports -fstack-check=specific.
---snip---I read this as it should not spill such warnings. Additionally other options there are listed as limited to some architectures, but this one is not listed as such.
The online docs of clang (https://clang.llvm.org/docs/ClangCommandLineReference.html) do not limit this option for some architectures while for other options (e.g. -fzero-call-used-regs) it tells about architecture limits.
In a discussion on -current in November there was the opinion it may depend on run time support, as I've searched but I've read only that this option depends on stack guard pages in the kernel. I have not found info about any required run-time support in e.g. libc or such (like for -fstack-protector(-strong)).
If those docs are missing listing limits for this option, we can off course enable this with a little bit of code in bsd.compiler.mk only for those architectures where we do not get such warnings.
Bye, Alexander. -- http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
signature.asc
Description: OpenPGP digital signature
