Hi,

The security and foundations teams have been working to enable a couple of new hardening options in GCC as default for eoan / 19.10. These are -fstack-clash-protection and -fcf-protection.

-fstack-clash-protection causes GCC to instrument variable-length stack allocations so that each page is probed at allocation time to turn possible code-execution "stack clash" attacks (via jumping stack guard pages) into just a segmentation fault / denial of service.

-fcf-protection adds support for Intel's control-flow enforcement technology (CET) instructions (these require hardware support, but on older hardware which does not support these new instructions they are just no-ops).

These are not enabled on all architectures: in particular, -fstack-clash-protection is not enabled on 32-bit ARM archs (as this is buggy) and -fcf-protection is only enabled on x86 archs (amd64/i386/x32) as this is only available on this hardware.

These options can be disabled by using -fno-stack-clash-protection and -fcf-protection=none respectively in CFLAGS / CPPFLAGS as documented at [1].

Results from a test rebuild with these new options enabled _and using gcc-9_ are at [2] and help would be appreciated in fixing any build failures.

Thanks in particular to Matthias (doko) on the Foundations team for his help with this.

Cheers,
Alex

[1] https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-fstack-clash-protection
[2] https://people.canonical.com/~doko/ftbfs-report/test-rebuild-20190614-eoan.html

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
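The post above describes the new -fcf-protection default but not how to confirm it took effect on a built binary. The following is an added example, not part of the mailing list post or the Ubuntu toolchain: on x86, GCC records the CET features it enabled in a .note.gnu.property section, which `readelf -n` (binutils) prints as a line of the form `x86 feature: IBT, SHSTK`. The script parses that output so the check can be scripted in a build or QA step. The function names, the constructed sample `readelf -n` text, and the `full`/`partial`/`none` labels are my own choices.

```shell
#!/bin/sh
# Added example (not from the ubuntu-devel post): report whether an x86 ELF
# object or executable carries the GNU property note that -fcf-protection
# emits. Assumes binutils' readelf; the parsing is done on readelf's text so
# it can also be exercised offline with captured output.

# Reads `readelf -n` output from stdin and prints one word:
#   full    - both IBT (indirect branch tracking) and SHSTK (shadow stack)
#   partial - only one of the two CET features is recorded
#   none    - no x86 feature property at all (built without -fcf-protection,
#             or the note was dropped at link time, see usage note)
cet_status_from_notes() {
    # Only the first property line matters; head keeps the pipeline's
    # status at 0 even when grep finds nothing.
    line=$(grep 'x86 feature:' | head -n 1)
    ibt=0
    shstk=0
    case "$line" in *IBT*) ibt=1 ;; esac
    case "$line" in *SHSTK*) shstk=1 ;; esac
    if [ "$ibt" -eq 1 ] && [ "$shstk" -eq 1 ]; then
        echo full
    elif [ "$ibt" -eq 1 ] || [ "$shstk" -eq 1 ]; then
        echo partial
    else
        echo none
    fi
}

# Convenience wrapper for a real file on disk (needs readelf installed).
cet_status_of_file() {
    readelf -n "$1" 2>/dev/null | cet_status_from_notes
}

# Constructed sample of what `readelf -n` prints for a binary built with
# -fcf-protection (layout modelled on binutils output; not captured from a
# specific Ubuntu package).
SAMPLE_CET_NOTES='Displaying notes found in: .note.gnu.property
  Owner                Data size 	Description
  GNU                  0x00000020	NT_GNU_PROPERTY_TYPE_0
      Properties: x86 feature: IBT, SHSTK'

# Constructed sample for a binary with no property note at all.
SAMPLE_NO_NOTES='Displaying notes found in: .note.gnu.build-id
  Owner                Data size 	Description
  GNU                  0x00000014	NT_GNU_BUILD_ID (unique build ID bitstring)
    Build ID: 0000000000000000000000000000000000000000'

# When run directly with a path, report on that file; otherwise show the
# result for the constructed samples.
if [ -n "${1:-}" ]; then
    printf '%s: CET=%s\n' "$1" "$(cet_status_of_file "$1")"
else
    printf 'sample with CET note: %s\n' "$(printf '%s\n' "$SAMPLE_CET_NOTES" | cet_status_from_notes)"
    printf 'sample without note:  %s\n' "$(printf '%s\n' "$SAMPLE_NO_NOTES" | cet_status_from_notes)"
fi
```

Usage: `sh cet-check.sh /usr/bin/some-binary`. Two caveats when reading the result. First, the linker only keeps the IBT/SHSTK bits in the output if every input object carries them, so a single object built without -fcf-protection (hand-written assembly, a vendored object file, or a package that opted out with -fcf-protection=none) silently drops the property for the whole executable; `none` on a package built after the default change is therefore worth tracing back to the object that lacked the note. Second, the note only says the code was compiled with the CET instructions; whether they are enforced still depends on CET-capable hardware and a kernel and loader that enable it, exactly as the post says they are no-ops elsewhere. There is no equivalent property note for -fstack-clash-protection; confirming that one means inspecting the disassembly of functions with variable-length stack allocations for the per-page probes.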