git: 7dc01dec4c3a - stable/15 - kernel: Enable -fstack-protector-strong by default
Date: Mon, 15 Jun 2026 18:01:46 UTC
The branch stable/15 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=7dc01dec4c3ac1e452b3f277d980258315dab8b0
commit 7dc01dec4c3ac1e452b3f277d980258315dab8b0
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-05-22 14:45:52 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-15 16:00:04 +0000
kernel: Enable -fstack-protector-strong by default
This extends stack canary use to all functions which define arrays on
the stack, not just those which operate on byte buffers. This option
would have made it harder to exploit SA-26:18.setcred and
SA-26:08.rpcsec_gss.
The change bloats the amd64 kernel text by about 350KB and increases the
number of covered functions from ~1500 to ~9000 (within the kernel
itself, i.e., not counting kernel modules).
Reviewed by: olce, olivier, emaste
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56870
(cherry picked from commit 8deebce931fa9b469cf28a082038a64caf972602)
---
sys/conf/kern.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk
index 958203c3dedd..6ae940be9a47 100644
--- a/sys/conf/kern.mk
+++ b/sys/conf/kern.mk
@@ -239,7 +239,7 @@ CFLAGS+= -fwrapv
# Stack Smashing Protection (SSP) support
#
.if ${MK_SSP} != "no"
-CFLAGS+= -fstack-protector
+CFLAGS+= -fstack-protector-strong
.endif
#
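Review bot: The comment above the `.if ${MK_SSP} != "no"` test still reads only "Stack Smashing Protection (SSP) support", so nothing in kern.mk records that the flag is now the -strong variant or what it costs. The commit message quotes about 350KB of extra kernel text and coverage rising from ~1500 to ~9000 functions, but only for amd64; consider adding a short comment here stating that -fstack-protector-strong covers all functions with on-stack arrays and that the size figure was measured on amd64. Also note that the switch applies to every configuration where MK_SSP is not "no", leaving no way to keep plain -fstack-protector: a size-constrained kernel now has to choose between the larger text and disabling SSP entirely, which is worth calling out in the comment or the release notes.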