Re: git: 8deebce931fa - main - kernel: Enable -fstack-protector-strong by default
Date: Fri, 22 May 2026 15:30:57 UTC
On Fri, May 22, 2026 at 06:22:10PM +0300, Konstantin Belousov wrote:
> On Fri, May 22, 2026 at 02:54:45PM +0000, Mark Johnston wrote:
> > The branch main has been updated by markj:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=8deebce931fa9b469cf28a082038a64caf972602
> >
> > commit 8deebce931fa9b469cf28a082038a64caf972602
> > Author: Mark Johnston <markj@FreeBSD.org>
> > AuthorDate: 2026-05-22 14:45:52 +0000
> > Commit: Mark Johnston <markj@FreeBSD.org>
> > CommitDate: 2026-05-22 14:45:52 +0000
> >
> > kernel: Enable -fstack-protector-strong by default
> >
> > This extends stack canary use to all functions which define arrays on
> > the stack, not just those which operate on byte buffers. This option
> > would have made it harder to exploit SA-26:18.setcred and
> > SA-26:08.rpcsec_gss.
> >
> > The change bloats the amd64 kernel text by about 350KB and increases the
> > number of covered functions from ~1500 to ~9000 (within the kernel
> > itself, i.e., not counting kernel modules).
> >
> > Reviewed by: olce, olivier, emaste
> > MFC after: 2 weeks
> > Differential Revision: https://reviews.freebsd.org/D56870
> > ---
> > sys/conf/kern.mk | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk
> > index af7b1589c5cd..b87583db21c5 100644
> > --- a/sys/conf/kern.mk
> > +++ b/sys/conf/kern.mk
> > @@ -235,7 +235,7 @@ CFLAGS+= -fwrapv
> > # Stack Smashing Protection (SSP) support
> > #
> > .if ${MK_SSP} != "no"
> > -CFLAGS+= -fstack-protector
> > +CFLAGS+= -fstack-protector-strong
> > .endif
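Review bot: the only knob visible in this hunk, `${MK_SSP} != "no"`, is all-or-nothing, so a configuration that wants to keep the previous `-fstack-protector` coverage (for example to avoid the ~350KB amd64 text growth the commit message quotes) has no option short of disabling SSP entirely via `WITHOUT_SSP`. Consider either a separate knob for the strong variant or a line under the `# Stack Smashing Protection (SSP) support` comment stating that `-strong` now covers every function with a stack-allocated array and that `WITHOUT_SSP` is the only opt-out.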
>
> Can ssp be turned off from the kernel config?
Yes, add "makeoptions WITHOUT_SSP=1". Of course, that disables SSP
entirely.