
Enabling -fstack-clash-protection for trixie



Following the procedure to modify default dpkg-buildflags, I propose to
enable -fstack-clash-protection on amd64. The bug for dpkg tracking this
is #918914.

| -fstack-clash-protection
| Generate code to prevent stack clash style attacks. When this option
| is enabled, the compiler will only allocate one page of stack space
| at a time and each page is accessed immediately after allocation.
| Thus, it prevents allocations from jumping over any stack guard page
| provided by the operating system.

This has been enabled on other distros for many years already (e.g.
Fedora since 27, RHEL since 8, OpenSUSE since 15.1, Ubuntu since 19.10).

I worked with Lucas a while back and he made an archive rebuild on amd64;
only a minimal list of packages will need to be adapted:
http://qa-logs.debian.net/2023/05/24/

The open question is whether to also enable this for arm64, mips64el,
ppc64el, riscv and s390x. I'm adding the respective porter lists; if there's
consensus among porters of a given arch other than amd64 to also add
the flag, please post a follow-up to #918914.

Cheers,
        Moritz
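As an added illustration of the mechanism the quoted gcc text describes (this is example code written for this page, not part of the original message and not dpkg's or gcc's own code), the following C program writes out by hand the two stack-allocation patterns involved: an unprobed alloca that moves the stack pointer past the guard page in one step and only then touches the bottom of the new frame, and a probed alloca that touches the new region one page at a time, the way the compiler does when -fstack-clash-protection is on. The 4 KiB page size, the function names and the 64 KiB frame are assumptions chosen for the example; the compiler's generated code interleaves the stack-pointer adjustment and the touch, but the guarantee is the same: a guard page anywhere inside the region is hit by a probe before any real data is written beyond it.

```c
/* Added example, not code from the original message or from dpkg/gcc:
 * stack probing written out by hand, the page-at-a-time pattern that
 * -fstack-clash-protection makes the compiler emit for large or dynamic
 * stack allocations. Names and sizes here are illustrative assumptions. */
#include <alloca.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: 4 KiB pages, as on amd64. Hosts with larger pages need a
 * larger interval (see sysconf(_SC_PAGESIZE)); the compiler's probe
 * interval is fixed at build time, not looked up at runtime. */
#define PAGE_SIZE 4096u

/* Probes the page-at-a-time scheme performs for a frame of `size` bytes:
 * one per PAGE_SIZE interval, rounding up, so even a short frame is
 * touched once before it is used. */
size_t probes_needed(size_t size)
{
    return (size + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Unprotected pattern: the stack pointer moves `size` bytes in one step and
 * only the lowest byte is accessed. If `size` exceeds the guard page, that
 * first access can land in whatever mapping sits below the guard, which is
 * the stack clash scenario. Returns how many whole pages the jump crossed
 * before the first access happened. (Safe to run here: the default stack
 * has far more headroom than the sizes used below.) */
size_t alloca_unprobed(size_t size)
{
    if (size == 0)
        return 0;
    volatile char *region = alloca(size);
    region[0] = 0;                      /* one store at the bottom of the new frame */
    return size / PAGE_SIZE;
}

/* Protected pattern: after the stack pointer moves, touch the new region one
 * page at a time from the top (nearest the caller's frame) downward. If a
 * guard page lies anywhere inside the region, a probe faults on it and the
 * allocation cannot silently jump over it. Returns the number of interval
 * probes performed; a final touch covers the lowest byte in case the region
 * is not page-aligned. */
size_t alloca_probed(size_t size)
{
    if (size == 0)
        return 0;
    volatile char *region = alloca(size);
    size_t probes = 0;

    for (size_t off = 0; off < size; off += PAGE_SIZE) {
        region[size - 1 - off] = 0;     /* volatile store: cannot be optimised away */
        probes++;
    }
    region[0] = 0;                      /* bottom of the frame, in case of misalignment */
    return probes;
}

int main(void)
{
    size_t frame = 16 * PAGE_SIZE;      /* 64 KiB: well beyond a one-page guard */
    printf("unprobed: jumped %zu pages before the first access\n",
           alloca_unprobed(frame));
    printf("probed:   %zu interval probes (expected %zu)\n",
           alloca_probed(frame), probes_needed(frame));
    return 0;
}
```

To see the compiler's own version of the probed pattern, compile a function with a variable-length array or alloca using -S with and without -fstack-clash-protection and compare the output: with the flag, the stack-pointer adjustment for the dynamic allocation is split into a loop that moves by one page and touches the new page each iteration, which is the loop the quoted documentation refers to.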

