make.sh: Enable -fstack-clash-protection for x86_64/aarch64

This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can arise where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag is only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2020-08-14 16:22:55 +00:00
parent 854df4df81
commit 87f3b1e568


@@ -146,7 +146,7 @@ configure_build() {
BUILDTARGET="${build_arch}-unknown-linux-gnu"
CROSSTARGET="${build_arch}-cross-linux-gnu"
BUILD_PLATFORM="x86"
CFLAGS_ARCH="-m64 -mtune=generic"
CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"
;;
i586)
@@ -160,7 +160,7 @@ configure_build() {
BUILDTARGET="${build_arch}-unknown-linux-gnu"
CROSSTARGET="${build_arch}-cross-linux-gnu"
BUILD_PLATFORM="arm"
CFLAGS_ARCH=""
CFLAGS_ARCH="-fstack-clash-protection"
;;
armv7hl)
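Review bot: Both new `CFLAGS_ARCH` assignments in `configure_build()` (the `-m64` arm and the arm just before `armv7hl)`) carry the hardening flag without a comment, so the reason the neighbouring `i586)` and `armv7hl)` arms stay unprotected is recorded only in the commit message. I would add `# -fstack-clash-protection: probe large stack allocations page by page; only available on x86_64 and aarch64` above each assignment, so that anyone adding an architecture re-checks availability rather than copying an arm that lacks the flag. Whether `CFLAGS_ARCH` also reaches C++ builds and packages that set their own flags is not visible here, because the function body starts and ends outside both hunks. If it does not, those binaries are built without the stack probes and the build should say so somewhere.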