Userland hardening with GCC -fstack-clash-protection


#1

Two memory corruptions and one information leak have recently been discovered in systemd-journald.

From their summary:

To the best of our knowledge, all systemd-based Linux distributions are
vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora
28 and 29 are not exploitable because their user space is compiled with
GCC’s -fstack-clash-protection.

At least after a first glimpse NixOS doesn’t utilize that compiler flag yet. So should we aim for enabling that in NixOS as well?
What other hardening flags does NixOS use so far (PIE, stack canaries, …)?

Here’s the related Gentoo bug for reference: https://bugs.gentoo.org/show_bug.cgi?id=675050


#2

That is correct. I’m currently working on bumping our default GCC to version 8.2.0 to get support for -fstack-clash-protection. I will add this in a second step and also evaluate what flags other distributions are adding these days.

We support these hardening flags since a few NixOS versions: https://github.com/NixOS/nixpkgs/blob/3e950d584c8186239809e4d101e70e083ea9e9e0/pkgs/build-support/cc-wrapper/add-hardening.sh#L37

Here is the WIP gcc8 PR: https://github.com/NixOS/nixpkgs/pull/53760