Enable stack protection (CI release executables) #2801
Conversation

Compare e80829a to dc49d0d
@@ -158,7 +159,8 @@ jobs: | |||
--disable-valgrind \ | |||
--with-oniguruma=builtin \ | |||
--enable-static \ | |||
--enable-all-static | |||
--enable-all-static \ | |||
CFLAGS="-O2 -pthread -fstack-protector-all" |
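Review bot: passing CFLAGS on the configure command line replaces Autoconf's default flag set instead of extending it, so this line now owns every flag the release build gets; it keeps -O2 and -pthread but silently drops the default -g, so the CI executable is built without debug info before any strip step runs, which matters for the unstripped-binary check discussed in this thread. Consider putting the flag list in one job-level variable so the two static options and the CFLAGS string cannot drift apart, and consider whether -fstack-protector-strong (per-function cost only where there are stack buffers) together with -D_FORTIFY_SOURCE=2 is the pairing wanted for a release build rather than -fstack-protector-all alone.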
Doh, I somehow assumed -fsanitize=safe-stack was clang's version of -fstack-protector-all, but it seems to be two different stack protection techniques.

I still haven't managed to get -fsanitize=safe-stack to work for darwin x86, but it does seem to work on linux 🤷
I think this is good enough for 1.7. It would be great post 1.7 to provide these things using configure options somehow.

Did you check the executables built on CI to make sure hardening-check?

Not yet. Though, hmm, how would I? Use a debugger to try to force a buffer overflow?
Seems like hardened-check should be able to detect it heuristically for ELF at least:

@nicowilliams noticed a fixup commit slipped in

Think this https://github.com/jqlang/jq/blob/master/.github/workflows/ci.yml#L74 probably?

Ay, yes. Well, I suppose I could build jq twice, once w/o stripping, to check if it has stack protection. Or maybe just punt. I'm doing a build without
👍 I think we can make this nicer after 1.7

I wonder if we could have a command-line option to indicate whether jq was built with any stack protection features. Or maybe we could have a command-line option that shows the build options used to build jq, just like many programs have.

Yeah, that feels like quite a neat solution. I poked around a bit with harden-checker and noticed that with static builds the

With
Resolves #1514.