D48651.id149866.diff
diff --git a/share/man/man7/mitigations.7 b/man/man7/mitigations.7
--- a/share/man/man7/mitigations.7
+++ b/man/man7/mitigations.7
@@ -28,7 +28,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd July 23, 2024
+.Dd January 24, 2025
.Dt MITIGATIONS 7
.Os
.Sh NAME
@@ -244,9 +244,13 @@
.Fx
supports stack overflow protection using the Stack Smashing Protector
.Pq SSP
-compiler feature.
+compiler feature,
+and stack clash protection.
In userland, SSP adds a per-process randomized canary at the end of every stack
-frame which is checked for corruption upon return from the function.
+frame which is checked for corruption upon return from the function,
+and a guard page every
+.Dv PAGE_SIZE
+chunks.
In the kernel, a single randomized canary is used globally except on aarch64,
which has a
.Dv PERTHREAD_SSP
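Review bot: the added clause "and a guard page every .Dv PAGE_SIZE chunks" misdescribes stack clash protection and, because it is grafted onto the SSP sentence, attributes it to SSP. -fstack-clash-protection does not insert guard pages; it makes the compiler emit a probe (a store) into each page of a large stack allocation (big frames, alloca, VLAs) so that a single allocation cannot step over the existing guard page below the stack. The phrase "every PAGE_SIZE chunks" is also ungrammatical. Suggest ending the SSP sentence at "upon return from the function." and adding a separate sentence along the lines of "Stack clash protection makes the compiler probe every page of a large stack allocation, so the stack pointer cannot jump past the guard page in one step."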
@@ -264,7 +268,9 @@
.Va WITH_SSP
is enabled, which is the default, world is built with the
.Fl fstack-protector-strong
-compiler option.
+and
+.Fl fstack-clash-protection
+compiler options.
The kernel is built with the
.Fl fstack-protector
option.
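Review bot: after this hunk the paragraph states that world is built with both -fstack-protector-strong and -fstack-clash-protection, while the following sentence still says the kernel is built with -fstack-protector only. State explicitly whether the kernel is also built with -fstack-clash-protection; as written a reader cannot tell whether the omission for the kernel is deliberate or an oversight in the text.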
diff --git a/share/mk/bsd.sys.mk b/mk/bsd.sys.mk
--- a/share/mk/bsd.sys.mk
+++ b/mk/bsd.sys.mk
@@ -304,7 +304,7 @@
FORTIFY_SOURCE?= 0
.if ${MK_SSP} != "no"
# Don't use -Wstack-protector as it breaks world with -Werror.
-SSP_CFLAGS?= -fstack-protector-strong
+SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection
CFLAGS+= ${SSP_CFLAGS}
.endif # SSP
.if ${FORTIFY_SOURCE} > 0
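Review bot: appending -fstack-clash-protection to SSP_CFLAGS under MK_SSP couples two distinct mitigations behind one knob, so there is no way to build with SSP but without stack clash probes (or the reverse); a separate variable, or at least a comment stating that MK_SSP now covers both, would make the intent clear. The flag is also added unconditionally for every compiler and architecture that reaches this block; if any supported toolchain does not accept -fstack-clash-protection the world build fails with an unknown-option error, so it is worth confirming support across the supported toolchains or guarding the flag on a compiler-feature check. Finally, the comment "Don't use -Wstack-protector as it breaks world with -Werror." now sits above a line it only half describes; consider extending it to mention the stack clash flag.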
