NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Add `-fstack-clash-protection` hardening (and enable by default?) #53753

Open wizeman opened 5 years ago

wizeman commented 5 years ago

Issue description

It would be good for the security of NixOS to compile user-space with -fstack-clash-protection. It should probably be added either as a new hardening flag or perhaps included as part of the stackprotector flag.

Motivation

CVE-2018-16864 and CVE-2018-16865 describe new vulnerabilities and exploits in systemd which -fstack-clash-protection can mitigate, according to the linked advisory:

SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection

However, since NixOS doesn't compile user-space with -fstack-clash-protection, it's likely to be vulnerable.
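
The proposal above is to expose `-fstack-clash-protection` through the stdenv hardening mechanism, where a package's `hardeningDisable` list can opt out. The following is an added illustration, not code from nixpkgs or from the issue author, of how the cc-wrapper's flag-set to compiler-option mapping behaves once such a flag exists: a shell model that takes the enabled set and a per-package disable list and emits the options. The flag name `stackclashprotection`, the default flag set and the exact option strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not nixpkgs' add-hardening.sh): a minimal model of how an
# enabled hardening-flag set is turned into compiler options, with a
# per-package disable list applied first.
# Assumptions: the flag name "stackclashprotection" and the option strings
# below are illustrative, not taken from nixpkgs.

# Assumed default set; note it does not contain stackclashprotection, which
# is the situation the issue describes.
DEFAULT_HARDENING="fortify stackprotector pic strictoverflow format relro bindnow"

# hardening_cflags ENABLED DISABLED
# Prints one option group per line for every flag in ENABLED that is not in
# DISABLED. The token "all" in DISABLED disables everything, like
# hardeningDisable = [ "all" ] does.
hardening_cflags() {
  enabled=$1
  disabled=$2
  for flag in $enabled; do
    skip=0
    for d in $disabled; do
      if [ "$d" = "$flag" ] || [ "$d" = all ]; then
        skip=1
      fi
    done
    if [ "$skip" -eq 1 ]; then
      continue
    fi
    case $flag in
      fortify)              echo '-O2 -D_FORTIFY_SOURCE=2' ;;
      stackprotector)       echo '-fstack-protector-strong --param ssp-buffer-size=4' ;;
      stackclashprotection) echo '-fstack-clash-protection' ;;
      pic)                  echo '-fPIC' ;;
      strictoverflow)       echo '-fno-strict-overflow' ;;
      format)               echo '-Wformat -Wformat-security -Werror=format-security' ;;
      relro)                echo '-Wl,-z,relro' ;;
      bindnow)              echo '-Wl,-z,now' ;;
      *)
        echo "unknown hardening flag: $flag" >&2
        return 1
        ;;
    esac
  done
}

# has_option ENABLED DISABLED OPTION
# Succeeds if OPTION appears as a whole line in the emitted options, i.e. if
# a build with that configuration would actually pass it to the compiler.
has_option() {
  hardening_cflags "$1" "$2" | grep -qxF -- "$3"
}

# Usage: the default set yields no stack-clash probing; adding the flag does;
# a package that lists it in hardeningDisable drops it again.
if has_option "$DEFAULT_HARDENING" "" '-fstack-clash-protection'; then
  echo "default stdenv already emits -fstack-clash-protection"
else
  echo "default stdenv does not emit -fstack-clash-protection"
fi
if has_option "$DEFAULT_HARDENING stackclashprotection" "" '-fstack-clash-protection'; then
  echo "with stackclashprotection enabled: flag is passed"
fi
if ! has_option "$DEFAULT_HARDENING stackclashprotection" "stackclashprotection" '-fstack-clash-protection'; then
  echo "hardeningDisable = [ \"stackclashprotection\" ]: flag is dropped"
fi
```

The check a practitioner would actually run against a real NixOS build is the same in spirit: inspect the compiler invocation (for example with `NIX_DEBUG=1` in the build environment) and confirm whether `-fstack-clash-protection` is present, rather than assuming it from the flag list.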

schmittlauch commented 5 years ago

@wizeman Are you going to open an issue about actually patching systemd to fix the vulnerabilities, or shall I do it?

wizeman commented 5 years ago

@schmittlauch Please go ahead. I can't tell which systemd version has fixed those vulnerabilities from reading the advisory.

globin commented 5 years ago

@fpletz is actively working on this

mkg20001 commented 4 years ago

@fpletz Any updates?

Et7f3 commented 2 years ago

Do you see other spots than this that need to be updated?

wizeman commented 2 years ago

> Do you see other spots than this that need to be updated?

I would imagine there could be some fallout from adding the flag, i.e., it may break some packages, which would need to be fixed, updated or have the flag be removed from it.

Assuming my initial comment is still accurate as of today, then SUSE and Fedora have been using this flag for years already, so presumably the vast majority of packages should keep working fine.

aikooo7 commented 9 months ago

Is this still needing to be fixed?

wizeman commented 9 months ago

> Is this still needing to be fixed?

Yes.

tomodachi94 commented 1 month ago

Removing the 23.11 milestone since we've passed it. Pinging 24.11 release manager @RossComputerGuy, since I'm hesitant to add this to the 24.11 milestone.

RossComputerGuy commented 1 month ago

Yeah, I'm a little hesitant since we're past the first point of blocking updates, so we might be too far in the release cycle right now. However, I think we can tackle this post-release.

RossComputerGuy commented 1 month ago

Was told to talk to @risicle. Any idea what sort of build failure impact we could see if we do make this the default?

risicle commented 4 weeks ago

I think the impact is probably quite minimal among core packages. I'm guessing this from the fact that we disable it for wine, which implies that people have built wine on a stdenv with stack clash protection enabled (perhaps via pkgsExtraHardening), and wine has an absurd dependency footprint. So I would guess all those dependencies build successfully with protection enabled (or have exceptions).

As for leaf-y packages, I can't say - it's generally difficult to say anything about that until we just try it.

Though I will say that I tend not to introduce a hardening flag and enable it by default in one NixOS release, so I'd only suggest enabling it by default after November.