git@vger.kernel.org mailing list mirror (one of many)
From: "İsmail Dönmez via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: "Junio C Hamano" <gitster@pobox.com>, "İsmail Dönmez" <ismail@i10z.com>
Subject: [PATCH 2/2] mingw: enable DEP and ASLR
Date: Mon, 29 Apr 2019 14:56:58 -0700 (PDT)
Message-ID: <e142c1396ec3541486317819e885cf42be24af34.1556575015.git.gitgitgadget@gmail.com>
In-Reply-To: <pull.134.git.gitgitgadget@gmail.com>

From: İsmail Dönmez <ismail@i10z.com>

Enable DEP (Data Execution Prevention) and ASLR (Address Space Layout
Randomization) support. This applies to both 32bit and 64bit builds
and makes it substantially harder to exploit security holes in Git by
offering a much more unpredictable attack surface.

ASLR interferes with GDB's ability to set breakpoints. A similar issue
holds true when compiling with -O2 (in which case single-stepping is
messed up because GDB cannot map the code back to the original source
code properly). Therefore we simply enable ASLR only when an
optimization flag is present in the CFLAGS, using it as an indicator
that the developer does not want to debug in GDB anyway.

Signed-off-by: İsmail Dönmez <ismail@i10z.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 config.mak.uname | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config.mak.uname b/config.mak.uname
index e7c7d14e5f..a9edcc5f0b 100644
--- a/config.mak.uname
+++ b/config.mak.uname
@@ -570,6 +570,12 @@ else
 	ifeq ($(shell expr "$(uname_R)" : '2\.'),2)
 		# MSys2
 		prefix = /usr/
+		# Enable DEP
+		BASIC_LDFLAGS += -Wl,--nxcompat
+		# Enable ASLR (unless debugging)
+		ifneq (,$(findstring -O,$(CFLAGS)))
+			BASIC_LDFLAGS += -Wl,--dynamicbase
+		endif
 		ifeq (MINGW32,$(MSYSTEM))
 			prefix = /mingw32
 			HOST_CPU = i686
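
Review bot: In the `ifneq (,$(findstring -O,$(CFLAGS)))` test, `findstring` is a plain substring match, so `-O0` and `-Og` (the levels a developer would pick for a GDB session) also turn on `--dynamicbase`, while a build whose CFLAGS carries no `-O` at all links without ASLR and nothing reports it. Consider matching whole words with `$(filter -O%,$(CFLAGS))` and excluding `-O0` and `-Og`, or an explicit opt-out variable so that release hardening does not hinge on the optimization flag. The `# Enable ASLR (unless debugging)` comment should state whichever rule is chosen.
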
-- 
gitgitgadget
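
One way to confirm that a built Windows binary actually carries the two opt-ins this patch asks the linker for, as an added example (not part of the patch or of Git): it reads the PE header bits that `--nxcompat` and `--dynamicbase` set, plus the COFF relocations-stripped bit, since an EXE without relocations cannot be rebased. `pe_mitigations` and `sample_pe` are hypothetical names, and the sample image is a constructed headers-only stub.

```python
import struct
import sys

# Flag values from the Microsoft PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by ld --dynamicbase
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by ld --nxcompat


def pe_mitigations(image: bytes) -> dict:
    """Return the DEP/ASLR opt-in state recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Need: signature (4) + COFF header (20) + optional header up to offset 72
    if e_lfanew + 96 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    coff = e_lfanew + 4
    opt_size, file_chars = struct.unpack_from("<HH", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:  # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The flag alone is not enough: the loader needs relocations to rebase
        "aslr_usable": dynamic_base and not relocs_stripped,
    }


def sample_pe(dll_chars: int, file_chars: int) -> bytes:
    """Constructed headers-only PE32+ stub for testing (not a real binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 72, file_chars)
    opt = struct.pack("<H", 0x20B) + bytes(68) + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the binaries produced by the build
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```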
