git@vger.kernel.org mailing list mirror (one of many)
* [PATCH 0/1] mingw: enable GCC's stack smashing protector
@ 2019-06-27  9:29 Johannes Schindelin via GitGitGadget
  2019-06-27  9:29 ` [PATCH 1/1] mingw: enable " Johannes Schindelin via GitGitGadget
  0 siblings, 1 reply; 2+ messages in thread
From: Johannes Schindelin via GitGitGadget @ 2019-06-27  9:29 UTC
  To: git; +Cc: Junio C Hamano

Recently, I managed to upstream the Data Execution Prevention/Address Space
Layout Randomization patches of Git for Windows. Now it is time to add to
that by also enabling GCC's augmenting feature which reduces the attack
surface even further.

Johannes Schindelin (1):
  mingw: enable stack smashing protector

 config.mak.uname | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


base-commit: aa25c82427ae70aebf3b8f970f2afd54e9a2a8c6
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-215%2Fdscho%2Fmingw-stack-smashing-protector-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-215/dscho/mingw-stack-smashing-protector-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/215
-- 
gitgitgadget


* [PATCH 1/1] mingw: enable stack smashing protector
  2019-06-27  9:29 [PATCH 0/1] mingw: enable GCC's stack smashing protector Johannes Schindelin via GitGitGadget
@ 2019-06-27  9:29 ` Johannes Schindelin via GitGitGadget
  0 siblings, 0 replies; 2+ messages in thread
From: Johannes Schindelin via GitGitGadget @ 2019-06-27  9:29 UTC
  To: git; +Cc: Junio C Hamano, Johannes Schindelin

From: Johannes Schindelin <johannes.schindelin@gmx.de>

To reduce Git for Windows' attack surface, we started using the Address
Space Layout Randomization and Data Execution Prevention features in
ce6a158561f9 (mingw: enable DEP and ASLR, 2019-05-08).

To remove yet another attack vector, let's make use of gcc's stack
smashing protector that helps detect stack buffer overruns early.

Rather than using -fstack-protector, we use -fstack-protector-strong
because on Windows, the latter appears to strike a better balance
between the performance impact and the provided safety.

In a non-scientific test (time git log --grep=is -p), best of 5 timings
went from 23.009s to 22.997s, i.e. the performance impact was *well*
lost in the noise.

This fixes https://github.com/git-for-windows/git/issues/501

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 config.mak.uname | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config.mak.uname b/config.mak.uname
index b71688eeb7..2400e7879c 100644
--- a/config.mak.uname
+++ b/config.mak.uname
@@ -596,7 +596,8 @@ else
 			BASIC_LDFLAGS += -Wl,--large-address-aware
 		endif
 		CC = gcc
-		COMPAT_CFLAGS += -D__USE_MINGW_ANSI_STDIO=0 -DDETECT_MSYS_TTY
+		COMPAT_CFLAGS += -D__USE_MINGW_ANSI_STDIO=0 -DDETECT_MSYS_TTY \
+			-fstack-protector-strong
 		EXTLIBS += -lntdll
 		INSTALL = /bin/install
 		NO_R_TO_GCC_LINKER = YesPlease
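
Review bot: The new "-fstack-protector-strong" continuation line is appended to COMPAT_CFLAGS only, and nothing in this hunk touches the link side (BASIC_LDFLAGS and EXTLIBS are left as they were, with EXTLIBS still adding just "-lntdll"). On MinGW toolchains where the protector's runtime support (__stack_chk_guard, __stack_chk_fail) comes from libssp, the link step has to see the flag as well, and a dynamically linked libssp becomes a DLL that must ship with the installer. Please confirm that every link command passes COMPAT_CFLAGS to the gcc driver, or add the flag to BASIC_LDFLAGS explicitly, and say in the commit message whether libssp ends up linked statically or as a runtime dependency. A short comment above the assignment noting why the "-strong" variant was chosen over plain "-fstack-protector" would also save the next reader a trip to the log.
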
-- 
gitgitgadget
