CMake: Add hardening flags

- `-fstack-protection-strong` enables stack canaries for functions where addresses of local variables are taken or arrays/structures containing arrays are allocated on the stack. - `-fstrict-flex-arrays=2` causes the compiler to only treat arrays with unknown bounds (`[]`) or zero-length-arrays (`[0]`) as *flexible array members*, allowing the sanitizers to emit bounds checks for structs with proper arrays as their last member. More rigorous options (such as AArch64 pointer authentication, Control Flow Integrity, _FORTIFY_SOURCE) should be investigated in the future, however this is a good baseline.
Author: https://github.com/BertalanD Commit: https://github.com/LadybirdBrowser/ladybird/commit/a4645060e64 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/626 Reviewed-by: https://github.com/ADKaster ✅ Reviewed-by: https://github.com/trflynn89
2025-04-22 04:25:13 +00:00 · 2024-07-14 19:06:09 +02:00 · 2024-07-14 19:06:09 +02:00 · a4645060e6 · 2024-07-18 08:27:11 +09:00
commit a4645060e6
parent c62240aa80
1 changed files with 7 additions and 0 deletions
--- a/Meta/CMake/common_compile_options.cmake
+++ b/Meta/CMake/common_compile_options.cmake
@ -69,3 +69,10 @@ if (UNIX AND NOT APPLE AND NOT ENABLE_FUZZERS)
    add_compile_options(-fno-semantic-interposition)
    add_compile_options(-fvisibility-inlines-hidden)
 endif()
+
+if (NOT WIN32)
+    add_compile_options(-fstack-protector-strong)
+    add_link_options(-fstack-protector-strong)
+endif()
+
+add_compile_options(-fstrict-flex-arrays=2)