From a4645060e6442d57d71630d324167c8d78a1f061 Mon Sep 17 00:00:00 2001
From: Daniel Bertalan
Date: Sun, 14 Jul 2024 19:06:09 +0200
Subject: [PATCH] CMake: Add hardening flags
- `-fstack-protection-strong` enables stack canaries for functions where addresses of local variables are taken or arrays/structures containing arrays are allocated on the stack.
- `-fstrict-flex-arrays=2` causes the compiler to only treat arrays with unknown bounds (`[]`) or zero-length-arrays (`[0]`) as *flexible array members*, allowing the sanitizers to emit bounds checks for structs with proper arrays as their last member.
More rigorous options (such as AArch64 pointer authentication, Control Flow Integrity, _FORTIFY_SOURCE) should be investigated in the future, however this is a good baseline.
---
 Meta/CMake/common_compile_options.cmake | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Meta/CMake/common_compile_options.cmake b/Meta/CMake/common_compile_options.cmake
index 5dbe15ed898..1b87923fd0e 100644
--- a/Meta/CMake/common_compile_options.cmake
+++ b/Meta/CMake/common_compile_options.cmake
@@ -69,3 +69,10 @@ if (UNIX AND NOT APPLE AND NOT ENABLE_FUZZERS)
 add_compile_options(-fno-semantic-interposition)
 add_compile_options(-fvisibility-inlines-hidden)
 endif()
+
+if (NOT WIN32)
+ add_compile_options(-fstack-protector-strong)
+ add_link_options(-fstack-protector-strong)
+endif()
+
+add_compile_options(-fstrict-flex-arrays=2)
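Review bot: The final `add_compile_options(-fstrict-flex-arrays=2)` is added unconditionally, outside the `if (NOT WIN32)` guard and with no compiler-support probe. The option exists only in fairly recent GCC and Clang releases (GCC 13 / Clang 16, as far as I know), so an older or non-GNU-style toolchain would probably reject the command line and fail the build instead of just skipping the hardening. If the project's minimum compiler versions already guarantee support, a one-line comment saying so would be enough; otherwise gate it as below, which needs the `CheckCXXCompilerFlag` module included in this file. A short comment above each new block naming what the flag mitigates would also help, because the only explanation is in the commit message, which spells the first flag `-fstack-protection-strong` while the code uses `-fstack-protector-strong`.

```cmake
# … unchanged: -fstack-protector-strong compile/link block under if (NOT WIN32) …

# Restrict flexible-array-member treatment to `[]`/`[0]` only where the compiler accepts the option.
check_cxx_compiler_flag(-fstrict-flex-arrays=2 COMPILER_SUPPORTS_STRICT_FLEX_ARRAYS)
if (COMPILER_SUPPORTS_STRICT_FLEX_ARRAYS)
    add_compile_options(-fstrict-flex-arrays=2)
endif()
```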