New gcc hardening defaults in eoan (-fstack-clash-protection + -fcf-protection)

Alex Murray alex.murray at
Wed Jun 19 07:07:51 UTC 2019


The security and foundations teams have been working to enable a couple
new hardening options in GCC as default for eoan / 19.10. These are
-fstack-clash-protection and -fcf-protection.

-fstack-clash-protection causes GCC to instrument variable-length stack
allocations so that each page is probed at allocation time to turn
possible code-execution "stack clash" attacks (via jumping stack guard
pages) into just a segmentation fault / denial of
service. -fcf-protection adds support for Intel's control-flow
enforcement technology (CET) instructions (these require hardware
support but on older hardware which does not support these new
instructions these are just no-ops).

These are not enabled on all architectures, in particular
-fstack-clash-protection is not enabled on 32-bit ARM archs (as this is
buggy) and -fcf-protection is only enabled on x86 archs (amd64/i386/x32)
as this is only available on this hardware.

These options can be disabled by using -fno-stack-clash-protection and
-fcf-protection=none respectively in CFLAGS / CPPFLAGS as documented at

Results from a test rebuild with these new options enabled _and using
gcc-9_ are at [2] and help would be appreciated in fixing any build

Thanks in particular to Matthias (doko) on the Foundations team for his
help with this.
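As an added example (not part of the announcement above), a small parser for the `.note.gnu.property` section that GCC and ld emit on x86 when a build used -fcf-protection: the GNU_PROPERTY_X86_FEATURE_1_AND property records whether the object carries the IBT and SHSTK (CET) markings, so it is the thing to check when verifying that a package rebuilt with the new defaults. It assumes the ELF64 property-note layout (8-byte alignment) and the constant values defined in the GNU ABI; the sample note is constructed inline.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 0x1
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 0x2


def _align_up(n, align):
    return (n + align - 1) & ~(align - 1)


def parse_gnu_property_note(note, align=8):
    """Parse a raw .note.gnu.property blob into {pr_type: pr_data}.
    ELF64 property notes pad the name and each property to 8 bytes."""
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name = note[12:12 + namesz]
    if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not a GNU property note")
    off = _align_up(12 + namesz, align)
    desc = note[off:off + descsz]
    props, pos = {}, 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        props[pr_type] = desc[pos + 8:pos + 8 + pr_datasz]
        pos = _align_up(pos + 8 + pr_datasz, align)
    return props


def cet_features(note):
    """Return the CET features (subset of {'IBT', 'SHSTK'}) a note advertises.
    An object built with -fcf-protection=none has no FEATURE_1_AND property,
    or one with no bits set, and so reports an empty set."""
    data = parse_gnu_property_note(note).get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if data is None:
        return set()
    bits = struct.unpack("<I", data[:4])[0]
    found = set()
    if bits & GNU_PROPERTY_X86_FEATURE_1_IBT:
        found.add("IBT")
    if bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK:
        found.add("SHSTK")
    return found


def build_note(feature_bits):
    """Constructed sample note with one X86_FEATURE_1_AND property, laid out
    as GCC/ld emit it for an amd64 build (pr_data padded to 8 bytes)."""
    prop = struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits, 0)
    header = struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0)
    return header + b"GNU\0" + prop
```

On a real binary the section bytes can be extracted with `objcopy --dump-section .note.gnu.property=note.bin ./a.out` and fed to `cet_features`; `readelf -n ./a.out` prints the same information in its "x86 feature" line.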


