diff options
| author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-06-27 09:29:02 (GMT) |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2019-06-27 19:53:45 (GMT) |
| commit | a1c5e906c8bab294f380151f59e552766fdf32b7 (patch) | |
| tree | cbb0992d4b9b6dd1b2e3c5b93dfd6e38a15e015a /config.mak.uname | |
| parent | 8dca754b1e874719a732bc9ab7b0e14b21b1bc10 (diff) | |
| download | git-a1c5e906c8bab294f380151f59e552766fdf32b7.zip git-a1c5e906c8bab294f380151f59e552766fdf32b7.tar.gz git-a1c5e906c8bab294f380151f59e552766fdf32b7.tar.bz2 | |
mingw: enable stack smashing protector
To reduce Git for Windows' attack surface, we started using the Address
Space Layout Randomization and Data Execution Prevention features in
ce6a158561f9 (mingw: enable DEP and ASLR, 2019-05-08).
To remove yet another attack vector, let's make use of gcc's stack
smashing protector that helps detect stack buffer overruns early.
Rather than using -fstack-protector, we use -fstack-protector-strong
because on Windows: The latter appears to strike a better balance
between the performance impact and the provided safety.
In a non-scientific test (time git log --grep=is -p), best of 5 timings
went from 23.009s to 22.997s, i.e. the performance impact was *well*
lost in the noise.
This fixes https://github.com/git-for-windows/git/issues/501
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'config.mak.uname')
| -rw-r--r-- | config.mak.uname | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/config.mak.uname b/config.mak.uname index b71688e..2400e78 100644 --- a/config.mak.uname +++ b/config.mak.uname @@ -596,7 +596,8 @@ else BASIC_LDFLAGS += -Wl,--large-address-aware endif CC = gcc - COMPAT_CFLAGS += -D__USE_MINGW_ANSI_STDIO=0 -DDETECT_MSYS_TTY + COMPAT_CFLAGS += -D__USE_MINGW_ANSI_STDIO=0 -DDETECT_MSYS_TTY \ + -fstack-protector-strong EXTLIBS += -lntdll INSTALL = /bin/install NO_R_TO_GCC_LINKER = YesPlease |