diff options
author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-06-27 02:29:02 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2019-06-27 12:53:45 -0700 |
commit | a1c5e906c8bab294f380151f59e552766fdf32b7 (patch) | |
tree | cbb0992d4b9b6dd1b2e3c5b93dfd6e38a15e015a | |
parent | The third batch (diff) | |
download | tgif-a1c5e906c8bab294f380151f59e552766fdf32b7.tar.xz |
mingw: enable stack smashing protector
To reduce Git for Windows' attack surface, we started using the Address
Space Layout Randomization and Data Execution Prevention features in
ce6a158561f9 (mingw: enable DEP and ASLR, 2019-05-08).
To remove yet another attack vector, let's make use of gcc's stack
smashing protector that helps detect stack buffer overruns early.
Rather than using -fstack-protector, we use -fstack-protector-strong
because on Windows: The latter appears to strike a better balance
between the performance impact and the provided safety.
In a non-scientific test (time git log --grep=is -p), best of 5 timings
went from 23.009s to 22.997s, i.e. the performance impact was *well*
lost in the noise.
This fixes https://github.com/git-for-windows/git/issues/501
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | config.mak.uname | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/config.mak.uname b/config.mak.uname index b71688eeb7..2400e7879c 100644 --- a/config.mak.uname +++ b/config.mak.uname @@ -596,7 +596,8 @@ else BASIC_LDFLAGS += -Wl,--large-address-aware endif CC = gcc - COMPAT_CFLAGS += -D__USE_MINGW_ANSI_STDIO=0 -DDETECT_MSYS_TTY + COMPAT_CFLAGS += -D__USE_MINGW_ANSI_STDIO=0 -DDETECT_MSYS_TTY \ + -fstack-protector-strong EXTLIBS += -lntdll INSTALL = /bin/install NO_R_TO_GCC_LINKER = YesPlease |