Home Explore Blog Models CI



nixpkgs
32th chunk of `doc/stdenv/stdenv.chapter.md`
17d19e7667fd8c65019669f4f2ebc529adc72c0ea752407a0000000100000a65
This flag adds the `-fstrict-flex-arrays=1` compiler option, which reduces the cases the compiler treats as "flexible arrays" to those declared with length `[1]`, `[0]` or (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.

Enabling this flag on packages that still use length declarations of flexible arrays >1 may cause the package to fail to compile citing accesses beyond the bounds of an array or even crash at runtime by detecting an array access as an "overrun". Few projects still use length declarations of flexible arrays >1.

Disabling `strictflexarrays1` implies disablement of `strictflexarrays3`.

#### `strictflexarrays3` {#strictflexarrays3}

This flag adds the `-fstrict-flex-arrays=3` compiler option, which reduces the cases the compiler treats as "flexible arrays" to only those declared with length as (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.

Enabling this flag on packages that still use non-empty length declarations for flexible arrays may cause the package to fail to compile citing accesses beyond the bounds of an array or even crash at runtime by detecting an array access as an "overrun". Many projects still use such non-empty length declarations for flexible arrays.

Enabling this flag implies enablement of `strictflexarrays1`. Disabling this flag does not imply disablement of `strictflexarrays1`.

#### `shadowstack` {#shadowstack}

Adds the `-fcf-protection=return` compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program's stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.

For the Shadow Stack to be enabled at runtime, all code linked into a process must be built with Shadow Stack enabled, so this is probably only useful to enable on a wide scale, so that all of a packages dependencies also have the feature enabled.

This is currently only supported on some newer Intel and AMD processors as part of the Intel CET set of features. However, the generated code should continue to work on older processors which will simply omit any of this checking.
Title: Compiler and Linker Hardening Flags: Flexible Arrays and Shadow Stack
Summary
This section details several compiler flags aimed at hardening software against various attacks. The `strictflexarrays1` flag adds `-fstrict-flex-arrays=1`, narrowing the definition of flexible arrays to `[1]`, `[0]`, or `[]` to improve 'fortify checks'. `strictflexarrays3`, enabled by `strictflexarrays1`, further restricts flexible arrays to only `[]` via `-fstrict-flex-arrays=3`, also enhancing 'fortify checks' but potentially causing more compilation or runtime issues for older codebases. Finally, `shadowstack` introduces `-fcf-protection=return`, enabling a Shadow Stack feature on supported processors. This feature maintains a separate, secure copy of return addresses to detect stack corruption and mitigate ROP attacks, requiring all linked code to be built with this feature for full effectiveness.