Contributed by tbert on 2014-05-07 from the doing the fstack shuffle dept.

Martynas Venckus (martynas@) has committed a pair of security-related enhancements to OpenBSD's gcc(1), improving the bug- and exploit-resistance of the entire system.

The first, a new -fstack-shuffle option, is meant to expose bugs that were slipping through because of the ordering of variables on the stack.

    CVSROOT: /cvs
    Module name: src
    Changes by: martynas@cvs.openbsd.org 2014/05/06 17:22:33

    Modified files:
        gnu/gcc/gcc : cfgexpand.c common.opt

    Log message:
    Introduce -fstack-shuffle, which randomizes local stack variables.
    This will make the environment more hostile and help detect bugs
    that depend on overrunning one variable into another, with almost
    no performance cost.
    Discussed with Theo at m2k14 hackathon.
    "oh god yes" tedu@, "oh nice" djm@

The next is an extension of the existing stack protector to cases where it previously wasn't in effect:

    CVSROOT: /cvs
    Module name: src
    Changes by: martynas@cvs.openbsd.org 2014/05/06 17:32:34

    Modified files:
        gnu/gcc/gcc : cfgexpand.c

    Log message:
    When the stack protector heuristics doesn't cover a function, leave
    a little pointer-sized gap before the return value. This protects
    from common off-by-one type of bugs and costs nothing: the attacker
    won't be able to overwrite return pointer.
    Developed at m2k14, thanks for the hackathon!
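A toy C model of the two changes described above, added here as an illustration; it is not code from the commits or from gcc. The frame layout, the variable sizes and the `overrun` helper are assumptions, and the orderings are picked by hand rather than randomized.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one stack frame, constructed for illustration; it does not
 * reproduce gcc's real frame layout. Offsets grow toward the saved return
 * pointer, the direction a buffer overrun travels on common architectures. */
#define PTR     sizeof(uintptr_t)
#define NVARS   3
#define RET_HIT (1u << NVARS)
static const size_t var_size[NVARS] = { 16, 8, 8 };   /* buf, a, b */

/* Lay out the locals in `order`, then an optional pointer-sized gap, then
 * the saved return pointer. Write `len` bytes into buf (local 0) with no
 * bounds check and report what was hit: bit i for local i, RET_HIT for
 * the return pointer. */
static unsigned overrun(const int order[NVARS], int gap, size_t len)
{
    unsigned char mem[64] = { 0 };
    size_t off[NVARS], pos = 0, ret_off;
    unsigned hit = 0;

    for (int i = 0; i < NVARS; i++) {
        off[order[i]] = pos;
        pos += var_size[order[i]];
    }
    ret_off = pos + (gap ? PTR : 0);

    if (off[0] + len > sizeof mem)              /* keep the model itself in bounds */
        len = sizeof mem - off[0];
    memset(mem + off[0], 0x41, len);            /* the modelled overrun */
    for (int i = 1; i < NVARS; i++)
        if (memchr(mem + off[i], 0x41, var_size[i]))
            hit |= 1u << i;
    if (memchr(mem + ret_off, 0x41, PTR))
        hit |= RET_HIT;
    return hit;
}

int main(void)
{
    const int a_next[] = { 0, 1, 2 }, b_next[] = { 0, 2, 1 }, buf_last[] = { 1, 2, 0 };
    printf("shuffled:   %#x vs %#x\n", overrun(a_next, 0, 17), overrun(b_next, 0, 17));
    printf("gap off/on: %#x vs %#x\n", overrun(buf_last, 0, 17), overrun(buf_last, 1, 17));
    return 0;
}
```

The same one-byte overrun lands on a different neighbour under each ordering, which is how a bug that was harmless under one fixed layout becomes visible. In this model a write that runs more than a pointer's width past the buffer still reaches the return pointer, so the gap covers only the off-by-one class the commit names.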

Thanks, Martynas, for the great work! Now to recompile tetris(6) for extra-secure network tests...