Problem: Attackers exploiting stack overrun bugs can gain control of an application Fix By: Compiling with -fstack-clash-protection Waive If: Don't Example: FAIL: stack-clash test because -fstack-clash-protection not enabled
This test checks that the application has been compiled with stack clash protection enabled (either gcc’s -fstack-clash-protection or LLVM’s SafeStack attribute. If this feature is not enabled then an attacker could trick the application into overlapping its heap and stack, allowing them to alter both.
Note - if LTO compilation is enabled then this option needs to be provided both when the object files are built and when they are linked together.
For a full explanation of this topic see these blogs:
https://developers.redhat.com/blog/2017/09/25/stack-clash-mitigation-gcc-background
https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3
Note - this test is automatically disabled if the --profile=el7 option is used.
If necessary the test can be disabled via the --skip-stack-clash option and re-enabled via the --test-stack-clash option.