GCC version number checks are broken, picking suboptimal -fstack-protector arg #447

@berrange

Description

Many of the makefiles have repeated the following check:

```make
CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
```

which is then used to select stack protection flags:

```make
ifeq ($(CC_BELOW_4_9), 1)
    COMMON_FLAGS += -fstack-protector
else
    COMMON_FLAGS += -fstack-protector-strong
endif
```

This `expr` command is broken when the GCC version is 10 or larger.

The presence of the `.` character in the `expr` comparison appears to make it perform a string comparison instead of a numeric comparison. This only works as long as all parts of the version number are single digits. As soon as you have two digits it breaks.

As a result, with GCC >= 10, builds are getting weaker stack protection than expected: they're built with `-fstack-protector` instead of `-fstack-protector-strong`.

Fortunately the NixOS build env for the enclaves only has GCC 9.5.0, so the AE builds have not been weakened, but anyone building non-enclave code on a modern Linux OS is using sub-optimal build args.
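The following shell script is an added example, not code from the project or the issue author: it reproduces the `expr` string comparison on constructed version strings and shows a numeric major.minor comparison that `$(shell ...)` in a makefile could call instead. The function names and the sample versions are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not project code). The version strings below are constructed
# stand-ins for the output of `$(CC) -dumpversion`.

# The check as written in the makefiles. Once a '.' is present, expr compares
# the operands as strings, so "10.2.1" sorts before "4.9" and the result is 1.
# expr exits non-zero when the result is 0, so `|| :` keeps callers simple.
broken_below_4_9() {
    expr "$1" \< "4.9" || :
}

# Numeric replacement: split MAJOR.MINOR on dots and compare as integers.
# Prints 1 if the version is below 4.9, 0 otherwise (same contract as
# CC_BELOW_4_9). Assumes a numeric version, as gcc -dumpversion produces.
numeric_below_4_9() {
    major=${1%%.*}
    rest=${1#*.}
    # A bare major with no dot leaves $rest unchanged; treat minor as 0.
    if [ "$rest" = "$1" ]; then rest=0; fi
    minor=${rest%%.*}
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 9 ]; }; then
        echo 1
    else
        echo 0
    fi
}

# Side-by-side output: the two checks disagree exactly on multi-digit parts.
for v in 4.8.5 4.9 9.5.0 10.2.1; do
    printf '%-8s expr:%s numeric:%s\n' "$v" \
        "$(broken_below_4_9 "$v")" "$(numeric_below_4_9 "$v")"
done
```

Running it shows `10.2.1 expr:1 numeric:0`, i.e. the `expr` form selects the weaker `-fstack-protector` for GCC 10 while the numeric form does not.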
