| From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
|---|---|
| To: | Hans Buschmann <buschmann(at)nidsa(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g. -fcf-protection=full |
| Date: | 2026-07-07 12:25:49 |
| Message-ID: | bef61bf1-ba50-420e-a94e-564663f0a0f2@eisentraut.org |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 07.07.26 11:59, Hans Buschmann wrote:
> Some days ago I stumbled over the following Phoronix article with a
> proposal for Fedora 45:
>
> Fedora 45 Considering x86_64 Shadow Stack Usage By Default <https://
> www.phoronix.com/news/Fedora-45-Consider-Shadow-Stack>
> I exemplary checked both the Fedora provided packages and the PGDG
> provided packages of pg18 that they are build with Schadow Stack
> (SHSTK) and Indirect Branch Tracking (IBT) activated which is true.
> It may sometimes be necessary that a quick fix of an apparent bug
> encourages the user to recomple the specific component of postgres. The
> different compile options result in that the operating system provided
> protection can not be guaranteed.
>
> I have discovered this case on x86_64 pg18 on linux built with meson but
> I don't know if other architectures have similar mitigations enabled in
> the distributed binaries.
>
> As I am not an experienced C-Programmer, there may be other compile
> options for other vulnerabilities.
>
> I propose to activate all compiler options as default that are used in
> the binary releases of postgres, preferrably in both built systems
> (autoconfigure and meson)
>
> Please consider different operating systems (red hat, debian etc), all
> supported pg versions, different architectures, different compilers,
> different built systems etc.
I don't think this would be a good direction. Distributions are in many
cases better placed to decide when and how to activate certain
protections. The case you point out here is a good example. The
-fcf-protection option was already activated in Fedora 28, but it is
only now that they are considering switching over the base layers of the
OS to activate this facility. It would be unreasonable to expect
PostgreSQL and any other open-source project to track this and sync up
with this. Consider this to see the amount of information that would
need to be tracked and implemented:
https://github.com/jvoisin/compiler-flags-distro
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2026-07-07 12:39:02 | Re: Mark class_descr strings for translation |
| Previous Message | Robert Haas | 2026-07-07 12:07:14 | Re: implement CAST(expr AS type FORMAT 'template') |