Enable DEP and ASLR

Enable DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) support. This applies to both 32bit and 64bit builds and makes it substantially harder to exploit security holes in Git by offering a much more unpredictable attack surface. ASLR interferes with GDB's ability to set breakpoints. A similar issue holds true when compiling with -O2 (in which case single-stepping is messed up because GDB cannot map the code back to the original source code properly). Therefore we simply enable ASLR only when an optimization flag is present in the CFLAGS, using it as an indicator that the developer does not want to debug in GDB anyway. Signed-off-by: İsmail Dönmez <ismail@i10z.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
git-for-windows · Jun 9, 2016 · 4e3f6ef · 4e3f6ef
1 parent 6637a1c
commit 4e3f6ef
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/config.mak.uname b/config.mak.uname
@@ -547,6 +547,12 @@ else
 	ifeq ($(shell expr "$(uname_R)" : '2\.'),2)
 		# MSys2
 		prefix = /usr/
+		# Enable DEP
+		BASIC_LDFLAGS += -Wl,--nxcompat
+		# Enable ASLR (unless debugging)
+		ifneq (,$(findstring -O,$(CFLAGS)))
+			BASIC_LDFLAGS += -Wl,--dynamicbase
+		endif
 		ifeq (MINGW32,$(MSYSTEM))
 			prefix = /mingw32
 			BASIC_LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup