public inbox for [email protected]  
help / color / mirror / Atom feed
From: Hans Buschmann <[email protected]>
To: [email protected] <[email protected]>
Subject: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g.  -fcf-protection=full
Date: Tue, 7 Jul 2026 09:59:35 +0000
Message-ID: <[email protected]> (raw)

Some days ago I stumbled over the following Phoronix article with a proposal for Fedora 45:


Fedora 45 Considering x86_64 Shadow Stack Usage By Default<https://www.phoronix.com/news/Fedora-45-Consider-Shadow-Stack;


https://www.phoronix.com/news/Fedora-45-Consider-Shadow-Stack


The background is being discussed in Fedora Wiki:


https://fedoraproject.org/wiki/Changes/ShadowStack


(Fedora 45 is the upcomning release scheduled for fall 2026 short after pg19,, probably carrying GCC 17.x and Postgres 19 with it.)


I exemplary checked both the Fedora provided packages and the PGDG provided packages  of pg18 that they are build with Schadow Stack (SHSTK) and Indirect Branch Tracking  (IBT) activated which is true.


It easily can be checked  (for any image,library,object) with


readelf -n postgres | grep 'IBT\|SHSTK'


BUT:

For a self-compiled version of postgres (e.g. for a different blocksize) these options are not set by default (built with meson on current fedora 44).


To my little understanding of this topic a library missing the compile options disables the checks for all processes loading it.


It may sometimes be necessary that a quick fix of an apparent bug encourages the user to recomple the specific component of postgres. The different compile options result in  that the operating system provided protection can not be guaranteed.


I have discovered this case on x86_64 pg18 on linux built with meson but I don't know if other architectures have similar mitigations enabled in the distributed binaries.


As I am not an experienced C-Programmer, there may be other compile options for other vulnerabilities.


I propose to activate all compiler options as default that are used in the binary releases of postgres, preferrably in both built systems (autoconfigure and meson)


Please consider different operating systems (red hat, debian etc), all supported pg versions, different architectures, different compilers, different built systems etc.



This is also important for a reproducability of the build process.


It is not clearly visible, with which options the releases are build by PGDG. In the course of strict reproducability by the end user (some debian efforts) these options should be documented with every release and activated accordingly in all supported buid systems.


Thank you for investigating!


Hans Buschmann



view thread (6+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected]
  Subject: Re: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g.  -fcf-protection=full
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox