Enable FORTIFY and SP for native builds#9537
Merged
thebentern merged 10 commits intomeshtastic:developfrom Feb 9, 2026
Merged
Conversation
meshtasticd does have an executable stack and is not built with fortify, which makes exploitation of memory corruption bugs easier than it has to be. This enables fortify and a non-executable stack. This gives the following improvements on Debian Trixie: $ checksec --file=./.pio/build/native/meshtasticd RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 13516 Symbols No 0 17 ./.pio/build/native/meshtasticd $ checksec --file=./.pio/build/native/meshtasticd RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 13519 Symbols Yes 12 20 ./.pio/build/native/meshtasticd Tested with --sim mode I do not get any crashes or similar.
github-actions
bot
added
needs-review
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds security hardening flags to native Linux builds (meshtasticd) to make exploitation of memory corruption bugs more difficult. The changes enable FORTIFY_SOURCE level 2 and comprehensive stack protection with canaries.
Changes:
- Added
-D_FORTIFY_SOURCE=2to enable buffer overflow detection at compile-time and runtime - Added
-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4to enable stack canaries on all functions with aggressive 4-byte threshold
meshtasticd does have an executable stack and is not built with fortify, which makes exploitation of memory corruption bugs easier than it has to be. This enables fortify and a non-executable stack. This gives the following improvements on Debian Trixie: $ checksec --file=./.pio/build/native/meshtasticd RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 13516 Symbols No 0 17 ./.pio/build/native/meshtasticd $ checksec --file=./.pio/build/native/meshtasticd RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 13519 Symbols Yes 12 20 ./.pio/build/native/meshtasticd Tested with --sim mode I do not get any crashes or similar.
…htastic-firmware into enablefortifyandnx
Jorropo
changed the title
Jorropo
approved these changes
Feb 5, 2026
Member
Jorropo
left a comment
Jorropo
left a comment
There was a problem hiding this comment.
The title looks wrong, NX should be enabled by default.
I think stack-protector-all enables stack cookies.
This has a CPU performance hit altho meshtastic isn't a performance heavy app.
Imo theses are pretty lame compared to using a memory safe language, but I don't really see a reason to not enable them.
It will cause more crashes, but that in situations where we are doing something bad, and users will hopefully report bugs to us rather than them going unnoticed.
Contributor
Author
|
Sorry yes, my morning brain confused NX and SP. Should I create a new PR? |
Member
|
No need, you can change the title by clicking the edit button to the right of the PR title. 🙂 |
Contributor
Author
|
I think that is no longer possible due to the merge with the current upstream branch. |
Member
|
? shouldn't Do you mean |
meshtasticd does have a stack canaries and is not built with fortify, which makes exploitation of memory corruption bugs easier than it has to be. This enables fortify and stack canaries. This gives the following improvements on Debian Trixie: $ checksec --file=./.pio/build/native/meshtasticd RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 13516 Symbols No 0 17 ./.pio/build/native/meshtasticd $ checksec --file=./.pio/build/native/meshtasticd RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 13519 Symbols Yes 12 20 ./.pio/build/native/meshtasticd Tested with --sim mode I do not get any crashes or similar.
…htastic-firmware into enablefortifyandnx
Jorropo
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
meshtasticd does have an executable stack and is not built with fortify, which makes exploitation of memory corruption bugs easier than it has to be. This enables fortify and a non-executable stack.
This gives the following improvements on Debian Trixie:
$ checksec --file=./.pio/build/native/meshtasticd
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 13516 Symbols No 0 17 ./.pio/build/native/meshtasticd
$ checksec --file=./.pio/build/native/meshtasticd
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 13519 Symbols Yes 12 20 ./.pio/build/native/meshtasticd
Tested with --sim mode I do not get any crashes or similar.
🤝 Attestations