R: disable stack protector on aarch64-darwin #158992
The correct fix for this is #151983, since it is a
@collares this does fix the issue I was running into -- what are the possible repercussions of disabling stack protector hardening?
Disabling the stack protector is a bad idea if you run R on malicious inputs that could cause buffer/stack overflows through exploiting R security bugs. If you're not worried about R security bugs (because you only run code you trust, say), you should be good. See https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html for more details.
Isn't malicious R code a problem on its own without stack smashing? I guess there could be about maliciously crafted input data to attack the standard library functions or something like that.
This builds and runs fine on x86_darwin.
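To see which rebuilt libraries actually lost the canary after a change like this one, a reviewer can look for the stack protector's failure handler in each library's symbol table. The script below is an added example, not part of this PR or of nixpkgs; the function names are hypothetical, the sample `nm` output is constructed, and it assumes `nm` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the PR): detect stack-protector instrumentation
# from symbol tables. Function names here are hypothetical.

# classify_symbols: read `nm` output on stdin and print "protected" when the
# canary failure handler is referenced, else "unprotected".
# ELF names it __stack_chk_fail (optionally with an @VERSION suffix);
# Mach-O on Darwin adds one leading underscore: ___stack_chk_fail.
classify_symbols() {
    awk '
        { sym = $NF }    # nm prints the symbol name as the last field
        sym ~ /^_?__stack_chk_fail(@.*)?$/ { found = 1 }
        END { print (found ? "protected" : "unprotected") }
    '
}

# check_file PATH: classify one object; exit status 0 only when protected.
# `nm -D` covers stripped ELF files; errors from either call are ignored.
check_file() {
    result=$({ nm "$1"; nm -D "$1"; } 2>/dev/null | classify_symbols)
    printf '%s\t%s\n' "$result" "$1"
    [ "$result" = "protected" ]
}

# scan_tree DIR: classify every shared library under a build output.
# "unprotected" can also mean no function in the file needed a canary,
# so compare against the same library built with the flag enabled.
scan_tree() {
    find "$1" -type f \( -name '*.so' -o -name '*.dylib' \) |
    while IFS= read -r lib; do
        check_file "$lib" || true
    done
}

# Constructed nm output for two Mach-O builds of the same library.
SAMPLE_WITH_SSP='                 U ___stack_chk_fail
                 U ___stack_chk_guard
                 U _memcpy
0000000000003f50 T _example_fn'
SAMPLE_WITHOUT_SSP='                 U _memcpy
0000000000003f50 T _example_fn'

printf 'with flag:    %s\n' "$(printf '%s\n' "$SAMPLE_WITH_SSP" | classify_symbols)"
printf 'without flag: %s\n' "$(printf '%s\n' "$SAMPLE_WITHOUT_SSP" | classify_symbols)"
```

Calling `scan_tree ./result` on a build output lists each `.so` and `.dylib` with its classification.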
Some derivations, like `rPackages.KernSmooth`, fail to build on `aarch64-darwin` because `stackprotector` is enabled. This is similar to the fix required to get R itself working on `aarch64-darwin`: NixOS#158992.
Motivation for this change
An attempt at fixing #158730, copied from #128606. I don't have an aarch64-darwin machine to test it on, but ofBorg seems happy.
cc @ConnorBaker
Things done
sandbox = true set in nix.conf? (See Nix manual)
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
./result/bin/)
nixos/doc/manual/md-to-db.sh to update generated release notes