From fda63b8b579aff758ae92e7e1a65a5a480231c6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:33:01 +0000 Subject: [PATCH] nixpkgs docs: stackprotector hardening --- doc/stdenv.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 0c2bb0339578..51a27dcdbc08 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1342,6 +1342,22 @@ in the default system locations. cc1plus: some warnings being treated as errors + + + hardening_stackprotector + Adds the + compiler options. This adds safety checks against stack overwrites + rendering many potential code injection attacks into aborting situations. + In the best case this turns code injection vulnerabilities into denial + of service or into non-issues (depending on the application). + + This needs to be turned off or fixed for errors similar to: + + +bin/blib.a(bios_console.o): In function `bios_handle_cup': +/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + +
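Review bot: The paragraph "This needs to be turned off or fixed for errors similar to:" tells the reader to disable the flag but says neither how to do that nor why the error occurs. The sample failure is a link error, an undefined reference to `__stack_chk_fail` from iPXE's pcbios firmware code, which is the typical case: the compiler inserts calls to `__stack_chk_fail`, and code linked without the libc that normally provides that symbol has nothing to resolve them. Suggest adding one sentence saying so, plus the exact setting a package uses to turn this flag off, which is not visible in this hunk. In the first paragraph, "Adds the compiler options" names no options as the text appears here, so check that the flag names are present and render. The wording "rendering many potential code injection attacks into aborting situations" would read more clearly as a statement that a detected stack overwrite aborts the program.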