NixOS · philiptaron · May 26, 2025 · Apr 7, 2025 · Apr 13, 2025 · Apr 20, 2025
diff --git a/doc/release-notes/rl-2511.section.md b/doc/release-notes/rl-2511.section.md
@@ -15,7 +15,7 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
+- New hardening flags, `strictflexarrays1` and `strictflexarrays3` were made available, corresponding to the gcc/clang options `-fstrict-flex-arrays=1` and `-fstrict-flex-arrays=3` respectively.
 
 ## Nixpkgs Library {#sec-nixpkgs-release-25.11-lib}
 

diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
@@ -1620,6 +1620,22 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
 Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
 If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
 
+#### `strictflexarrays1` {#strictflexarrays1}
+
+This flag adds the `-fstrict-flex-arrays=1` compiler option, which reduces the cases the compiler treats as "flexible arrays" to those declared with length `[1]`, `[0]` or (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.
+
+Enabling this flag on packages that still use length declarations of flexible arrays >1 may cause the package to fail to compile citing accesses beyond the bounds of an array or even crash at runtime by detecting an array access as an "overrun". Few projects still use length declarations of flexible arrays >1.
+
+Disabling `strictflexarrays1` implies disablement of `strictflexarrays3`.
+
+#### `strictflexarrays3` {#strictflexarrays3}
+
+This flag adds the `-fstrict-flex-arrays=3` compiler option, which reduces the cases the compiler treats as "flexible arrays" to only those declared with length as (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.
+
+Enabling this flag on packages that still use non-empty length declarations for flexible arrays may cause the package to fail to compile citing accesses beyond the bounds of an array or even crash at runtime by detecting an array access as an "overrun". Many projects still use such non-empty length declarations for flexible arrays.
+
+Enabling this flag implies enablement of `strictflexarrays1`. Disabling this flag does not imply disablement of `strictflexarrays1`.
+
 #### `shadowstack` {#shadowstack}
 
 Adds the `-fcf-protection=return` compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program's stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -10,6 +10,7 @@ for flag in ${NIX_HARDENING_ENABLE_@suffixSalt@-}; do
   hardeningEnableMap["$flag"]=1
 done
 
+
 # fortify3 implies fortify enablement - make explicit before
 # we filter unsupported flags because unsupporting fortify3
 # doesn't mean we should unsupport fortify too
@@ -31,8 +32,31 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
   unset -v "hardeningEnableMap['fortify']"
 fi
 
+
+# strictflexarrays3 implies strictflexarrays1 enablement - make explicit before
+# we filter unsupported flags because unsupporting strictflexarrays3
+# doesn't mean we should unsupport strictflexarrays1 too
+if [[ -n "${hardeningEnableMap[strictflexarrays3]-}" ]]; then
+  hardeningEnableMap["strictflexarrays1"]=1
+fi
+
+# Remove unsupported flags.
+for flag in @hardening_unsupported_flags@; do
+  unset -v "hardeningEnableMap[$flag]"
+  # strictflexarrays1 being unsupported implies strictflexarrays3 is unsupported
+  if [[ "$flag" = 'strictflexarrays1' ]] ; then
+    unset -v "hardeningEnableMap['strictflexarrays3']"
+  fi
+done
+
+# now make strictflexarrays1 and strictflexarrays3 mutually exclusive
+if [[ -n "${hardeningEnableMap[strictflexarrays3]-}" ]]; then
+  unset -v "hardeningEnableMap['strictflexarrays1']"
+fi
+
+
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pie pic strictoverflow format trivialautovarinit zerocallusedregs)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.
@@ -79,6 +103,14 @@ for flag in "${!hardeningEnableMap[@]}"; do
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling shadowstack >&2; fi
       hardeningCFlagsBefore+=('-fcf-protection=return')
       ;;
+    strictflexarrays1)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictflexarrays1 >&2; fi
+      hardeningCFlagsBefore+=('-fstrict-flex-arrays=1')
+      ;;
+    strictflexarrays3)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictflexarrays3 >&2; fi
+      hardeningCFlagsBefore+=('-fstrict-flex-arrays=3')
+      ;;
     pacret)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pacret >&2; fi
       hardeningCFlagsBefore+=('-mbranch-protection=pac-ret')

diff --git a/pkgs/by-name/da/dash/package.nix b/pkgs/by-name/da/dash/package.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation (finalAttrs: {
   depsBuildBuild = [ buildPackages.stdenv.cc ];
   buildInputs = [ libedit ];
 
+  hardeningDisable = [ "strictflexarrays3" ];
+
   configureFlags = [ "--with-libedit" ];
   preConfigure = lib.optional stdenv.hostPlatform.isStatic ''
     export LIBS="$(''${PKG_CONFIG:-pkg-config} --libs --static libedit)"

diff --git a/pkgs/by-name/el/elfutils/package.nix b/pkgs/by-name/el/elfutils/package.nix
@@ -117,6 +117,8 @@ stdenv.mkDerivation rec {
 
   propagatedNativeBuildInputs = [ setupDebugInfoDirs ];
 
+  hardeningDisable = [ "strictflexarrays3" ];
+
   configureFlags =
     [
       "--program-prefix=eu-" # prevent collisions with binutils

diff --git a/pkgs/by-name/gd/gdbm/package.nix b/pkgs/by-name/gd/gdbm/package.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation (finalAttrs: {
 
   nativeBuildInputs = [ updateAutotoolsGnuConfigScriptsHook ];
 
+  hardeningDisable = [ "strictflexarrays3" ];
+
   configureFlags = [ (lib.enableFeature true "libgdbm-compat") ];
 
   outputs = [

diff --git a/pkgs/by-name/li/libarchive/package.nix b/pkgs/by-name/li/libarchive/package.nix
@@ -123,6 +123,8 @@ stdenv.mkDerivation (finalAttrs: {
     acl
   ];
 
+  hardeningDisable = [ "strictflexarrays3" ];
+
   configureFlags = lib.optional (!xarSupport) "--without-xml2";
 
   preBuild = lib.optionalString stdenv.hostPlatform.isCygwin ''

diff --git a/pkgs/by-name/li/libgcrypt/package.nix b/pkgs/by-name/li/libgcrypt/package.nix
@@ -32,10 +32,16 @@ stdenv.mkDerivation rec {
     "out"
   ];
 
-  # The CPU Jitter random number generator must not be compiled with
-  # optimizations and the optimize -O0 pragma only works for gcc.
-  # The build enables -O2 by default for everything else.
-  hardeningDisable = lib.optional stdenv.cc.isClang "fortify";
+  hardeningDisable =
+    [
+      "strictflexarrays3"
+    ]
+    ++ lib.optionals stdenv.cc.isClang [
+      # The CPU Jitter random number generator must not be compiled with
+      # optimizations and the optimize -O0 pragma only works for gcc.
+      # The build enables -O2 by default for everything else.
+      "fortify"
+    ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 

diff --git a/pkgs/by-name/li/libgpg-error/package.nix b/pkgs/by-name/li/libgpg-error/package.nix
@@ -36,6 +36,8 @@ stdenv.mkDerivation (
       sed '/BUILD_TIMESTAMP=/s/=.*/=1970-01-01T00:01+0000/' -i ./configure
     '';
 
+    hardeningDisable = [ "strictflexarrays3" ];
+
     configureFlags = [
       # See https://dev.gnupg.org/T6257#164567
       "--enable-install-gpg-error-config"

diff --git a/pkgs/by-name/li/libksba/package.nix b/pkgs/by-name/li/libksba/package.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
   propagatedBuildInputs = [ libgpg-error ];
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 
+  hardeningDisable = [ "strictflexarrays3" ];
+
   configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" ];
 
   postInstall = ''

diff --git a/pkgs/by-name/li/libtpms/package.nix b/pkgs/by-name/li/libtpms/package.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-YKs/XYJ8UItOtSinl28/G9XFVzobFd4ZDKtClQDLXFk=";
   };
 
+  hardeningDisable = [ "strictflexarrays3" ];
+
   nativeBuildInputs = [
     autoreconfHook
     pkg-config

diff --git a/pkgs/by-name/un/unzip/package.nix b/pkgs/by-name/un/unzip/package.nix
@@ -16,7 +16,10 @@ stdenv.mkDerivation rec {
     sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
   };
 
-  hardeningDisable = [ "format" ];
+  hardeningDisable = [
+    "format"
+    "strictflexarrays3"
+  ];
 
   patchFlags = [
     "-p1"

diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
@@ -428,6 +428,10 @@ pipe
             "fortify3"
             "trivialautovarinit"
           ]
+          ++ optionals (!atLeast13) [
+            "strictflexarrays1"
+            "strictflexarrays3"
+          ]
           ++ optional (
             !(targetPlatform.isLinux && targetPlatform.isx86_64 && targetPlatform.libc == "glibc")
           ) "shadowstack"

diff --git a/pkgs/development/compilers/llvm/common/clang/default.nix b/pkgs/development/compilers/llvm/common/clang/default.nix
@@ -299,6 +299,8 @@ stdenv.mkDerivation (
         ++ lib.optional (
           (lib.versionOlder release_version "15") || !(targetPlatform.isx86_64 || targetPlatform.isAarch64)
         ) "zerocallusedregs"
+        ++ lib.optional (lib.versionOlder release_version "15") "strictflexarrays1"
+        ++ lib.optional (lib.versionOlder release_version "16") "strictflexarrays3"
         ++ (finalAttrs.passthru.hardeningUnsupportedFlags or [ ]);
     };
 

diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
@@ -64,6 +64,7 @@ in
       "fortify"
       "pie"
       "stackprotector"
+      "strictflexarrays3"
     ];
 
     env = (previousAttrs.env or { }) // {

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
@@ -33,6 +33,7 @@ let
     optionalAttrs
     optionalString
     optionals
+    pipe
     remove
     splitString
     subtractLists
@@ -159,6 +160,8 @@ let
     "format"
     "fortify"
     "fortify3"
+    "strictflexarrays1"
+    "strictflexarrays3"
     "shadowstack"
     "nostrictaliasing"
     "pacret"
@@ -356,14 +359,18 @@ let
         ) == 0;
       dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
 
-      hardeningDisable' =
-        if
-          any (x: x == "fortify") hardeningDisable
-        # disabling fortify implies fortify3 should also be disabled
-        then
-          unique (hardeningDisable ++ [ "fortify3" ])
-        else
-          hardeningDisable;
+      concretizeFlagImplications =
+        flag: impliesFlags: list:
+        if any (x: x == flag) list then (list ++ impliesFlags) else list;
+
+      hardeningDisable' = unique (
+        pipe hardeningDisable [
+          # disabling fortify implies fortify3 should also be disabled
+          (concretizeFlagImplications "fortify" [ "fortify3" ])
+          # disabling strictflexarrays1 implies strictflexarrays3 should also be disabled
+          (concretizeFlagImplications "strictflexarrays1" [ "strictflexarrays3" ])
+        ]
+      );
       defaultHardeningFlags =
         (if stdenv.hasCC then stdenv.cc else { }).defaultHardeningFlags or
         # fallback safe-ish set of flags

diff --git a/pkgs/test/cc-wrapper/flex-arrays-fortify-example.c b/pkgs/test/cc-wrapper/flex-arrays-fortify-example.c
@@ -0,0 +1,33 @@
+/* an example that should be protected by FORTIFY_SOURCE=2 but
+ * only if the appropriate -fstrict-flex-arrays= argument is used
+ * for the corresponding value used for BUFFER_DEF_SIZE
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+struct buffer_with_header {
+    char header[1];
+    char buffer[BUFFER_DEF_SIZE];
+};
+
+int main(int argc, char *argv[]) {
+    /* use volatile pointer to prevent compiler
+     * using the outer allocation length with a
+     * fortified strcpy, which would throw off
+     * the function-name-sniffing fortify-detecting
+     * approaches
+     */
+    struct buffer_with_header *volatile b = \
+      (struct buffer_with_header *)malloc(sizeof(struct buffer_with_header)+1);
+
+    /* if there are no arguments, skip the write to allow
+     * builds with BUFFER_DEF_SIZE=0 to have a case where
+     * the program passes even with strict protection.
+     */
+    if (argc > 1) {
+        strcpy(b->buffer, argv[1]);
+        puts(b->buffer);
+    }
+    return 0;
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -123,6 +123,8 @@ stdenv.mkDerivation (finalAttrs: { @@
         acl
       ];
+      hardeningDisable = [ "strictflexarrays3" ];
       configureFlags = lib.optional (!xarSupport) "--without-xml2";
       preBuild = lib.optionalString stdenv.hostPlatform.isCygwin ''
@@ Expand Down @@