From 781b42b87dfb3c970583b9107364f91789e97b0b Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Tue, 1 Apr 2025 21:12:32 +0100
Subject: [PATCH] cc-wrapper: add nostrictaliasing hardening flag support
this equates to -fno-strict-aliasing this is not a particularly new flag and is supported by all our gcc and clang versions. add to pkgsExtraHardening's defaultHardeningFlags.
---
 doc/stdenv/stdenv.chapter.md | 4 ++++
 nixos/doc/manual/release-notes/rl-2505.section.md | 2 ++
 pkgs/build-support/cc-wrapper/add-hardening.sh | 6 +++++-
 pkgs/stdenv/generic/make-derivation.nix | 1 +
 pkgs/top-level/stage.nix | 1 +
 5 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
index 80059a78733c..bf8048a3a789 100644
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -1568,6 +1568,10 @@ This flag adds the `-fstack-clash-protection` compiler option, which causes grow
 The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
+#### `nostrictaliasing` {#nostrictaliasing}
+
+This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.
+
 #### `pie` {#pie}
 This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 16b9677ce907..2bdb63c2c76f 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -462,6 +462,8 @@
 - `services.avahi.ipv6` now defaults to true.
+- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
+
 - In the `services.xserver.displayManager.startx` module, two new options [generateScript](#opt-services.xserver.displayManager.startx.generateScript) and [extraCommands](#opt-services.xserver.displayManager.startx.extraCommands) have been added to to declaratively configure the .xinitrc script.
 - All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 4440d99ccaba..9fed30303ab8 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
- declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+ declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
 declare -A hardeningDisableMap=()
 # Determine which flags were effectively disabled so we can report below.
@@ -91,6 +91,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stack-clash-protection >&2; fi
 hardeningCFlagsBefore+=('-fstack-clash-protection')
 ;;
+ nostrictaliasing)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling nostrictaliasing >&2; fi
+ hardeningCFlagsBefore+=('-fno-strict-aliasing')
+ ;;
 pie)
 # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
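Review bot: `allHardeningFlags` in the `NIX_DEBUG` block is a second copy of the flag list that hunk `@@ -119` of pkgs/stdenv/generic/make-derivation.nix also extends, and nothing in the script checks that the two copies agree, so a flag added to one and not the other silently drops out of either the debug report or (presumably) the known-flag validation on the Nix side. A comment on the declaration, `# keep in sync with the hardening flag list in pkgs/stdenv/generic/make-derivation.nix`, would at least point the next contributor at the other copy. Since this list only feeds the `hardeningDisableMap` report described by the comment below it and does not decide which flags are applied, the risk of drift is to diagnostics rather than to codegen.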
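Review bot: The new `nostrictaliasing)` arm differs in kind from its neighbours and does not say so: `-fno-strict-aliasing` adds no runtime check, it only stops the optimizer from acting on the assumption that the package's own code respects the aliasing rules, so latent type-punning bugs become deterministic rather than being detected. A one-line comment above `hardeningCFlagsBefore+=('-fno-strict-aliasing')`, such as `# not a runtime mitigation: only prevents optimizations that exploit aliasing UB in the package's own code`, would stop readers from expecting it to guard input the way a stack protector does. Putting it in `hardeningCFlagsBefore` lets a package's own later `-fstrict-aliasing` win, which matches the other arms, so that placement looks intended. If any compiler other than gcc/clang is wrapped by this script, the wrapper's hardening_unsupported_flags mechanism is presumably where this flag would need filtering; I cannot confirm from this diff whether such a compiler exists. The enclosing `case` and the `for flag in "${!hardeningEnableMap[@]}"` loop both start and end outside the hunk.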
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 22338e9983ff..8ecdb6879740 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -119,6 +119,7 @@ let
 "fortify"
 "fortify3"
 "shadowstack"
+ "nostrictaliasing"
 "pacret"
 "pic"
 "pie"
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix
index bd0dcf9e0473..d953741b4579 100644
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -420,6 +420,7 @@ let
 super'.stdenv.cc.defaultHardeningFlags
 ++ [
 "shadowstack"
+ "nostrictaliasing"
 "pacret"
 "trivialautovarinit"
 ]