Fstack-protector-all flag is not found in Expo apps

Please provide the following:

  1. SDK Version: 34
  2. Platforms(Android/iOS/web/all): iOS

Our security team encountered a security vulnerability in our Expo app where the Fstack-protector-all flag is not found. This means the app is not compiled with the Stack Smashing Protector (SSP) flag. This is basically a protection against the possibility of overrunning a buffer on a function’s stack.

The basic idea behind stack protection is to push a “canary” (a randomly chosen integer) on the stack just after the function return pointer has been pushed. The canary value is then checked before the function returns; if it has changed, the program will abort.

To solve this problem, GCC has an option to turn on “-fstack-protector”.
The Expo documentation does not mention this flag in the app.json.
Is there a way for us to make a build with this flag on?
If not, is there a plan to integrate it in the future?

Hi

To be clear, this is not a vulnerability, but rather the lack of a sort of safety-net.

Have you ejected your app? If so then I think you can add the fstack-protector-all flag in the Xcode build settings, but I’m not sure this will be sufficient. You might need to build (Expo’s fork of) React Native from scratch.

If your app is not ejected I think it might be best to post this as a feature request here:

https://expo.canny.io/feature-requests
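
An added example, not part of the original thread: a heuristic check of an unpacked `.app` bundle that reports, per Mach-O file (app binary and embedded frameworks alike), whether it references the stack-protector runtime symbols. It assumes the IPA has already been unzipped; the bundle path is whatever you pass on the command line.

```python
"""Heuristic: which Mach-O files in an unpacked .app reference the
stack-protector runtime symbols? (Added example; byte search, not a full parser.)"""
import os
import sys

# First four bytes of thin (32/64-bit, either byte order) and fat Mach-O files.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
# Names imported by compiled code when at least one function has a canary check
# (Mach-O prefixes C symbols with an extra underscore).
CANARY_SYMBOLS = (b"___stack_chk_fail", b"___stack_chk_guard")


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def has_canary_symbols(path):
    """True if either stack-protector symbol name occurs in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(sym in data for sym in CANARY_SYMBOLS)


def scan_bundle(bundle_dir):
    """Return {relative_path: bool} for every Mach-O file under bundle_dir."""
    results = {}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not is_macho(path):
                continue
            results[os.path.relpath(path, bundle_dir)] = has_canary_symbols(path)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_canary.py <path to unpacked .app>")
    report = scan_bundle(sys.argv[1])
    for rel, ok in sorted(report.items()):
        print(f"{'canary   ' if ok else 'NO canary'}  {rel}")
    sys.exit(0 if all(report.values()) else 1)
```

A framework listed as `NO canary` has no function with a canary check, which is how a prebuilt dependency shows up when only the app target was rebuilt with the flag.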
