[arch-dev-public] Add -fstack-protector{-all} to default CFLAGS?
Allan McRae
allan at archlinux.org
Tue May 11 22:35:30 EDT 2010
Hi,
We have a bug report asking to enable stack-smashing protection in our
package building. Looking at the overhead estimates by other distros
that use it, overall it appears fairly minimal (OpenBSD says 1.3% on
average). There used to be some build issues (see bottom of this page
for Ubuntu report: https://wiki.ubuntu.com/GccSsp), but I am not sure of
the current status. Also, it can be disabled with -fno-stack-protector
if needed.
I am in favour of doing this. I think adding -fstack-protector is
enough as that adds protection to only functions "vulnerable" to buffer
overflows (as defined by gcc... mainly character arrays) while
-fstack-protector-all adds it to all functions.
We should maybe also add -D_FORTIFY_SOURCE=2. This detects some buffer
overflows compile time and others at run time. It was designed to have
minimal runtime overhead.
Any opinions?
Allan
More information about the arch-dev-public
mailing list