[arch-dev-public] Add -fstack-protector{-all} to default CFLAGS?

Allan McRae allan at archlinux.org
Tue May 11 22:35:30 EDT 2010


We have a bug report asking to enable stack-smashing protection in our 
package building.  Looking at the overhead estimates by other distros 
that use it, overall it appears fairly minimal (OpenBSD says 1.3% on 
average).  There used to be some build issues (see bottom of this page 
for Ubuntu report: https://wiki.ubuntu.com/GccSsp), but I am not sure of 
the current status.  Also, it can be disabled with -fno-stack-protector 
if needed.

I am in favour of doing this.  I think adding -fstack-protector is 
enough as that adds protection to only functions "vulnerable" to buffer 
overflows (as defined by gcc...  mainly character arrays) while 
-fstack-protector-all adds it to all functions.

We should maybe also add -D_FORTIFY_SOURCE=2.  This detects some buffer 
overflows compile time and others at run time.  It was designed to have 
minimal runtime overhead.

Any opinions?


More information about the arch-dev-public mailing list