[arch-dev-public] Add -fstack-protector{-all} to default CFLAGS?

Jan de Groot jan at jgc.homeip.net
Wed May 12 02:49:53 EDT 2010


On Wed, 2010-05-12 at 12:35 +1000, Allan McRae wrote:
> Hi,
> 
> We have a bug report asking to enable stack-smashing protection in our 
> package building.  Looking at the overhead estimates by other distros 
> that use it, overall it appears fairly minimal (OpenBSD says 1.3% on 
> average).  There used to be some build issues (see bottom of this page 
> for Ubuntu report: https://wiki.ubuntu.com/GccSsp), but I am not sure of 
> the current status.  Also, it can be disabled with -fno-stack-protector 
> if needed.
> 
> I am in favour of doing this.  I think adding -fstack-protector is 
> enough as that adds protection to only functions "vulnerable" to buffer 
> overflows (as defined by gcc...  mainly character arrays) while 
> -fstack-protector-all adds it to all functions.
> 
> We should maybe also add -D_FORTIFY_SOURCE=2.  This detects some buffer 
> overflows at compile time and others at run time.  It was designed to have 
> minimal runtime overhead.
> 
> Any opinions?

Given the fact that GCC 4.5 produces broken binaries with software that
needs -fno-strict-aliasing (busybox comes to mind, but also others), I
don't think it's good to introduce such a change now. Our toolchain
should get fixed before we attempt to add more features to our compiler
flags.
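
The two checks proposed in the quoted message can be modelled in portable C. This is an added illustration, not code from the thread or from Arch's tooling: the frame layout, `GUARD`, `RET_ADDR` and the function names are all constructed, and a real build aborts the process where this model returns an error code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD    0x5afe5afe5afe5afeULL /* constructed; a real guard is chosen at program start */
#define RET_ADDR 0x401000ULL           /* constructed stand-in for a saved return address */

/* Model of a protected frame: the canary sits between the buffer and the return address. */
struct frame { char buf[16]; uint64_t canary; uint64_t saved_ret; };

enum result { COPY_OK, SMASH_DETECTED, FORTIFY_ABORT };

/* -fstack-protector model: the copy itself is unchecked; the canary is compared
   in the epilogue, before saved_ret would be used. */
enum result ssp_copy(const char *src, size_t n, uint64_t *ret_seen)
{
    struct frame f = { {0}, GUARD, RET_ADDR };
    if (n > sizeof f) n = sizeof f;     /* keep the model inside its own struct */
    memcpy(&f, src, n);                 /* linear write starting at f.buf */
    *ret_seen = f.saved_ret;
    return f.canary == GUARD ? COPY_OK : SMASH_DETECTED;
}

/* _FORTIFY_SOURCE model: the destination size is known, so the length is
   checked before any byte is written. */
enum result fortify_copy(const char *src, size_t n)
{
    struct frame f = { {0}, GUARD, RET_ADDR };
    if (n > sizeof f.buf) return FORTIFY_ABORT;
    memcpy(f.buf, src, n);
    return f.canary == GUARD ? COPY_OK : SMASH_DETECTED;
}

int main(void)
{
    char in[32];                        /* constructed input: 32 'A' bytes */
    uint64_t ret = 0;
    memset(in, 'A', sizeof in);
    enum result r16 = ssp_copy(in, 16, &ret);
    enum result r20 = ssp_copy(in, 20, &ret);
    printf("ssp: 16 bytes -> %d, 20 bytes -> %d, return address intact: %d\n",
           r16, r20, ret == RET_ADDR);
    printf("fortify: 20 bytes -> %d\n", fortify_copy(in, 20));
    return 0;
}
```

The canary check fires only after the buffer has already been overrun, while the fortify-style check refuses the copy up front; that is why the two flags complement each other.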


