[arch-dev-public] Add -fstack-protector{-all} to default CFLAGS?
Thomas Bächler
thomas at archlinux.org
Wed May 12 03:29:54 EDT 2010
Am 12.05.2010 09:15, schrieb Allan McRae:
> On 12/05/10 16:49, Jan de Groot wrote:
>> On Wed, 2010-05-12 at 12:35 +1000, Allan McRae wrote:
>>> Hi,
>>>
>>> We have a bug report asking to enable stack-smashing protection in our
>>> package building. Looking at the overhead estimates by other distros
>>> that use it, overall it appears fairly minimal (OpenBSD says 1.3% on
>>> average). There used to be some build issues (see bottom of this page
>>> for Ubuntu report: https://wiki.ubuntu.com/GccSsp), but I am not sure of
>>> the current status. Also, it can be disabled with -fno-stack-protector
>>> if needed.
>>>
>>> I am in favour of doing this. I think adding -fstack-protector is
>>> enough as that adds protection to only functions "vulnerable" to buffer
>>> overflows (as defined by gcc... mainly character arrays) while
>>> -fstack-protector-all adds it to all functions.
>>>
>>> We should maybe also add -D_FORTIFY_SOURCE=2. This detects some buffer
>>> overflows compile time and others at run time. It was designed to have
>>> minimal runtime overhead.
>>>
>>> Any opinions?
>>
>> Given the fact that GCC 4.5 produces broken binaries with software that
>> needs -fno-strict-aliasing (busybox comes to mind, but also others), I
>> don't think it's good to introduce such a change now. Our toolchain
>> should get fixed before we attempt to add more features to our compiler
>> flags.
>>
>
> There is a fix on the gcc bug tracker but I am waiting for it to be
> backported to gcc-4.5. If it has not been done by the next toolchain
> rebuild (I expect in the next week), I will backport it myself.
Yeah, but there's even more breakage in busybox as you might have
noticed, unrelated to that fix.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20100512/6b67579e/attachment.bin>
More information about the arch-dev-public
mailing list