On Thu, 17 Sep 2015 11:07:37 +0300
Alexander Todorov <atodorov@xxxxxxxxxx> wrote:

> Can somebody comment on the -fstack-protector-all vs
> -fstack-protector-strong issue ? Do we want to change the default for
> %__global_cflags in /usr/lib/rpm/redhat/macros ?

-all is not needed, -strong is the right balance between security and
performance. For example

    int add(int a, int b)
    {
        return a+b;
    }

Does that need a stack canary? This is the nature of why some functions
don't get a canary. Whenever knowledge of a stack frame is passed as a
pointer to a function, then -strong will kick in and do a stack check on
return.

To know if the right thing is being done is hard to script. You really
need to see what flags are passed to each source file being compiled. You
just can't get at that from readelf.

-Steve
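
One way to check the flags passed to each source file, as the message suggests, is to audit the build log instead of the binary. This is an added example, not part of the original message or of any Fedora tooling. It assumes the log shows full compiler command lines and that the last stack-protector option on a line wins, as in GCC and Clang. The sample log and its file names are constructed.

```python
import shlex

# Effective level per option. Assumption: as in GCC and Clang, the last
# stack-protector option on a command line overrides the earlier ones.
LEVELS = {
    "-fno-stack-protector": "none",
    "-fstack-protector": "basic",
    "-fstack-protector-explicit": "explicit",
    "-fstack-protector-strong": "strong",
    "-fstack-protector-all": "all",
}
COMPILERS = {"cc", "c++", "gcc", "g++", "clang", "clang++"}
SOURCE_EXT = (".c", ".cc", ".cpp", ".cxx")

def audit_build_log(log_text):
    """Map each compiled source file to its effective stack-protector level."""
    report = {}
    for line in log_text.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a parsable command line
            continue
        # Skip wrapper prefixes such as "libtool: compile:" before the compiler.
        start = next((i for i, a in enumerate(argv)
                      if a.rsplit("/", 1)[-1] in COMPILERS), None)
        if start is None or "-c" not in argv[start:]:
            continue  # not a compile step (link line, configure output, ...)
        args = argv[start + 1:]
        level = "unset"  # no option given: the compiler's built-in default applies
        for arg in args:
            level = LEVELS.get(arg, level)
        for arg in args:
            if arg.endswith(SOURCE_EXT) and not arg.startswith("-"):
                report[arg] = level
    return report

def below_strong(report):
    """Source files not explicitly built with -strong or -all."""
    return sorted(f for f, lvl in report.items() if lvl not in ("strong", "all"))

# Constructed sample build log (hypothetical file names).
SAMPLE_LOG = """\
gcc -O2 -g -fstack-protector-strong -c add.c -o add.o
gcc -O2 -g -fstack-protector-strong -fno-stack-protector -c fast.c -o fast.o
libtool: compile:  gcc -O2 -fstack-protector-all -fstack-protector-strong -c parse.c -o parse.o
/usr/bin/cc -O2 -c plain.c -o plain.o
gcc -o prog add.o fast.o parse.o plain.o
"""
```

On the sample log, below_strong(audit_build_log(SAMPLE_LOG)) returns ['fast.c', 'plain.c']: one file where a later -fno-stack-protector overrides the distribution flag, and one compiled with no stack-protector option at all.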