On 17.09.2015 at 13:34, Steve Grubb wrote:
> On Thu, 17 Sep 2015 11:07:37 +0300
> Alexander Todorov <atodorov@xxxxxxxxxx> wrote:
> > Can somebody comment on the -fstack-protector-all vs
> > -fstack-protector-strong issue? Do we want to change the default for
> > %__global_cflags in /usr/lib/rpm/redhat/macros?
> -all is not needed, -strong is the right balance between security and
> performance. For example
> int add(int a, int b)
> {
>     return a+b;
> }
> Does that need a stack canary? This is the nature of why some functions
> don't get a canary. Whenever knowledge of a stack frame is passed as a
> pointer to a function, then -strong will kick in and do a stack check
> on return.
Hi Steve,
thanks for the explanation.
So it looks like I should ignore stack canary warnings (assuming the package is
using the default flags). Should this be ignored for both libraries and
executable binaries or only libraries? Or is the answer once again that you can't
tell that easily?
> To know if the right thing is being done is hard to script. You really
> need to see what flags are passed to each source file being compiled.
> You just can't get at that from readelf.
Is it realistic to request an RFE with this information stored in the compiled
object and then read by readelf? If so I can file bugs in
bugzilla.redhat.com or upstream.
--
Alex
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
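The two points made in the thread above, that -fstack-protector-strong only instruments functions whose frame can actually be corrupted while -fstack-protector-all instruments every function, and that inspecting the built object only tells you the protector was used somewhere, can both be seen by compiling one small file both ways and asking objdump which functions reference __stack_chk_fail. The script below is an added example written for this page; it is not code from the thread or from Fedora's packaging. The C source, the object names and the helper names (canary_functions, build, report) are constructed for illustration, and it assumes gcc and GNU objdump on a target where the failure path is emitted as a call to __stack_chk_fail (or __stack_chk_fail_local).

```shell
#!/bin/sh
# Added example (not from the thread): compile the same two functions with
# -fstack-protector-strong and -fstack-protector-all, then list which
# functions in each object reference __stack_chk_fail. Assumes gcc and
# GNU objdump; the C source below is constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/canary.c" <<'EOF'
#include <stddef.h>

/* Defined elsewhere in the (hypothetical) program; opaque to the compiler. */
extern void fill(char *buf, size_t n);

/* Only scalar arithmetic, no address taken: -strong adds no canary here. */
int add(int a, int b)
{
    return a + b;
}

/* A local array whose address escapes to a callee: -strong instruments it. */
int copy_into_buffer(void)
{
    char buf[32];
    fill(buf, sizeof buf);
    return buf[0];
}
EOF

# canary_functions OBJ: print, sorted, the functions in OBJ that reference
# __stack_chk_fail (or __stack_chk_fail_local). -r is needed because in an
# unlinked object the callee is only visible as a relocation. GCC may move
# the failure path into a "<name>.cold" partition; fold that back onto name.
canary_functions() {
    objdump -dr "$1" | awk '
        /^[0-9a-f]+ <[^>]+>:$/ {
            fn = $2
            gsub(/[<>:]/, "", fn)
            sub(/\.cold(\.[0-9]+)?$/, "", fn)
        }
        /__stack_chk_fail/ && fn != "" { seen[fn] = 1 }
        END { for (f in seen) print f }
    ' | sort
}

# build: produce strong.o and all.o from the same source.
build() {
    gcc -O2 -fstack-protector-strong -c "$WORK/canary.c" -o "$WORK/strong.o"
    gcc -O2 -fstack-protector-all    -c "$WORK/canary.c" -o "$WORK/all.o"
}

# report: show, per object, which functions carry a canary check.
report() {
    for flavour in strong all; do
        printf '%s.o functions calling __stack_chk_fail:\n' "$flavour"
        canary_functions "$WORK/$flavour.o" | sed 's/^/  /'
    done
}

# Run the demonstration only where a toolchain is present.
if command -v gcc >/dev/null 2>&1 && command -v objdump >/dev/null 2>&1; then
    build
    report
fi
```

With -fstack-protector-strong only copy_into_buffer shows up; with -fstack-protector-all both functions do. Note what this does and does not establish: finding a reference to __stack_chk_fail in a finished binary proves that at least one translation unit was built with a stack protector, but a function without the check is indistinguishable from one that was simply not eligible under -strong, so per-file flags cannot be recovered from the object alone.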