Re: RFC mass bug reporting: checksec failures

On 09/17/2015 06:15 PM, Steve Grubb wrote:
On Thu, 17 Sep 2015 13:53:38 +0300
Alexander Todorov <atodorov@xxxxxxxxxx> wrote:

On 17.09.2015 at 13:34, Steve Grubb wrote:
On Thu, 17 Sep 2015 11:07:37 +0300
Alexander Todorov <atodorov@xxxxxxxxxx> wrote:

Can somebody comment on the -fstack-protector-all vs
-fstack-protector-strong issue? Do we want to change the default
for %__global_cflags in /usr/lib/rpm/redhat/macros?

-all is not needed, -strong is the right balance between security
and performance. For example

int add(int a, int b)
{
	return a+b;
}

Does that need a stack canary? This is the nature of why some
functions don't get a canary. Whenever knowledge of a stack frame
is passed as a pointer to a function, then -strong will kick in and
do a stack check on return.


Hi Steve,
thanks for the explanation.

So it looks like I should ignore stack canary warnings (assuming the
package is using the default flags). Should this be ignored for both
libraries and executable binaries or only libraries? Or the answer
is once again, you can't tell that easily?

Not completely. See below.


To know if the right thing is being done is hard to script. You
really need to see what flags are passed to each source file being
compiled. You just can't get at that from readelf.


Is it realistic to request an RFE with this information stored in the
compiled object and then be read by readelf? If so I can file bugs
in bugzilla.redhat.com or upstream.


I think Florian answered this. Indeed, the --debug-dump option does
find these strings, but they are mixed in with other data. I think that
if there is no canary and flags were passed, it's not a problem. If the
flags are absent, the build scripts are suspect.

-Steve


So, I see that the various vtk libraries show No canary found. However, I'm pretty sure that the proper --specs=redhat-hardened-{cc1,ld} flags etc are getting passed to the compile. Perhaps there is some issue parsing the C++ libraries or is something else going on like the above?

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion@xxxxxxxxxxxxx
Boulder, CO 80301              http://www.cora.nwra.com
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
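
The rule of thumb from the thread (no canary but flags passed is fine, flags absent makes the build scripts suspect) can be scripted over `readelf -s` and `readelf --debug-dump=info` text. This is an added example, not code from any poster; it assumes the compiler recorded its command line in `DW_AT_producer` (GCC's `-grecord-gcc-switches`), and the function names, verdict strings and sample output are constructed for illustration.

```python
import re

# Attribute lines as printed by `readelf --debug-dump=info` (binutils text format).
ATTR_RE = re.compile(r"DW_AT_(producer|name)\s*:\s*(?:\(indirect[^)]*\):\s*)?(.*\S)")
# Any -f[no-]stack-protector[-all|-strong|-explicit] option as a whole word.
SSP_RE = re.compile(r"(?<!\S)-f(no-)?stack-protector(?:-all|-strong|-explicit)?(?!\S)")

def compile_units(debug_info):
    """Return [(source_name, producer_string)], one pair per compile unit."""
    units, producer = [], None
    for line in debug_info.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "producer":
            producer = value
        elif producer is not None:  # first DW_AT_name after a producer names the CU
            units.append((value, producer))
            producer = None
    return units

def ssp_enabled(producer):
    """The last stack-protector option on the command line wins."""
    flags = SSP_RE.findall(producer)  # each item is "no-" or ""
    return bool(flags) and flags[-1] == ""

def triage(symbols, debug_info):
    """symbols: `readelf -s` text; debug_info: `readelf --debug-dump=info` text."""
    units = compile_units(debug_info)
    unflagged = [name for name, prod in units if not ssp_enabled(prod)]
    if "__stack_chk_fail" in symbols:
        verdict = "canary present"
    elif not units:
        verdict = "unknown: no producer records, debuginfo needed"
    elif unflagged:
        verdict = "suspect: build flags missing"
    else:
        verdict = "ok: flags passed, no function needed a canary"
    return verdict, unflagged

# Constructed, trimmed sample output; not taken from a real package.
SAMPLE_SYMS = "  7: 0000000000000000  0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.2.5 (2)\n"
SAMPLE_INFO = """\
    <c>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C 5.1.1 -O2 -g -fstack-protector-strong
    <11>   DW_AT_name        : (indirect string, offset: 0x40): add.c
    <5e>   DW_AT_producer    : (indirect string, offset: 0x46): GNU C 5.1.1 -O2 -g
    <63>   DW_AT_name        : (indirect string, offset: 0x60): util.c
"""
```

Calling `triage(SAMPLE_SYMS, SAMPLE_INFO)` flags `util.c`, the one compile unit whose producer string carries no stack-protector option.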