-fstack-protector-strong vs -fstack-protector-all

Hi all.

Since I started to rebuild my packages for the hardened builds issue, I
have discovered (so far) a couple of libraries that end up without
"Canary protection" according to the output of the 'checksec' tool.
Of course, I verified that all optimization flags used in Fedora by
default were respected; as you know, we use the '-fstack-protector-strong'
flag to check for buffer overflows, but some libraries like

libmozalloc.so in 'icecat'
https://bugzilla.redhat.com/show_bug.cgi?id=1283307

or

libmodplug/libtimidity in 'MOC' (RPM Fusion free)

seem to need to be compiled with '-fstack-protector-all'; otherwise
a "No Canary protection" warning results from the 'checksec' output.

GCC-5.3 documentation says:

-fstack-protector
    Emit extra code to check for buffer overflows, such as stack
smashing attacks. This is done by adding a guard variable to functions
with vulnerable objects. This includes functions that call alloca, and
functions with buffers larger than 8 bytes. The guards are initialized
when a function is entered and then checked when the function exits.
If a guard check fails, an error message is printed and the program exits.

-fstack-protector-all
    Like -fstack-protector except that all functions are protected.

-fstack-protector-strong
    Like -fstack-protector but includes additional functions to be
protected — those that have local array definitions, or have
references to local frame addresses.


So,

1) From the point of view of packaging, is forcing
-fstack-protector-all acceptable?

2) Does -fstack-protector-all permit a real protection where
-fstack-protector-strong does not?

-- 
Antonio Trande

mailto: sagitter 'at' fedoraproject 'dot' org
http://fedoraos.wordpress.com/
https://fedoraproject.org/wiki/User:Sagitter
GPG Key: 0x565E653C
Check on https://keys.fedoraproject.org/