Michael Zintakis <michael.zintakis@xxxxxxxxxxxxxx> writes:

> My understanding is that for building the toolchain (gcc, glibc,
> binutils etc) it is advisable to disable FORTIFY_SOURCE and not use
> any ssp or -fstack-protector-* options.

You should not use -D_FORTIFY_SOURCE or -fstack-protector when building
glibc or any target library which is part of gcc. It's OK to use them
when building gcc itself, as long as the definition doesn't leak through
to any target libraries (e.g., libgcc, libstdc++).

--disable-libssp is of course a gcc configure time option. I'm not sure
it really makes any difference one way or another when using glibc. In
general the only reason to ever use --disable-libssp would be if libssp
does not work for your target.

> And then there is the issue with building the 'regular' software -
> should I enable or use these options (or can I, provided that I
> compiled my toolchain without them, assuming that I also used
> "--disable-libssp" as well?) and if so what of the above options
> should I use?
>
> The software I need to build is a mixture of the kernel itself and
> regular programs, so I don't know whether to use the above options?
> Many thanks in advance for the advice given!

I would not expect -D_FORTIFY_SOURCE to make any difference when
building the kernel, unless the kernel provides some special semantics
for it. In general it's perfectly reasonable to use -D_FORTIFY_SOURCE
when building an application program. It will compile the program to
use code which is slightly slower but is less vulnerable to buffer
overflows in some cases.

I don't know whether you can use -fstack-protector when building the
kernel. In general it's perfectly reasonable to use when building an
application program. It will cause the program to use code which is
slightly slower but which detects stack buffer overflows in some cases.

Ian
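
Added example, not part of the original message or of gcc/glibc: a small C sketch of the kind of check -D_FORTIFY_SOURCE relies on, showing why it catches overflows only "in some cases". The names copy_chk, checked_copy and the demo_* functions are hypothetical; the code assumes GCC or Clang for __builtin_object_size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { COPY_REFUSED = -1, COPY_CHECKED = 0, COPY_UNCHECKED = 1 };

/* Hypothetical stand-in for a fortified memcpy. glibc's checked variant
 * aborts the process on overflow; this one returns a code instead so the
 * outcome can be inspected. */
static int copy_chk(void *dst, const void *src, size_t n, size_t dst_size)
{
    if (dst_size == (size_t)-1) {   /* size unknown to the compiler */
        memcpy(dst, src, n);        /* falls back to an unchecked copy */
        return COPY_UNCHECKED;
    }
    if (n > dst_size)               /* would write past the destination */
        return COPY_REFUSED;
    memcpy(dst, src, n);
    return COPY_CHECKED;
}

/* The compiler supplies the destination size where it can work it out. */
#define checked_copy(dst, src, n) \
    copy_chk((dst), (src), (n), __builtin_object_size((dst), 0))

static const char sample[16] = "0123456789abcde";   /* constructed input */

int demo_fits(void)     { char buf[8]; return checked_copy(buf, sample, sizeof buf); }
int demo_overflow(void) { char buf[8]; return checked_copy(buf, sample, sizeof sample); }

/* Behind a plain pointer parameter the destination size is not visible. */
__attribute__((noinline))
int copy_via_pointer(char *dst, size_t n) { return checked_copy(dst, sample, n); }

int demo_unknown(void)  { char buf[8]; return copy_via_pointer(buf, sizeof buf); }

int main(void)
{
    printf("fits: %d overflow: %d via pointer: %d\n",
           demo_fits(), demo_overflow(), demo_unknown());
    return 0;
}
```

The third case is the gap: once the destination is only a pointer parameter, the size is unknown and the copy goes through unchecked.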