On Mon, Mar 21, 2011 at 1:21 PM, Ian Lance Taylor <iant@xxxxxxxxxx> wrote:
> Michael Zintakis <michael.zintakis@xxxxxxxxxxxxxx> writes:
>
>> My understanding is that for building the toolchain (gcc, glibc,
>> binutils etc) it is advisable to disable FORTIFY_SOURCE and not use
>> any ssp or -fstack-protector-* options.
>
> You should not use -D_FORTIFY_SOURCE or -fstack-protector when building
> glibc or any target library which is part of gcc.  It's OK to use them
> when building gcc itself, as long as the definition doesn't leak through
> to any target libraries (e.g., libgcc, libstdc++).
>
>
> --disable-libssp is of course a gcc configure time option.  I'm not sure
> it really makes any difference one way or another when using glibc.  In
> general the only reason to ever use --disable-libssp would be if libssp
> does not work for your target.
>
>
>> And then there is the issue with building the 'regular' software -
>> should I enable or use these options (or can I, provided that I
>> compiled my toolchain without them, assuming that I also used
>> "--disable-libssp" as well?) and if so what of the above options
>> should I use?
>>
>> The software I need to build is a mixture of the kernel itself and
>> regular programs, so I don't know whether to use the above options?
>> Many thanks in advance for the advice given!
>
> I would not expect -D_FORTIFY_SOURCE to make any difference when
> building the kernel, unless the kernel provides some special semantics
> for it.  In general it's perfectly reasonable to use -D_FORTIFY_SOURCE
> when building an application program.  It will compile the program to
> use code which is slightly slower but is less vulnerable to buffer
> overflows in some cases.
>
> I don't know whether you can use -fstack-protector when building the
> kernel.  In general it's perfectly reasonable to use when building an
> application program.  It will cause the program to use code which is
> slightly slower but which detects stack buffer overflows in some cases.

Ian, I don't think Michael was saying:

configure: --disable-libssp
build: -D_FORTIFY_SOURCE -O2 -fstack-protector

I think he was saying:

configure: --disable-libssp
build: -U_FORTIFY_SOURCE -O2 -fno-stack-protector

As for the kernel; it can be built with stack protector. But like (e)glibc,
the kernel enables it internally. So you build the kernel with:

-U_FORTIFY_SOURCE -fno-stack-protector

and enable CONFIG_CC_STACKPROTECTOR=y and -fstack-protector will be turned
on in all the right places.

> Ian

-Bryan
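Added example for this thread (not code from the thread, gcc or glibc): a small script that reads the undefined symbols of a built object and reports whether stack protector and FORTIFY_SOURCE actually took effect, so you can confirm the flags above did what you meant and that -fstack-protector did not leak into a target library such as libgcc. The function names and the sample nm output are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the undefined symbols in
# `nm -u` output to see which hardening a compiled object actually carries.
# Stack-protected code references __stack_chk_fail (or __stack_chk_guard);
# fortified calls resolve to __*_chk variants such as __memcpy_chk.
# Input is a file holding nm output, so the samples below are constructed
# and nothing here needs a compiler.

# Print "ssp=yes|no fortify=yes|no" for the nm output in file $1.
hardening_from_nm() {
    ssp=no
    fortify=no
    grep -qE '__stack_chk_(fail|guard)' "$1" && ssp=yes
    # _chk must end the symbol (or be followed by a @VERSION tag), so
    # __stack_chk_fail itself does not count as a fortified call.
    grep -qE '__[a-z0-9_]+_chk(@|$)' "$1" && fortify=yes
    echo "ssp=$ssp fortify=$fortify"
}

# Return 0 when the object matches the thread's advice for its role:
#   target-lib  (libgcc, libstdc++, glibc): neither option may leak in
#   application: either option is fine
check_role() {
    result=$(hardening_from_nm "$2")
    case $1 in
        target-lib)
            if [ "$result" = "ssp=no fortify=no" ]; then return 0; fi
            echo "$2: $result leaked into a target library" >&2
            return 1 ;;
        application) return 0 ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
}

# Constructed sample nm output (not captured from a real build).
tmp=${TMPDIR:-/tmp}/hardening_demo.$$
mkdir -p "$tmp"
cat > "$tmp/app.nm" <<'EOF'
                 U __memcpy_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
EOF
printf '                 U memcpy\n                 U abort\n' > "$tmp/libgcc_clean.nm"
printf '                 U memcpy\n                 U __stack_chk_fail\n' > "$tmp/libgcc_leaked.nm"

hardening_from_nm "$tmp/app.nm"            # ssp=yes fortify=yes
check_role application "$tmp/app.nm"
check_role target-lib "$tmp/libgcc_clean.nm"
check_role target-lib "$tmp/libgcc_leaked.nm" || echo "fix the toolchain build flags"
```

On a real build, feed it `nm -u libgcc.a > libgcc.nm` (or `nm -D --undefined-only` for a shared object) and run `check_role target-lib libgcc.nm`.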