On Thu, Jun 30, 2011 at 03:31:24PM +0200, Jakub Jelinek wrote:
On Thu, Jun 30, 2011 at 03:19:10PM +0200, Reindl Harald wrote:
> as far as I can see Fedora is built with "-fstack-protector" and not
> "-fstack-protector-all" - is there a specific reason for not using
> the "all" variant?
Sure, it is expensive to set up the canary even when it is obvious
it isn't needed. We by default use 4 byte+ arrays as the trigger to
add stack canaries (gcc default is 8 byte+), with -fstack-protector-all
you add it even for functions that don't have any stack variables at
all, or that have only scalar vars etc.
I'd add that even functions as simple as
int foo (void) { return 1; }
are "protected" with -fstack-protector-all, with -fstack-protector
this function has 2 instructions, with -fstack-protector-all 11, which
includes creating a stack frame etc.
Really, -fstack-protector --param=ssp-buffer-size=4 is a carefully chosen
reasonable default, just don't listen to clueless LFS/Gentoo folks
that suggest something else.
Jakub